An enthusiast programmer with a passion for computer security and low-level concepts of IT. Author of the book “Zrozumieć Programowanie” [Understand Programming], Editor-in-Chief and creator of the experimental magazine Paged Out!, as well as the author of numerous articles, publications, podcasts, and conference talks devoted to the above-mentioned topics. In 2013 in Las Vegas (together with Mateusz Jurczyk) received the Pwnie Award in the category “The most innovative scientific research” in the field of computer security. Co-founder and former captain of Dragon Sector team, one of the best Capture The Flag teams in the world. Chairman of the Program Board of the Security PWNing conference. Since 2010 lives in Zurich, where he works for Google as Technical Lead / Manager in a security engineering team.
In a small town in the Canton of Zurich in Switzerland.
37
During my university years, I worked for one of the Polish anti-virus companies (ArcaBit). After a year, I went on to work at a Spanish company, Hispasec (known for, among other things, VirusTotal), and after three more years, I moved on to Google, where I have been working for the past 10 years.
Always mixed/combined/multiclass. At ArcaBit, it was programmer / reverse-engineer, at Hispasec – security researcher / pentester / malware analyst / programmer (true full-stack: drivers, desktop apps, web app backend/frontend, and even a mobile application) / local manager / or even furniture assembler :). At Google, the official position is Software Engineer + Tech Lead / Manager in one of many security teams (and in practice, the above-mentioned roles were joined by, e.g. electronics as well as many other things).
Apart from work (see above), I stream on YouTube twice a week (Wednesdays in English, Thursdays in Polish), I also oversee the creation of the Paged Out! magazine, and help a little with the Programista and Programista Junior magazines. Aside from that, if I have time (which unfortunately is a rare occurrence), I partake in CTFs with the Dragon Sector team. I am also a member of the Program Board of two Polish conferences – PWNing and CONFidence.
Haven (my main computer): https://gynvael.coldwind.pl/haven2.html
Aurora Nanoleaf
Yes. Mainly YubiKey – I recommend it :)
SysInternals / Microsoft ZoomIt
PC/Laptop: Windows as main desktop OS + Ubuntu Server on a VM. Servers/VPSs: Ubuntu Server. Why? Personal preferences :)
Mainly because my setup is older than WSL/WSL2 and I don't yet have a good reason to migrate. Also, WSL didn't support some Linux kernel features I've been using (e.g. various filesystem support).
I have quite a unique configuration, which combines some of the advantages of Windows and Linux. More about that can be read here: https://docs.google.com/document/d/1bq3lXdB2G4Mr2xVSxGdx6icleV7bfWbDUQUOuXzftTY/edit?usp=sharing
Mostly IDA, although sometimes I use Binary Ninja and Ghidra. Additionally, ndisasm (part of NASM) and Capstone.
Fiddler and a whole lot of ad hoc scripts in Python.
None. There are some disadvantages to using AVs in some cases, i.e. they increase the attack surface (see e.g. the classic Sophail research by Tavis Ormandy).
Yes. Different things on different computers. Sometimes also additional encryption of specific folders / files.
I don’t use pwntools for two reasons:
1. I have my own mini-framework that I use (which also has about 1% of pwntools features, but that’s enough for me).
2. Anytime I try to use pwntools, something’s not working :(
I most often work with Python, C/C++, JavaScript, and Assembler x86. Apart from that, in years past, I have more or less written in many other languages like PHP, Perl, Java, Turbo Pascal, different variants of BASIC, or more specialized ones such as mIRC Script or eScript. I have also happened to write few-hundred-line-long scripts in batch (.bat) and Bash (not sure I should admit that though).
I practically know no functional languages. I have also played with neither Rust (although it is on the to-do list) nor C#. And I played with some only for a very short time (e.g. Go lang). There are many other languages I never touched, but these are the ones I'm most frequently asked about.
I began my adventure with programming when I was 6.
Atari BASIC <3
I don’t have any certificates and in my particular field, I don’t feel the need to have any (from my limited experience, certificates are neutral, that is they do not help to get work and they don’t hinder that either). YMMV.
From my perspective, they are useful in two cases:
1. If you want to start work in companies/institutions that require such certificates or in companies who perform services for such companies/institutions.
2. If you want to have a certificate or use obtaining the certificate as a source of motivation for learning.
In such cases, I highly recommend obtaining the certificates you dream of :)
I only played with Go after it came out – I wrote a simple raytracer (https://gynvael.coldwind.pl/?id=249) and that’s how my adventure with that language ended. It seemed, however, a nicer alternative to C in some applications (and definitely safer).
A language with many traps and pitfalls. One of my favorite programming languages, but to write safely in it, you practically need to have a doctorate in it.
Two very good sources of knowledge about the language:
Specs: https://isocpp.org/files/papers/N4860.pdf
C++ Core Guidelines: https://github.com/isocpp/CppCoreGuidelines
The default implementation is slow (VM without JIT + GIL), but it works well for threads of the I/O bound type. Additionally, a vast collection of easy-to-install libraries, clear and very convenient and expressive syntax, as well as its popularity in security/hacking make it one of my favorite languages.
It is currently a very popular language which was created purely organically in the world of the browsers over many years, hence, many weird design decisions can be found in it. I personally like JS but... it is a language that has been through a lot and it requires patience as well as love from the programmer.
Rust is on my to-do list but I have not reached it yet :(
I have no idea what this is – foxtrot put it here, so it’s all his fault.
I know nothing about functional languages :(
Generally a fast and safe language, only very verbose/wordy. I've written more in Java back in the day, but currently I basically only read Java code (without writing any).
I have written almost nothing in C# – at most I happened to debug or read some code. It looks OK.
When Python meets Perl. I've mostly played with Ruby on CTFs, so I don't know too much about it.
Short answer: If you are not working in IT at the time of deciding whether to go to a university, then I encourage you to go to a university – at the very least to have more time for developing/honing your skills on your own.
I have no opinion on that – both types have their advantages and disadvantages.
Yes. There are two mundane things you'll need to consider though:
1. Will you be able to dedicate enough time during the day to learn it? Programming and hacking take A LOT of time to master.
2. Will you be able to survive on a junior's salary? After you transition to programming it will take time to reach regular/senior/staff positions.
Apart from that I'll just add that it might be easier for older folks to learn programming than for children, as the older we are the easier it gets to grasp abstract concepts (note: this is little more than my shower thoughts).
https://www.youtube.com/watch?v=9I5RAWGWj7I
https://www.freecodecamp.org/news/so-you-want-to-work-in-security-bc6c10157d23/
https://lcamtuf.blogspot.com/2016/08/so-you-want-to-work-in-security-but-are.html
http://ifsec.blogspot.com/2018/02/so-you-want-to-work-in-security-and-for.html
https://gist.github.com/mubix/5737a066c8845d25721ec4bf3139fd31
https://research.checkpoint.com/2020/i-want-to-learn-about-exploitation-where-do-i-start/
https://gynvael.coldwind.pl/?lang=en&id=664
https://gynvael.coldwind.pl/?id=659
https://gynvael.coldwind.pl/?id=427
And an overview of my library:
https://www.youtube.com/watch?v=VApXVLKi7uI
David Weber - series about Honor Harrington (military sci-fi)
Anne Bishop - The Black Jewels series (dark fantasy)
Jim Butcher - The Dresden Files series (urban fantasy)
Michał Cholewa - Algorytmy Wojny series (military sci-fi; not sure if this one is available in English though)
Mercedes Lackey – any books in the series about the Valdemar kingdom / Velgarth world (fantasy)