awards cover DanNagle - Global CISO Forum Podcast - Awards Series: Dan Nagle

In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalist! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.

Listen

Download this Podcast

Transcript

Amber:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation InfoSec Tech & Exec finalists. For the next 3 weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the year, certified CISO of the year, most improved security program of the year, and most innovative security project of the year.

Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.

Amber:
With me today is Dan Nagel. He is the principle software engineer for the SVSI division of Harmon Professional Solutions. But more importantly, he is a finalist for the innovative security project of the year with the infoset tech awards that we are giving out in September, alongside Hacker Halted. Welcome to the show, Dan.

Dan:
Thank you. I’m very happy to be here.

Amber:
And we’re so happy to have received your nomination. The innovative security project of the year is a very cool category of our awards, and it attracted a very cool nomination. You were nominated for your packet sender project. Can you tell us about that?

Dan:
Sure. Packet sender is a package generator tool. I’m sure you’re audience are somewhat familiar with packet generation. But what makes mine unique is that it generates TPC packets, UTP packets, and these are raw, arbitrary packets. You can specify to the hex level what type of data you want to send, and it sends it out. Hex is also a fairly innovative space where you can use short codes. Such as /r, /n, /t, or /some hex number, so you can quickly edit a packet and send it out.

The emphasis of packet sender is that it is very easy to use. You could take packet sender, pre-make some packets, zip it up, and put up on a website. And then any layperson can download it, and within a few minutes they are sending packets. And that’s been done in tech support circles a lot. It’s very convenient. I put a lot of emphasis on the user interface just to make sure it’s easy to use.

I think what may be the most innovative feature and what interests a lot of people in the security field, which I didn’t know was of interest to the security field, is that it has built in servers. It has a UTP listener, TPC listener, on any arbitrary port that you want, so it can capture these packets unsolicited. Within a few clicks you can save off that packet and just send it right back out to another address. Or right back to the original sender. That’s all built in in the UTP use. It’s available on Windows, Macs, and Lennox. And since 2015 it’s also open sourced.

Amber:
Do you … is this a paid service?

Dan:
No, this is an app that you download. You just go to packetsender.com, download it, and you’re good to go.

Amber:
For free?

Dan:
Yes … completely free.

Amber:
Oh wow. So it’s open sourced and it’s free. That’s awesome. How many people are using it?

Dan:
Open … that’s a hard estimate but in 2015, 100,000 people downloaded it.

Amber:
Oh wow.

Dan:
And right now, I just looked at the stats for the latest release, which was, if I remember correctly I made a new release in July, and that one’s been averaging 300 a day.

Amber:
Wow … that’s impressive.

Dan:
Right … this utility has really taken off in just the past couple years.

Amber:
Do you know where people are downloading this, where in the world your users are?

Dan:
On my site, using web referrals and google analytics, I have a tracker on there so I can get an idea of where they’re coming from. As far as the downloads … I don’t have direct access to the referral download. I can see how people are landing on the page. There’s a very strong presence in the Silicon Valley area, which is understandable because this is a tech product, there’s a lot of tech companies there. What’s interesting about this is that it didn’t used to be there. It used to be the only downloads were places that I’ve been and mentioned packets under.

It’s interesting to me how it’s now taken off and now it’s heavily centered in the Silicon Valley area. That’s interesting to me. There’s also a lot … fairly good presence in the north Alabama area, which is where I’m located.

Amber:
Oh, okay.

Dan:
That makes perfect sense. When I give a presentation about it, a lot of people go home and download it. And as far as countries go, number one is United States, which makes perfect sense. Number two is China. I thought that was very interesting.

Amber:
I do too. What do you think about that?

Dan:
I don’t really know. They actually gave me an award. Open-sourced China awarded packet sender number 86 for 2015 open-sourced projects of the year. I had no idea that it was popular in China until I started getting tons of referrals from China. I’m looking at this, like, what’s going on here.

Amber:
Yeah.

