Non-violent security talk for small and medium business @ BlendWebMix

In december, I was in a web conference, named #BlendWebMix, which gathers all kind of actors of the web economy, from investors to tech, including designers, influencers, politics, startupers, … Very diverse type of talks were given, 80, and 1800 people attended the event. I was selected to give a very short presentation on privacy and security. My challenge was : convincing a broad audience that the privacy was something each of us, as workers, should take action for, in 13 minutes. Here is the core of my message.

I am fed up with the usual talk in security which says ‘provide privacy by implementing some security or you will burn in the hell of bad reputation companies, together with Madison, Target, Yahoo, and potentially bankrupts”. You know, that Fear Uncertainty and Doubt (FUD). I tried another angle. I tried the non-violent path. And I believe there are at least two good reasons why people should give a chance (and budget and effort) to the privacy.


The first reason can be found on the optimistic side of the life. The good reputation. I have the feeling that in this digital storm of hacks, global attacks, social media bashing, the companies taking action to preserve the privacy of the users are playing a good game. And the user may know. And the user may appreciate it. And it may be a competitive advantage to invest and get rewarded for it.


The second reason is the data protection, as defined by the european comission. There is a new directive that mandates every company to allow its user to keep an eye on their data. It is the result of long discussions related to the value of the citizen privacy in our digital world. That regulation will be applicable in May 2018, to all European companies or all non-european companies handling some European citizen data. Well, yes, 2018 is after tomorrow. Which gives you only tomorrow to ramp up in good practices and get ready. The threat; if you are not compliant with the regulation, will directly touch your wallet, as fees could go up to 4% of your benefits, as a company. Universities and public services are also submitted to this regulation.

What does this regulation say ? It says that users will have to explicitly opt-in for registering their data, they will be able to control what you are doing with the data, they will have the right to modify and delete their data. In addition the data portability will have to be provided. Finally, users will have to be informed about any breach related to their data. Data in this context, means any piece of information which characterized the user, name, address, but also geo-localisation, social media activity, any digital evidence left by the user that you are collecting.

Who is submitted to this regulation ? Any company which collects, processes, transmits, stores the data. This means, you, but also anyone touching the data closely or by far. For example, the monetization partners (ads), or your cloud providers.  Now you see what could be the impact !

Duing the talk, I started a new technic for getting the audience sensitive to the message. I asked them to pause a second, to close their eyes, to breathe, and think about one of their user. Lea, 30 years old, digital, agile, conscious citizen, caring about her privacy. I asked the audience to answer in the secret of their mind and heart, eyes still closed, the following questions : do you know what are the data from Lea that you are taking in your super-super application or service ? Do you know where are Lea’s data stored ? When was the last time you had a conversation about privacy and security at work ? I mean, not on Twitter, being scandalized by the global surveillance of the states, but wondering, in your own framework. Some of the people in the audience smiled, and I felt some of the questions touched of them. What about you ?.

Targeting to convince the audience in a smooth way to take action for the privacy of their users. I reminded that it was important for them to identify the data, understand their life cycle in their own service life cycle, define some weak points (aka, any entry point, transfert, storage…) and protect those points. The thing is that of you are a small company, you may not know where to start. My key message was. Well. Start with pragmatic stuff.

First. Talk about security, create conversation around it. For example. Make a 2 hours meeting with the project manager or whoever in the company coded the solution, with a global view. And together make a status of the different security measures done up to know. Make an accurate status.

Second. Look for security champion(s) in your team. Basically the one(s) who had a security training at school or who had the chance to work on a security sensitive project in the past and may share with others.

Third. Write a process. It could be a paper sheet on the cafeteria reminding, i) before you ship a new feature, ask John (the security champion) to have a code review, ii) before you sign a deal with a company, check its track record in security, …. Or it could be a professional methodology for bigger companies. Well, the objective is just to make sure that the question of the security is handled in the product life cycle, at company scale, and taken into account in the delays and deals. This relates to create a security company culture.

Fourth. Engage conversation with your partners, providers, ask them the basic question on their security investment. They might be able to prove that they actually take care of it. With certification, or being able to tell you a nice story about their effort in that matter. Just like any company should be prepared to.

Fifth. Crash test your product. Some bug bounties platform are now existing. You can submit your product, it will be attacked by some hackers, and if some security vulnerabilities are found, you will be informed. The next level or complementary action could be to perform an audit of your code, or have actual security certification (but I guess that if you are on a market where security certification scheme exists, you might already be a security aware company).

