Hey everyone, thanks. We're back here after lunch in Austin. Well, after lunch for some of us; some of us still didn't eat lunch. But we're in Austin at the Linux Foundation open security summit, and I want to introduce you to a gentleman named Jonathan Leitschuh, and I'm really proud to say that Jonathan is the first recipient of the Dan Kaminsky Fellowship from the folks at HUMAN Security, which of course was Dan's company. And, you know, as someone who knew Dan for many, many years, I don't know, it's kind of bittersweet to tell. I got to be honest, it's a little bittersweet, you know. Unfortunately Dan passed away way, way, way too young, at 42. Yeah. But I'm glad to see, you know, his name carried on and someone doing good work. Anyway, Jonathan, welcome and thanks for joining us on TechStrong TV.

Absolutely.

So, well, let's kick this off. First, the Dan Kaminsky Fellowship. What is it?

So it was created after Dan's passing by HUMAN Security to commemorate Dan's memory, to allow an individual or group of individuals to do work in open source that, you know, does something good for the world and hopefully helps improve the security of the internet. Dan was well known for his kindness and his giving back to the community. He was also very well known for some of his really famous security research, like the DNS vulnerability that, you know, he silently fixed by spending, I think, a lot of his own time to go to every single vendor and say, "This is a massive vulnerability, let's get this fixed." And so to commemorate his memory, HUMAN created a fellowship to try to encourage and support someone going out into the world and making some positive change in the security of the internet.

So good. And congratulations to you for winning it, Jonathan. Just some way of background: we spoke a bit off-camera. You've been doing security research now for about four years, four plus years, three, four years.
Yeah, I found some whoppers, one of which was the Zoom vulnerability that came out.

It was during COVID, I remember.

No, no, this is the one the year before COVID.

Oh, the year before COVID. Yes, yes, yes. There was another one.

There was another one. Yeah, yeah, that was a couple of ones for COVID.

No, I know. No knock on Zoom; it can happen to anyone. Obviously during COVID they experienced ten years' worth of growth and ten years' worth of vulnerabilities in a week.

Yeah, yeah, a lot of people do.

Yeah, but anyway, you're also working with the Linux Foundation a little bit now, and why don't you tell our... Yeah, so, a little bit about that.

I've been very passionate about vulnerability disclosure. I do open-source security research. I find vulnerabilities. I'm not doing that very actively now. With the Dan Kaminsky Fellowship, I've pivoted slightly and I'm doing more finding widespread common security vulnerabilities and then generating thousands of pull requests to fix those vulnerabilities. But I have in the past, I have something like, I think 40 is low, I think I have more like... CVE numbers that I've had assigned for vulnerabilities that I've worked on, and so I have some experience with getting vulnerabilities found and fixed. And I'm also working with someone named Madison. She works at GitHub. She formerly worked at CERT at Carnegie Mellon, and there's some other people. Together we're working as a part of the Vulnerability Disclosure Working Group, as part of the Open Source Security Foundation Linux group, to come up with a guide for people who have found vulnerabilities, either with intention or accidentally, to help guide them through: okay, what is vulnerability disclosure? How do you do it? What are the norms? Not like, you know, you must do this, but like, these are the norms, and this is maybe some of the history as to why these norms exist. This is what coordinated vulnerability disclosure is.
This is what full disclosure is. This is why you might want to use these disclosure methodologies, you know. The suggestion that we're putting forward, at least I'm putting forward, is use coordinated vulnerability disclosure first. If that doesn't work, you know, here are some escalation patterns, or escalation paths, you can go down. If all else fails, full disclosure. At least it'll get the information out there into the world so that people know they need to mitigate this vulnerability or remove some vulnerable package or fix it in some way.

So look, our audience is pretty sophisticated.

Yep.

But for those of you who are not familiar with vulnerability disclosure protocol, right, the idea here, and you're an expert, correct me if I'm wrong, but I've been out doing this a long time: the idea here is, if you find a vulnerability and you want to just, you know, can't wait to tell the world that you as a researcher found a vulnerability, you probably compounded that vulnerability by a thousandfold by just announcing it and putting it out there in the public. Because now every bad guy in the world who maybe didn't know about that vulnerability is gonna say, "Oh, there's a vulnerability here. Let's find an exploit before these guys patch it." Yeah, so the concept of responsible vulnerability disclosure probably started in the early 2000s, maybe even before.