Dan:
But, one of the interesting things about open source is that it can be used both for bad and for good. I like to think that there is an army of Chinese developers using packet sender to reverse engineer some malware to figure out how to prevent it. Maybe that’s not what they’re doing. Maybe. But I don’t really know. That’s one of the beauties of open source and the general public license, is that I can’t control what people do with it.

Maybe they’re doing something bad, maybe they’re doing something good. No hammer … you can hammer a person or you can hammer a nail. It’s just a tool. Depends on how you use it.

Amber:
Interesting.

Dan:
The other couple of countries that have a strong presence … another one is Germany. That’s probably number three. Then several places in Europe are probably tied for fourth, fifth, and sixth. Another interesting one is … if I go in and look at donations, I have a donation link on packet sender. That’s pretty much the main source of revenue. I don’t have ads, I don’t do any bundling, but there’s a donation link.

Most of donations are from Europe. I think I may have gotten one donation from United States. Maybe two. But United Kingdom had three donations, Czech Republic a couple donations, got a couple donations from Brazil. I thought that was very interesting.

Amber:
What does that say about the U.S.? It’s very strange.

Dan:
I don’t know. You would think that all that mass of downloading that’s going on in Silicon Valley could tout a donation this way. But it just doesn’t happen. But they sure like the tool.

Amber:
Do you have any insight into who is downloading it? The individuals themselves?

Dan:
I didn’t at first until emails started coming in. I put a contact page up there saying if you need any help with packet sender, feel free to fill out this web form. The people contacting me about packet sender help, it’s very interesting. There is lots of students that have emailed me. They are trying to learn TPC protocols, UTP protocols, and they did a google search and found my tool and want to learn more. Or they want to study my code and have a question about my code. That happens quite regularly.

Interestingly its usually not from the United States. There was a couple in Canada and there was a student in the Ukraine that emailed me. Another … you go up a step, college professors. I’ve had two college professors email me about packet sender. They’re using it for their classroom and they had a question. One was from, I can’t remember off the top of my head but I want to say France. Ingles, France. Two professors in France, they’re using packet sender to teach their class and they had a question about how I binded the sockets. They were telling their students that if you bind a zero, the operating system will decide which port to bind to. It was very confusing in my interface how that occurred. I actually, in my last update, I fixed that.

The other people that email me about about packet sender are developers. This was the main intention of packet sender. I didn’t really intend packet sender to be an infosec tool, it just kind of happened to be that way. The developers who using it to develop network products … but I started leaning towards infosec when a security researcher from the Czech Republic emailed me about packet sender. He just loved my tool. He said he was using it to reverse engineer malware, that it was very helpful, and he just wanted to send me a thank you. That was very inspiring to get that email.

Amber:
He was a security researcher and he explained why it was good for security? And you hadn’t realized that before, or what was that conversation like?

Dan:
He had just out of the blue told me saying that my program … he just wrote me saying ‘your program is really awesome. I love it. Thank you very much.’ And that was it. I replied back and I asked him what program are you referring to? This was three years ago when packet sender was good, but not quite as good as now. I poured a lot of effort into it. He told me packet sender, it’s great. I’m like, what are you using it for, why is it so great? He told me that he’s using it for malware research and sent a link to his company. He is a CEO; he started his own security company. He was using it to help fight malware. I asked ‘how are you using it to do that for?’ So we had a little back and forth. I thought, if this is so useful to security researchers, maybe I should try to learn more about security. And that was when I went to B-Sides for the first time.

Amber:
That’s a good way to start. That’s awesome.

Dan:
The following year I actually presented at B-Sides and I presented packet sender and it was pretty well received. Then later I open-sourced it.

Amber:
When did you start working on packet sender?

