4/16/2013 Source Boston Day 1 and 2

by Gene Kim on

#srcbos13

Ally Miller, Electronic Arts: Games We Play: Payoffs and Chaos Monkey

  • Amazon calls this "hypothesis driven development":
  • Dan Ariely: Choice Architecture, Framing, Anchoring, Loss aversion
  • .@selenakyle: "Ariely: on menu, 3 wines w/diff prices; middle one marked up the most; why? framing. it's chosen most often"
  • .@selenakyle: "Ariely: Mental accounting is why '$300 in bonus offers' works; $300 is too abstract for brain, concrete rewards arent; even though choosing what to spend on is usually better"
  • @chriseng: Winning strategies depend on understanding human behavior, not just probabilities. @selenakyle

Zach Lanier, Android Security


Jonathan Claudius: Attacking Cloud Services With Source Code

  • @jwgoerlich: "The downside of open source: crappy code, code quality, and no CI infrastructure." -- @claudijd at
  • "Hacking With Gems" by Ben Smith: gem install aloha-ruby-conference: business card
  • "what happens if I add malicious code to my rake specs" (unit tests run on CI server): talk on attacking cloud svcs w/src code
  • "to avoid getting kicked off of github, I created my own jenkins CI server and private repo"
  • "run on jenkins ci server: often little sandboxing; puts system (ls ../..)"; can export other ppls projects
  • "discovered that there's a lot of trust to github; ssh keys often r/w; can often commit malicious code back to repo"
  • "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet"
  • "showing demo of c7decrypt"
  • "git push origin"; it's now in the github repo;
  • "password list sudo"
  • @jwgoerlich: Lifecycle. @charles_green taught me CI and rspec. @claudijd taught me to be afraid of it.
  • .@claudijd: Demo 2: using CI server to check malicious code into master, potentially where code pkging is performed
  • .@claudijd: "and now, voila; we've now trojaned the master branch; if someone were to package it, it'll be w/trojan code"
  • @jwgoerlich: @charles_green The demo has malicious rspec executing and getting a reverse shell on the CI host. cc @claudijd
  • Wow. @claudijd showing how CI/CD creates very new interesting attack surface for injecting unauth chgs cc @jezhumble/@jdeluccia
  • .@claudijd: "Parting thoughts: CI svrs are open by design; trust relationships exist & can be abused"
  • .@claudijd: "Demo 1: CI used as an attack pivot; Demo 2: using github integrated CI prevent key trust issues (use deploy key)"
  • .@claudijd: "Takeaway: test CI/CD servers for weaknesses; key risks: keys and shared CI svrs to access other ppl code/keys"
  • .@claudijd: "Look for CI svrs that modify repos (e.g., chg build numbers); think all code commits as potentially malicious"
  • .@claudijd: "Vulnerability: many CI servers are building the pkgs; idea: commit code and just generate the trojaned RPMs"
  • Wow. Really "enjoyed" @claudijd's talk. Entertaining and umm, unsettling... build chain attacks via ANT
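A defender-side check for the risk Claudius demonstrates above (arbitrary code in rake specs executing on a shared CI host): a pre-flight audit that flags shell-execution tokens in spec and rake files before the CI runner evaluates them. This is an added example, not code from the talk or any project; the Greeter class and the sample spec are constructed, and a lexer-based scan is a triage aid, not a substitute for isolating CI jobs and using read-only deploy keys.

```ruby
# Added example (not from the talk or any project): flag shell-execution
# calls in spec/rake files before a shared CI host runs them. Lexer-based
# heuristic; it does not replace job isolation or scoped deploy keys.
require 'ripper'

SHELL_IDENTS = %w[system exec spawn popen popen2 popen3 capture2 capture3].freeze
SHELL_CONSTS = %w[Open3 PTY].freeze

# Returns [{ line:, kind:, token: }, ...] for one Ruby source string.
def audit_ruby_source(src)
  findings = []
  Ripper.lex(src).each do |pos, type, tok|
    case type
    when :on_backtick # `cmd` and %x(cmd) both start with this token
      findings << { line: pos[0], kind: 'backtick exec', token: tok }
    when :on_ident
      findings << { line: pos[0], kind: 'shell call', token: tok } if SHELL_IDENTS.include?(tok)
    when :on_const
      findings << { line: pos[0], kind: 'shell module', token: tok } if SHELL_CONSTS.include?(tok)
    end
  end
  findings
end

# Audits every spec, test and rake file under root; returns { path => findings }
# containing only files with at least one finding.
def audit_tree(root)
  globs = [File.join(root, '{spec,test,lib/tasks}', '**', '*.{rb,rake}'), File.join(root, 'Rakefile')]
  globs.flat_map { |g| Dir.glob(g) }.sort.each_with_object({}) do |path, out|
    hits = audit_ruby_source(File.read(path))
    out[path] = hits unless hits.empty?
  end
end

# Constructed sample spec (hypothetical Greeter class; only lexed, never evaluated).
SUSPECT_SPEC = <<~RUBY
  describe Greeter do
    it 'says hello' do
      system('id')                      # shell-out hidden in a unit test
      expect(`whoami`).not_to be_empty  # backtick exec
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  audit_ruby_source(SUSPECT_SPEC).each { |f| puts "line #{f[:line]}: #{f[:kind]} (#{f[:token]})" }
end
```

Run it over a checkout with `audit_tree('.')` as a CI pre-step and fail the build on any finding the repository has not explicitly allow-listed.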

Gene Kim: Why We Need DevOps Now

  • @kohlerbn: Ops and dev like to beat up #infosec @RealGeneKim at @SOURCEConf
  • @shawnvalle: #sourcebos glad to see the full keynote. Gene Kim leading the show.
  • @SOURCEConf: RT @GreenAhab: @Gmanfunky @RealGeneKim it was a really good talk I am excited to read the books he recommended great talk at
  • @SOURCEConf: RT @Gmanfunky: Caught the end of @RealGeneKim keynote at #srcbos13 . I think he planted the seed for some reluctant converts.
  • @darkuncle: RT @effffn: "You don't choose chaos monkey, chaos monkey chooses you!" @RealGeneKim
  • @0xdanad: Would love to make this change: "@realgenekim Allocate 20% of dev cycles to fixing technical debt."
  • @chriseng: Marty Cagan (eBay): Allocate 20% of your cycles to technical debt reduction. [or you'll end up spending 100% on it] @RealGeneKim
  • @AppSecDude: Does anybody pay down 20% technical debt on each release? #srcbos13
  • @chriseng: "Do painful things more frequently, so you can make it less painful [in the future]." @adrianco quote in @RealGeneKim keynote
  • @chriseng: 89% of high performing orgs use infrastructure version control; 82% of them use automated code deployment. @RealGeneKim
  • @ternus: Infosec/ops "hopes and dreams are impossible because organizations can't escape unplanned work and technical debt." -@RealGeneKim
  • @chriseng: What is your lead time for changes? i.e. How long to go from code committed to code running in production? @RealGeneKim
  • @chriseng: The four categories of work: business projects, internal IT projects, changes, unplanned work. @RealGeneKim
  • @mfukar: RT @chriseng: High performing orgs deploy 30x more frequently and 8,000x faster than their peers.
  • @andrewsmhay: Attendees taking notes…good sign of a good keynote by @RealGeneKim
  • @jwgoerlich: RT @chriseng: When talking deploys per day, don't conflate "deploys" with "releases". A deploy can be a single content change.
  • @jwgoerlich: Yep. Excited. @RealGeneKim has me excited to be part of #devops.
  • @chriseng: High performing orgs deploy 30x more frequently and 8,000x faster than their peers.
  • @awpiii: InfoSec is the Redshirt guy. @RealGeneKim
  • @ternus: Technical debt -> delayed release schedules -> downward spiral -> Infosec/devops burnout - @RealGeneKim at
  • @0xdanad: Getting schooled on #devops by @RealGeneKim at
  • @ternus: "Show me a developer who isn't causing an outage and I'll show you one who's on vacation." -@RealGeneKim's devops keynote at
  • @joshcorman: RT @ternus: "I have an unusual man-crush on this person. The details of our bromance require an NDA." -@joshcorman on @RealGeneKim
  • @jwgoerlich: And we are off! @RealGeneKim takes the stage at #srcbos13! #devops #ftw

Dino Dai Zovi: Strategic Analysis of the iOS Jailbreak Development Community

  • OH: "Most iOS jailbreaks done by teams of 4-6 ppl. Except for Carmacks (?) who works alone, who's transcended rest of mortals"
  • Zovi: "Best iOS jailbreak: Boot ROM vuln, b/c no countermeasure possible; can only be fixed on new platform/model"
  • Zovi: "
  • @RealGeneKim: “@chriseng: @RealGeneKim That would be @comex [the uber iOS jail breaker, who has transcended feats of mortals]” Thx!
  • Zovi: "Apple patched the XXX vuln developed by @comex in 10 days; which probably took @comex much longer than 10 days to develop"
  • Zovi describing iOS vulns being used for jailbreaking: Adobe PDF font VM, VM in raster character renderer, kmalloc, etc...

Josh Corman moderating Dan Geer and Richard Thieme

  • Geer: @Veracode: RT @451wendy: I caught an APT *THIS BIG!! #srcbos13 @Veracode http://t.co/qLevPn3r8L
  • Geer: "The fastest method of technology is a person; steal ideas from smart people"
  • @jwgoerlich: "Any field of study that teaches you to think prepares you for the security field. This field is a renaissance field." -- Geer at
  • Geer: "Looked at half-life of security literature; authors getting older, half-life shorter; indicates specialization"
  • Geer: "Conclusion: infosec must specialize, can't be generalist" (I completely disagree. Need boundary spanners @joshcorman)
  • @andrewsmhay: become a serial specialist, not a generalist - Geer
  • @andrewsmhay: avg number of authors of security papers is rising, avg life time is falling - Geer
  • (My proof point: infosec is a team sport; answers to global questions won't be found in deeper study of infosec)
  • @chriseng: Thieme characterizes the diversity and technical expertise of the security industry of 20 yrs ago as far superior to today.
  • Geer: "Infosec world exploded w/intro of free TCP/IP to Win 3.1; 120 days later, CERT incidents spiked, like rocket igniting"
  • @sergeybratus: RT @chriseng: Geer: "All security technology is dual use; it can be used for offense or defense, good or evil."
  • Geer: "2nd driver was motive transitioning from notoriety to money; 3rd driver was computing beyond computers (phones, etc.)"
  • Geer: "Everyone in this room is the security officer for their expanded family" (haha)
  • @ITSecurity: RT @chriseng: Geer: "All security technology is dual use; it can be used for offense or defense, good or evil."
  • Geer: "Yes, I'm probably sounding like an old guy... And it's coming to me more easily these days." Haha
  • @lotusebhat: 1st such punctuation was the intro of the Tcp/ip stack into WINOS. Also made every sociopath one's next door neighbor (via Geer).
  • @jwgoerlich: RT @ternus: Geer: "Technology generates new facts, and then we reflect on how to be ethical about them" e.g. 4th Amendment
  • @andrewsmhay: Geer leaves his doors unlocked, keys in car. Completely opposite of his life online.
  • @ternus: "'Just remember, public is public' - there are days when I think 'you're so right' and days when I think 'Just shut up'"
  • @andrewsmhay: "You can't go wrong sharpening your sword against his intellect" Thieme to Geer
  • Thieme: "you know what they called group learning, social media & networking in my day? Cheating." "I was a great cheater"
  • Thieme: "Emergence of group learning is like cells realizing they're part of greater whole, vs. ending at cell wall"
  • Thieme: "What would 45 yr lifer at NSA worry about now? Makerbots; And worry about in future? DIY biolife"
  • @chriseng: Thieme: Biohacking today is where computer hacking was in the 80s/90s. We should be talking about the ethical quandaries.
  • @TripwireInc: RT @andrewsmhay: "Are we getting better?" asked by @joshcorman / "That's not the right question" - Thieme
  • @HackerHuntress: RT @jwgoerlich: Geer: I am fast losing control over my online life, unless I want to return to a pre-industrial life.
  • Thieme: "Power lives in any node in the network. You start by contributing; nobody can stop you & u'll find fellow travelers"
  • Thieme: "In book written in 60s on men's phases of life: ended at age 65 in phase called senescence" (ah, yes, twilight yrs)
  • @ternus: Thieme: "We may have one foot in the grave, but we have three or four other feet that we've spliced on via gene hacking"
  • Geer's wife (a neuroscientist): "Remember, if you live long enough, you'll become demented"
  • Geer: "Complaining abt those in power eventually becomes tiresome" "Requires taking positions where success is far from assured"
  • @jwgoerlich: Thieme: Leadership is communicating clearly and consistently where the water is going. Just do it.
  • Geer just read some amazing poetry here. Does anyone have citation?
  • @jack_daniel: Dan Geer reciting Kipling's "If".
  • @RealGeneKim: Thank you. Hearing Dr. Geer read this was amazing... RT @jack_daniel: Dan Geer reciting Kipling's "If".
  • @marshray: RT @chriseng: Geer closes by reciting Kipling poem "If..." #srcbos13 http://t.co/Y3Iu1SbNgA

Misc

  • Howdy, all! In Boston, at #srcbos13, or just interested in #devops? Come join us at 6pm, Piano Bar, Marriott Courtyard!
  • @andrewsmhay: Every time we #srcbos13 speakers mention The Phoenix Project in our talk, @RealGeneKim buys us a beer…as I understand it ;)
  • @RealGeneKim: @presidentbeef @ndm Look who I'm hanging with here at #SRCBOS13! @claudijd and fellow fan @jwgoerlich! :) http://t.co/z7ML7Lcjq9
  • True! 6pm today! :) RT @andrewsmhay: Every time #srcbos13 speakers say #PhoenixProject, @RealGeneKim buys us a beer…as I understand it ;)
  • @RealGeneKim: I've posted my notes written w/@tweetscriber: See 4/16/2013 Source Boston Day 1 and 2 #srcbos13 http://t.co/YiuczFG7L6
  • Haha... RT @451wendy: I caught an APT *THIS BIG!! #srcbos13 @Veracode http://t.co/qLevPn3r8L