
Security

Why should enterprises and individuals care?
Closer to web developers: security problems from a financial perspective
Bugs within software: a small subset of bugs cause security problems.
Customer A pays Company A in Mauritius to develop a website: list of requirements.
Does the list of requirements include being secure?
Observation: 99.9% of customers don't want to pay for security at the start of ANY project.
Consequences
One-time contract (ship and forget).
For software companies, no financial incentive to maintain websites/apps.
Security is a process, not an add-on.
Foundation, with features A, B, C.
Customer A has a time period: feature A will be showcased, feature B will be acceptable, and feature C will be barely working, dangerously hanging on A & B.
The software company needs the developers working on Customer A to move to Customer B. (Wrap it up and ship it.)
Go back in time
Morris worm (1988)
The U.S. Government Accountability Office put the cost of the damage at $100,000 to $10,000,000.
It is usually reported that around 6,000 major UNIX machines were infected.
The Internet was around 60,000 machines at the time.
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University.
And in 2014
According to the hacker's estimate, there were 1.3 billion IP addresses used online in 2012.
Behind each IPv4 address, many people have a smartphone (multiply by 3).
3 billion machines make up the Internet.
Heartbleed happened, Shellshock still happened, and vulnerabilities in WordPress & Drupal still pop up.
Have the customers & software companies learned their lesson?
CII
Millions of dollars of shared vigilance.
Many big companies pour money in.
Prevent the next Heartbleed.
[Side-note: Hackers.mu did submit security patches to OpenSSL & discuss architectural changes to BASH on a public mailing list]
In 2016
"But now that the Heartbleed publicity has worn off, donations have slowed to a crawl," says OpenSSL Foundation co-founder Steve Marquess.
No more funding for NTF's NTPD from CII.
"[We] will reluctantly be forced to reduce our support for OpenBSD and related projects," says OpenBSD Foundation director Kenneth Westerback.
Observation
Linux & Open Source is a victim of its own success.
Companies pay developers to develop features.
Few companies want to pay for security, because of the way the IT industry works.
We can do better in Mauritius: target niche markets where security is required. Don't compete for the low end: compete for contracts where quality matters.
Mauritius & Linux/Open Source Security

How do we measure your expertise?

Metrics

How many security vulnerabilities did person A find? (I found 6 in a previous company where I worked that were confirmed by the developer team.)
How many CVEs have company A or person A found? (2 Mauritians)
How many Mauritians are writing patches to fix security problems in Linux/Open Source? (Hackers.mu, and ?)

We still have a long way to go, if we use the above metrics.


Operation C.R
Security audit of Linux & Open Source software by Hackers.mu.
Based on initial findings of Mr Chamberlain in FreeBSD.
Read the WikiLeaks papers for Vault 7.
Apply a similar patch in other Open Source projects such as libarchive, uclibc-ng, prism GDK, WebKit, OPNsense, IPFilter, pfSense, etc.
Acknowledgement
Further acknowledgement

Tim Kientzle (US): Software engineer at Apple (ex software engineer at Google).
Wbx (DE): uclibc-ng maintainer (used in tons of embedded products).
Franco Fichtner (DE): Firewall company in Germany & OPNsense core team (nice guy).
Loos (BR): FreeBSD developer working at pfSense.
Last slide