Sixth. Have a monitoring of the security news. Read some newspapers specialize din sec, or some forum alerting on vulnerabilities. It would be a pity if your service bim-bam-boum were based on a framework which has been seriously hacked, and that you are not aware of.

In the end. Six possible concrete actions. To be rolled out by any non-expert security. I asked again the audience to close their eyes. And to pick in that list one action, just one action. And promise, in the secret of their mind to do it, Monday morning, when coming back in the office.Hoping next Monday some SMB will enter the way of improving privacy of their services….

Note : all picture copyrighted Garry Winogrand

Some news on the Trusted Execution Environment side…



Few time ago I wrote about the Trusted Execution Environment (TEE), and how promising it was. Few months ago, I mentionned the arrival of Trusty TEE in Android, an API allowing mobile application to interact with TEE based services. One can still wonder in 2016, where is that technology positioned.

A reminder about what is TEE. Well, it is always an isolated environment, shipped into smart phones, offering a way to deploy some code that will be securely stored and executed. It could support any mobile application that may require some sensitive operations and a trusted user interface, to insure what you see is what you sign.

But the major question when we come to nice technology is : “yeap, your stuff sounds cool, but, who on earth is using it ?”.

Well. Let’s see the facts. On the GlobalPlatform website, you can find 8 products that did success in the functional official certification. You can check this yourself here. Among the certified vendors, one can note Samsung.

And what does the silicon valley say about it ? A recent event allowed to have an overview of the market. It was the TEE Seminar that happened in October in Santa Clara. This is a regular seminar which is gathering the usual suspects of the TEE eco-system. Speakers include ARM, Visa, Trustonic (one of the well known TEE provider, a gemalto owned company), FIDO Alliance, Linaro (which offers an open source version of a TEE, named OP TEE), Ericsson, Verimatrix (guys in the game of the content distribution and IP TV), plus gemalto (my company) and G&D (one of my company competitors). The key topics of the TEE this year was Internet of Things. While the TEE technology seems to be distilled in the smartphone market via official products (see Samsung statement, Android Trusty TEE API and Secure Enclave [PDF] in iOS), the next wave ready to take benefit of it is about Internet of Things.

Any diverging creative geeks interested ? In the same October month, there was an interesting event which happened also in the silicon valley. A TEE hackathon #BuildWithTEE, dedicated to get benefit of the technology. It was organized by BeMyApp and GlobalPlatform. It happened that 100 people joined the hackathon over the week end. The pitch exciting moment was made of 22 smart ideas, 12 went until the end of the sunday and 3 winners shared 10 000 US dollars. The material provided to participants was a Linaro Open TEE loaded in a Raspberry Pi 3, and all they had to do was to play with Linux and impelment thier idea, with the objective to use key asset of the TEE, aka the security, on a client or a server side. Ideas that won were about monitoring door lockers when renting your house, deploying a privacy respectful tracking system, a centralized password management server. The IoT use cases were the major ones that the creative geeks wanted to explore.

So, to conclude, the TEE is a technology alive and kicking and will definitely support nice innovation in the field of all-and-everything-connected !

Note : Picture from




Tadaaa, Trusty débarque dans vos téléphones…


TL;DR. Trusty débarque dans vos téléphones, c’est un framework d’execution sécurisé, c’est cool, vos données ou les opérations sensibles de vos appli mobiles en bénéficieront. Et je vous explique ici comment, avec des mots simples – pour les gens qui ne sont pas des geeks de la sécu.

Votre mobile et la sécurité (mise en jambe du sujet). Les téléphones mobiles accueillent de plus en plus de données sensibles, relatives à notre vie personnelle, sociale et professionnelle. Si l’on a longtemps considéré que les attaques les plus courantes et coûteuses se passaient sur des systèmes informatiques centralisés, tels que des serveurs ou des systèmes IT, force est de constater que l’attention se porte maintenant, aussi, sur les téléphones mobiles. Des applications chargées sur un téléphone peuvent embarquer du code silencieux et effectuer quelques opérations inappropriées sans l’accord de l’utilisateur. La plupart des applications officielles, disponibles sur les portails d’application populaires, subissent une vérification de code. Mais il se peut que le code d’une application malveillante exploite des vulnérabilités non-encore déclarées du téléphone. Bref. Ce renforcement des attaques logicielles sur les environnements embarqués, en plus grand nombre et plus pointues a forcé les concepteurs des environnements d’exécution, tels que Apple, Google, Microsoft à renforcer encore les outils pour protéger leurs produits des attaques logicielles. Ce sont ces outils que nous vous proposons de passer en revue dans cet article.

