All right, let's get this thing started. This is Amir Montazery from OSTIF, which is the Open Source Technology Improvement Fund, and he's here to give us a talk about things. So if you're interested in things, then you are in the right place to learn about things. Don't forget about stuff. Okay, yes, things and stuff, which is more than I would be able to talk about. So I'm gonna pass it off to him, and he's going to give us all of the knowledge in his brain.

Beautiful, thank you, Diego. Hi, good morning, everyone. My name is Amir Montazery. I'm the Vice President of Development for OSTIF, the Open Source Technology Improvement Fund. I'm gonna be saying OSTIF a lot today, so hopefully you'll know about us by the end of the talk. Out of curiosity, by show of hands, have you heard of us, OSTIF, before? All right, cool, I see a couple hands, that's good. Super excited to be here with you all today to talk to you about the great work that we do and the work that we've done with Monero and the Monero Research Lab. The objective of my talk today is to talk about our model for improving open source software, kind of how that came to be, and then talk more about the work that we've actually done. I'm hoping you'll all walk away today feeling empowered because, similar to Jeremy's talk this morning, I do believe we have the power in our hands to change our technology, to improve our technology, and have a technological solution to the problems that we see in today's digital world.

So with that, we'll go right into it. As I mentioned, OSTIF is the Open Source Technology Improvement Fund. We were founded in 2015, essentially by our own need to exist. Derek Zimmer, the CEO and founder, and myself saw that not enough work was being done to improve open source software. There was really no one advocating for strong open source software and good security and infrastructure that we have.
Especially with transparency as well, not enough transparent and impactful work was being done to improve open source software. So as I mentioned, we were founded in 2015. We are a 501(c)(3) charity, a nonprofit organization, meaning that donations to OSTIF are tax deductible, and because we are a nonprofit, we're not driven by bottom lines, endorsements, things like that. What we do is we connect open source projects with much needed funding and logistical support. Similar to what I mentioned about how we came together, we noticed that a lot of these open source projects, because they're mostly run by volunteers, people who are passionate about this stuff, are severely lacking in resources, especially with marketing, funding, and actually focusing on security and improving the software. And we do that through corporate sponsorships, which are sponsorships from organizations, as well as direct public support, with the mission of strengthening technology for everybody.

So we had this great idea. We said, hey, let's come together. Let's do this. We kind of didn't know what we were doing at first. We just ran with it and learned a ton in the last couple of years. And in the last about three years now, we've really started getting into a groove with applying our model for improving open source software. And I'll talk a little bit about that track record that we've developed.

So our first project, and it was really kind of our first proof of concept moment in applying our software improvement model, was the audit of VeraCrypt 1.18, where we conducted an audit of the software through the audit firm Quarkslab based in Paris. And that audit resulted in eight critical, three medium and 15 low impact vulnerabilities found and patched. At a high level, that resulted in removal of unsafe encryption implementations, removal or replacement of unsafe libraries, as well as fixes to the new bootloader implementation.
So in short, it resulted in improved protection of data, improved encryption and protocols. As I mentioned, this was performed by Quarkslab out of Paris, a fantastic security firm. And the total cost of the audit was about $25,000. So kind of tying into the title of the talk, the cost of good open source software, I'm hoping that you all see today that this work is extremely possible and attainable and does not cost nearly as much as you would think. And this project was done thanks to our top sponsor DuckDuckGo, another privacy focused organization.

So kind of coming off of that big proof of concept moment, kind of getting our first notch in our belt and going from really an idea to an organization that was actually doing this stuff, we continued to build on that momentum to coordinate the audit of OpenVPN 2.4.0, in which we brought a coalition of over 30 organizations and countless other individuals who contributed to the fundraising for this audit, which resulted in one critical, high, one medium and five low impact vulnerabilities found and patched. And again, at a high level that related to the correction of a pre-authentication denial of service attack, which is important, as well as the correction of an authenticated user denial of service attack, as well as fixes to certificate handling, service handling and user suggestions for safer practices, because the usability is also important, and having access to knowing how to use this technology is just as important as having good software and good technology itself. So again, at a high level that resulted in improved security and functionality of OpenVPN. This was again done by the audit firm Quarkslab based out of Paris, and the cost was around $70,000, which again is an amount which dwarfs the budgets of a lot of cybersecurity organizations, and just the amount of money that is out there really doesn't scratch the surface.
And this was done thanks to our top sponsors Private Internet Access and iPredator, as well as a lot of other commercial VPN providers that got on board who directly benefited from the improvement of the software. However, the beauty of improving open source software and open source infrastructure is that really everybody wins. Users are better off, as well as the organizations that have their tools and their infrastructure built on this open source software.

