A developer’s story about passion for Open Source and Security

This story is definitely a first for me. Not just because every story is unique in itself, but because it’s a personal matter. The thing is, I quit my well-paid job, just to spend time on the things I’m very passionate about: open source development and information security. Not only was quitting my job a serious step, so was the decision to share my personal story after 10+ years of working with open source software and security. Well, here you go. It’s my hope to intrigue others to find their passion in life and go for it!

“My name is Michael Boelen and I’m an open source / security addict” “Hi Michael”

 

My first job

Let’s go back 10 years, to the year 2003. I was 21, had graduated the year before and had my first full-time job. My first duties were to renew some of the services we had running for some time, like this old Red Hat machine. It was one of the mail servers, but the only one running Linux. But maybe not for long, so it had to be replaced and a new mail server had to be configured. This might be a simple task for the seasoned Unix veteran, but I was a rookie at the time and had no idea where to begin. Also, my chief preferred to move away from sendmail, so we had to choose something else. It needed to be stable, feature-rich and flexible to extend. After some research we picked Exim.

From clueless to achievement

In the days and weeks following, many configuration snippets were tested and everything was tried to get this new server running. My chief in the meantime was challenging me in a good way, checking my progress and assisting if needed. Actually, although it took some time, we were able to build a nice new mail server. Even my earlier acquired PHP skills were used, to build a fancy management interface. The final product was not just a replacement of the Red Hat server, but a complete new solution. Besides the normal mailbox handling, it had decent spam filtering, customers could manage their own mailboxes and reporting capabilities were available. Best of all, the software did not cost a penny. Everyone was happy with the result. Although I already used open source before and I definitely programmed many times before, I never experienced this great feeling before. It was like Legos, building new things with just basic building blocks. Not much later our DNS server was getting revamped and the story was similar: I had no clue, I read a lot, a nice product was born, everyone was happy.

Lessons:

1) Don’t make ‘difficult’ things too easy for clueless people, or they will definitely break it in a way you had not anticipated.

2) Sanitize your input.

 

DevOps

So during this time being a sysadmin/programmer, or what we call a DevOps now, my interest in information security was increasing. I had played with all kinds of tools before, starting from the time I had my first personal computer. With machines connected to the internet, it was now also about protecting “my” machines. So it was time to find some security tools and build up the defense. While hunting for great tools in the /usr/ports/security directory (FreeBSD), I discovered a tool named chkrootkit. With a freshly installed server available, it was quickly installed from the ports collection. But then during its first run, it gave me a shocking message that this server had most likely been compromised. This couldn’t be true. So after validating it on a second machine, I knew for sure. It had to be a false positive, as these machines were definitely not compromised. So after showing it to my chief, I told him without hesitation: “This software can’t be trusted, I can make a better tool”. We laughed, but I was up for the task. The challenge was clear: create a tool to detect malware on at least FreeBSD and Linux.

First project

Most likely, if I had known the amount of time it takes to develop, the tool would probably never have been created. But little did I know, so I started with an initial piece of shell scripting and “Rootkit Hunter” was born. Since I wanted to keep my work duties and my new hobby separated, I only worked on it during my spare time. After all, I had enough to do during my normal work already, like researching new security tools.

After some weeks of development, it was time to release the first version, or beta, of my new security tool. It was announced on some mailing lists and people actually started trying it. They provided me directly with great feedback. Some even provided me with malware samples they discovered on their machines. I was amazed by the interaction and fell in love with this “open source” thing. I quickly realized that using open source is one thing, but actually contributing to it is a completely different league. During the next few years I kept programming in my spare time, even during my vacations. There was enough analysis to be done and the tool improved with every release. The number of users and the amount of feedback only grew bigger.

Change

But then time passed and I had some other priorities, let’s call it “life”. It was around 2006 and although I did some work on rkhunter, it was simply not enough. The research itself was draining my energy as there were simply too many malicious scripts. Also I was wondering more and more about why I was doing this. The question is still valid at this very moment: why would one voluntarily put all his spare time into researching malicious pieces of code? Sure, the knowledge is valuable. But it definitely won’t make any impression on the girls..

Finally I decided to hand over the project to a development team. They promised me to keep the project alive. The choice was definitely not easy. After all it was my baby, the thing I had invested so much time into. But on the other hand, I created the tool to be useful for others, not to be collecting dust. So this seemed to be a good alternative.

Lessons:

1) Pick product names of 8 characters or less, or people will abbreviate it for you.

2) Consider the time it takes to build something from scratch and instead provide a patch to an existing project.

So some time went by and it was 2007. Many changes in my work environment were happening, good and bad. Then it struck me: I needed a new project. This time not something which only discovers malware, but one that actually helps people improve their systems. Also, it should not matter if the last version was 6 months old. The software had to remain useful.

The new project

Again, I looked at the existing software packages. With the experience from Rootkit Hunter fresh in my mind, I knew what I could expect. Yet, finding the right idea and name, and building it, was a completely different story. But as always, at times when you are not actively searching for an idea, it suddenly shows up. What I really liked to do was checking systems and improving them. What better project could there be than creating an audit tool? It was checking systems, it was automating tedious work and its goal was to improve systems. Great, that would be the project!

