This Needs to be Fixed, and Other Jokes in Commit Statements

DEF CON 18

Presented by: Logan Lodge, Bruce Potter
Date: Saturday July 31, 2010
Time: 12:00 - 12:50
Location: Royale 5
Track: Track 3

Open source. These two words mean lots of things to lots of people. Some say that because it's open source it's more secure, since you have complete transparency. Others say that because it's open source it's less secure, since amateurs are writing the code. Well, one thing is true: with open source you have free rein to see the code and all the commentary left in there before it's compiled away. Ever wondered what was in those comments? Is there some lingering bug with a comment left behind to remind someone to go back in and fix it later? How many times did the developer leave a comment behind with the word 'bollocks' in it? These are the questions we set out to answer, and this talk is about those answers and how we got them.

During our talk we'll cover how we went about crawling the Internets for any and all public repositories, how we parsed the source code and commit statements in the repos we found, how we store the results, and of course the results themselves. Some of what we find will be security specific; much of what we find will just be comedy. We plan on releasing access to a web interface so you can perform your own queries against our results and see what interesting comments you can find in which repositories.
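The kind of scan the talk describes, pulling source comments and commit messages and matching them against "fix me later" reminders and profanity, as an added Python example (not the speakers' own tool); the marker list, the sample source and the sample commit messages are constructed for illustration:

```python
import re
from dataclasses import dataclass

# Markers to look for: reminders to come back and fix something, plus the
# word the talk asks about. This list is an assumption for the example.
MARKERS = ("FIXME", "TODO", "XXX", "HACK", "needs to be fixed", "bollocks")

# Comment syntaxes handled: '#' to end of line (Python/shell), '//' to end
# of line and '/* ... */' across lines (C family). A '#' or '//' inside a
# string literal will be picked up too; that is acceptable noise for a survey.
COMMENT_RE = re.compile(r"#[^\n]*|//[^\n]*|/\*[\s\S]*?\*/")

@dataclass
class Finding:
    origin: str   # "source" or "commit"
    line: int     # 1-based source line, or 1-based index of the commit message
    marker: str
    text: str

def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1

def scan_source(source):
    """Return one Finding per (comment, marker) pair found in source text."""
    findings = []
    for m in COMMENT_RE.finditer(source):
        comment = m.group(0)
        for marker in MARKERS:
            if marker.lower() in comment.lower():
                findings.append(Finding("source", _line_of(source, m.start()),
                                        marker, comment.strip()))
    return findings

def scan_commits(messages):
    """Return one Finding per (commit message, marker) pair."""
    findings = []
    for i, msg in enumerate(messages, 1):
        for marker in MARKERS:
            if marker.lower() in msg.lower():
                findings.append(Finding("commit", i, marker, msg.strip()))
    return findings

def marker_counts(findings):
    """Tally findings per marker, the kind of query the results store answers."""
    counts = {}
    for f in findings:
        counts[f.marker] = counts.get(f.marker, 0) + 1
    return counts

# Constructed sample input: a C snippet and three commit messages.
SAMPLE_SOURCE = """\
int check_auth(const char *pw) {
    // TODO: this needs to be fixed before release, accepts any password
    return 1;  /* XXX bollocks, temporary */
}
"""
SAMPLE_COMMITS = ["Add login handler",
                  "hack around the cert check for now, FIXME later",
                  "Refactor logging"]
```

Running `scan_source(SAMPLE_SOURCE)` flags lines 2 and 3, and `scan_commits(SAMPLE_COMMITS)` flags the second message for both FIXME and HACK.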

Bruce Potter

Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, reusing bios, and restoring hopeless vehicles. Mr. Potter has co-authored several books and writes monthly articles for "Network Security".

Logan Lodge

Logan Lodge is a member of the Shmoo Group and an avid Python developer. When he's not dominating in TF2 or blogging about the benefits of test-driven development, he's likely on a golf course somewhere testing the limits of a golf ball's flight trajectory, or attempting to drive a dispenser off of a boat to see if it's flight-worthy.
