JOHN MENERICK OPEN SOURCE FAIRY DUST - DEF CON · 2014-08-23

Transcript of the slide deck (82 slides).

OPEN SOURCE FAIRY DUST
JOHN MENERICK

SECURITY DRAGON @ NETSUITE

The views and opinions expressed here are my own only and in no way represent the views, positions or opinions - expressed or implied - of my employer (present and past) or anyone else.

My thoughts and opinions change from time to time; this is a natural offshoot of having an open and inquisitive mind.

WHAT WE ARE NOT TALKING ABOUT

WHAT WE ARE TALKING ABOUT

THE INTERNET - CIRCA 2007

NO ONE SAID IT WAS SECURE

OOPS!

"OPEN SOURCE IS MORE SECURE."

OOPS!

INTERNET SOCIETY PRESIDENT

EVERYBODY'S JOB IS NOBODY'S JOB

"This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was asked to do it. Everybody was sure Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that, because it was Everybody's job. Everybody thought Anybody could do it but Nobody realized that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done."

Financial
Fun
Hobbyist
Activist

"Open source projects play a crucial role in the digital age but are maintained by a small, strained cadre of volunteers."

Functionality, Usability, Performance, Security, Stability, Compliance

(Over the next slides the list is whittled down: Functionality, then Compliance, then Usability, then Security drop away, until only Performance and Stability remain.)

"There are lots of critical libraries maintained by volunteers that are not given enough attention."

C / C++

"When you carry pointers around and cannot track whether they are alive and how long they are, it's going to hurt."

JAVA

"It is not like Java got insecure all of a sudden. It has been insecure for years."

PHP

NO STRATEGY

NO SECURITY CONTACT OR REPORTING DEFINED

Inconsistent coding styles, usage, or complex code

CHANGE IS HARD

"System administrators hate change when they have to bear the brunt of adverse effects of change."

WHAT DO WE DO NOW?

DEMOS

Hadoop HDFS 2.4.1

FreeRADIUS 3.0.3

Exim

(AND SO CAN YOU!)

WHAT IS YOUR INCENTIVE?

FULL DISCLOSURE

STREET CRED

LULZ

TOOLING

TUNING AND CORRELATION

• hacktheplanet.ninja/index.html

ONE MORE THING…

2788: char name[PATH_MAX]; // 4,096 Bytes

2802: fscanf is 33,554,431 bytes
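The two quoted lines point at a fixed PATH_MAX buffer filled by an fscanf conversion with no width. As an added example (not code from the talk or from the project the lines were taken from), the reader below shows the shape of that defect next to a bounded version that derives the width from the buffer size and reports truncation instead of clipping silently; the function names and the input tokens are constructed for this illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096          /* the 4,096-byte buffer from the slide */
#endif

/* Shape of the defect the slide points at (reconstructed here, not the
 * project's code): "%s" with no width keeps writing until whitespace or EOF,
 * so a token of PATH_MAX or more bytes runs past the end of `name`.
 * Shown for contrast only; it is never called below. */
int read_name_unbounded(FILE *fp, char name[PATH_MAX])
{
    return fscanf(fp, "%s", name) == 1;
}

/* Bounded reader: the width comes from the buffer size, so fscanf stores at
 * most cap-1 bytes plus the NUL. Returns 1 for a token that fit, 0 if the
 * token was longer than the buffer (an error, not a usable path), -1 if no
 * token was available. */
int read_name_bounded(FILE *fp, char *buf, size_t cap)
{
    char fmt[32];
    int c;
    if (cap < 2) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);   /* e.g. "%4095s" */
    if (fscanf(fp, fmt, buf) != 1) return -1;
    /* If the next byte is not a delimiter, the token did not fit. */
    c = fgetc(fp);
    if (c == EOF || isspace(c)) return 1;
    ungetc(c, fp);
    return 0;
}

/* Constructed input (not from the talk): a token ten bytes longer than the
 * buffer, then a short one. Returns 1 when the first read reports truncation
 * instead of writing past `name`, and the stream still yields "short". */
int demo_token_too_long(void)
{
    char name[PATH_MAX], second[16];
    FILE *fp = tmpfile();
    int first, c, rc;
    size_t i;
    if (!fp) return -1;
    for (i = 0; i < PATH_MAX + 10; i++) fputc('A', fp);
    fputs(" short\n", fp);
    rewind(fp);
    first = read_name_bounded(fp, name, sizeof name);   /* expect 0 */
    while ((c = fgetc(fp)) != EOF && !isspace(c)) {}   /* drop the rest */
    rc = read_name_bounded(fp, second, sizeof second);  /* expect 1 */
    fclose(fp);
    return first == 0 && rc == 1 && strcmp(second, "short") == 0;
}

int main(void)
{
    printf("bounded read handled oversized token: %s\n",
           demo_token_too_long() == 1 ? "yes" : "no");
    return 0;
}
```

The same width rule applies to sscanf and scanf, which share fscanf's conversion semantics.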