He is especially popular on Twitter where his account @fs0c131y is followed by more than 240,000 followers. Baptiste Robert, expert in cybercrime and OSINT (Open Source Intelligence), open source intelligence presents itself as an “ethical hacker”. A veritable Robin Hood of data, which gives back to the most disadvantaged digitally, their rights. “The most rewarding thing for me today is to have an impact on people’s lives, for example by restoring confidentiality to leaked personal data”.
The 30-year-old from Toulouse, who cut his teeth during the “yellow vests” crisis, became famous by spotting security breaches, mainly on French, Indian and American government sites and mobile apps. Today at the head of Predicta Lab, his own company specializing in digital tools to facilitate open source intelligence, he continues to distill his advice online in all benevolence, in particular concerning the war in Ukraine and the mass of information available on social networks.
To begin with, what is an “ethical hacker”?
You know the series mr robot ? It’s the story of a hacker, Elliot Alderson, who is psychotic and paranoid; he’s trying to bring down the biggest bank in the world. What purpose ? That of giving money back to people. That’s exactly what I wanted to do when I “rebranded” my Twitter account in 2017: if Elliot Alderson existed in real life, how would he tweet? On what issues? I wanted to embody an impertinent character, who breaks the rules (since he’s a hacker) and who at the same time wants to do good, all sprinkled with a good touch of ethics. This is my common thread and I always try to stick to it, to honor this “ethical hacker” costume.
I do cybersecurity for people: when I find a security breach, my interest is, for example, to restore the confidentiality of personal data that has leaked. I like the technical side and the complexity of the details, but these are not my driving forces. The most rewarding for me today is to have an impact on people’s lives. There is a real benevolent approach to say to companies, companies, governments or others: “I have found a security breach, I come to help you without problem and without compensation, to improve your security”. I’m not here to hack you, to extort money from you, I’m not interested. I will make sure that the product you created, which has some issues, can become better if we fix it together.
When did you start donning this “ethical hacker” costume?
In 2017, like any technician, any developer, I had the idea of a side project in addition to the “work of the day”. To grasp it, I dug up my Twitter account which I cleaned up, I changed the photo and @fs0c131y was born. This nickname is the name of the group of hackers in the series mr robot, who inspired me a lot to create this activity. It also features a nod to L33T writing, a tradition among hackers.
My side project at the time was to understand what was on my One Plus laptop, if it had any security flaws. I found some information and posted it on my account in November 2017. It went very quickly and very hard, with in particular the discovery of security flaws in the Indian Prime Minister’s mobile application in early 2018.
What is your background ?
I am a graduate of ENSEEIHT, I am a telecom and network engineer but I have never exercised this profession. When I left school, I did mobile app development at Intel, where I learned a lot of things for almost three years, which allowed me to know the innards of the operating system relatively well. Android. Then I specialized in Android customization, I was a developer and I made clean versions of Android. Then I worked for a telephone company, Doro, which makes devices for the elderly, sold in supermarkets, in Fnac… Then, I slipped into cybersecurity, where I worked in the search for vulnerabilities and misinformation, particularly during the “yellow vests” crisis. For Twitter, it’s an opportunity: I saw light, I walked in, and it quickly took off.
Why did you create Predicta Lab in March 2020?
I have done several analyzes on the movement of “yellow vests”. Wearing my “ethical hacker” hat, I tried to shake up the status quo and find new, transgressive ways to attack a problem in a different way. For the “yellow vests” for example, while discussing on Twitter with my international community specialized in cybersecurity, I realized that foreigners had a really biased perception: it was a mess of course, but it was not war. . So I asked the question: is there an attempt to manipulate the perception of the “yellow vests” movement? A very specific question. And then: What data will I be able to capture and then analyze to check for attempted manipulation? If so, who is behind it?
Following this analysis work, which was moreover widely reported in the press, I discussed with the government information service (the SIG) to try to understand how it proceeded. However, their technique proved ineffective: by ordering three studies from three start-ups on the same subject, he obtained different conclusions, with data collected that were not identical. In short, he was unable to foresee the movement and during the demonstrations, he passed through the radars. Not to mention the money spent.
So I thought about a solution capable of automatically extracting information on all sites for everyone. I had already done Osint, but on the sidelines. I found that the open source intelligence community is mostly a user of the available tools but not a creator. I knew we could do better and faster. Logically, I created Predicta Lab and I now manage eight people.
How to come to “audit” the application of the Indian Prime Minister?
Back in 2017, my rule of thumb was, “I’m going to audit a site or app if I have four or five people messaging me on Twitter about it.” This was the case for the application of the Indian Prime Minister. I found security flaws there and it went very high: I was in direct contact with the Prime Minister’s Office and my name was mentioned before the Indian Parliament. The government of India, following my visit, launched a campaign to secure its sites and apps. Some of them have been closed or updated. The repercussions have been concrete in the country.
On the war in Ukraine, what advice do you give?
I urge you to be especially careful and think carefully before releasing open source information about this war. We must not trivialize a conflict where people are killed, where the information communicated can be used for evil purposes.
The war in Ukraine today is an opportunity for many journalists and, in fact, for a growing part of the French population, to discover what Osint is. Many Twitter accounts post photos or videos, try to find the location of these media and get into geopolitics. There is a significant amount of content created from open sources. However, this growing interest in Osint also has a darker side: what do we do with intelligence, this vital information communicated to everyone? Behind this publication, what will be the consequences on people’s lives? In this context, we are talking about a conflict with civilian and military populations. Locating Ukrainian troops, passing cars, civilians, okay, but who uses these publications?
How to get started in Osint?
It is a discipline that requires a lot of time. You have to hang on, try, test, experiment, have a lot of method, discuss with others, communicate your ideas. By definition, OSINT is collaborative.
You also have to be inventive and creative about how to retrieve information, pay attention to details: who, what, what, how? The results are not necessarily there from the start, but do not hesitate to discuss with the communities, and even with the “influencers of the field”, those people who have a large audience on social networks. To improve in skills, you have to persevere. This is not an area where there is necessarily a return right away. But there is room for everyone, do not hesitate to get started.