
yes awesome all right hello BSides uh this is the slings and arrows of open source security um I'm Tod and that's Thomas Thomas I work on work on you may heard it you on open wi too so yeah that's us yeah
so yeah I don't have a funny name on the Internet anymore uh also I've been recently promoted uh to vulnerability manager for Rapid7 as well so if you have bugs and or or.com and you will probably talk to me uh so we do both inbound and outbound um I'm also Network D and I love open security and that's what we're going to talk about today so why open source um yeah for for me I want to share the stuff I was making I want to share the knowledge so that people could know how how stuff is done and uh I also wanted to share the code so everybody can see the code improve it help us
improve uh and that kind of stuff so and I love open source security because I want to spill all the beans um security like as an industry I don't know if you've noticed uh is somewhat obsessed with secrets um we still have to deal with secrets in open source security as well but usually on a very shorten timeline um and and not and I'm not just talking about like vulnerabilities and exploits and 0day and all that stuff but even stuff like stuff that Thomas does was at one point considered somewhat secret it's a little bit of a black art when doing things like IDS or forensics or really anything involving security there's this like component of of mysticism involved uh at
least from the perspective of non-security people and so I think open source is really powerful is is a powerful way to uh bring that out kind of into the open you can attract you know maybe perhaps not full-time security people to like look at your stuff and uh in in Metasploit in particular because we deal with vulnerabilities all the time we also in open source um we can have we can devote the whole next hour talking about disclosure if you want because that's such an exciting conversation uh no um basically uh we practice all of this uh I kind of lean if I have the choice I will lean towards the last which is reasonable disclosure uh which is
basically responsible disclosure but I'd say what the timeline is um um and the timeline is not measured in hours uh we tend to do I I like 60 days I think anybody can do anything in 60 days like K patch out customers whatever um yeah we can talk more about that if you want but probably not um the main problem I see uh with open source security today at least in terms of like vulnerabilities is any
it yeah Mar are supposed to be reliable there we go okay perfect uh is the corrupting influence of money uh on vulnerabilities um if you just Google for something like e zero day economics uh you'll find pretty much the position paper on on uh paying paying for 0day uh personally I'm not going to you know dictate we can also have that boring conversation if you want um but I'm not going to you know stand here and tell you like you should never sell your 0day uh go ahead sell it all you want um I am generally I don't have a problem with like Microsoft's Bounty programs Google Bounty program book spending program because generally these guys are buying
bugs to fix them right um if you have information to the contrary on these then please by all means speak up because it's an open world um but these guys at least advertise that they're buying these bugs in order to make the world a better place um there are people who are not buying these bugs to make a world a better place they're using them for uh for Sig as has been revealed many many many times uh I don't think it's a huge surprise to anybody that or that buy bugs to exploit them and kind of more cowardly organizations that buy bugs to you know kind of sash them so they never have to deal with them um you
can you can kind of consider like litigation as a form of buying bugs too because they're just pay lawyers instead of you which doubly sucks um so I think disclosure is really important um just because when there are unpatched bugs out in the world uh it's it makes the internet less useful and I like the Internet it's my people yeah uh sure um when you're working in open source security uh I think you have more you're you're more likely to run into trouble um than in say like working on just some regular open non-security open source software like some you know JavaScript framework is we need more um never get love the um it's super easy
to get yourself in trouble with the press when you are talking to press and you say words like yeah I um you know I can I found this vulnerability out on the internet on 30,000 machines like the follow-up question is how did you find that out and then you get into this whole like port scanning is not a crime conversation uh and hey it turns out sometimes it is it doesn't matter hey CFAA um yeah some for some people port scanning is a crime um it can be a crime uh and so that's your first mistake is that you just admitted a crime in the press uh using your because like I said I have no funny name uh have a funny
name that helps um you can run into the trouble with the law um in the US and outside the US like we infosec security or infosec is somewhat concentrated you know in EUR us Western Europe stuff like that um there are big swaths of the world where like but uh what we do here is illegal period um there are big chunks of Africa where this is super not cool like if you're writing say like a reasonable secure proxy software say as an open source security project uh don't deploy this in Ethiopia because the Ethiopian government will mess you up uh they have a uh a monopoly ISP uh model uh they're very interested in what all
