My resume (curriculum vitæ)
Born and raised in France, I graduated in 2003 from ÉPITA (École Pour l'Informatique et les Techniques Avancées), with a specialization in computer security. Shortly afterwards I moved to the US and worked for various companies, most recently at Google as a whitehat hacker. I took a sabbatical in 2015–2016 to travel the world with my wife, and have since then been working for myself as a researcher, entrepreneur, and angel investor. I have a keen interest in: reverse engineering, security vulnerability research/exploitation, cryptography, software optimization, GPGPU, decentralized cryptocurrencies (Bitcoin), hardware hacking, home automation, IoT, just to name a few things.
Vulnerabilities I discovered either as an independent researcher or as an employee:
ASA stands for "After" Security Advisory, based on an old handle I used back in college.
I maintain these cryptocurrency resources:
Talks I gave at security conferences:
MD5 Chosen-Prefix Collisions on GPUs [whitepaper]; Black Hat USA 2009, Las Vegas, NV, USA (July 30, 2009).
In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developed to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical for anybody. In addition, an MD5 password hash bruteforcer tool has been built on top of this implementation and achieves a speed of 1.5 billion MD5 hash/sec on an ATI Radeon HD 4850 X2, or 725 million MD5 hash/sec on an ATI Radeon HD 4850.
Source code: bday/
Breaking UNIX crypt() on the PlayStation 3; ToorCon 10, San Diego, CA, USA (September 28, 2008).
A UNIX crypt() password bruteforcing tool has been developed and optimized for the Cell B.E. processor. The major advance resides in a new set of bitslice DES "S-Box circuits" that average 45.5 gates per S-box by using all the logical instructions of the SPU ISA. This allows the bruteforcer to fully exploit the SPU cores of the Cell processor.
Source code: cell-bf/
Open source software I wrote:
SILENTARMY is a Zcash miner for Linux with multi-GPU and Stratum support. It is written in OpenCL and has been tested on AMD/Nvidia/Intel GPUs, Xeon Phi, and more. I initially wrote it as a command line solver for the Zcash open source miner challenge, and later expanded it into a full-featured miner.
hdminer is a Bitcoin GPU miner I wrote in 2010. I mined with it and sold copies of the software (I gave the source code to buyers, but the license prohibited redistribution.) It is of course useless today because miners abandoned GPUs and moved to ASICs.
whitepixel is an open source GPU-accelerated password hash auditing software for AMD/ATI graphics cards.
hablog is the proof-of-concept high availability, distributed blogging platform that I use for my blog. See my post for more information. I am only releasing it because I expect people will ask me for the code. However I cannot emphasize enough how proof-of-concept, prototype-stage, poorly documented this code is. You have been warned :-)
bday is an implementation of the improved birthday search described in On Collisions for MD5, Marc Stevens, Master's Thesis, section 7.4, using a hand-optimized MD5 compression function written in AMD CAL IL (Compute Abstract Layer Intermediate Language) targeting the ATI Radeon HD 4000 series and higher GPUs.
cell-bf is a UNIX crypt() password bruteforcing tool developed and optimized for the Cell B.E. processor. The major advance resides in a new set of bitslice DES "S-Box circuits" that average 45.5 gates per S-box by using all the logical instructions of the SPU ISA. This allows the bruteforcer to fully exploit the SPU cores of the Cell processor.
qemudo is a Web interface to QEMU offering a way for users to access and control multiple virtual machines (guest systems) running on one or more remote physical machines (host systems).
unrarhp is a Unix command line brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x "-hp" option. This option, contrary to "-p", also encrypts the block headers and protects metadata such as filenames, etc. As of June 2010, unrarhp is the only RAR "-hp" brute forcer that is open source and free.
bpwd is a GNU/Linux tool that allows you to tweak BIOS supervisor passwords by directly accessing the NVRAM, aka the CMOS RAM. It can find them by brute force (all possible combinations of characters are tried), test a password list, or even simply enable/disable them by modifying BIOS settings.
geronimo is a Unix/Win32 Netsoul client—a custom instant messaging protocol designed by ÉPITA sysadmins and used throughout the school. Geronimo was initially created by Nicolas Delon, and I have been maintaining it since November 2002 (version 0.7.2.)
Beaver is an Early AdVanced EditoR. It was the end-of-year project of my second year (InfoSpé) at ÉPITA. When the project began in January 2000, the developer team was composed of 3 students: Emmanuel Turquin, Damien Terrier and me. Currently, the project is maintained by Leslie Polzer and Michael Terry.
lceb finds all possible solutions to the mathematical game called "Le Compte est Bon," which is played on the French television show "Des Chiffres et des Lettres."
[md5-amd64]: MD5 optimized for AMD64
[shellcode-amd64]: A Short Shellcode for AMD64
[rc4-amd64]: RC4 implementation for AMD64
ÉPITA and Epitech are two French computer science schools. One day, I decided to write the FAQ (Frequently Asked Questions) of the computer network and resources available to students, because the same questions were asked in the newsgroups, again and again. It instantly became a hit. The first version (0.5.0) of the ÉPITA-Epitech FAQ (Epifaq) was published on December 4, 2001. I maintained it until April 2002 (version 0.8.8.) Then Jeff Lambo became the official maintainer. I archived a snapshot of version 1.1.3 here. To my knowledge, Epifaq is no longer maintained or available online.