Dan:
I registered the domain name in 2011 and it started off as a mobile app. I had this device on the network and I wanted a quick and easy way to send network packets. This is a very common problem with developers who develop network code. You just send an arbitrary packet to test the device. I noticed lots of developers, they write a quick script to send network code. This is such a common problem I thought ‘why don’t I just make one to do it well and that can be the one everybody uses?’ So our member … mobile is big. Everything’s mobile, that’s what you hear all the time. So I thought, okay, this should be a mobile app cause everything’s mobile these days. I wrote the mobile app and put it on google play and nobody cared …

Amber:
Was that distracting?

Dan:
It was a decent app, too. I put a lot of effort into it and I made it free. I put it up there and made it free, and it got no downloads, no one cared, no hits on the website. But I used it myself to test packets. Then I noticed what was going on. I was working on the device to send packets, and I reach over and I pull up my phone to send the test packet. I go back to my desktop and I’m thinking, this is just a complete waste of time. No wonder nobody wants to do this. I’d rather just do everything on my nice desktop screen.

So I rewrote it for the desktop. That was the version I put on the website. I had both running and it was pretty clear that no one cared about the mobile version. I eventually canceled that and the desktop version was the one that got released. I dropped the mobile one; the desktop one is the one I started getting emails for. Then it started taking off.

Amber:
Yeah.

Dan:
I’ll just cover the highlights.

Amber:
Okay.

Dan:
The first version of packet sender was single threaded, slow as snot. You had tabs on the top and you had to click send. It would take about three seconds for the interface to update for you to get the response. Then you would click on the tab to go to the traffic logs. It worked, but it wasn’t very pleasant to use. That was the version that the security researcher talked about. That was the one he was actually using.

What happened was after I went to B-Sides and I heard that people might actually want to use this, I went back and thought, I just need to make this thing better. Over the next year I overhauled the website. I don’t know if you’re familiar with WordPress but it’s a very common EMS. But it’s really slow, so I dropped WordPress and went to a static word site. That made the website faster. I took the user interface and I overhauled it so there were no tags. Now you look at it, you can see the packet generating up at the top. In the middle you can see the saved packets. Down below you can see your traffic log. Then there’s UI sliders if you want to have a better view of one interface versus the other. Its significantly easier to use.

Then I overhauled the back end. I made it to where every process is multi-threaded. Now instead of a 3-second update, the logs update within a few hundred milliseconds. That was a significant performance improvement. Also, the connections are persistent. If you want to connect to it you can hold the socket open and do data back and forth, as well as the server itself that’s persistent. Significant performance improvements going on over the next couple years.

What I noticed … 2013 was the first version that was worth using. 2014 I did the significant overhaul and that’s when traffic picked up a bit. 2015 I open-sourced it and that’s when traffic really picked up. 2016, that was after a year of public speaking at various places about packet sender and I noticed traffic pick up even more.

Amber:
How do you support your work on this if it’s open-sourced? Are you making any money on it?

Dan:
One, I’m fortunate that Harmom pays me a decent salary so I don’t have to collect money from this. This is just a hobby project that I thought was useful. It’s kind of doing well and that’s a source of pride, to have created something on my own and put it out there that people find useful. That’s a source of pride to keep working on it. There’s the donation link. I’ll go ahead and give you some numbers. I find numbers interesting.

As far as donations go, it averages around $30 a month and people clicking on that donation link. You can do a bit of math in your head and say ‘okay, so this has been downloaded 300 times a day. And it generates $30 a month in donations.’ That’s basically the life of the open-sourced developer.

I don’t know how much people have actually clicked on the donation link and sent in a donation, but my guess is my results are pretty typical.

Amber:
That’s a little discouraging.

Dan:
Right, it is discouraging. But there is a way some people make money off of open-source. It’s not through donation links. One way is advertisements and bundling for your project. I don’t do either. I don’t have advertisements on my site or the app because I personally find ads annoying. I would think that it would be pretty hypocritical of me if I put ads on something when I personally don’t like that. The same with app bundling.

As an aside, there exists a version of packet sender with bundled malware on it.

Amber:
What?

