Open Source Security

Security Week published my latest opinion piece about Developing Below the Security Poverty Line. I love the visceral impact of Wendy Nather’s phrase “security poverty line”. I wish we were all above the poverty line, using effective SDLC processes, but it sadly isn’t the case yet as the Black Duck survey vividly shows.

David Wheeler and I promoted the CII Best Practices Badge on FLOSS Weekly with Randal Schwartz and Guillermo Amaral. It was a fun show to do despite my aversion to video. And by the end of the day, we already had an issue posted by someone who watched the show, so it is definitely reaching the right audience. I’ve been a fan of FLOSS Weekly since I first heard about OpenROV on the show.

Gunnar interviewed Dr. David A. Wheeler and me about the CII Best Practices Badge program for an episode of The Dave and Gunnar Show called “Badge of Open Source Honor”. With a little editing, it even turned into something that I can listen to without cringing. 🙂 Thanks, Gunnar!

The show ended before we could shout out to Dan Kohn and Samir Khakimov to give them the props that they deserve.

SecurityWeek just published my latest article “No Exit: The Case for Moving Security Information Front and Center”. “No Exit” is a reference to Sartre’s existential play where three people wind up locked in a room together for eternity, driving each other crazy. They are in hell. They represent developers, QA, and security people for the purposes of this article (or three random devops guys, your choice).

After I wrote this, I read Josh Bressers’ take on the state of cybersecurity education and I think he makes a great point that we really need someone to study why we are failing so badly.

At some level, we haven’t solved the (unsolvable) problem of physical security either and I think that the analogy between cybersecurity issues and physical security issues is not the worst. As a society, we need to decide the level of acceptable loss and then set our spending to correspond to the level of security that we can live with. I just hope that it is a little better than we are currently doing.

P.S. For the record, I am a member of OWASP and a huge fan of the work they have done.

Security Week has published an article that I wrote called “Establishing Correspondence Between an Application and its Source Code; How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure”. I would love to see this concept come to fruition. IBM Research has had a long-term vision for enabling this type of integrity, and years after I first heard about it, it still astounds me how far ahead of their time they were and how durable their vision has been. The Debian Reproducible Builds project likewise amazes me because the leaders fearlessly took on a huge mountain of work and are making it happen. The glue piece is still missing. Someone will need to stand up and be willing to sign the file hashes with a recognizable and valuable key, but we are inching closer to having the technology to ensure the integrity of the delivery chain between code and executable process. Yeah, yeah, yeah, there is still the problem of trusting the compiler and realistically being able to audit the source code, but solutions to the former problem have been posited and tools and techniques exist to deal with the latter (if you care enough to do it). We are inching closer.

Uber pulled out of Corpus Christi, Texas a couple of weeks ago. They are threatening to pull out of Austin if the vote in May goes against them. Venture capitalists are saying that Austin’s city council is “too hostile” and anti-tech because of the desire to regulate tech-enhanced old business the way that traditional old business is regulated. If you somehow haven’t heard, the debate in Austin (and elsewhere) is about whether security practices around hiring Uber/Lyft drivers should be the same as security practices around hiring taxi drivers. Effectively, Uber and Lyft are using their market clout to weaken security practices around only their own taxi services. Whenever cities don’t go along, they pull out and let the resulting market backlash force the city governments into weakening security. To do anything else is “anti-tech”.

This is a sad, sad state of affairs because it reveals the essence of why Internet security sucks. If you believe that continuing to require fingerprinting of drivers is “anti-tech”, then it follows that parts of the tech industry view even minor investments in security processes as “anti-tech”. At the very moment when security people are saying that Uber and Lyft should “build security in”, they are using their market clout to get security out claiming that the traditional security practices are too expensive.

The Uber driver mass shooter made all the news, but it wasn’t until then that I saw the reports of at least three Uber drivers raping their young female passengers, and the reality is that there have been many, many incidents. This is not an academic issue, this is not a matter of the pain of recovering from identity theft, this is a matter of violent personal crime. If it is “anti-tech” to continue to require the simple security protocols of the pertinent industry, then I wonder whether the tech industry will ever have the will to solve the greater security problems. At the risk of touching the third rail, and with full awareness that not all women agree with me on this issue, I will say that if ever there were an issue which shows the damning effects of insufficient diversity in the tech industry, then this is that issue.

