I have just recently returned from attending the Google Summer of Code 2007 Mentor Summit. It was a great experience to be able to meet many of the other organizations that participated this year. I want to thank Google for supporting the OSVDB project and being such an incredible host as well as taking such good care of us while we were onsite. I want to also take a moment to personally thank Chris DiBona and Leslie Hawthorn for all of their support and efforts to make this program possible.
This is the second year that OSVDB has participated in GSoC. Each year we continue to learn a lot about the program and our own organization. We were able to build upon much of last year's success and also implement some additional improvements. Once again we learned the importance of spending the appropriate time during the selection process; picking the “right” student is critical. We were able to build upon our development documentation and continued to use our Wiki as the main place for student updates. We also learned that we need to continue to build our development community and, instead of requesting teamwork, we need to enforce it. We have found that many students have incredible technical skills but really want to work in a vacuum. This past year was extremely challenging for us as some of our students only wanted to be reviewed based on their code and not their interactions with the project and the other students. It is critical for students to understand that communication and teamwork are key factors to ensure success in an open source project or any organization.
During the Mentor Summit we were able to get a few security projects together to have an Open Source Security Project session (hopefully Fyodor took notes!). We had a great session and had representatives from OSVDB, Nmap, Umit and EFF (Tor). There were some healthy conversations about each of our projects and we spent a fair amount of time sharing successes and issues with GSoC as well as Open Source Security projects in general. I am hopeful that we can get the information between the organizations flowing!
Next year if Google continues with Summer of Code I would encourage more organizations (specifically security projects) to apply to be part of the program. GSoC is a great program that can bring a lot to your project! Don’t be afraid to apply – Google has been extremely supportive of OSVDB and I would expect nothing less for your projects as well!
We are pleased to report that OSVDB has successfully completed three projects from the Google Summer of Code 2007! We are now in the process of taking the next steps to determine how to integrate the projects and roll them out into production. Here is just a quick overview of each of the projects:
Researcher Confidence Project – Timothy F. Tutt Jr. Mentor: Brian Martin Description: This project is an enhancement of a project from last year. We would like to start tracking researchers' reliability. In OSVDB we track any person that is credited with disclosing a vulnerability. However, we have noticed that some researchers provide more accurate reports than others. In fact, many reports from researchers are incorrect. We would like a project created that determines the confidence level of a researcher.
Vulnerability Notification Service – Sergios C. Pericleous Mentor: Lyger Description: To ensure timely notification of security vulnerabilities we need to create a very flexible notification service for OSVDB. It should have the ability to notify based on vendors, products and keywords. The notifications should be via email, and possibly chat/pager/SMS/etc.
Report Generator – Willis Vandevanter Mentor: Sullo Description: Create a reporting engine that security consultants and security software can use to generate well formatted reports, suitable for presentation to clients or for integration into software. Output formats include HTML, XML, PDF and plain text, and should optionally allow customization of data fields to be included. Input should be retrieved via formatted URL or web form based on OSVDB-ID (and possibly other identifiers, such as CVE identifiers).
There has been a pretty good buzz about MP3 spam in the past couple of days. Some folks at GFI sent us the following and we thought it would be worth sharing:
Spammers are back with a new trick, this time round sending messages with MP3 attachments that contain the latest pump-and-dump stock scams. One sample identified this morning by GFI was a heavily distorted 30-second MP3 file. A synthetic female voice was used to promote a particular stock. This voice is distorted to avoid filtering approaches based on the file signature. Once again, spammers are taking advantage of the fact that the MP3 format is one of the most common in use today, another attempt at social engineering. GFI Software have uploaded a sample on their website if you want to listen to it. For further details read GFI’s MP3 spam roundup.