the traffic is coming in and out and you to evade that uh you get knocks on your door pretty quick so you should be aware like generally of your legal framework that you're operating in um and you should be aware that I'm not a lawyer and none of this constitutes uh legal advice please don't sue me from that this and that's it so um and I don't know like there there are a lot of ambiguities there are some state statutes in the US that can describe things like teaching criminal behavior is a crime and that's and the language is so um you know there's there was something recently passed I think it was passed in Texas where I'm at um where yeah
uh something about like hacking for any benefit and benefit could be defined as like LOLs uh you know um which is now like more criminal um you know accessing accessing computers that you don't have authorization to access but yet you can never find out what that authorization is you know it's it's there's a whole pile of stuff to get in trouble with uh with this so just you know kind of go into whatever your open source security project is with your eyes open that's all just don't like this computer you don't you're not allowed to and good luck finding out you're allowed to you not allowed to access we I something I a few few years ago
when I was giving a training BR on Wi-Fi cracking I was told that um the computer crime unit in B was there was of training so they asked me to then not to hack the other access point I guess they wanted to make sure that we're not going to access the other access
points so I'm going to talk about a little bit how to create a successful project and different steps involved in there and different that's that can happen to you uh you have to pick a project you can go to a hackerspace to see what's going on can go to conventions uh make sure that's something doable uh like not I'm going to crack that whole big thing that takes ages T yeah yeah one fun in AES and so uh make sure it's not illegal I've seen a couple of months ago like gu had a project of scanning the whole internet or something unfortunately don't compion
to yeah if you do have Pest and yet you have authorization to to do stuff uh you can contribute to some project that you find online on GitHub and stuff uh make sure that you're interested so if you're not interested and you want to create your own project that's not going to last very long and you have to be very passionate about what you do if you not in a few few months later you're going to drop a project you won't have time because it's kind of it takes a long time a lot of time to work on that so to run a project here we have a few different things that you need uh
you need a hosting there are some free stuff and Assembla if you still want to use Trac and stuff SourceForge still pretty good CodePlex from Microsoft and I've heard couple more so lots of different stuff I think it's Bitbucket yeah B Bitbucket is a like competitor basically Victorious um thanks i' I have some stuff on SourceForge um still and it's not
bad's I hear great things about
you open project can request a free license and have a bunch of uh plugins that you can add have online stuff that's pretty nice uh or you can roll your own stuff uh which is based on your needs so you can install whatever you want it can be more convenient uh but that means do means how to do maintenance yourself and that thing takes a long time I spend way too much time on managing servers updating stuff updating all the different I have the Forum the wi track uh I see if beb that to rain and stuff so and it can become expensive since you have to sometimes get your own server is expensive uh another fun stuff um since
you're doing security you are a target people are going to try to hack you uh cybersquatting on domains so for that domains pretty make sure to grab uh small modifications of your name Dash I took W and we have Das NETCOM B info Etc doain you cing right now on I own.com is the real one don't it just it's for professional it's for it's only for professional you're going to get DoS or DDoS I had that a while ago uh basically the provider that was giving me one giving me was paying for that g me the BB at 2ab a month so it should have been more than enough unfortunately the way it counts the
traffic is that when you request the file start downloading it it counts the am the size of the file as taken even though even if you stop downloading it so a nice day guy in Spain made a script or something and to the whole B to asked me to pay for money to get my back before the end of the month that was not fun I'm glad the community was there to help so I posted something on my blog say hey guys could you help me to to get a website back and I was surprised I got a lot of help and even more to continue paying for hosting for a few more months very
nice uh just on the on the DoS we had a we had a pretty nice DoS attack on us uh a few years ago um one dude uh decided that they wanted to just like straight up SYN flood us uh but they were SYN flooding if they were SYN flooding and uh track like how that was working and they were going by uh DNS we control the DNS so okay you want to send CL med.com well that's great med.com is going you uh and then that went away because it was he was DoSing himself forever um and so that only took like a day so men.com was down for like a day you'll see like in the uh in the the
open network stats like you'll see like that for one day that was that so yeah I mean you if you're in the but that's the thing right like if you're in the security space you you should probably know how to deal with this um you're you're doing open source security anyway you probably know a couple guys even if you don't know everything about everything like which nobody does you probably know somebody who know something about what you're doing so you can get good advice like that so oh yeah one more thing do backups even if you even if they say we have backups for a month I've got the Forum that was hosted on a