Yeah.

And basically back then it was much simpler than it is now, but basically back then it was the idea of, hey, let the owner of the code, the owner of, you know, whoever has the vulnerability, know about it. Give them a reasonable amount of time to get a fix out there, so that by the time this thing goes public or is announced publicly there is a fix in place and, you know, these newly announced vulnerabilities are not exploited.
Yep.

Now a lot of, you know, a funny thing happened on the way to the market, right? A lot of companies, you know, would stick their head in the sand when told about vulnerabilities.

Yes.

"I refuse to do anything," and they give a million-and-one excuses.

That's why the term responsible disclosure has been dropped from a lot of the common discourse and we've turned to the term coordinated vulnerability disclosure, because the researchers are saying... you know, a lot of maintainers are saying, "Well, it's responsible if you disclose to us and we're not going to give any information out," and the researchers are like, "No, that's not responsible." And so there's this whole, like, the word responsibility. And so coordinated vulnerability disclosure is the idea that researchers will come and say, "Here's a vulnerability. Here's a deadline that I'm going to disclose by. We should have a fix out by then, please. If you don't, okay, it's going to go public. You know, if you want to protect your users, you should work with me within this time frame." And Google Project Zero has a lot of statistics around that: when you have a fixed deadline for a coordinated vulnerability disclosure, it actually has a very positive impact around getting fixes done in a very condensed amount of time and actually getting those out to users.

With that being said, there are, you know, certain situations where they just can't get the fix done in time, and they'll work with the researcher, and so, okay, we're gonna wait 120 days instead of 90 or whatever it is, to give them time to get it out and get it out to the channel, so to speak. You know, and then of course there's the announcement of it. And then, you know, the good news is, over the years, this has become a little bit more...
I don't want to say codified, but normalized, which is healthy.

To be normalized... You run into a lot of bug bounty programs and a lot of vulnerability disclosure programs that still have NDAs associated with them, where they say if you disclose to our program you're not allowed to disclose unless you get permission from us. And that's been a difficulty, and that's one of the things that I am warning people about in this guide: if you're engaged in a vulnerability disclosure program or a bug bounty program where you found a vulnerability... Like, a lot of the times I find vulnerabilities unintentionally or intentionally, but I'm... There are a lot of bug bounty researchers or bug bounty hackers that look for programs that have money to do the disclosure, right? I'm going the other way. I'm looking for vulnerabilities and then saying, "I found a vulnerability. Here it is," right? But when you run into these programs, a lot of them have non-disclosure agreements and you have to get agreement from the maintainer to disclose, and you have to be really careful about that, because a lot of the times when I'm looking at vulnerabilities in open-source software you need a CVE number, you need disclosure, and so you have to articulate that potentially beforehand. You have to say to the person, "Hey, I'm not going to disclose this vulnerability to you under these terms. First you need to intentionally waive these terms for me before I'm willing to give you the details of the vulnerability," because you can set yourself up for potential legal issues, or if you're on Bugcrowd or HackerOne you can potentially get thrown off the platform, which means that you can't make money off of other research that you're doing, potentially. So there's a lot of pitfalls, and so communicating those pitfalls in these guides to make sure that people are making an informed decision about how they're doing vulnerability disclosure.

Let me just play devil's advocate.
Yes.

So the flip side of this is, if you speak to many maintainers and you say, "Hey man, what's the deal? The researcher found the bug. Fix it."

Yeah.

"You got 90 days. That's an eternity. Fix it."

Yep.

You know, their comeback to you is, "Well, he only really gave us, or they only gave us, 45 days," or "They threatened unless we give them an exorbitant amount of money." You know, that's extortion. That's called extortion.

Yes.

And that's, you know, in a nice way what they're saying. Or, you know, "This security researcher is so publicity-hounded..."

