 GitLab exists today in large part thanks to the work of a vast community of open-source contributors around the world. As a company, we are deeply committed to being a good steward of the GitLab open-source project. To give back to this community who gives us so much, we want to enable teams to be more efficient, secure, and productive. We believe the best way for them to achieve this is by using as many of the capabilities of GitLab as possible. Through the GitLab for open-source program, we offer our top tiers plus 50,000 CI pipeline minutes per month for free to qualifying open-source projects and organizations. Kali Linux is a member of the GitLab for open-source program. It is an open-source, Debian-based Linux distribution that is the de facto standard for information security professionals and hobbyists. Offensive security funds the development of Kali Linux. In this next talk, Ben Wilson will share why OFSEC funds this project and how it helps you as well as the greater OFSEC community. Enjoy. Good morning, good afternoon, or good evening. Thank you for coming today to listen to me talk about the dynamics between Kali Linux and offensive security. Here is an overview of what I'm going to be talking about today, but as time is limited, I'm just going to jump straight into it. Who am I? Online, I go by the handle of Got Milk. In person, Ben Wilson. I have been doing information security or cyber security if you're into your buzzwords for about 15 years, off which I have been with OFSEC for eight of them, and for the last two of those, I have been working full-time on Kali. I am responsible for the day-to-day activity as well as the general direction of where the project is going. So Kali is actually based upon four other projects, and these projects started about 18 years ago. Kali is the oldest, and it's been around now for eight years. Previously, it was called Backtrack, which I'm sure a few of you have heard of, and that's been around for five years. Prior to that, it was actually made up of two being Wax and Auditor, and they were around for about 18 months, and the first one that was was called Whoopix, and that lasted about 12 months. Now, the name changes is to signal there's been major overhauls to address problems that we have faced. At times, we may have changed the operating system or how we do our packages, and as a result, the supported platforms and architectures have changed. When the project first started out, our focus was on the tools. We were a collection of tools. These are the tools that you would use in a professional penetration test. We use Slack as the base operating system, as this allows for us to do a live boot so you could use without actually installing. But we noticed that people started to install us as their operating system, and they wouldn't do a reinstall with every release we pushed out. So their tools became dated, their operating systems became dated, as there wasn't a system in place to allow for upgrades. So we made the decision to move to Ubuntu, and Ubuntu was great for being a desktop. This allowed us to put our focus into the OS and tackle some of these problems. We then wanted to expand and move on to alternative platforms and architectures. And at the time, Ubuntu didn't really support this. Debian was a better fit. We also made the decision at this stage to treat ARM as a first-class citizen. And we made this called right at the start of Kali. Today, we like to think we have one of the best ARM supports out there as a result of this decision. The team itself is mostly made up of developers, and these are the people who have been responsible and working on the projects over the years. Until about two years ago, when we were in a place to then start to accept community input, an overview of Kali. Kali is an operating system designed for professional penetration testing. Someday, we hope to start to expand into other areas of InfoSec, but for the time being, that's our focus. Please note, pen testing is not the same as hacking. On purpose, we have opted out and we have done things to try and reduce anonymity online by not using Tor or I2P networks, as this rarely comes up when actually doing a penetration test. And on this subject, there's a tradeoff between security and privacy. You can't have an operating system that does both. We picked security and other operating systems are out there that went down the privacy route. This is because we want to support outdated and insecure methods of communication by using legacy algorithms. This is because Kali can then talk to more services. These services are generally older. They could be at end of life. There's probably more vulnerabilities in these as they are no longer supported. They are based upon older technology. As a result, there is then a bigger attack surface. There is more of a chance that you can get the initial foothold into a machine. In InfoSec, having the latest code is essential. Why? A method of getting access to a machine or network is by running an exploit. Now, for an exploit, you need to have a vulnerability. And vulnerabilities are getting discovered all the time. It's then a race between developing and hopefully being able to successfully create an exploit and then using it versus someone coming along and applying a patch. With Kali being a rolling OS, as soon as there is an update, we aim to ship it as soon as we can. We don't hold back. Now, there's a tradeoff between stability and bleeding edge. As a result, we have multiple abranches to accommodate this so users can pick their choice. This allows for people to say, hey, I am opting out of any form of manual packaging and testing that you guys can do. I want the code as quick as possible and I am relying upon your automated build systems and unit tests. And when it works, it works great. People have bleeding edge. They get their code quick. But for the people who can't take a chance, they need Kali to be as stable as possible for circumstances when they don't have internet access and they can't update, we do a point release four times a year where we do a much more thorough QA process both with the operating system and the tools and the integration of them both. And when we do a release, our goal is something to benefit end users and something to benefit us internally as developers. The direction of Kali is based upon our history on working with these projects, offensive securities penetration team and the feedback that we hear from the community. Kali today. Kali is more than tools or an operating system. We see Kali as a platform. Our vision is to have Kali on anything and everything. Hence the term Kali everywhere. So rather than you downloading Kali, we want you to get Kali. Our goal is to be accessible as possible and ready out of the box. There's some people, this may not be the case and there's various reasons why. Unfortunately, there are times where we just can't accommodate for them. Most of it is because they are wanting to use software with restrictive licenses. So to combat this, we actively promote and encourage people to take our build scripts and customize Kali to their needs. We've put out various guides on how you can do this, how you can take commercial software and integrate it into Kali for your use. You can also customize Kali and tweaking it in other ways like changing wallpaper or favorites as well as the window management. These build scripts that we publish are the same ones that we use to generate our images. Everything is public. Because of this, various projects have taken us, forked us and now use