La sécurité intrinsèque des mobiles (pour ceux qui avaient un doute). Les environnements d’exécution comportent des mécanismes qui permettent de les protéger d’un chargement trop facile d’application malicieuse. Les applications officielles sont en général signées par le fournisseur de service et/ou par fabriquant de téléphone, cette signature inclut la vérification des permissions de l’application, à savoir les librairies auxquelles cette application pourra accéder pendant son exécution. Il arrive aussi fréquemment que avant même que l’OS du téléphone boote, l’OS vérifie la légitimité de chacun de ses constituants, driver de périphérique, middleware, librairie applicative. C’est le principe du secure boot.

Les fonctions de sécurité applicative. On trouve également dans les environnements iOS, android, WindowsPhone et BlackBerry OS des fonctions, mises à disposition des développeurs d’applications, qui leur permettent de renforcer leur application. On trouve ainsi dans la dernière version de android Marshmallow, des packages tels que android.hardware.fingerprint pour gérer les empreintes digitales, pour générer des clés et effectuer des opérations cryptographiques. Il s’agit donc de mettre à disposition des développeurs des outils permettant de construire un modèle de sécurité plus robuste au sein même de leurs applications. On pourra donc rajouter une authentification de l’utilisateur par la vérification d’une empreinte digitale et la transmission de contenu entre le serveur et le client, chiffré ou signé pour en assurer la confidentialité ou l’intégrité (ou pourquoi pas les deux).

Le Trusted Execution Environement (nous y voilà). Les applications mobiles, intégrant les barrières de sécurité traditionnelles peuvent être soumises à des attaques de logiciel malveillants, résidant dans le téléphone, ou à proximité. Heureusement, l’art de sécuriser les environnements embarqués et ouverts, comme les téléphones, évolue et s’adapte. Ainsi, une nouvelle sorte de technologie a fait discrètement son apparition dans la planète mobile. Il s’agit du Trusted Execution Environment (environnement d’exécution de confiance, ou TEE). Penchons-nous quelques instants sur la définition de cette technologie. Quels en sont les mérites et les spécificités ? Le TEE est une technologie qui permet de garantir qu’un code d’application soit exécuté de manière sécurisé. Plus précisément, le TEE garantit que le code et les données d’une application ne soient pas modifiables ou lisibles par une application malveillante. Ainsi, l’intégrité et la confidentialité seront respectées pour une application, stockée dans le TEE. Cette technologie est définie par un organisme de normalisation nommé GlobalPlatform. Cette organisation regroupe des entreprises et industries provenant d’horizons différents, du fabriquant de composant pour téléphone, aux assembleurs de téléphone, en passant par les fournisseurs d’application bancaire ou les opérateurs téléphoniques. Les normes techniques du TEE décrivent donc les états possibles d’une application stockée dedans, le comportement en cas de détection de problème, les différentes librairies mises à disposition pour développer des applications. GlobalPlatform définit également des tests fonctionnels, permettant de démontrer une conformité fonctionnelle. Il existe également une méthodologie pour certifier la robustesse sécuritaire des produits embarquant cette technologie. Bref, le TEE est donc un objet technologique normé et certifiable.

Le TEE dans les téléphones, un mythe ? Non. Il a fait une discrète apparition dans les environnements de téléphone depuis quelques années, pour des fonctions internes au téléphone. Ainsi iOS mentionnait depuis quelques temps déjà une technologie appelée Secure Enclave, dont les vertus ressemblaient au TEE. Samsung indiquait que sa gamme de produit Knock dédiée dans un premier temps aux applications de production ou de gestion à distance de flotte de téléphone, reposait sur une technologie de type TEE. Récemment, c’est la plateforme android qui a clarifié l’usage de cette technologie. Ainsi, au début de l’année 2016, l’environnement android marshmallow met à disposition des développeurs un accès à la technologie TEE. Cette fonctionnalité est appelée Trusty TEE. Alors, en quoi consiste cette technologie ?

