July 20–24, 2015
Portland, OR

For the greater good? Open sourcing weaponisable code

Laura Bell (SafeStack Limited)
1:40pm–2:20pm Thursday, 07/23/2015
Protect E145
Tags: Featured
Average rating: 4.89 (9 ratings)

Prerequisite Knowledge

Basic understanding of open source concepts.

Description

I am a strange sort of software developer.

I write tools that help people stay safe in our interconnected world. I do so because I believe that the internet is a wonderful thing and we all deserve to get the most out of it without risk of attack or vulnerability.

The trouble is that to do this I have to do bad things.

I write systems that attack people – electronically. Tools that intentionally try to trick and deceive actual real people and organisations. Tools that emulate some of the darkest, most deplorable behaviours in the online world.

My tool, AVA, is an automated human vulnerability scanner. It creates a repeatable and scalable way to simulate a human security attack, so that we can learn how our people react and measure the risk we face.

While these tools are written with noble intention, they are without a doubt weaponisable. For every good-natured defender in the world using them, there are a dozen potential attackers that could benefit from the same toolkit (albeit with a few tweaks).

This is the story of what happens when you open source a tool like this… a tool that could be a weapon in the wrong hands.

This is the true story of the challenges I faced legally, ethically, and technically in making this decision.

This is the story about what happened next and what I learned, of people, vulnerability, and the importance of open source culture in security.

Laura Bell

SafeStack Limited

With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into organisations of every shape and size. An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset. Laura is the founder of SafeStack, a specialist security training, development, and consultancy firm. She lives in Auckland, New Zealand with her husband and daughter.