cloud system from from my provider fortunately that thing stopped I couldn't access that thing anymore and because they were doing maintenance they were not allowing to reboot anymore so they stop it and to data MySQL data for was on the this that was not stored so whenever I turn out the machine everything disappear so make sure you have backups and now they won't let me access that machine anymore they were supposed to give me access uh last month so I can receive an old backup from a year ago I'm still waiting for them I'm going to B them next week so development uh you going have fun with licensing um make sure to deal with that it's B
something very boring as a developer I don't care I want to make code I don't care about licensing I want to get my stuff out but the thing is you would need a license or if you don't do that you would end up having running to trouble uh I had something some issues with the dbm licensing because some of the files didn't have a license so they asked me to to get license to make sure that all that code was GPL BSD fortunately there is one guy that is that going to contact anymore because is worked on that like six or six or seven years ago it started way before that so eight years ago so I have
no idea where that was the only contact I had was on the next number Forum it was a correct guy and uh I never I was never able to contact him I guess we fig out was public domain or GPL since he contributed to GPL make sure to pick a license TP is good I like it very much for I
do for light BD is much more simpler I'm not a lawyer like I said before and neither are you uh probably no cool almost good so what so what's the best license so almost legal advice no idea know you're there um but this is a lovely website it's from uh the GitHub guys from like two weeks ago I think it launched um it's a pretty it's a really good overview like it's another one of these like overview in human language you know not legal of the features of all the license of all all your more likely licenses so you'll have GPL for certain things and BSD for other things I like BSD because I don't want to put any
restrictions on you because I'm big old anarchist you should be too um a the Apache License everything so super great site check it out so for the codes uh make sure to use standard tools use libraries don't reinvent the wheel that takes uh yeah comment your code uh you're going to regret it if you don't do that like five or six years later saying what the hell did I do here why did you do this thing that looks like crap so make sure to com something isual just give big steps so I guess you guys know uh use source control it's very useful use comments when you commit I remember a company I was at use
uh Microsoft sa safe you can use that that's I hate it um and the guys were using that like a hard disk so basically you have to check out all the files when you work on it so some there's no way two people can work on on the same files it's kind of hard and I when just oh at the end of the day com to all my f no comment so go figure out what what they do what they did so methodologies uh depending on how how you work if you work in a company uh methodologies yes you should use them if you are on your own well that's going to be kind of hard to follow
some make sure to keep developing your stuff so if you don't people are going to lose interest they not going to use your project anymore program like uh we've been using qu guys heard zebra PFD btpd so it does that stuff so people don't remember projects if they if you haven't worked on it so kind of as a fo to that like a special I I don't know if this is a specially security because I'm mostly security guy I'm not really much of a software engineer by um in security we have this have conference with right like you develop a thing for a month right around cfp time and then you like fix all the bugs like
a week to an hour before your talk uh you might get some commits in there afterwards and then you're done you're done forever uh this like so please please don't do that um if you're going to do that like that's that's cool and everything just make your license like super open so someone else can pick it up if it's at all interesting um but yeah I mean that's that seems to me at least it seems kind of inmic inity so that's my big quality trael so open source means everybody can see it uh that means uh potential future employers so make sure you do it one since you have a lot of time to do it uh you might don't get
it know know the language at first so just do it and then you can rewrite the code sometime later uh make versions then because we I keep developing so keep releasing people are going to forget sometimes people just follow the project for just a version uh and not the subversion I have a lot lot of comments on the subversion and not many releases I haven't had a release in like three years and I released a few few months ago release often you always want to perfect it to make sure that everything is is right but sometimes you you have to make a release so that people can try it there are some people that will use uh the
code in subversion but most of the bug reports you're going to have is when you do a release people are going to test that yeah let's let's talk about QA for a little bit shall we um in yes in in security software uh in general um there is a surprising of um the QA software well sure uh but I think it's more insecurity because like the the cadence me and my my counterpart by the way from right there we talk about this constantly um the uh the uh the cadence for your typical security project is okay I have my discovery I need to pocket out super fast so I can confence um or exploit the bug because
