Dev(Sec)Ops and the Hunter/Farmer model
Fabrizio Zeno Cornelli
CODEMOTION MILAN - SPECIAL EDITION 10 – 11 NOVEMBER 2017
Thanks to Randall Munroe: xkcd.com
Get a Good Password
$ dd if=/dev/random count=1 | base64 | cut -c1-22
c4EdYgLedpD30qKJ6YAKjQ
Use 128 bits
$ gsort -R ~/dict/words.txt | head -4 | paste -sd '-' -
Get a Good Password
Use a dictionary
11 bits to index words.txt?
128/11 ≈ 12
Get a Good Password
How many words?
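The two generators on the previous slides, as an added Python example that is not part of the original deck: one random 128-bit password (the dd | base64 | cut pipeline) and one dictionary passphrase, with the word count derived from the dictionary size the way the 128/11 ≈ 12 arithmetic does. The word list is a constructed sample and the function names are assumptions; a real words.txt would have thousands of entries. Unlike `gsort -R | head -4`, which samples without replacement, this draws with replacement so the entropy is exactly n × log2(dictionary size).

```python
import base64
import math
import secrets

# Constructed sample word list (a real ~/dict/words.txt would be much larger).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "granite", "lantern", "velvet", "quartz"]


def random_password(bits: int = 128) -> str:
    """Random password carrying `bits` bits of entropy, base64-encoded.

    Same idea as `dd if=/dev/random | base64 | cut -c1-22`: 16 random bytes
    give 24 base64 characters with '==' padding, i.e. 22 useful characters.
    """
    nbytes = math.ceil(bits / 8)
    raw = secrets.token_bytes(nbytes)          # CSPRNG, never random.random()
    return base64.b64encode(raw).decode().rstrip("=")


def words_needed(dictionary_size: int, bits: int = 128) -> int:
    """Words required to reach `bits` bits when each word is drawn uniformly.

    bits per word = log2(dictionary_size); 2048 words -> 11 bits -> ceil(128/11) = 12.
    """
    per_word = math.log2(dictionary_size)
    return math.ceil(bits / per_word)


def entropy_bits(words, n: int) -> float:
    """Entropy of an n-word passphrase drawn with replacement from `words`."""
    return n * math.log2(len(words))


def passphrase(words, bits: int = 128, sep: str = "-") -> str:
    """Diceware-style passphrase with at least `bits` bits of entropy."""
    n = words_needed(len(words), bits)
    return sep.join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    print(random_password())
    # With only 8 sample words (3 bits each) 43 words are needed for 128 bits,
    # which is exactly why the slide asks "how many words?".
    print(words_needed(len(SAMPLE_WORDS)), passphrase(SAMPLE_WORDS))
    print(words_needed(2048))  # 12, matching 128/11 ≈ 12
```

The takeaway the numbers make concrete: a four-word passphrase from an 8-word list carries 12 bits, a four-word passphrase from a 2048-word list carries 44 bits, and only about twelve words from a 2048-word list reach the 128 bits of the base64 password.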
Why is Password0! not good?
HOW TO CRACK A PASSWORD
How passwords work
stored[user] = hash(password)
hash(password) == stored[user] ⇒ auth
How to crack a password
Retrieve stored hashes
Deduce hash
Plaintext? Done :)
- Bruteforce attack
- Dictionary attack
Brute force Attack
Test every single possible password.
From 'a' up to 'ZZZZZZZZ..ZZZ'
Dictionary Attack
hash(guess) == stored ⇒ (^-^)
$ john stored.txt
# Pseudocode for what a dictionary attack does (jexpand stands in for John's rule engine)
stored = set(['abFZSxKKdq5s6', 'ulMGRyl03i2gm', …])   # hashes retrieved from the target
dic = ['password', '12345', …]                        # wordlist
rules = [':', 'u', … 'so0', 'cAz[0-9][!$§]']          # John-style mangling rules
_guesses = jexpand(dic, rules)  # ['password', 'PASSWORD', …, 'passw0rd', 'Password0!' …]
[ g for g in _guesses if hash(g) in stored ]          # every hit is a cracked password
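The two sides of the story above, as an added Python example that is not the deck's own code: the storage side (`stored[user] = hash(password)`) done the way a defender should do it, with a per-user salt and a slow KDF, and a password-strength check that rejects anything a rule-expanded wordlist would produce, which is exactly why Password0! is rejected. The `expand()` function is a small, assumed subset of the John-style rule syntax the slide lists (`:`, `u`, `c`, `sXY`, `Az[class]...`), not John's engine; the dictionary and rules are constructed samples.

```python
import hashlib
import hmac
import itertools
import re
import secrets

# Constructed mini wordlist and rules (same shapes as the slide's dic/rules).
DICTIONARY = ["password", "12345", "letmein", "welcome"]
RULES = [":", "u", "c", "so0", "cAz[0-9][!$§]"]

PBKDF2_ITERATIONS = 600_000   # slow on purpose: each guess costs the attacker this much


def _expand_class(spec: str) -> str:
    """Expand a bracket class body such as '0-9' or '!$§' into its characters."""
    out = []
    i = 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":        # range a-b
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def apply_rule(word: str, rule: str):
    """Yield the mangled forms of `word` for one rule (assumed subset of John syntax)."""
    if rule == ":":                       # no-op
        yield word
    elif rule == "u":                     # uppercase
        yield word.upper()
    elif rule.startswith("s") and len(rule) == 3:   # sXY: replace X with Y
        yield word.replace(rule[1], rule[2])
    elif rule.startswith("c"):            # capitalize, optionally Az[...] appends
        base = word.capitalize()
        rest = rule[1:]
        if rest.startswith("Az"):
            classes = [_expand_class(c) for c in re.findall(r"\[([^\]]*)\]", rest[2:])]
            for combo in itertools.product(*classes):
                yield base + "".join(combo)
        else:
            yield base
    else:
        raise ValueError(f"unsupported rule {rule!r}")


def expand(dictionary, rules):
    """Candidate set the slide calls jexpand(dic, rules)."""
    return {g for w in dictionary for r in rules for g in apply_rule(w, r)}


def is_weak(candidate: str, dictionary=DICTIONARY, rules=RULES) -> bool:
    """True if a rule-expanded wordlist would guess `candidate` outright."""
    return candidate in expand(dictionary, rules)


def store(password: str):
    """What stored[user] should hold: (salt, slow salted hash), never hash(password) alone."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["Password0!", "passw0rd", "correct-horse-battery-staple"]:
        print(pw, "weak" if is_weak(pw) else "ok")
    salt, digest = store("correct-horse-battery-staple")
    print(verify("correct-horse-battery-staple", salt, digest))  # True
```

Two things the slide's pseudocode leaves implicit and this makes visible: the salt means two users with the same password get different stored values, so one cracked hash does not crack the other, and the iteration count turns the list comprehension over `_guesses` from microseconds per guess into hundreds of milliseconds per guess.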
How to crack a password
FABRIZIO [email protected]
CV
CTO, Enterprise srl
DEV / QA Manager, HT
Consultant, from 2016
DEVELOPER: "if it ain't broke, don't fix it"
Design then code (and test)
High level languages
Good practices
RTFM
Frameworks and libraries
Programming skills (some languages)
Don’t reinvent the wheel
DRIVEN BY: sense of order, growth, collaboration, planning / OCD issues
Dev Proverbs
The ends do not justify the means
Choose two: good, fast, cheap
Any fool can write code that a computer can understand. Good programmers write code that humans can understand. [M. Fowler]
HACKER: "shit happens"
Deconstructive: Reverse Engineer
Subvert the manual
Shortcut / quick and dirty
Must be the first
Low level Languages
(C, asm)
DRIVEN BY: challenge, showing off / boring issues
Hacking Proverbs
the ends justify the means
a clever person solves a problem, a wise person avoids it
the cat goes to the lard so often that she leaves her paw in it (Italian proverb: push your luck long enough and you get caught)
Comparative table

Hacker               | Developer
---------------------|---------------------
Deductive            | Inductive
Deconstructive       | Constructive
Reverse engineering  | Programming skills
Lateral thinking     | Good practice
Shortcut             | Design then code
Subvert the manual   | RTFM
Shortcut             | Frameworks and libs
Incautious           | Conservative
Low level lang       | High level lang
Discipline / Focus
Farmer Hunter model
B2B Sales model
Hunter focused on creating new sales opportunities, prospecting and closing. “eat what they kill.”
Farmer manages and sells to existing relationships. account manager
Hunter vs Farmer

Hunter              | Farmer
--------------------|--------------------
Take charge         | Let things develop
Aggressive          | Laid back
Prospector          | Planner
Competitive         | Collaborative
Always be closing   | So, what do you think?
Individualist       | Team player
Short term          | Long term
Risky               | Safe
Hunter vs Farmer
Really a coincidence? Is there any anthropologic root?
STONE AGE: anthropologic session
Small clans
Nomadic
Hunters
Resources Developer
Language and politics
Villages and cities
Farmers
Hunter vs Farmer

Hunter              | Farmer
--------------------|----------------------
nomadic / autonomy  | permanent settlements
innovation          | tradition
initiative          | patience
independence        | collaboration
Have we changed?
We still “feel” the connection with cats and dogs
Triune brain theory (Paul MacLean)
PALEOLITHIC → HUNTER → HACKER
NEOLITHIC → FARMER → DEVELOPER
Are we Hunters or Farmers?
Both of them
Be a hunter: get your POC
Be a farmer: evolve an idea to a product
Make your team
[Chart: Hunter vs Farmer share of effort (y-axis 0 to 80) across the phases POC, Project, Dev, Maintain/PT]
DEVSECOPS: "hunter as a service"
Defenders cannot win
Defending is more difficult
Attackers can abuse any vulnerability
Multi Layer defence
Defending is expensive
How can I prove that I’m secure?
Popper’s refutability
the inherent possibility that a statement can be proven false
- Halting problem
- “this system is secure”
Popper’s refutability
POSITIVISM
proof ⇒ true
REFUTABILITY
paradox ⇒ false
DevSecOps’ Refutability
each part should be testable and tested
DevSecOps is the continuous invalidation process
security by obscurity
Russell’s inductivist turkey PART 1
Russell’s inductivist turkey PART 2
Hiring
“I’m looking for a hacker”
“We need a developer”
Hiring
You have a few hours to match
Does your candidate fit your job needs?
Does your job appeal to the candidate?
Is your candidate a person or a resource?
1,2,3,4,5?
That's amazing! I've got the same combination on my luggage.
Thanks
Fabio Sangiovanni
Mariachiara Pezzotti
Federico Gandellini
Luciano Colosio
THANK YOU
hacked potato for you
(no animal was harmed in the making of this presentation)