Jonathan Brossard
Academic

French computer scientist

Nationality: France

Jonathan Brossard, also known as endrazine, is a French hacker, engineer and Professor of computer science at the Conservatoire National des Arts et Métiers. He is best known as a pioneer in firmware cybersecurity, having presented the first public example of a hardware backdoor. The MIT Technology Review called it "undetectable and uncurable". He has presented several times at conferences such as DEF CON and Black Hat as the Director of Security at Salesforce.

Career

Jonathan Brossard, known by the handle endrazine, is a French hacker and engineer who holds a professorship in computer science at the Conservatoire National des Arts et Métiers. He has built a career spanning academic instruction, corporate security leadership, and independent security research, serving as Director of Security at Salesforce. His work has been presented repeatedly at leading industry conferences including DEF CON, Black Hat, and USENIX.

Research

Brossard's research career in public security disclosure began in 2008, when he presented the first known public vulnerability affecting Microsoft BitLocker full disk encryption software at DEF CON. His generic exploit extended to other full disk encryption products, including TrueCrypt, as well as Intel BIOS firmware.

In 2012, he presented what became his most widely recognized work: a proof-of-concept BIOS and PCI firmware malware named Rakshasa, demonstrated at both DEF CON and Black Hat. Rakshasa is considered the first known example of a permanent hardware backdoor, achieved by embedding a bootkit within firmware from either the BIOS or network interface cards. MIT Technology Review characterized the attack as "undetectable and uncurable."

In 2015, Brossard and the Salesforce security team presented at Black Hat the first public attacks against Microsoft Edge and the Windows 10 operating system, demonstrating credential theft over the internet via a Server Message Block vulnerability. The same vulnerability was subsequently found to affect Google Chrome as well.

Brossard is the primary author of the Witchcraft Compiler Collection, a reverse engineering framework that enables the transformation of ELF binaries into shared libraries. The framework has been presented at DEF CON, Black Hat, and USENIX, and is available in Linux distributions including Debian, Ubuntu, and Kali Linux.

Media and Industry Consulting

Brossard has served as a security expert for major media outlets on topics including the XKeyscore surveillance program disclosed by Edward Snowden, mass surveillance initiatives, and the alleged NSA interception of French President Nicolas Sarkozy's emails. He was also among the early voices warning the industry about car hacking, doing so as early as 2012.

In 2014, Brossard served as the principal cybersecurity consultant for Ubisoft's Watch Dogs, presenting the game to an international press audience in Chicago, with coverage spanning Australia, Germany, France, and Spain. He reprised this role in 2016 as lead consultant for Watch Dogs 2.

Hacking Culture and Community

In 2012, Brossard joined fellow researchers Chris Valasek, Matt Suiche, and Jon Oberheide in submitting a computer-generated bogus article about Nmap to Hakin9 security magazine, as a protest against the publication's persistent unsolicited outreach to prominent researchers. The stunt drew praise within the hacker community. Hakin9's response — which included legal threats directed at Nmap author Gordon Lyon — was widely condemned and earned the Pwnie Award for Most Epic Fail in 2013.

Brossard is co-founder of the international cybersecurity conferences Hackito Ergo Sum and NoSuchCon. He also serves on the review boards of Shakacon (Honolulu, USA) and Nullcon (Goa, India).