Dan:
Right. Packet sender is open-sourced. It’s GPO and part of a GPO is that you can bundle the app with other things. Somebody took packet sender, attached malware to it, and started bundling that. I actually found a review of packet sender online that said, basically, app is great, but beware, comes with malware.

Amber:
Woah.

Dan:
It’s very annoying and there’s nothing I can do about it. That’s something the GPO allows. Like our previous discussion, you have to take the bad with the good as far as tools go.

Amber:
Right.

Dan:
But the main source revenue for open-sourced developers is paid gigs based on the people finding the app and wanting to hire them for customizations.

Amber:
Oh, I see.

Dan:
That’s very common. So far I’ve accepted three paid gigs to customize packet sender. I don’t need the payment, but what they are proposing I thought was an interesting addition. Things that I was thinking about adding to packet sender anyway but they offered to pay to accelerate that development. I thought great, I’ll do it.

One of the paid additions was IPD6 support. For the … there was a version of packet sender that supported IPD6, it didn’t support it very well so I dropped it. A person in Brazil hired me to add it back and add it properly. That was interesting.

Another person wanted a customized tweak to packet sender and I was able to supply that. I think he was located in London. Then there was another one located in Canada. That was a small tweak.

I’m getting international, there’s not much going on in the U.S.

Amber:
It’s so …

Dan:
I think there was one in the U.S. Right, there was one in the United States. It was a very small contribution, but it’s there. So we did get the United States.

Amber:
Okay.

Dan:
We hit three continents and we do have the United States. That’s it.

Amber:
Yeah. Well, at least we’re on the map a little bit.

Why did you choose to open source it?

Dan:
That was something I picked up from a B-Sides conference. I got that email saying I should look into infosec, I went to B-Sides, then I went the next year. Then somebody came up to me and wanted to put it in their Lennox distribution. Actually he didn’t come up to me physically, he emailed me later. It was the Arch Strike Lennox distribution. It’s sort of like Kelly Lennox, or one of those other Lennox distributions. One of the common things that I’ve noticed from information security and security in general, is that they’re all huge fans of open source. They all love open source, it’s a huge focus. I can see why. If it’s open-sourced, you don’t need to trust my code, I don’t need to trust my code. I can look at the source directly and see what it’s going to do or what it should be doing. I thought it was really cool that my utility might go into Lennox distribution. One thing about Lennox ,it’s a whole lot easier to get supported if you’re app is open-sourced.

That was the main motivator. Another motivator was I had had it up for free forever anyway. The other motivator was I couldn’t think of a way to monopolize it that would not be annoying to me. I didn’t want to put ads on it. I thought about charging money, but it’s already been free forever. I just decided to go ahead and make it open source.

Amber:
Well that’s cool. This may be a dumb question, and you can tell me if it is, but how does making it open source help you make money on it?

Dan:
It doesn’t. It does the opposite of making money. Say I do a bad job maintaining packet sender, or packet sender goes off in a direction that the general community does not like. Someone could just take my code, recompile with a different name, and move on without me being attached to it anymore. What open source does do is make the app potentially more popular because they know that they can trust it more. They know that the source is right there. The tool will always be available. If they don’t trust the installer, they can look at the code. It becomes a more popular … I noticed there was a traffic spike shortly after open sourcing. Before it was open source, packet sender was getting maybe a 150 downloads a day. After open sourcing, it’s now up to 300.

Amber:
I see. Well that makes sense.

Thank you so much for coming on to the program. I really appreciate you taking the time to tell us about your project and fingers crossed for next month in Atlanta.

Dan:
I’m looking forward to it. Thank you so much for having me.

Amber:
Thanks, Dan. Bye.

That’ll do it for this episode of the Global CISO Forum Podcast. The show is produced by Saba Mohammad, edited by Shandiin Tome. You can help the show by subscribing on iTunes or Stitcher, and if you would leave a review for us, that would help other people find the show. Until next time, this is Amber Pedroncelli.

Announcer:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.