I'm on I'm on site cont tester and I'm you know banging out my my code works for me uh so I'm going to publish and move on and that's it that's the that's being the end no testing no QA no nothing uh if you do that you will you will regret something uh later because you might not notice it at first uh but you'll notice it later especially like three months from youuu when you try to do the same thing like what um so staying testable is like we uh talked about before uh commenting um continuous integration is totally a thing um and we use continuous integration on Metasploit we use Travis CI it's open source it's great like every Git
commit it runs through the standard set of tests now if you haven't written any tests you're going to pass um if you write one test say like did it crash like you'll probably hopefully pass but hey if that one doesn't pass then hey it's better than nothing right it's pretty easy to write you just have to add the the that's Y in in your project root and register to Travis and link into your project and that's very very easy I have one for we think all to to get and we use Travis to St so.org you see any declining contributions when you started imposing these sorts of uh software engineering so that was you know that's that's a
it's a fear that you're going to chase away everybody um not really like now partly you know we're kind of popular I mean people have heard of it um yeah but yeah yeah I mean it gets some use uh on but on the other end um yeah I mean you're going to get rid of some people like some people are say like screw this I I I ain't got time for testing nobody got for that um but then you're going to attract in you know like people who might have more software engineering background they might not be so much security guys uh but that's great because now you have it's it's a teachable moment for them and a
teachable moment for you like you'll learn some engineering practices they'll learn like how to and if you don't like Travis you can always have Buildbot so you install Python script I used to have that is very nice you that on a few different machines and you see waterfall with all the compiling stuff you can even do testing with it on some machines sometime G to see stuff that fails I was surprised that something that works on on one machine on one distribution doesn't work on the other hey so yeah turns out this different distributions are different and yeah you have Windows that's thing you have Mac that's right yeah yeah so like just do the job you don't have any of these
problems yeah
go uh what's obvious for you is not for yours uh your code well that's obvious for you it works you know you know it but it's not really with the others so make sure to comment it and explain how how your stuff work if you don't explain how your stuff work nobody's going to use it you're not going to have any community around it uh read the code is I said people not everybody knows how to how to read code sometimes the code is not readable yeah and um you have two documents uh supported you have I you have free which is completely free for any open project register your Forum register you can
even have a custom cloak so that people don't see your IP address and don't try to yeah it's pretty nice you can that to contributors and other people who have with the project uh email sometimes you might want to support over email depends what you want to do uh yeah the so and I have a URL all the things um I take my marching orders for documentation from a book called producing open source software it's kind of like an orangey red book super super great um by I'm going to say and it's it's mostly like the the subversion story it's like hown came to be um the the stricture in or the uh the prescription in there is
uh you want to have you want to be fascist about referring to your else like have a FAQ obviously but when people are asking questions that you might not have had a FAQ for but you remember because you know you have this giant brain that Social Security fine um you remember from two months ago there was some email conversation like that refer to that because you're going to have your email all archived this gets harder for IRC IRC is much more ephemeral and it's it's somewhat uhe have a bot we have a bot in the channel so for the common things that people ask frequently ask questions drivers and stuff we have a question mark and most
of people know that thing so it's very nice so you don't have to repeat yourself and try to remember check Che your Che theil right now our B
is users aren't devs but sometimes are criminal um yeah so when you're in I think we touched on this a little bit earlier not only is what you're doing possibly illegal in some jurisdiction somewhere um but someone's end use of your thing may be illegal in jurisdiction somewhere and conspiracy charges are a thing so uh if you have some many asking you it's like hey I am having a real hard time you know circumventing the firewall on this IP address using your you know awesome firewall circumvention tool that you wrote goers yeah don't say yeah don't say oh hey let me help you with that and they give you the IP address and then like of course you caners and