Yep.

"...that they just want to get it out there to get their name with it. They don't care about the security implications involved in doing the responsible disclosure or coordinated disclosure."

Yeah.

So, you know, Jonathan's presenting the security researcher side, but all I'm saying is, you know how life is. I've lived long enough to know that there's always a million sides to every story. There's the black, the white and the gray, and there's a lot of gray in between.

Yeah.

But the good news is, as we sit here today, it's a lot better than when I was coming up.

I mean, I've heard a lot of the stories from previous companies, and like, you do any security research and you just get chased by lawyers.

Right. Microsoft, everybody. They were really, really bad about that in the past, and it has seemingly got more normalized now. The DOJ, security researching... Yes, general security researchers went, you know, you were either a black hat, yeah, you were doing it for nefarious purposes, or you were a white hat, people saying, "What the hell are you doing for a living?" Yeah, right?
You know, what do you make money at? And so now you make a lot more money as a, right, is that, doing stuff for the good.

Yeah, you could be a white hat security researcher and make a living, and it's thanks to Dan and people like that, really, who made that possible. Watching one of his talks, he's, like, you know, talking about research and stuff like that, and he's like, "Can my hat be any more white?"

Yeah, he was one of the good guys with it.

I mean, because back then, like with the DNS thing, he literally had to go after all these vendors and say, "Please, please, please." He said, I think he said... So I went to, the DEF CON group held a funeral for him, and somebody told a story about, like, somebody asked him, like, "What would you do if you found another one of those types of vulnerability?" He said, "I wish, I hope, I know," he said, "I hope I never do," because it was so much work, right? Because he did the... not that he would... he would have done the work again, I think, but he has, like, it was broke. Well...

Yeah, he felt a moral obligation to work.

Yeah, and so he was like, "I just hope I don't find another one like that," because it's a lot of work. It's a lot of work to do that sort of coordination, and though I think it would be easier today than it was.

Oh, absolutely. I think so. Yeah.

Yeah, I mean, I don't think... I could be wrong, but it was back in 2008. They were still CERT, and a lot of those things either didn't exist or were very early in their maturity and stuff.

I think it might have been earlier.

It was, yeah, it was around '08. I'm gonna... All right. Yeah, StillSecure. Yeah, that was when DEF CON, the, I think that was the year, I could be completely wrong. I think it was around '08. Yeah.

So, yeah, StillSecure is a company I co-founded. I left in '08, don't mind, after DEF CON that summer. Yeah, it's around that. Yeah. Anyway, I wanted to go back to what you do with the Linux Foundation.
Yes, you work with a bunch of folks and orgs.

Yeah, so, primarily the work that I'm... I'm attending a lot of the different meetings, the other interesting discussions that are going on. I've been particularly passionate about security of repositories, the repository security. I formerly worked for Gradle, and Gradle is a build tool used to build 90... it's used to build 50% of all Java applications and 99% of all Android applications. So if you have an Android device, you are... well, you're not running Gradle, but the app that's running on your phone got there because Gradle was used to build it. And so I've been very passionate about the security of the supply chain and vulnerabilities in that area, and I've been kind of hoping for a group to come together to discuss the security and the risks and, like, hopefully long-term sharing threat intel around these things in this space. And so I'm really glad to see that there's finally a, like, a grounding, broad place for, like, in our community circle, for these conversations to, like, finally come together and have discussions around, you know, what are the things that we're doing to secure these things? What are the good, like, controls that we can put into place to protect our end users and protect the supply chain that, like, is feeding, you know, multi-billion-dollar companies and, you know, small projects, right? Like, how do we protect this stuff, right? And Gradle is used to build Signal, right, which is a very important, like, security app, right? Like, so how do we protect all these things? And so I'm really glad to see that these conversations are finally happening. I know it's a long time coming.

Yeah. Anyway, hey Jonathan, we're probably way over time and I know you're supposed to get lunch.

Lunch, yeah.

I'm gonna let you go eat. Yeah, congratulations. Thank you. Be proud. Thank you. Keep up the great work and stay in touch.