ISIS proportionally counts more women than the tech industry

A few days ago, Wikipedia founder Jimmy Wales told CNBC that the proportion of women working in technology is “disastrous” for the sector.

According to a recent article in CNET by Roger Cheng, the share of women in technical positions at large tech companies ranges between 10% and 20%:


And as extracted from Paul Ford’s “What is Code?”, based on demographics taken from Stack Overflow’s 2015 developer survey, women account for less than 6%.


In 2014, the French outlet France Info pointed out that 25% of the people who left France for ISIS were women. Back in January, Le Monde mentioned that women represented between 10% and 20% of the Western fighters. More recently, in April 2015, Le Figaro reported that, among the alert calls received from families in March 2015, 52% concerned women leaving for ISIS, against 45% in the past.

A few weeks ago, the International Center for the Study of Radicalization published a report entitled “‘Till Martyrdom Do Us Part’ – Gender and the ISIS Phenomenon” by Erin Marie Saltman & Melanie Smith that focuses on the demographics of the ISIS fighters. AFP compiled the following infographics out of the report:


Yes, it’s that bad.

From 2007 to 2015, a cyberwarfare tale on nuclear matters to “prevent” WW III.

In March 2014, Le Monde journalists Martin Untersinger and Jacques Follorou released an article providing documents from the Communications Security Establishment Canada (CSEC) accusing France of cyber-attacks against Iran between November 2009 and 2010, including against the Atomic Energy Organization of Iran (AEOI).

In July 2012, two years after the first discovery of Stuxnet, Meghan Kelly wrote for VentureBeat that an Iranian AEOI scientist had sent an SOS e-mail to F-Secure Chief Research Officer Mikko Hypponen, saying the AEOI was under a cyber attack. In his e-mail, the scientist explained that the malware had shut down the AEOI's automation networks at the Natanz and Fordo facilities. As a reminder, Stuxnet is believed to be a joint project between the U.S. and Israel, as covered by David Sanger for the New York Times back in June 2012.

In conclusion, those events provide additional context on the political alignment between the U.S. and France on the current talks over Iran.

Last week again, during his polemical intervention, Bibi raised his “concerns” on Iranian nuclear capabilities and urged Congress to “act quickly” because “time is running out”. As Jon Stewart and the Intercept recently reminded us, Bibi made a strangely similar claim in front of Congress 19 years ago. On top of the Israeli concerns about Iranian nuclear capabilities, there is the 2007 Israeli airstrike during the night of the 5th September targeting Syria’s Al Kibar nuclear reactor, as covered by Erich Follath and Holger Stark for Der Spiegel in November 2009. This was also one of the first notable cyber-attacks belonging to the “War on Fear” era, as initially covered by David Fulghum for Aviation Week in November 2007. Pierre Razoux, Head of Research at NATO, provided a detailed analysis of the raid, mentioning that the North Korean-supplied nuclear components were among the targets of the airstrike.
An airstrike where the U.S. denied any involvement:

There was no U.S. active engagement other than consulting on potential target vulnerabilities, says a U.S. electronic warfare specialist.

The recent discoveries of BABAR, EVILBUNNY and CASPER are putting the French General Directorate for External Security (DGSE) in the spotlight as a nation-state cyber-attacker, due to the allegation from CSEC. Although BABAR (allegedly French malware) and STUXNET (allegedly U.S.-Israeli malware) seem to share the same political goal, the motives behind CASPER, which was discovered in April 2014 on the Syrian Judicial Private Investigation Commission website, still remain unclear.

This translates as three different alleged main actors who have targeted Iran and Syria on nuclear matters since 2007. The third and most recent potential actor (France) is not so surprising if you remember what the relationship between France and Iran was in late 2009. On 25 September 2009, David Sanger and William J. Broad wrote an article for the NYT explaining that the U.S. and France were “warning” Iran over “Nuclear Deception”, where we can read the following:

President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands, and Mr. Brown said, “The international community has no choice today but to draw a line in the sand.”

WMI Query :: “SELECT * FROM AntiVirusProduct”



One of the techniques shared across BABAR, EVILBUNNY, and CASPER, as highlighted by Marion Marschalek and Paul Rascagneres, is the ability to retrieve antivirus information by using the following WMI query: “SELECT * FROM AntiVirusProduct”. It is a very simplistic trick, as you can see in the above screenshot, but one which only publicly appeared during 2008. The first occurrence of the above WMI query is from May 2008, in a blog post by a Microsoft employee, Alejandro Campos Magencio, who first provided a proof of concept (POC) VB script. A second occurrence appeared a few months later on a French online forum called “Comment Ca Marche” (How Does It Work, an online collaborative website like StackOverflow), posted by a user operating under the nickname cs_omnia and authored by Hanteville Nicolas on the 12th September 2008. This time, the POC appeared as a C++ implementation, providing enough information on using the Win32 WMI APIs to make it the first publicly usable C++ implementation. If the authors are the French government, as the CSEC suggests, this suggests that the authors heard of this trick from this French collaborative forum.
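Because the query is a fixed, readable string, a defender can look for it when triaging a binary or memory dump. The sketch below is an added example, not code from the original post or from the researchers cited: it pulls ASCII and UTF-16LE strings out of a buffer and flags the WQL query and the `root\SecurityCenter` / `root\SecurityCenter2` namespaces that host the class. The names `scan`, `Hit` and `SAMPLE` are hypothetical, and the sample buffer is constructed for illustration.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int    # byte offset of the match inside the buffer
    encoding: str  # "ascii" or "utf-16le"
    text: str      # matched query or namespace string


# Printable runs of 8+ characters, the same idea as the `strings` utility.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# WQL is case-insensitive and the column list varies, so match loosely.
INDICATORS = re.compile(
    r"select\s+\S.{0,80}?\s+from\s+AntiVirusProduct\b"
    r"|root\\+SecurityCenter2?\b",
    re.IGNORECASE,
)


def scan(buf: bytes) -> List[Hit]:
    """Return every AntiVirusProduct query or namespace string in buf."""
    hits = []
    for run_re, enc, width in ((ASCII_RUN, "ascii", 1), (WIDE_RUN, "utf-16le", 2)):
        for run in run_re.finditer(buf):
            text = run.group().decode(enc)
            for m in INDICATORS.finditer(text):
                hits.append(Hit(run.start() + m.start() * width, enc, m.group()))
    return sorted(hits)


# Constructed sample: stand-in for a binary's string data, not a real file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + "SELECT * FROM AntiVirusProduct".encode("utf-16le") + b"\x00\x00"
    + b"\x8b\xff\x90" + b"ROOT\\SecurityCenter2\x00"
    + b"\xcc\xcc" + b"select displayName from antivirusproduct\x00"
    + b"SELECT * FROM Win32_Process\x00"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"0x{hit.offset:04x} {hit.encoding:8} {hit.text}")
```

A clean result does not prove absence: a string that is stored encrypted or assembled at runtime will not show up in a static scan like this.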


Those recent events demonstrate the alignment between the Five Eyes, Israel and France regarding Iran, Syria and North Korea on nuclear matters, and this goes without mentioning the rise of Daesh (ISIS) cells from Syria & Iraq in Europe.

Cyber-attack attribution is known to be difficult and controversial, and there is still a possibility that the CSEC attribution to the French government may be erroneous. But as @thegrugq, an operational security expert, would ironically say:

After extensive research of the most likely suspect, it turns out over 5 million Chinese speak French! There are 1.3Bn Chinese, so 5/1,300 malware samples are expected to be in French – The Grugq


| Date | Description |
| --- | --- |
| 1996 | Bibi’s first speech to Congress on the Iranian nuclear plan concerns. |
| 6 Sept 2007 | Israeli airstrike on Syrian nuclear plant (with nuclear components supplied by North Korea). |
| 12 May 2008 | Microsoft employee Alejandro Campos Magencio posted a trick to retrieve antivirus information using WMI on a Microsoft MSDN blog. |
| 12 Sept 2008 | French developer cs_omnia published the first public C++ implementation of the WMI “SELECT * FROM AntiVirusProduct” trick, authored by Hanteville Nicolas, on “Comment ca marche”. |
| Sept 2009 | President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands. |
| Nov 2009 | Allegedly French malware BABAR (SNOWBALL) discovered by CSEC. |
| Nov 2009 | “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor” published by Der Spiegel. |
| Mid-2010 | Allegedly French malware SNOWMAN (improved version of SNOWBALL) discovered by CSEC. |
| 2010-2011 | STUXNET, DUQU, and FLAME were all spotted in Iran and were mainly targeting Iranian nuclear interests. |
| 2011 | CSEC internally issues the “SNOWGLOBE: From Discovery to Attribution” report. |
| 25 Oct 2011 | EVILBUNNY compile time, as highlighted by Marion Marschalek. |
| 1 Jun 2012 | An article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called “Operation Olympic Games”, started under President George W. Bush and expanded under President Barack Obama. |
| 24 Jul 2012 | An article by Meghan Kelly from VentureBeat reported how the Atomic Energy Organization of Iran e-mailed F-Secure’s chief research officer Mikko Hyppönen to report a new instance of malware. |
| 21 Mar 2014 | Le Monde released initial partial documents on SNOWGLOBE. |
| 7 Apr 2014 | CASPER XML configuration file timestamp. |
| 28 Apr 2014 | Vyacheslav Zakorzhevsky (Kaspersky) observed that the website “” was hosting two Flash zero-day exploits. |
| 2 Sept 2014 | Syrian Judicial Private Investigation Commission website defaced by anti-Iranian hackers. |
| 17 Jan 2015 | Der Spiegel released complete documents on SNOWGLOBE in “The Digital Arms Race: NSA Preps America for Future Battle”. |
| 18 Feb 2015 | Common patterns between EVILBUNNY and BABAR identified by Paul Rascagneres and Marion Marschalek. |
| 5 Mar 2015 | Common patterns identified between BABAR, BUNNY and CASPER. |

EDIT1 (7th April 2015):

SwishDbgExt goes open-source.

As the world is shaking because North Korea is intimidating American public companies with “the most sophisticated” cyber-attacks ever seen, I figured it would be good timing to support intelligence agencies by open-sourcing my Windows Debugging Extension designed for Digital Forensics and Incident Response.

Also, I unfortunately lack the time to support that extension, but I am sure open-sourcing it may result in interesting development from the community. I apologize in advance: I wrote that extension in 1-2 months, so don’t expect it to be perfectly designed or written :-)

Happy Holidays !

Feature requests for international mobile users

Here is a short-list of missing features for international mobile users. Feel free to contact me on @msuiche or over e-mail if there is any feature you think is missing but more necessary than changing the colors of your icons at every release.

1. Smart address book
There is no reason your contact book should not allow you to automatically sort your contacts per country using the country code prefix, or per city or region using the prefix following the country code.
Moreover, map-based browsing would be more intuitive for users, as in the illustrative screenshot below.

It should also timestamp your contacts to provide a better triage mechanism based on time / day / month / year.

2. Smart international keyboard
There is no reason a messaging application could not remember which keyboard layout I use for different contacts. If you message different people using multiple languages, your app should at least remember your preferred keyboard layout per contact.

3. The end of the single number identity
There is no reason applications should tie your identity to a single number. Applications such as messaging applications (WhatsApp, etc.), food delivery applications, or even car booking applications (Uber, etc.) only allow their users to have one single number. Users should have the ability to have multiple verified numbers; people who travel usually have one number per country.