Trusty TEE, qu’est ce que c’est ? Tusty TEE, apparu dans Android 6.0  est une couche logicielle offrant les services d’un TEE. Trusty est composé de trois éléments : (1) un environnement d’exécution appelé le Trusty OS, (2) des librairies internes permettant d’accéder depuis le Trusty OS aux ressources linux, de manière sécurisée et de développer ainsi des applications sécurisées, et (3) une librairie permettant depuis l’environnement dit normal, d’accéder aux applications hébergées dans le Trusty OS. Il s’agit donc d’un environnement séparé du reste du téléphone, qui abritera des applications, dites sécurisées, pouvant être accédées par  des applications du monde normal, les traditionnelles applications android.

Quels sont les cas d’usage ? En théorie, un environnement d’exécution, privilégié, protégé contre les attaques logicielles comme l’est le TEE est très attractif pour protéger des applications sensibles. Plus exactement, puisque tout ne peut pas être exécuté dans un TEE, faute de ressource, on privilégiera d’utiliser le TEE pour l’exécution de fonctions sensibles. Par exemple, une comparaison de secret, une opération cryptographique comme la génération d’une signature, le stockage de secret, … La documentation d’android fournit une liste d’exemples pertinents, que sont les applications bancaires, les applications d’authentification, de DRM (oui, pardon..) …

Comment ça marche ? En pratique, pour le moment Trusty ne permet pas le développeur lambda de charger des applications sécurisées. Ceci reste le privilège du fabriquant de téléphone, au moment où il assemble les composants et intègre son code. Ainsi on pourra imaginer des applications permettant de gérer les empreintes digitales (capture, stockage et vérification) ou des applications bancaires pré-chargées. Pour utiliser des services sécurisés par l’environnement Trusty, il faut que chaque application soit déjà chargée dans l’environnement Trusty. Une fois chargée, l’application déclare les services qu’elle offre, grâce à une déclaration de nom (sous forme de domaine inversé, par exemple « com.mabanque.payment». Ce service est alors mis à disposition des applications dites normales, tournant sur l’environnement normal, dit non sécurisé.

Comment utiliser les services offerts dans Trusty (sinon, vous pouvez aussi lire la doc). Il existe une API Client et une API Serveur, qui permettent de mettre en relation une application sécurisée avec une application du monde dit non-sécurisé. A noter qu’il est également possible pour une application sécurisée de mettre ses services à disposition d’une autre application sécurisée. Voici en résumé comment tout cela se passe. Du côté de l’API Serveur, on déclare les ports grâce à port_create(), et on écoute l’arrivée d’événements grâce à une fonction wait(). Du côté de l’API Client, on ouvre une connexion avec un port connu par le biais de la méthode connect(), on se voit attribué un numéro de canal (dit channel). Une fois la connexion acceptée par l’application sécurisée offrant le fameux service, les applications peuvent échanger des messages en utilisant l’API Messenger pour transférer ses données, grâce aux fonctions send_msg() et get_msg().  Il n’existe pas de formatage particulier attendu pour le transfert de ces données puisque elles seront spécifiques aux applications. Néanmoins, au moment de l’ouverture du port et du chanel, on pourra spécifier si on souhaite une communication avec plusieurs buffers, et/ou de manière asynchrone.

En conclusion. La technologie permettant d’exécuter des morceaux de code de manière sécurisée, garantissant confidentialité et intégrité est en expansion. Preuve en est puisqu’elle se retrouve utilisable par des développeurs d’applications mobiles. On attend maintenant avec impatience les premiers services que les fabricants de téléphone mettront à disposition dans cet environnement Trusty.

Quelques références importantes. Oui.

Normes de TEE définies à GlobalPlatform :

Documentation Trusty

Note :

Picture by “Un savoisien à Paris” (


La #blockchain expliquée simplement, avec monsieur patate

Cette semaine j’étais à #shake16 – oui, je sais, j’en ai beaucoup parlé sur twitter et sur ce blog. J’étais invitée par les organisateurs Hervé et Jacques pour exposer les enjeux de la blockchain. Un exercice difficile puisque la blockchain: on a tous envie d’en parler, on en mange tous les jours dans nos revues de presse et activité de veille technologique, mais on ne possède pas forcément les clés pour comprendre son potentiel.

J’ai donc fait l’exercice de présenter les principes de la blockchain de manière très simple et accessible. Et il semblerait que l’atelier ait été apprecié !