And so going along with that, we continued to build on that momentum right after OpenVPN, where we coordinated our biggest project yet, which was two audits of OpenSSL which were really focused on two critical new features that were being implemented in the newest release. The first one was the pseudorandom number generator and the second one was the TLS 1.3 implementation in OpenSSL. We had two different audit firms conduct the work, which was interesting to see because we had different sets of results, which goes to show that with very complex problems like technology and software, diversity really is important; getting multiple viewpoints and getting multiple perspectives from different groups really makes a difference. And the results were that multiple fixes for issues related to, again, denial of service, as well as for improving the randomness of the PRNG, were implemented before the release of OpenSSL version 1.1.1. So this was a huge project for us because we felt that it put us and the work that we were doing and the impact that we were making in open source software up there with elite internet giants who have budgets 30 to 400 times what we work with. Yet as a small organization, as a very committed and focused organization, we were able to create work and publish work that was up there with those organizations. The total cost of both audits was around $150,000. It was a little bit more than the previous projects because of the complexities, and simply the complexities of OpenSSL.
And that was special thanks to our top sponsors Private Internet Access and DuckDuckGo, as well as the countless other organizations and individuals who contributed to these audits. So it was really great. We saw that we might be onto something here and that our model for improving open source software seemed to be working. We had tons, over about 2,000 hours, of what they call man hours, audit hours, performed on critical software and hundreds of bugs found and patched.

It was around the time of the OpenSSL results that we started working with Monero, the Monero community, as well as the Monero Research Lab. We had heard that they were essentially looking for services, the exact service that we provide. They wanted to, through their commitment to improving the cryptocurrency's functionality and security, they were looking to get some work audited, to get software audited, particularly with Bulletproofs and RandomX, which I'll go over. And they were looking for an organization that could help them coordinate that audit work, because, as we've learned from implementing and building our model, it's much more complicated than it seems. A lot of people are like, yeah, just coordinate an audit and you're good, but there's a lot of intricacies that go into it. And the nice thing was we were also committed to transparency and publishing our work publicly, which is very important for the Monero community.

So we first started working with Bulletproofs, in which we coordinated two audits of Monero Bulletproofs. The first one was performed by Kudelski Security and the second one by Quarkslab. And this was another instance of seeing different sets of results from different audit teams, which I think is a testament to the importance of diversity and multiple reviews of software, because it's never something simple. It's always an iterative thing, improving software. So with Kudelski Security's review, there were a number of low and informational vulnerabilities found and remediated.
And with the Quarkslab review, which was a little bit more in depth, they found eight critical, two medium and 20 low impact vulnerabilities, found and remediated. And the important one here was that a live chain critical flaw was identified and fixed, which resulted in significantly improved security of the cryptocurrency, as well as kind of closing down a potential attack vector that could cause serious damage to the cryptocurrency's value and market value, as well as the functionality. So Bulletproofs significantly reduced the size of Monero transactions, improving the performance of the blockchain and improving functionality and efficiency of the cryptocurrency. Again, the total cost of the audits was only around $70,000, which, given the significant and critical flaw that was found, and Monero's market value is somewhere around $2 billion, I think is a very good investment or insurance policy to take on something with that much value. And that was special thanks to the Monero Research Lab and the Monero community as a whole that all got on board and contributed to this project.