It should go without saying, but of course someone will mention it if I don’t: no one security control will solve all security problems, and that is certainly as true of fingerprint-based background checks as of any other security control. I am not claiming that none of the Uber/Lyft security incidents would have happened if fingerprint-based background checks were in use. I am arguing that rolling back the security protocols of the taxi industry is ill-considered.

As a mother of young daughters and as an advocate for security in the tech industry, I hope that we will not continue to follow the path of convenience at all cost.

P.S. Since this is a more political and contentious issue than most, I will remind you that, as always on my personal blog, opinions expressed are my own.

I wrote a blog post for Linux.com on how to approach dynamic analysis of large projects. The tldr is to use afl if you can. If you can’t, then you will probably have to write your own tools.

After a lengthy hiatus during which I focused on building secure things on top of open source and with open source rather than on building actual open source, I’m back to focusing on open source security in my day job. I hope that will give me more time to focus on things that I would be willing to discuss here, on my blog. I also hope that I will be able to discipline myself and focus on technical topics, such as my most popular and wildly outdated post on maximum password length from eons ago. But I fear that I will never be able to wean myself entirely from the “someone is wrong on the Internet!” type of post, because they are fun, cathartic, and easy to write.
Don’t be jealous, but I now have the best job in security. Make no mistake, I still speak for myself and not for my employer.

USA Today has two eye-popping stories on the NSA crypto capabilities. The first story is entitled “Why NSA’s decrypting is OK” in their mobile app and “The Case Supporting the NSA’s PRISM decrypting” in their online version. The title already gives an idea of the slant that the article will take. The article starts with a bold statement: “A consensus is gelling that the NSA — in using brute-force password hacking techniques, cracking into Virtual Private Networks and Secure Sockets Layer services and taking steps to weaken certain inherently weak encryption protocols – is simply doing what the NSA has always done, and was, in fact, created to do: keep the U.S. competitive in the spy-vs-spy world.” The article never defends this assertion and it is wildly at odds with the consensus that I see gelling on Facebook and on the technical cryptography mailing lists which I browse. To give the author the benefit of the doubt, I could be convinced that this is a consensus of NSA mouthpieces.

The second story is entitled “Latest PRISM Disclosures Shouldn’t Worry Consumers” and proves that the author of the story has no conception of why people are legitimately angry about the revelations. “Should the latest disclosures of decrypting techniques used as part of the NSA’s PRISM anti-terrorism surveillance program keep you awake tonight? Only if you do not believe President Obama and NSA Director Army Gen. Keith Alexander that any and all spying techniques are used strictly in very narrow circumstances to target suspected foreign terrorists, under a federal court review process.” You would be crazy if you did believe this, because the NSA themselves have admitted that the techniques have been abused. Google LOVEINT for a clue.

“‘The people who work on PRISM are working to protect us,’ says Tom Kellermann, Trend Micro’s vice president of cybersecurity. ‘They don’t care what movie you’re going to or whether someone is cheating on his wife.'” Whether they care or not, they shouldn’t have access to that information.

“‘The big revelation is that the NSA is actually able to view more encrypted data than anyone thought,’ says Chris Petersen, chief technology officer at security analytics company LogRhythm. ‘What this will really do is put our adversaries on notice that they need to invest in stronger encryption. This really has no bearing on the average citizen.'” Spoken like a person who does not believe in democracy and freedom.

I won’t quote any more from that article. I wish I could give the people quoted in the article the benefit of the doubt: that, as usual with reporters, their comments were taken out of context. I will say to the people quoted in the story, if this is really what you think, then you are the problem.

I post these because it is fun to see what people on the other side of the debate are thinking. And because I want to take note of the people in the industry who said these crazy things. And because it is sometimes just *fun* to read these types of articles and get outraged.

Apropos of nothing, this squiggled my funny bone this morning: Pew Research reports that there is a glass ceiling for female white collar criminals. It sounds like they are doing it wrong: “More than half of all women (56%) did not personally profit from the fraud”. Some backbone is needed: “Still others said they knowingly committed illegal acts simply because they were instructed to do so by a superior”. Sigh. They couldn’t at least ask for a candy bar? I heard the story on NPR this morning during my commute.