it's like some like giant bank in Brazil you may want to like think about how much want to help the dude um you know yes I'm not standing in Brazil but do you really want to be enabling criminals generally when these kind of questions come up like far too often on the Metasploit uh mailing lists uh we politely and sometimes less politely say listen dude this is for penetration testers uh you really shouldn't be publishing your clients IP space here you know let them know that you're not going to talk um in other cases huh oh it's not my client yeah no no I'm totally robbing this dude I mean no literally I mean this happens way more
often than you would expect um we've had we've had guys come up in the channel in email in plus like just harassing us and harassing us to like hey I'm trying to get some help on writing some malware can you help me and by the way I'm from this like organization that is unfriendly to the United States is that is that cool with you no um yeah yeah don't engage in these guys because hey you know how the FBI like uh catches terrorists they terrorists yeah we even have rules for IRC and stuff so when people know not to hack other other people access point and stuff but sometime we still got people who don't Fe don't
care I don't need to read and you can cop them is pretty good Bas if you start your project so do not hack something that doesn't to you I don't support anybody would ask you to do that even if it's really friendly yeah even if it's really friendly and like because I'm going to give you money I mean you're you're working in open source right so right yeah I'll give you money you need money everybody want money I like money too um everybody like you're working in open source you're clearly person already right um but you really like I mean this a serious business right um You need to uh just go with your guys if something
feels wrong it's probably wrong I mean this is like you know how the mob stays out of jail and how you'll stay out of jail and know which is nice is that users people on the for on IC start to know uh contributors start to know that and that others and now we surpris from time to time I see theer people that have never been there just supposed maybe one times told another guy hey what you're doing is not it's not your AC for you can do that so I guess pry nice um well you have to talk about it so you can go to hacker space it's a very small audience uh sometimes I've been to
hacker space talking about Bitcoins uh there was like maybe eight people in the audience that was pretty nice and it allows you to get you interest so see how your confence go how how you talk is going to go and you can get feedback since there not that many people and uh sometimes they need a bio and abstract but depending most of the time they won't need that so feel free you can present the presentation more than welcome there there's a DEF CON groups all over the US there's even some in Europe there's one in London country yeah Google your city hackers and you're going to find like organizations that just different groups uh hacker space just Google hacker space
and your state name I'm pretty sure you're going to find one if not just Google next big city next uh you can go to conventions um they require a bio, abstract so you have to talk a little bit small paragraph about you and a small paragraph about what you're going to talk about uh you go to a selection so you might not get selected don't be offended they get a lot of people asking to to talk uh sometimes I don't have enough slots I'm sorry dude we we don't have time to to add you but don't feel offended you can always try other conventions lots of them besides they really nice next to like um sometimes they can Headway
travel and lodging if you really need it uh smaller con won't do that bigger like DEF CON I don't know if does it um Black Hat does it but I think they require you to talk at least for a full hour to to get access to a convention uh you have access to of course um but us that means you're speaking so make sure you do a good presentation don't do something that scrap so if you do something like that you might not uh they might not let you talk anymore and people in conventions have connection in other conventions so make sure to that you really want to talk and that you don't do a good job
with last minute installation happy about that so try to find some somebody last minute uh I've seen that happen in uh at a convention and the guy is not really welcome anymore to to speak there so unless you have a good atq somebody died in the family or baby on the way presentation you have to prepare and practice lots uh don't be stressed uh a stress presenter mean that the is going to West so practice imagine that you're talking to your friend and that you're presenting some stuff to your friend great and make sure your stuff is ready when present unfortunately that my gu it was to be reliable I had everything ready uh and be careful when joking I
remember uh I was uh at school uh I was on doing internship I to present what I did during that those four months of the internship before I got my degree and uh all the people that were um taking care of the different student that came to the company were there so there was like 10 uh 10 different companies and one guy tried to make a joke when I was presenting forun I didn't get the joke so it wasn't funny for him I don't know and if you if you ever want to make a joke during presentation yourself make sure that it's easy to anal it's not a technical joke or nobody's going to get
it points make sure to make to have something small just a few bullet points talk around the bullet points don't make a huge blow of text and read it if you if you do that just write something on the blog isn't worth it people are just going to read presentation enough follow just hold us leave or whatever the other ways I as I said you can use a Blog which blog is pretty nice you have time to prepare you can always change it if you see people telling you that say something wrong there wrong com line or something like that uh post news on your website that's very important so that people see that your project is
