Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Community contribution: joining forces or multiply solutions?

Published: 2018-11-11
Last Updated: 2018-11-11 14:29:44 UTC
by Pasquale Stirparo (Version: 2)
1 comment(s)

Today’s diary will be less technical than usual, and more “philosophical” let’s say (because, why not, we need those too :)) Last week I shared a thought on twitter, saying that sometimes I wish in our community we would stop “reinventing the wheel” by developing yet another FOSS tool that solves the same problem, instead of joining forces and build fewer but better and longer term solutions. This generated few interesting conversations both online and offline.

Please keep in mind that, for me, there is no right and wrong side on this, I think both have valid arguments, but nevertheless I felt I would like to hear more you about this, since it’s a topic that I hear in more and more often into, and of course the “dream” of one day seeing this happen. There are several ways to contribute in our community:

  1. Write a full fledged tool/framework that solves one or more problems (e.g. Metasploit [1], plaso [2], MISP [3], Viper [4], TheHive [5], YETI [6], Volatility [7], etc.). This is something you definitely need be capable of to do, and not everybody is able to (I’m certainly one of those who is not).
  2. Write scripts / smaller solutions that solve one specific problem (yours or someone else’s). These is extremely useful because you solved a specific problem, and even if this is yet another command someone may need to run, maybe someone else will pick it up and integrate that functionality into a bigger framework.
  3. Use and test tools written by other, and report bugs as thoroughly documented as possible. Now, this and the next point are largely underestimated. Submitting bugs to the author(s) of a tool is super useful and super important for the continuous improvement of such tool. Also, the author(s) could never run into all possible use cases, therefore some bugs will show up and be fixed only if you all report them. Please, do it!
  4. So many ways to contribute without the need to know/wanting to code, some examples:
    • Write/update documentations for tools you use.There is an extreme lack of (updated) documentation, and I cannot stress enough how important such contribution would be. Tools author(s) are often (and understandably so) very busy keeping up fixing bug and implementing new features, and documentation is not the obvious priority. So one way to give back would be by doing so. And we all would be extremely thankful to you.
    • Contribute to projects where there is actually no code to write, but rather collect, centralize and organize information such as ForensicArtifacts [8] or mac4n6 Artifacts Project [9][10] (shameless plug, I know, but I think it’s a good use case for this). All you need to do for the two above examples is to share artifacts location you have found across your investigations.
    • Etc.
  5. You name it… so many ways (no more excuses not to contribute).

The focus of my original thought is mostly on the first of the above points. There are not too many people (compared to the overall size of the community) able to code at such level, and sometimes seeing the fragmentation of big good projects which overlap 80-90% in functionalities makes me wonder of the potential those developers could reach if joining forces on the same project.

I totally agree, it’s not easy, and motivations to do so are as valid on both sides. The most common initial reason I hear is “well, none of the tools out there covered all my needs, so I (we) decided to write it from scratch.”. Fair point. However, is it really worthy to do so instead of bringing in those 10-20% new features you need into the existing project?

Some people feel like writing it in a different language would boost performance and longer term maintenance/development, or simply are good at a different language, and this would go against the author(s) of the original tool. Some other want to have the control of the long term development, and you definitely have if you own the tool. Still others advocate for more diversity, I definitely do agree that diversity (as always and in every context) is good. Having multiple solutions which can help you double check your findings is great (never blindly trust one source only). But is too much diversity in tooling still good?

As I wrote on twitter, this is a dream, I’m aware of it. But whether you are one of those gifted who can Code or not, I would love to hear your opinion.

One final message: clearly, you do not need to know how to code to contribute to FOSS projects. Pick one and start contributing today!

Happy Hunting,
Pasquale

References:
[1] - Metasploit, https://github.com/rapid7/metasploit-framework
[2] - plaso, https://github.com/log2timeline/plaso
[3] - MISP, https://github.com/MISP/MISP
[4] - Viper, https://github.com/viper-framework/viper
[5] - TheHive, https://github.com/TheHive-Project/TheHive
[6] - YETI, https://github.com/yeti-platform/yeti
[7] - Volatility, https://github.com/volatilityfoundation/volatility
[8] - ForensicArtifacts, https://github.com/ForensicArtifacts/artifacts
[9] - mac4n6 Artifacts Project, https://github.com/pstirparo/mac4n6
[10] - mac4n6 Artifacts Project, https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=1317205466

---

Pasquale Stirparo, @pstirparo

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Video: CyberChef: BASE64/XOR Recipe
Nov 10th 2018
2 days ago by DidierStevens (0 comments)

Playing with T-POT
Nov 9th 2018
3 days ago by Tom (3 comments)

Tunneling scanners (or really anything) over SSH
Nov 7th 2018
5 days ago by Bojan (3 comments)

Malicious Powershell Script Dissection
Nov 6th 2018
6 days ago by Xme (0 comments)

Struts 2.3 Vulnerable to Two Year old File Upload Flaw
Nov 5th 2018
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Mobile Forensics tools - suggestions?
created Oct 8th 2018
1 month ago by Gary (0 replies)

issues with webpy service
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Pi Honeypot
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
2 months ago by W60 (0 replies)

SSL Labs vs. SecurityHeaders.io
created Sep 7th 2018
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
10 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)