Lynis

So I had to come up with a name. After all, every project needs a name. After some thinking and fiddling with letters, the name “Lynis” showed up. The word had no further meaning, just a small word, with enough consonants and vowels. When searching on Google for the name, not many results showed up. So it was unique enough to use it. Secondly, it matched my “Should not be longer than 8 characters” rule. What I didn’t realize at that time is that the pronunciation would be tricky for some people. But well, people can always invite me to their podcast to hear my version!

The name was chosen and it was time for some serious development. Many spare hours went into the initial version. When it was ready, I announced it in a similar way as with Rootkit Hunter. The timing of this first version was very interesting, as it was exactly between two jobs. The project was so much fun to work on that I delayed my start date at my new employer by a month. This gave me a full month of “vacation”, or better, development time. After this month of development, I started at my new employer with 5+ years of full-time experience and two open source tools in my pocket.

Something new

This new employer was completely different: consultancy. Big companies hired their people, including me, for consultancy work. During my almost 6 years with the company, I was performing Unix administration, followed by some data storage management. In the meantime I expressed my passion for information security. It didn’t take long and the opportunity was there to do full-time information security. Great! After an outsourcing deal and a few years of being a security officer, it was time for a new challenge. Later I ended up in a very interesting role as service manager. Sometimes it’s better to take a step sideways, to determine if you are still following the right path.

Something lost

During the time at some big companies I learned an amazing amount about companies themselves, about other people and even more about myself. Writing down all the lessons learned could actually become a book (one day..!). To summarize 6 years: I was so deep into my work, I had completely forgotten about my passions. No longer was I doing the work because I loved doing it. It was done to satisfy others, including earning their bonuses. So something had to change and I knew directly what it was: invest time in my projects again. It was always the answer! However this time it would have a slightly different goal. Not only would I do development just for the usage by others, but it should benefit me as well. I mean that in a positive way, not a selfish one. It should be in this way, so I can reinvest time into the project, while enjoying it and also growing on the ideas and work. Because one thing I definitely learned during the last 10 years is that open source can provide great PR to your company or your personal brand.

With an interesting chain of events, I finally made the decision. So I quit my job and decided to go for it. Nothing is worth more than following a passion, right? Sure, it was safer to do it alongside my day job, but this definitely gives more opportunities. Secondly, the combination of passion and dedication is a much better mix than passion and “when I have the time”. So back to open source and development, doing the work I love to do.

Doubts

While thinking about the possibilities open source can provide, I also had some worries. Like my personal finances, or how it will impact Lynis as a free and open source tool. I studied several other projects and came up with a great alternative: leave Lynis as-is and don’t overcomplicate it. No nasty crippling or letting it die. We have seen those open source projects in the past and honestly, I don’t think that’s the open source spirit. Let me be clear: Lynis will remain free and open source. Additionally, the development will be active again and new tests will be added on a regular basis.

Lynis and the enterprise

Lynis will be used in a way similar to a client/server solution. In this case Lynis is the client and the server is a managed solution with enterprise capabilities. Examples include, but are definitely not limited to, reporting, enhanced documentation, mapping to compliance requirements/standards and central management. It will also provide guidance like ready-to-use snippets and secured baselines. Additionally, you won’t have to read very long benchmarks and hardening guides anymore! I know your pain and will fix it: just run the tool, check the gaps and Lynis Enterprise will tell you what to fix and how to fix it. No longer researching many systems, or fiddling with configuration settings. Let’s finally harden our servers the proper way!

The next big step now is to incorporate Lynis into a full solution. It’s a work in progress and development is active (and fun!). Best of all, users can keep using Lynis for free, companies can invest in an affordable security solution and I get the resources to do the work I really love to do!

So now what? Well, I created the corporate entity (CISOfy), a business plan and launched the website last week. Right now I’m working on Lynis Enterprise. Interested? Go to http://cisofy.com/lynis/

My biggest lessons

It’s safe to say I learned a lot during my last 10 years. If you are interested in technology and open platforms, consider the option of contributing to open source projects. It will provide you with new insights, bring you into contact with other smart individuals and might be useful for your personal brand. Additionally, a passion is worth more than every job. Even if you can’t afford to quit, then start something small. It will always provide you with something unexpected (a nice story, a new job, new friends).

Call to action

If you made it to the end of this article, nice job! Time to take action. Let me give you 3 options:

  1. If you liked this article, share it with others. That’s the open source spirit!
  2. If you care about the security of your systems, go to http://cisofy.com/lynis/, read the page and give Lynis a try.
     2a) If you have already used Lynis, then send me an e-mail and tell me what is keeping you up at night. Provide me with feedback and let me help you!
  3. Think about your passion and take action.

Kind regards,

Michael Boelen
CISOfy / Rootkit.nl
Open source developer and security enthusiast