alive and it's not that and uh you can do YouTube screencast to present how you stuff work how to set it up that's very nice people love it people love screencast like you do screencast your amazing life especially if you have like lots of people dig that yeah explain to how to install your stuff that's the one of the most important thing and how to use it is a job yeah until it's also yeah for me kind of second one time job so after work only if you're wildly successful right even at the beginning you have to especially in the beginning you have to work a lot more so you're going to be exhausted most of the time long hours 16
hours day it's a lot of fun whatever um you can uh make a living with it but it will pretty much Tak a lot of time uh I don't make a living with it but I got a job thanks to it so that's very nice and job that I really love and check your company policy it might not allow you to create a new project or the project might belong to company so make sure to check that almost certainly so yeah you're going to want to get some kind of sign off yeah just go talk to your manager CEO if you know it yeah um and speaking of talking to management um you know if you can like
you can totally sell your open source project to your management I mean this is possible especially if you are really good at BP like this like I mean you need to achieve strategic synergies with proven client Centric open source methodologies that deliver results in ROI like you slip that in man it's magical they're like eyes light up like oh you're one of me you're one of my people so they want to know that their their money will get value return yeah like I know right I know but that's the thing right it's like I'm not a marketing guy I'm not a sales guy I'm not I'm not a BC I don't I'm an anarchist yeah yeah um but like if you
say ROI instead of like yo dude you're gonna make money like that will fly a lot better what's up before you write a lick of code go check all the laws because there are gazillion of them and nobody understands right yeah we talked about that a little bit earlier in the at the at the top of presentation I'm not a lawyer we here that also doesn't know almost almost I'm sorry don't no I'm talking about what you mean all the California laws if you're in California highly favor your employer so if you write anything I don't care if it's in your sleep no matter where you are right there is a very good chance your employer owns that and it's in
Texas tooon up in big trouble and if you're working for the government in any way you got to check all of that you have to check um your contracts the contracting law check all of that before you start releasing your yeah if you're not writing classifi law classified stuff to uh you have to check all of it
most of the stuff that we're going be working on is not going to be if it's space
related and if it's not in the law that it belongs to your company it's probably going to be on the contract anyway stuff to make you not want to do anything it's boring that's very important really have you just go to your employer and tell them that you're Mak this thing that doesn't provide them with business value sh sign thing says it's your for it i' a couple times yeah that's why you don't do any St switch too know what I think we 10 minutes 10 minutes yeah I think is 6:45 yeah 64 uh so once your pro gets known who things next uh you users make sure you listen to them uh there's a people who
use your project and use your stuff that thanks to them uh you're there so you wouldn't be there if there were using a project uh if you need help always ask that's what I did for example when I had a DS I did more money than what I had so I could use it for hosting a little bit longer and uh explain how to contribute it's very important people don't always know sometimes they have to sign up for bad sometime they don't there should should should I do that thing before should should I add a comment on top of the patch uh explain all those things that's obvious for you that might not be obvious for everybody
else uh the team uh you created the project you're the leader don't be a dictator uh you you see we still have the the last word but listen listen to your teammates yeah be nice to other people don't be a jerk uh and I be thankful for people that works with you uh works for you uh because most of the time also for them it's uh to do to doing after after the job so and um another thing you might want to consider is that sometimes there are life events that prevents people from contributing project I've had a few few guys that contributed quite a bit and somebody they couldn't because they had other stuff coming up
and uh don't expect anything I've got lots of people say hey I'm going to contribute I'm going to help you translate I'm going to help you doing some good and in the end you start working and they don't do anything so and just be happy when somebody actually does something if you're if you're expecting something some people when you give them a credential for contributing he would be very disappointed don't take a person I said don't become a jerk and uh you can become an expert but you can you will always sometimes be wrong I'm sometimes wrong and I prefer I want somebody to tell me that hey that that thing you said here is wrong I don't want to to keep