And so moving forward with RandomX: with Bulletproofs, it was a great success. We were very happy with the results, and I'd like to think that the Monero Research Lab and the community were happy with the results as well, because they came right back to us and said, hey, let's do this again. Let's improve our software. Let's have it reviewed and improve the security and functionality of the cryptocurrency. So a total of four audits were conducted for RandomX. We actually just this morning, on our website, https://ostif.org, released the final report for RandomX. So for all of you highly technical people who really like to get into the technical details, I highly recommend looking at our audit reports, because they really go over the intricacies of the work that's done. I kind of just supply a little bit more of a high-level overview of it.
But the result, again, was a total of 41 recommendations for improving the security and functionality of Monero. Again, these audits only cost about $70,000, which again barely scratches the surface of some of the budgets that these bigger organizations have for improving their software. And this was again special thanks to the Monero Research Lab and the Monero community.

And to give you a little bit of a sneak peek of another upcoming project with the Monero Research Lab and the Monero community, there is CLSAG, which is code that is designed to further reduce the size of transactions and boost blockchain performance. And this really was a result of a great symbiotic relationship that OSTIF had with the Monero Research Lab, because the Monero Research Lab and the Monero community have shown great interest in improving their software, really investing in the software and improving its security and functionality. And that interest has been met with action, where the Monero community has contributed, the Monero Research Lab has contributed and pushed for more projects to be done. So this is still kind of in the works in terms of the audit cost and the audit firm that's gonna be doing the work, but we're estimating it's only gonna cost between $30,000 and $40,000. And for the audit firm, again, it's still being determined so we can find the best audit team to do the work. And once again, this is all special thanks to the Monero Research Lab and Monero community.

And so to give you a little bit of a preview on what we're working on next, which actually kind of ties into Jeremy's talk this morning, so I'm really excited to be talking about this stuff: we have two really cool projects on the horizon. The first one is Unbound DNS, which is open source secure DNS. This is a critical component for a secure certificate authority, i.e. Let's Encrypt.
This project actually came at the recommendation of the Let's Encrypt executive director, who emphasized the importance of having this software reviewed because it is such a critical component. Because what we see is, especially with software, because of dependencies and components of software, you can have one piece be extremely secure, but kind of like what Jeremy was talking about this morning, if one component of that isn't secure, that essentially breaks down the whole thing. So as of June 2019, we successfully funded the audit. The audit is currently in the scheduling process. Again, it's a lot more complex process than one would think, but we are in the process of scheduling it. And something really cool that's happening with this project in particular is, because of the situation and proximity, we've actually arranged for the audit team and the development team to have a meeting, a one-on-one in-person meeting that's likely gonna be in, I believe it's Denmark and Copenhagen. And the really cool thing about this is that it really eliminates a lot of learning curves, and the development team can really kind of guide the audit team and say, this is how we intended the software to work, this is how it should work, so that the audit team can kind of audit against that and have significantly better results from auditing the software. So the projected result, of course it's not done yet, so I can't tell you what the direct result is, but we're anticipating significantly improved security on the web, because Let's Encrypt is fantastic. Jeremy talked about it this morning, and securing a critical component of it will just kind of feed into that ecosystem of a strong and secure software infrastructure. And the total cost of this audit is only around $74,000, and that's a special thanks to our top sponsors, Private Internet Access and Let's Encrypt. And again, the countless other organizations and individuals who have contributed as well.
And then our next project that I'm really excited about, which I think really tied in perfectly with Jeremy's talk this morning, is the Meek Heavy project. So we are looking to harden the soft spots in Meek's domain fronting, and the really cool thing about this is that it's actually a new anti-censorship tool that we are developing, and as part of our anti-censorship efforts, the focus is on implementing exactly what Jeremy was talking about this morning, encrypted SNI and DNS over HTTPS. And this is in partnership with two great organizations, Greatfire.org and the Operator Foundation. These are two organizations that are really focused on anti-censorship and putting the freedom of information and the internet back in the hands of the people who use it. And so the result is gonna be a new tool with hardened security and resistance to censorship. And we are actually working on having this be an API, so essentially you can use it concurrently with other software or an OpenVPN server. So there's gonna be a lot of interoperability, and it's not just gonna be a standalone thing, it's something that can be implemented in other tools, which is really exciting. And I'm excited about it too, because part of our mission, as I mentioned earlier, strengthening the technology that we all rely on, part of that involves having to innovate, and essentially innovate on current tools or existing tools to improve them and make them better. So we're really excited about this Meek Heavy project.

