Feb 26, 2013

the 5by5 race is on

At BruCON 2012 we announced that we launched our 5by5 project, where we were looking forward to seeing submissions coming in from individuals or groups that we could support to drive or speed up development. With a budget of €25000 we could support 5 projects with up to €5000 each, and here we are today, ready to support the following projects:

1. OWASP OWTF (Abraham Aranguren)

More details on the Offensive Web Testing Framework can be found here : https://www.owasp.org/index.php/OWASP_OWTF

2. The Cloudbug Project (Carlos Garcia Prado)

The Windows OS integrates a mechanism to report technical information when a program crashes. This information is pretty useless to a normal user, and the crash is going to happen anyway, so why not do something useful with it?

By installing a small, non-intrusive program (it will only kick in if another program crashes), the users will be reporting anonymous information about the state of the application at the time of the crash. This information is invaluable to security researchers in order to find software flaws that could indicate critical security issues.

Data mining and reverse engineering will be performed on the submissions pool. The vulnerabilities found will be reported to the corresponding vendors for fixing.

3. A tool a month (Robin Wood)

Over the last few years I've created and publicly released over 30 free open source tools. Almost all of these have been done in my spare time without any kind of monetary backing. I'm happy doing this as I enjoy creating new tools but doing it this way means that paid work comes first and so good ideas often get delayed or forgotten about.

If I were selected for the project I would use the money to take time off client-paid work and build a selection of tools for the community. BruCON is at the end of September, which gives about 10 months from selection date to conference, so I propose to write/publish a tool a month each month leading up to the event. The tools would not be huge Metasploit-sized projects, more along the lines of CeWL [1] or Pipal [2].

I have a bunch of ideas but would like to see what the community needs, so I think I'd like to have 5 tools that I've thought up, then open the other 5 up to community submissions. I'm sure there are plenty of people out there who would like to automate a task or have an idea they don't have the skills to program themselves.

4. Eccentric Authentication (Guido Witmond)

Eccentric Authentication (Ecca) is a protocol to replace password authentication with client certificates. By doing so we can:
  • make it easier to login and log out of web sites;
  • make it anonymous; you can sign up to site without providing any details that would tie the account to your person;
  • make communication more secure; with certificates, people can send encrypted and signed messages securely without revealing their identities. Ideal for a dating site;
  • make it possible to bootstrap other communication protocols securely.
If applied correctly, Ecca would take us out of the cryptographic bronze age into the silver age. From there we might lift ourselves into the golden age.