Je partage donc avec vous le support. Evidemment il vous manquera les explications live, et mon habile jeu de jambes et de mains devant le public, mais les principes sont là. C’est par ici –>  Blockchain for all

S’il vous fallait retenir une seule chose sur la blockchain, ce serait le fait que c’est une technologie qui offre un moyen de modéliser et suivre n’importe quel type de transaction entre deux personnes (ou robots). Et que l’ensemble de ces transactions constitue une chaine, publiée, transparente, distribuée, construite collaborativement.Et ça, c’est le début d’une révolution…

En espérant que ce support vous aidera à engager votre reflexion sur les possibles de la blockchain  🙂

# une chaine de bisous sur vous !



W3C Advisory Board : job description !

ab job goup

W3C Advisory Board. What is the job, in the end ?
Well, being an advisor is about advising. The structure of W3C is a “benevolent” dictatorship. The director, Tim Berners-Lee takes any final decision,  taking advice from W3C team (73 people including 13 managers, 1 CEO) and from the W3C AB. It happens that the CEO, Jeff Jaffe, is also chairing the W3C AB, which makes the W3C AB advice landing in the right place.

In the last two years. As an elected W3C AB member, I had the pleasure to work in team on a large range of exciting topics.
– Organizing the conversation with members during the membership meeting, by setting up agenda, making sure important questions are echoed in the AB conversations,
– Helping with formal objection (with more then 400 members, unanimity is scarce) on accessibility strategy, content protection (aka EME, aka smells like DRM but is not DRM), creation of new group on hardware security…
– Process improvement, while the work is handled publicly by the W3C Process CG, AB supports it,
– HTML5 next steps, new features and WHATWG relations,
– New election voting rules with transferable vote (instead of voting for 5 people, you rank them, from your favorite to the less appealing and the magic helps to better balance the bias of champions, see @chaals from Yandex, for long beer conversations about it),
– Improving specification maintenance and good practice for creating new work in w3c (make sure W3C resources are well used for appropriate topics),
– Thinking about merging International Digital Publishing Forum and W3C for the sake of the EPUB format (see today’s announcement),
– Improving security W3C strategy, by supporting a clear security roadmap, with high visibility,
– Chair and editors community maintenance, making sure they get trained and heard, benefiting from modern tooling (aka Github for all, when possible),
– Synchronization with the W3C Technical Architecture Group (such fruitful conversations with the real architects of the web).

People knowing guessed that I put some special efforts on the security, consistency and community aspects. I think that the team progressed well and won, during the two years, ears from the W3C director, and positive feedback from the membership. I enjoyed it. And I believe I have influenced in a fair and objective way AB discussions, helping keeping good spirit and direction in the AB. That is the reason why I am jumping again in this W3C AB election. To get a seat and help the web 🙂

Another W3C Advisory Board mandate ? yes, sure !


Here we are. After 2 years enjoying W3C Advisory Board discussions, it is now time to renew or not my seat. And I have decided to follow up on that experience. Dealing with such fantastic topics as W3C governance, priority and conflict resolution was a super experience. I enjoyed sharing with other team members, suggesting directions and finding what would be best for members and the open web platform. And I think we did well with the AB members in the last years…

The ballot is open, there are 6 candidates, for 5 seats. And votes are made by each of the 410 members of W3. The other candidates for that election are Tantek Çelik (Mozilla), Daniel Glazman (Disruptive Innovations), Jay  Kishigami (NTT), David Singer (Apple), Léonie Watson (The Paciello Group). Nominations can be read here

Oh ! And if you support my presence in the W3C Advisory Board, don’t hesitate to tell your W3C representative !



Tech, Web and Society in W3C

Blowball II - M.C. Escher

It has been several years I have been involved in W3C.The ten thousands of hours of discussions I had with some of my W3C colleagues, mates, folks, peers, were deadly interesting. We were covering the technical web, but all the stuff coming with it. The web and the society. The technology as a tool, that anyone can handle and use, following its own rules, follow its own goal. We discussed about the reliable and equal web. But. What does it mean to maintain a reliable web, for all ? What does it mean when a group of people decides to develop technologies to break it ? What does it mean to break the web ? You know, all those questions that do not directly fall in the basket of W3C – after all, it is only a technical standardization body ! Since one year, I was convinced that this was  a missing dimension in W3C. And something happened. Slowly by slowly, this idea came on the table. Why not creating a place for the W3C members to exchange on the potential impact of the technology developed in W3C ? Why not keeping an eye on the way the web is used today, and debate on the potential impact on policies ?