So I'm hoping that you all today learned more about OSTIF and what we do and see value in the work that we're doing. I highly recommend telling your organization about us and recommending that they get involved and donate to us. We are all essentially volunteers. We work for the cause, because we believe in the mission and the work that we're doing. So over 90% of all the funds that go into OSTIF go directly towards these projects and towards improving open source software.
We are heavily focused on transparency, so you can see exactly what work we're doing, the results of our work, how the money going into the organization is spent and where that goes. So you can feel good about where your contributions are going, which kind of ties back into what motivated us to start this organization: other organizations that were talking a big game about improving software and improving open source software essentially had zero transparency. You couldn't see what they were doing, what the results of their work were, and that kind of defeats the purpose, if you ask me. We're heavily committed to transparency and showing everybody the work that we do so they can feel good about the work that we're doing.

So in terms of working together, I ask that you all join the movement for better open source software. We have different sponsorship tiers for corporate sponsorship; to go over those really quickly: we have our Platinum sponsors, those are organizations that donate 120,000 plus annually, either in one payment or over monthly payments. That gets Steering Committee membership, which means you can actually help guide OSTIF and the work that we do and kind of the direction that we take and future projects and where we go next. Next would be Gold Membership, which is 25,000 plus annually or over monthly payments, as I mentioned, which gets recognition on published media. To kind of tie that back into Platinum sponsors, all of our work is released via audit reports. So these audit reports are published publicly for everyone to see, and we've seen that they get a significant amount of coverage, especially among the security communities, and so our top sponsors get recognition on those reports, so they get significant coverage as a result, showing that they are participating in improving open source software.
Another perk of Gold Membership is what's called Advisory Council membership, which is essentially a direct line to the OSTIF board to kind of help guide us as well and help us with our work. Lastly, we have Silver and Bronze, which gets shout outs on social media and allows you to support a great cause. You can also follow us on Twitter, we're @ostifofficial, and our website is https://ostif.org, which is where we maintain our transparency blog, again to go into the transparency part of it. We keep everyone abreast of the work that we're doing and everything that's both happening now and coming up in the future, so you can always be up to date on what we're working on, as well as view all of our previous audit reports and a lot of the work that we're doing there and the different individuals and organizations that we've been able to bring together to improve open source software.

Yeah, and so again, I'm really hoping that you're all feeling empowered today as a result of this talk, because I firmly believe that we as individuals have a lot of power; we essentially are the masters of our own world and have the ability to believe what we want and think how we please, and as a result, we influence those around us, our friends, our families, our coworkers, and there really is a lot of power in that, especially when people come together to support great causes and to do impactful work that's really gonna benefit everybody. And so I'm really hoping that you feel empowered and you get involved. Every bit helps. We are on Amazon Smile as well, in which Amazon donates a small portion of your Amazon purchases, which if you're like essentially everyone nowadays, I know you all buy all your stuff on Amazon now. So it's the easiest way to support OSTIF because you literally have to do zero work.
Just go to smile.amazon.com and choose OSTIF as the organization you'd like to support, and we get a small portion of all of your Amazon purchases. Another way you can get involved is personally, again, tell your organization about us, spread the word. If you have any questions, as Diego mentioned, I'm gonna be at the table up here for a little bit. So I'd love for you guys to come over, let's have a discussion, let's talk about how we could work together and increase our impact on open source software and securing the technology that we essentially all rely on. And I'd be happy to take your questions over there. I just wanna thank everybody again. I wanna thank Justin and Sarang and everybody from the Monero Research Lab and the Monero community that helped make this happen. And I wanna thank you all today for being here. I know I'm done a couple minutes early, but that gives you some time to freshen up, get some coffee or water or something. But again, thank you guys so much today. I really appreciate you all being here. Thank you DEF CON and everybody and the Monero Village. And yeah, I look forward to talking to you all, and yeah, have a great rest of your day. Thank you.