
Securing Change: Call for Volunteers

BSides Boston · 2013 · 22:04 · 133 views · Published 2013-06
Speaker: Oliver Day
Category: Community
Style: Talk
About this talk
Oliver Day presents Securing Change, a non-profit founded to provide digital security services to non-governmental organizations and activist groups operating under extreme resource constraints. The talk covers the organization's pro-bono and pay-what-you-can service model, current volunteer opportunities in security scanning and incident response, and planned initiatives including automated website mirroring and a collective security operations center for log analysis across multiple organizations.
Original YouTube description:
"Securing Change Call For Volunteers" with Oliver Day at Security BSides Boston 2013 in Cambridge, MA.
All video links are available at http://www.bsidesboston.org and http://bit.ly/BSidesBOS
Twitter: https://twitter.com/bsidesboston
Website, Biographies & Agenda: http://www.bsidesboston.org http://www.securitybsides.com/w/page/12194141/BSidesBoston http://bit.ly/BSidesBOS
Don't forget to follow us on Twitter at @bsidesboston or tweet to us about the event using #bsidesbos
Video created and edited by Peter Larson (c) 2013 http://vimeo.com/user4206417
Posted by Roy of Security BSides Boston 2013 Team
Transcript (en)

hello

So, hi, my name is Oliver Day. I founded a non-profit recently called Securing Change, and today I'm going to walk you through where we've been, where we've come from, what we're going to do in the future, and talk to you about some of our future projects and volunteer opportunities, which is why I'm glad there are so many people in this room.

All right, so Securing Change has a mission to provide digital security to agents of change. "Agents of change" is a term that I borrowed from Peter Drucker, and Drucker wrote about non-profits as entities that are trying to make the world a better place. Now, this is in contrast to a for-profit, whose only goal is to maximize shareholder value. Now, if you look at the IRS, they've got at least a million different non-profits registered. A fraction of those have an operational budget that is over a hundred thousand dollars. Now, that hundred thousand dollars has to cover their rent, their salary, their infrastructure, any software, hardware, and most of them can barely afford the first three of those things. So enter Securing Change, right? This is why we're here: we want to help those guys with security because they cannot afford it.

If you followed Wendy Nather, she has a term called the security poverty line, right? And that is: to have a decent security defense you need to have a certain set of core technologies purchased, configured, and operated by staff, and if you don't have this certain dollar figure, and I think for her it was like a thousand-person organization, and it was around like fifty thousand dollars, so maybe for smaller non-profits that number is going to be a little bit lower. But all the same, most of these guys barely have an IT budget and their security budget is zero. So this is what we're trying to work with: people that have a security budget of zero but have just as many adversaries as Fortune 500 companies. So in essence we're trying to lower that security poverty line by offering solutions and services that are going to be in this price range.

So we have a different type of revenue model. Our revenue model is pay what you can. Now, you might as an organization only be able to afford zero dollars. That's fine, we can work with that, we're more than happy to do pro bono work. Most of my directors are trying to convince me of this other side, which is we can't actually charge some people some amount of money, because if you look at Form 990s, which is what non-profits have to file with the IRS every year, some non-profit executives make upwards of three hundred thousand dollars a year. It's a very small fraction, but they do exist. So for those guys I think we can still charge some amount of money, and for those of you who have worked with the security industry, you'll know that 75 dollars per hour is a pittance in our world, right? Most charge between a hundred and four hundred dollars an hour. But this allows us to have a very small fraction of our clients underwrite and subsidize the work that we do for those who live far below the security poverty line. So you might ask, well, how are you going to be able to offer so many people pro bono security if only a fraction of them are willing to pay?

And that is a great question, and that's where you guys come in. That's why I'm so glad you're now a captive audience: I need volunteers, okay? I need people that can come in and do one of two things right now. The first thing is security scanning. This is something that I think most of us have the capability of doing. This is running Nessus or whatever tool you happen to like, w3af, whatever, on these different websites. For the most part I'm focusing on website security; it's the most visible for any organization, and even the smallest organization with like five people will generally have a public-facing internet site. So think about that: it's viewable to the entire world, any bad guy can reach it, and they don't have any money to secure it. So coming in, running just a simple security scan against this and then explaining it to the executive directors of these non-profits, that's a huge thing that I need right now.

Yeah, what's fun about this is that you have to be creative, right? How many people have done this type of work professionally, just security scanning? All right, there's a small portion of the room. Now usually when you explain things to your client you say, well, okay, you need to buy the following things, you need to get some staff in place. None of those solutions are going to work here. You have to be creative. Sometimes the solutions that I've come up with are: we need to get you a robust automatic backup system, so the next time you are attacked you can recover in under an hour and not have to spend a thousand dollars on someone to come in and recreate your WordPress website from scratch, right? This is the type of solution that I need: people that think outside the box, that can come up with solutions, that can cobble together scripts. This is what we need. Again, it's challenging, you have to be creative.

The next thing I need are people to come in and do incident response. We do get calls where the attacks are ongoing. Sometimes it's fine, it's just, you know, some dude that's selling Viagra or whatever took over the WordPress website. It's not a big deal, it's not scary at all, right? But sometimes, right, one of the classes of businesses or organizations that falls under agents of change is the NGO, or the non-governmental organization. These are people like Human Rights in China. They have very scary adversaries. When they're getting attacked it is not just selling Viagra; people's lives are literally on the line, and they don't have any money either. So we need people to come in, answer the red phone when they're getting attacked, during the attack, maybe even afterwards, come in, go through the incident response process, help them expel the attacker, get their defenses back up, show them what they did wrong. And again, you're going to have to come up with creative solutions here.

But these are the two main things. I would say the most common incident response that we're having so far, and that I predict in the future, will just be website breaches. So if you guys have ever heard the term "drive-by download", this is a term coined by Niels Provos from Google. This is just where, you know, somebody somehow lost control of their website, maybe their webmaster's laptop got popped, so now the FTP password is in the hands of the attacker and they're just uploading iframes and obfuscated JavaScript to the website. This is the most common. It's pretty simple to go through: you rotate everyone's passwords, you ask them if they have a clean backup to restore from, try not to roll your eyes when they say they don't have a clean backup to restore from, and, you know, work with them. You're going to have to go through and, you know, probably go through source code, find where all the bad stuff is, pull it out. It's pretty simple to do. If you don't know how to do it, I'm more than happy to train you.
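The cleanup step just described (go through the site's source, find the injected iframes and obfuscated JavaScript, pull them out) is one a volunteer can partly automate. The following is an added example, not code from the talk or from Securing Change; its detection patterns and thresholds are assumed heuristics, and the sample site it scans is constructed.

```python
# Added example (not the talk's code): heuristic scan for drive-by injections.
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions); tune them for the site being cleaned.
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none"
                       r"|visibility\s*:\s*hidden", re.IGNORECASE)
OBFUSC_RE = re.compile(r"(?:eval|document\.write)\s*\(\s*"
                       r"(?:unescape|atob|String\.fromCharCode)\b", re.IGNORECASE)
# 20+ consecutive \xNN or %NN escapes, typical of an encoded injected payload.
BLOB_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){20,}|(?:%[0-9a-fA-F]{2}){20,}")
WEB_EXTENSIONS = {".html", ".htm", ".php", ".js", ".inc"}


def scan_text(text):
    """Return (kind, line_number, snippet) findings for one file's contents.
    Line-based, so an iframe tag split across lines is missed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IFRAME_RE.finditer(line):
            tag = match.group(0)
            if HIDDEN_RE.search(tag):  # iframe sized to 0 or hidden by CSS
                findings.append(("hidden-iframe", lineno, tag[:80]))
        if OBFUSC_RE.search(line):
            findings.append(("obfuscated-js", lineno, line.strip()[:80]))
        if BLOB_RE.search(line):
            findings.append(("encoded-blob", lineno, line.strip()[:80]))
    return findings


def scan_webroot(root):
    """Walk a web root; return {relative path: findings} for files with hits."""
    root, results = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample site: a clean page (a visible YouTube embed must not be
# flagged), a hidden iframe, and an obfuscated script.  attacker.invalid is a
# reserved name that never resolves.
SAMPLE_FILES = {
    "index.html": '<h1>Welcome</h1>\n<iframe src="https://www.youtube.com/'
                  'embed/x" width="560" height="315"></iframe>\n',
    "about.php": '<?php include "header.inc"; ?>\n<p>About us</p>\n<iframe '
                 'src="http://attacker.invalid/x.php" width="0" height="0" '
                 'style="visibility:hidden"></iframe>\n',
    "js/app.js": 'function init() {}\neval(unescape("' + "%3C" * 25 + '"));\n',
}


def demo():
    """Write the sample site to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_webroot(tmp)
```

It only reports; removing the flagged lines or restoring from a clean backup stays a reviewed, manual step, and injections encoded differently or split across lines will need a second look by hand.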

Other things, oh sorry, other things that we do: if you're local to the client, we go in, we look through their computers, we look for rootkits. If they don't have certain types of defenses in there, we go ahead and install them for them. This can be stuff like Comodo or, you know, Little Snitch, just to see when outbound connections are coming up. But then also follow up, coming back three and six months later to see if they've disabled everything, because it's annoying and they do that a lot. So it's nice, because we aren't getting paid, and so we don't have to worry about whether or not it affects our bottom line. If you're too busy as the initial volunteer, we can just reassign a new one. This is the model that I'm hoping for.

All right, so that's where we came from, that's what we're doing right now, so hopefully some of you are interested in this stuff. Next I want to talk to you guys about where we're going, some of the stuff that I've been thinking about that I'm going to build in probably the next six months. The first is a mirroring service. So part of this is that these guys tend not to have backups, right? They just, they're really bad at it. They don't understand the power of it. So I was really inspired by the EFF's mirroring project. They just had a page that showed wget: this is what wget does, these are the command switches that will make a static copy of your entire website. I want to take that to the next step and offer all agents of change the ability to have us automatically capture static copies of their website, so worst case, a DDoS knocks them out or someone infects their website, we can provide them with a clean static copy of their website that they can put back online while they figure out how to deal with their issues. That's version one. Version one is pretty simple: it's going to be wget plus cron plus probably a git repository. Version two will be backing up the actual source, right, the server-side source code, their PHP, their database. That's going to be a little trickier, because now I either have to store their credentials, which I really don't want to do, or I have to hand out credentials, which again I really don't want to do. But we'll work it out, we'll figure something out. This is the project that I'm really excited about. A lot of my life right now, as whatever I am, executive director or whatever, for this organization, is writing grants, and so this is the one that I'm really hoping is going to hit home with some of these

grant-making agencies, and we might be able to get some money from that one. The next one came from a conversation with my first client, where I was like, hey, so if I can set up automated logs for you, would you actually, or someone in your organization, look at them? And he looked at me and he was like, you know, that's literally the least important-sounding thing I could do on any given day.

What we can do is just make a collective security operations center, right? I've talked with a guy at Splunk. At least that time, maybe he was drunk, he sounded really enthusiastic about the idea of giving me a license. And we can just collect all of their server logs, if they have, you know, antivirus or whatever, we can have all that stuff coming into one of our secure servers and then have volunteers go through that stuff and look for actual threats. And the reason I think this is going to be really powerful is that we'll see attacks coming in over multiple organizations and we'll see patterns that maybe no one else is going to see. This one's a little scarier and trickier, because now I'm exposing people who I might not know personally, because I'm going to have to really build a volunteer organization for this, to look at logs which may or may not be sensitive, right? This is going to require a little bit more thought, but I'm really excited about the core of the idea.

Okay, so I wanted to leave enough time for questions, so hopefully there are some. If not, I'm going to pitch you guys on something else. So, questions? Yes. We currently have three clients, which I know is not an impressive number. Okay, since roughly October of 2012. It took me a while to figure out how to form a 501(c)(3) corporation. By the way, we're still not, right? It's tricky. So we're recognized by the state of Massachusetts as a non-profit, which means we can operate. If someone sues us they can take whatever assets I have in the organization, which is pretty much zero, but they can't sue us personally, which is important. The rest of it was building infrastructure. I just finished getting the website up, email, and I've set up Request Tracker. I don't know if you guys know what that is; it's a fantastic ticketing system. So now if someone writes an email to help@rt.securingchange.org, a ticket is automatically generated. I can bring in volunteers and scale it without just

doing it on a spreadsheet, which would just fail in like five hours. I'm still working on getting more clients. That's really one of the more challenging things for me. You would think offering a free service would be super easy; it's really not. I had to get letters of recommendation from my first client. He just didn't know who I was, didn't want to trust me with the security, so I kind of understand it. I think once we get out there a little bit more, and instead of me talking to, and no offense, you guys, but instead of just talking to my cohorts, my own people, I need to get out into the non-profit world. There are actually non-profit conferences. Once I'm starting to talk to those guys, I think the clients are going to start coming in in droves. The follow-up question, which I'm hoping you're going to have, is how many volunteers do we have currently? 14, that's how many we have, and so I'm hoping with this room we can at least double that number of volunteers. Yes?

One per month? Oh, how many... He wanted to know what the minimum level of commitment is. I'm just making up a snarky answer. I would say one hour per month is probably the minimum where you can do anything worthwhile. And I mean literally, with one hour I think what you could do is, if someone else ran a vulnerability scan but didn't have time to explain it to them, you could look at it and go, okay, false positive, false positive, no one cares about that, no one's going to do that, okay, this one's important, and then either email the guy or gal, or, you know, talk to them over Skype, whatever. Like, it's not like @stake or, you know, Anderson or whatever they're called now, where you have to fly out and meet with the guy. We're doing everything cheap, so you can Skype, talk to them over the phone, whatever. I think in an hour you can pull that off.

You know, again, I guess my concern would be, like, I could commit maybe five hours one weekend and it might be, you know... Sure, sure, yeah. And it's actually, it's child-like; I've worked in enough consulting organizations, I know how it's supposed to be, but when it's all volunteers, when you guys are giving me your time, it's really more challenging, because people are like, dude, my actual work needs me right now. So what I've been doing is sort of redundancy, right? So I'll assign two volunteers to one client, and they're a team, and they switch on and off as they both have free time, and if one needs to drop off, fine, that's fine, we have another guy right there, and if he needs to drop off, well, as soon as the one drops off I'm going to reassign someone else. And it's not anything personal, I know how it is, but, you know, we're going to have two people at all times, just so that the client is never just, you know, staring into silence and waiting for someone to get back to him or her. Any other questions?

Yes.

Yeah, this is going to be an ongoing issue, right? So right now I'm just tapping people out of my personal network, so I know what their skill set is. I did a call for volunteers and I got like two people. This is just over the internet, just blindly. I was surprised anyone said anything. And basically, like, I took a project that I knew, like, they needed someone to come in and just do a scan of the website, and so I just said, here, do this, if you said you can do it, do it. And, you know, one of them didn't come back to me at all, and I was like, okay, I'm just going to write that person off, it was kind of flaky. And the other one came back, and, you know, there was a lot of false positives in there that they didn't really figure out yet. Yeah, you know, so it's going to be difficult. It's something I really need to work on a little bit more. I think really what it's going to be is you're going to get assigned something; if you fail, you're going to lose karma points, if you do awesome at it, you're going to, you know, build karma points. And I'll probably have tiers of volunteers, like people that Oliver knows directly, people that Oliver has worked with a few times and have done an awesome job, and then down and down and down, right, to like you just met Oliver on the internet and now you're volunteering. But it is scary for me too, right, because I have to trust random people from the internet who want to help. So I'm going to have to figure out a tier of services that those random people can do. I like more people that I've met in person, that I know, that I have a relationship with.

One of the other ideas that I'm working on is going to (ISC)², and I know it's a very divisive organization, but they have 75,000 people with certificates. I want to make Securing Change able to offer CPE credits to those people, so that way when, you know, they're trying to earn enough credits for their certificate renewal, they can do that and do good for us as well, right? And I think having an organization back someone will sort of up them in the tiers of people, like, you know, whether or not they're good or not, at least someone's backing their name with an organization. So I know ISSA is here as well; I've been talking with the president of the LA chapter. So I really want to get into these bigger organizations and find ways to harness all of their members, so I'm not just putting out random calls on the internet and asking for people to come help me. Yes?

Yes, absolutely. So there's two there. So the first one, the first one that I came up with, and I probably shouldn't be saying this because it's being recorded: you cannot be a hate group, okay? If you are a hate-based organization, we're not going to advocate that people hack you, but we're just, we're not going to help you, right? I would probably call this the Westboro Baptist Church rule if I could, but I'm not going to, not publicly anyway. But if you think about it, they are a non-profit, they're a church, and they, in their twisted minds, think they're making the world a better place. I just disagree with them. Now, I can't say, well, Oliver doesn't want that and it's just not going to happen. I have to make rules that make sense, that anybody can step in, if I get hit by a bus or my board's like, dude, that guy is crazy, get him out of here, and a new president gets appointed, that those rules can still be applied in a very equitable manner. So if you're a hate-based organization, if you advocate hate or violence or bigotry, you're on your own, figure out security, I'm sure you can hire someone on your own.

Political groups are also kind of tricky, right? The IRS has rules about non-profit status, that you cannot directly lobby or directly support lobbying. I have a legal team that is looking into whether or not I can help people. But like, someone asked me the question, like, well, if the Tea Party came and said, hey, can you help us, would you? And I was like, well, I might not personally help them, but if we have volunteers that are like, yeah, I'm totally fine with that, then sure. Again, with political groups I have to find out if it's even legally possible for us, because we are going to be a 501(c)(3) soon. We have a law firm on retainer; as soon as I raise twenty-five hundred dollars I can pay them and they're going to file the paperwork for us. By the way, that's the site for our donation, if you want to help out, right there, donate.html. Right now it's not tax deductible; as soon as we file our paperwork it is retroactively tax deductible.

The reason I'm really interested, not only because of the tax deduction stuff, to be a 501(c)(3): if you've ever heard of TechSoup... probably, well, some of you. Wow, some of you actually have. We want to do something like what they're doing. A lot of software companies will offer free licenses if you're a 501(c)(3). I want to be the United Way of that, and for security licenses, hardware, I want to aggregate those licenses and then distribute them to other agents of change on their behalf, so take out all the paperwork for them, but also make sure that they're configured properly. TechSoup, I love those guys, don't get me wrong, but they just throw the license over the wall. They're like, here's some Microsoft Office, go. With security stuff, it's got to be configured properly, so I want to be able to send people in with the licenses, make sure they're installed, configured, come back three to six months later, make sure they're still configured properly.

Okay, so I think I might be running out of time. I think I'm actually over. So if you want to volunteer, this is the email address. I have a table somewhere back there; come find me. Any more questions before I go?

All right, thank you very much.