The Advisory Board and the W3C team have been working on the creation of the Technology & Policy Interest Group. A group which will be open to W3C members, a group which will gather state of the art on topics such as deep linking (or can we forbid to reference a resource), DMCA-like challenges (or how to allow researcher to stay on the legal side, while researching on the web, and thus potentially hacking it) and Surveillance (you know, government and companies monitoring all and everything). And this is, as a starter. The Tech & Pol  Interest Group, chaired by Jean François Abramatic, ex W3C CEO, will work in a W3C-member-only mode and will deliver some Analysis. Analysis is a new format, to avoid saying the group will deliver Note or normative Recommendation. First, those Analysis may be only a collection of problem, a list of solutions, and it will be up to the directors, with members consultation to do something from that.

That Interest Group is a fantastic chance to have a place to discuss those important topics, to have the craftsmen and craftswomen of the web, exchanging on technology impact, all together, and potentially raising the question on which type of web we want for all.

The creation of the Interest Group depends on the support it will gain in the W3C membership, and on the number of objection its review will collect. So, if you think this group is a good idea, and if your company is W3C member, I can only encourage you to ping your AC rep and tell him/her what you think…


Illustration: Blowball II – M.C. Escher



Ladies, go for cool networking !


In the series of actions I find key for addressing my constant wish to learn and have a rich professional life, I have been trying to keep an always ongoing activity which is about “meeting humans”. Working in tech is great, being productive is great, but having a drink with smart people is even cooler. And, going further, having a passionate discussion with someone you don’t know yet, sharing vision and skills, is gold. Among other additional things, I am encouraging women to do so, because this is a smooth way to learn a lot.

It has been several years that I am now canvassing locally, entering different networks, keeping contacts, attending after work sessions. This is not only because I have decided to test my resistance to alcohol. This is because I believe the people I meet there, help me to grow up and they can benefit from my own experience.

So what do I mean by cool networking ? I am not talking about networking for selling product and services. I am talking about something that would happen in addition to your normal work. A networking where your income does not rely on. A networking where you do not expect anything – yet, except enjoying sharing. This is what I call “cool networking”. There are different criteria that I have experienced, that do work quite well for that expectation.

Spirit. I have decided to invest my time in networks which I have respect for and no fear. I mean, leveraging values I appreciate, because there is nothing like having a conversation with people with whom you have some common important values. My criteria are collaborative, openness, and direct talks. You might have yours, this is just an example.

Location. Taking care of a network means being there, not just *thinking* about it. And to be pragmatic, for cost and time reasons, you should go local. Meetup, association, forum, specific events. Try all of these. And if there is no network around you, just create it ! There are always means to identify people in your location that seems to be creative and dynamic (I use Twitter a lot for that). Find them and just get  organized !

Freedom. Entering a tribe is good if you don’t have to report every other morning why you were not here at the last meeting, and why is that you did not prepare a tomato tart for the recent joint dinner. Cool networking – as I suggest to maintain – is about being comfortable with others, and not being judged. So participating whenever I can, and just keeping track of the community remotely when I really can’t be there is what I call cool networking.

Gap. I want to meet people from whom I can learn something. Meeting people with the same-job-same-age-same-book-reading would be interesting, but not enough maybe that I spend an evening with this tribe rather then being with my friends and family.

In the end, my top list of tribes I belong to at the moment are Girls In Tech Marseille and #LittleFrenchTech, I am also ‘god-mothering’ for girls belonging to Duchess France, as I think it is a cool idea. All of this is taking few evening a month, but it is worth doing, as I met some fantastic people around it. Some are friends, now, some can help me in my job, some others I help … This has definitely enriched my social life.

It’s your turn now to experience cool networking and see how it goes…


Web developers, you want to use Web Crypto ? let the world know !

Dear web developer, web technologist, web curious,
If you have a plan. And if you your plan is about integrating more security in your web development. And if you have been expecting an interoperable library in browsers for managing secret keys, ciphering your users sensitive data, signing a set of data.
This is your time ! This is the time for you to speak loud. 
The W3C standardization work is in the last miles – despite our Cartesian principles, we all know those are usually the longest.
What do we have up to now ? We have :
But we are still missing :
  • some bug review and resolutions on the implementer’s side,
  • Some decision making to clarify bug features in the specification,
  • Some complete set of tests.
So, if you want to have a chance to play with RSA or AES in your web app one day, and if you already have some pending development or experiment, just let us know.
Help to demonstrate some traction from the web developers community. This will definitely motivate browser makers to maintain their efforts on the development and maintenance of the W3C Web Crypto API.
Please, send reference to your projects, crypto wish list, or offer to support the WG operations to the W3C Web Crypto WG public mailing
The open web platform will definitely need you !