saying that same stuff all over every single time and keep being wrong looking like an idiot and uh he can write books uh training mys and stuff I did uh a training with offensive security uh Wu if you guys have heard about it uh you can go teach I'm doing that too work two times a year and you can get a job in your project field and that's a lot of fun since you like the project that's what you're passionate about uh that's probably what you want to get uh yeah and to kind of go along with like become an expert on your thing you want to you want to avoid specialization um this this is more in like kind of
components of your code if you have say a packet parsing library and you have like an IPv6 guy and anything having to do with the IPv6 stuff you just like kind of kick over to him I mean you have a couple problems here obviously you have single point of failure the bus factor um sometimes um but on top of that like you kind you kind of start developing these fiefs in your code base where people will feel either uncomfortable committing to that part of your a library because they're not that guy um that guy can start becoming a jerk and uh you know kind of dissuade people from contributing to my beloved chunk of code that is that is a
reflection of me as a human um yeah so you want to avoid kind of doing that obviously um because if you find yourself kind of down that road and I think it happens even in in like regular software projects all too often um you know kind of call it out and like get taught on like what this guy was thinking and or and how you could you could be you know a backup and like hey I would like to understand how all your you know IPv6 magic works because that stuff is freaking voodoo um you know because then you can just start teaching each other and now you have you've raised your bus factor this goes back to
testing it goes back to like accepting you know patches from people okay success uh everybody has to get his own you have to get your own definition of success uh it could be getting a job in a project field it could be doing what you like so your employer gives you the chance to to do to work on your project for like a few hours a month or a few hours a week uh speaking at convention you can write books about your your stuff books about squ yeah uh you can even create a business nut um you get yeah for some people success for some people it's not yeah you might want to keep keep your own stuff for you and
then not being inquired that's the thing right it's like different different definition some people are really that some people are not TR old problems yeah so what's next after that you have to keep going keep developing keep creating doing versions advertising for uh news and stuff you can go inspire people and uh be prepared to change and uh share your experience with others like we do
now you know uh you will learn a lot uh I learned a lot myself when doing the projects I've got lots of surprises some were less fun than others uh partnering is a key to success uh you might want sometimes to get the success for yourself but if you're partnering with people you're going to get more visibility and you're going to get both success and share that with people that's how you're going to be successful with your project even for a business uh and the words advantage on ra me uh so make sure it's good code and uh or if it's not good code start rewriting it post new hey I'm rewriting that thing I know that code it's a piece
of where that like two two or five years ago when I didn't know how to code um also never back then uh sometimes you're going to get hacked uh again people that going to deface your website uh it's going to happen uh you have been doing that thing for so long just keep doing it it's not it's just one small thing just don't stop at that um you can watch that video it was pretty good it was uh open embedded I think yeah it's an Intel like how how to like market um open source code both like externally and internally kind of back even if you know marketing it uh you might want to look at
it they they have very good points that are very useful for creating new projects yeah and by the way you don't have to like start the next the next big thing you you can contribute to um every open source project on Earth always wants more contributors uh security is no exception if you are a user of like for me like as a producer of open source software like I want like a certain percentage of my users to like graduate into at least bug reporters and of those guys I want to them into hey contributors that would be awesome um so that can be everybody yeah and cont contributing is not really about code you need documentation uh you're going
to need people to help during I heads when you're not there and stuff so it's not only about codes there even I I need people to to help me with a server stuff because I think takes lot of time there are a lot of people that are looking to head project but most of the contribution we know is codes yep at Metasploit we have we have about about 210 or so like historical people who have contributed to code um easily four times that people who have never committed but who have absolutely like been a part of success you know uh they've been teaching they've been writing doing step YouTube video know I mean it's great so like and you can do
that too like hey put on your resume like I'm involved in the whatever
project yeah get started um here are two projects to get started on that you can get on both websites and tabs can go back and forth you can have links to to both those and that's it thank you one question and one question only we can dig question outside yeah you can go to the Q&A room at the end of the hall perfect okay thank you all right zero questions