us. This may be done in public or it may be done privately. Kali has become a source that others are making deliberative work from. People rely on Kali, both as users and developers. One thing to note is that Kali's purpose has changed over time as the industry has changed we've had to adapt. And this has changed due to changes in technology, advancing and attack surfaces changing. An example of this is in the early days of wireless. There was either no encryption or web and web turned out to be horribly broken. To crack it, you had to do something to your drivers. You had to patch them to allow for injection or monitor mode. And this is something that Kali did for you out of the box making the attack super simple. Wi-Fi now has moved on in today's world. We now have WPA3. So even though the attack method is still the same, it's less relevant because the technology has moved on. The idea is still there though. Kali is ready out of the box. So how does Offsec come into all of this? Well, let's have a look where the project started as well as Offsec. So Matty, who online is known as Moots, who is the founder with it all, he was doing a pen test. He was doing an air gap assessment. So he downloaded all the tools that he needed and he placed it onto a live CD. He could then take that live CD, go into the environment and boot from it and he had everything he needed was ready to go. Now he was really proud of the work that he created. So he shared it online and then he kept on updating it and tweaking it and improving it. This went on for a little while. Now, out in Las Vegas, there's a few big security conferences out there. One of them is called Black Hat. He was walking around and he saw other people were using his work and he got excited about it. However, upon closer inspection, he noticed what people were saying was either incorrect or just didn't go into enough depth. So he figured he could do better and he started to offer his own training around it all. This is how Offsec got its start. This is in January 2007. So you can see how open source software exists. This is the company's roots. It's how the company got started, which is why Cali is still an Offsec project today. An Offsec knows with the whole open source life cycle as a whole that if you're going to use it, you need to give back and Cali is one of the ways that Offsec gives back. Outside of Cali, they also do sponsorship for tools. This is to help and encourage tool authors to keep on developing their software. Like I said before, Cali is more than tools, but it also understands that you need tools for it to be there. So helping tool authors develop their code not only benefits Cali, it also benefits the open source and the InfoSec as a whole. Offsec also has various other community projects such as exploit database and Von Hub. Cali also works upstream with tool authors and which tools is based upon Offsec's judgment. This could either be from their pen tests or from their educational side. We take their tool lists, their suggestions and we work with their authors to improve their code. This could either be working with Cali or just how the tools function as a whole. I'm also super happy to say that I'm in a lucky place that Offsec gives us the space to handle things the right way. Offsec's not looking for a sale lead. They're not trying to force anything on users. There's no tracking, there's no telemetry, there's no registration or giving up an email address. No newsletter is forced upon people as all of this would be the wrong thing to do. Cali is free. It's easy to get. We want it to be accessible to everyone with as little friction as possible. Offsec also uses Cali. Cali is used in all the pen tests that they do for their customers. It is also in their training programs. So who else helps Cali? GitLab, thank you very much. All our source code is stored there. This could be for our packages, for our tools. We have also now putting all our tickets, either the public ones or private ones and we are hosting various web pages there using GitLab pages. Cloudflare for a CDN. This is how people are now downloading Cali as well as getting updates. Ampere for hosting. We are using them to actually build our packages on. We also have at the time of this presentation 35 mirrors from the community. These people are helping also share downloading of Cali as well as distributing our updates. With this system in place, you are hopefully being able to access a mirror and server that is close to you, giving you the quickest speeds possible. How to get involved? Traditionally, we haven't put out the welcome app for new people. This is because as the projects have been funded by OFFSEC, they were all OFFSEC employees. Now, we recognise this and we wanted to change and this was about two years ago. So behind the scenes, we have redone all our foundations, we have put a new structure in place. As a result, it has started to open up some new possibilities with even more coming up. We are now able to start accepting community input to help contribute towards Cali. We are also doing more in the open and with the aim to do even more. On a personal note, we are not where we want to be and I know it will always be an ongoing item. So for anyone who wants to get involved, now is the time and please do so. There are various links here to get a start. You can also reach out to some people, so anyone on the Cali team, and we can then help you. So where do we want to go? We want to make things even easier for the community to get help and be involved. We already publish all our tools allowing for anyone to copy what we do, but we want to expand on this. We're using Git as much as possible as it allows for us to be open and accept other input. An example of this, our webpages were using WordPress. So we've dropped using a database and instead we have moved to a statically generated site. Now everything's done in Markdown and it's powered by Hugo. We've already ported over part of our documentation as well as the main website with the aim of soon doing our tools documentation. Why? Again, Cali's tools is a big part of our work. Not everything, but a big part. And we have a site around it with documentation in mind and this is great for people who use Cali. And based on the feedback we have gotten from tool authors, they really like it too. But it's only as valuable as it is correct. With people and so many tools updating their work, it's difficult to keep up to track. And we've had various people who are wanting to either add new stuff or update it, but with the closest and that we currently have, it just doesn't allow for it. And when we make this move, this will all change. We also want to start doing more publicly. Like I said, we want to reduce the amount of internal tickets that we are making and make them public as this will then allow us to build up a public roadmap. Rather than thinking from release to release, we can then strategically think of a bigger picture. We also want to come and revisit the real time chat. We want to relook at what we are doing with forums as well and the bug tracker. We've also hopefully, if everything aligns up correctly, towards the end of the year, we will have a nice present for the community as well. Thank you very much for listening to me. If you want to reach out, please do. I do reply. It just takes me a while. You can find me on IRC or Twitter. Or if you want to reread the slides, there's a link or the QR code you can scan if you dare. Thank you very much for listening to me talk and I hope you enjoyed the rest of the conference.