Girls, promote your success


Dolores peacock costume


Few months ago I wrote some thoughts I felt important to share with girls in tech. It was about killing usual culture, that refrains some girls (but also boys), from being free and natural at work, like feeling miserable or sorry for no reason. I now realize that part of girls (and boys) success in tech, is also about promoting correctly their achievement, realization, contribution. This may be a general worker problem, not a gender problem, but it seems to me that girls tend to forget more that special part of our job : promoting our success. This stroke me when I heard a colleague of mine commenting after a presentation I gave on a successful project ‘Well, Virginie, wonderful, that was clear and understandable, as usual, thanks you so much’. I did not have the feeling that I was outstanding, I just made my job. But I just got from that remark that promoting my work was beneficial for me and for the project. But the key is to do it efficiently.

What does it mean to promote efficiently ? It means building a message, adapted to your audience. A message, that will not get them lost, and overload them with inappropriate details. Of course it depends on the context, audience, and topic. Working on technology innovation scouting, meeting lots of people and companies and having to report different aspects, from market to strategy and technology, I had to think about my own classification on what to say to whom, and when. That classification might not be universal, but you can get the principles, depending on the context. Here it is.

But first. Never ever. Whatever is the situation, never ever get into the direction of sexist joke and naked girls (or boys), footbalistic analogy, Apple and Google systematic reference. This is forbidden – if your plan is to stay credible. While this may be the easiest way to have people with you, this is simplistic. And by avoiding reproducing that simplistic view of the world, you do not really miss anything, you just show you worth more then that.

Jump on opportunities. You meet the right person in the corridor, you need her or his advice, don’t miss it. Target one sentence and one smile. That is teasing time. You’ll have to say what is stake, which solution you believe you should go and make your request. Then smile and be silent to get an answer. Note for weird people : I am not talking about hot seduction attitude here, but just staying tuned, kindly.

The people agreed to meet you and you have time. It’s serious stuff, here, you are consuming time from some people. They have to know why you are here, what you are talking about. And to do so, I recommend to stay high level, talk strategy, express the key notions, expose the frictions, list the market actors and suggest solutions. And, because, you need to keep them happy with you, you can make jokes (aka, be relax and smart, alright, not making bad bar jokes). You must keep some time for concluding, making sure everyone agrees on the solution (action plan, next steps, …). That is normal communication rule. But (and that is the key point). During all this interaction. You should say ‘we’, when it was a team work and say ‘I’, when it was your own work. Don’t dilute your contribution, be transparent-cristal-clear about it. That is key to value your work.

You are on stage, in a conference. You may not have anything to learn from me if you already made the decision to be on stage. The only recommendation I would give is : build your talk like a story. You need a ‘fil rouge’, you need little anecdotes, you need surprise (taddaaaaaa, here is my program, wouaou, here is my design…). For the others. And if you are just thinking about applying for a conference talk, I would say that you should not hesitate anymore. Conferences are key event to force you to be synthetic and clear. This will give positive visibility to your project. And conference organizer will make their best to help you to be good on stage (it is their interest). Finally, you will be able to re-use your talk elsewhere. You just need to find the right conference, with the right audience.

You need to talk about your work, but... I know you want everyone to know that while going go from SuperProduct v1.3 to HyperProduct v1.4, you made some choices, you managed some shit, you were about to be killed by 2 engineers, and had to dance with your enemy, but… lets admit that, sharing those details in a decision meeting, or while reporting about your project success will not help you. You are professional, you are managing correctly your tasks and making decisions. That is why you are getting paid. But the good news is that you will have to leave evidence of your work. Digital archive, for voluntary and curious colleagues, or to have it somewhere for later reference. In this archive, you can play with all the secret details of your work. You can use your every days professional life vocabulary and habits. Acronyms, architecture, references to geek literature, bugs number, product version, test suite, clickable urls, little stories of your battles, multi-bullet points slides, matrix (with titles), text with different policies for super cool effects, resource planning, exhaustive list of participants, detailed figures… And this is the only place where you should play that game of entering into the boring details. Right ? Unless someone weird ask you detailed questions about it…

My 2 cents, hoping it will make you going out and showing your technical work to the world…