Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

2015: Year In Review

For the second year I am publishing a year-in-review – something I had generally avoided in the past, as the tone of these posts is typically just cynicism and negativity. Looking back at 2015, it wasn’t all positive (what year is?), but there was certainly some good, and there are great things to look forward to.

In a season filled with empty marketing pitches, worthless predictions, and pointless projections – it’s important to look at the good and avoid the cynicism overload that is all too common. As a community, there is a great deal of good that we can do, changes that can be made, lessons taught, and minds opened – it is critical that we focus on the good we can do, not all the negative that we encounter on the way.

2015 In Review

A brief, personal, and not entirely positive look back at 2015. It was a complicated year with a lot going on; some goals were exceeded, others missed completely. Lessons were learned, and progress was made.

Last year I said I would spend more time on research:

Research – I plan on spending more time evaluating open source applications for security issues. In just a few hours a week, I can have a real impact on making applications and users more secure.

How did I do? Well, I added only one CVE to my list (CVE-2015-8267) – so publicly, I didn’t publish much, though I did more privately. This work likely didn’t have as much of an impact as I had hoped, though there were some small quiet wins.

Speaking

I spent more time speaking, especially to developers. I spent quite a bit of time talking to developers about cryptography – it’s a topic that is complicated, hard to grasp, and has too little good documentation that tells developers what they need to do. A lot of time was put into this effort, but I truly believe that it made a real difference.

Security conferences, while important to me personally for the interaction with others that I don’t get to see often, took a backseat as I focused on developers. I still spoke at a couple, but less than last year.

A major accomplishment was BSides Knoxville; we had a great team, exceptional speakers, and an excellent team of volunteers that made it happen. Organizing a security conference is quite a bit of work, but is, without question, one of the things I am most proud of.

Personal

This year was certainly less trying than last year; from finances to stress levels, the year was better. In May, my wife and I had a daughter – Ava Marie.

There were issues though; in October, my wife and I separated after being married for seven years – we have remained friends, though she and our kids moved closer to her family, several hours away. While life has been less trying, other things have been quite difficult.

One of my goals for last year was to be more transparent:

Personal Transparency – I’ve always been very concerned with my professional image, and as such tend to keep many details of my life to myself. One personal goal for this year is to be just a bit more open and transparent.

There are some people who are very good at this; they can share intimate details of their life. I am not one of those people. I’ve attempted to share more, to be a more open person – I think I’ve failed at this. For example, a bit over a week ago I was in the hospital – a fact that very few people were aware of. It may just not be in me to be less guarded.

Projects

Various projects took up much of my available time this year; here’s a quick update on them:

SMIMP

The SMIMP project was a response to the failures of email security – trying to bolt security on to a protocol that has no concept of secrecy or privacy will never work. It was an interesting attempt at designing a from-scratch replacement to email, and I enjoyed the effort. At this point, it’s a failed project and I don’t anticipate spending more time on it. There simply isn’t meaningful movement (in any direction) on finding a real fix for email.

I still have hope that something will happen, but we simply aren’t there yet.

CurveLock

CurveLock was an experimental high-security message and file encryption application for Windows. Simple, easy to use, and designed to be a bit paranoid when it comes to security level. A stable version was released; at this point the project is stable and usable.

EncryptingCamera

EncryptingCamera is an effort to create camera applications for popular mobile devices that perform seamless encryption – ensuring that if a device is later stolen or seized, the photos on it can’t be accessed.

The idea was solid, but unfortunately due to limited time, the project has advanced little over the last year, though hopefully it still has a chance.

Blog

Blog – Last time that I promised to blog more often, I didn’t post again for months, so I’m hoping that I don’t repeat that this time. But I promise to write more, and do my best to keep the content interesting.

Last year I published 16 articles with 18,040 words – this year it was only 14,104 words. This is largely due to one issue: I published nothing between May and November. During this time, I didn’t get much writing done and my open source projects fell behind; as a matter of fact, with competing priorities, most things lost. I’ve been working hard to turn this around.

In 2012 I moved to Octopress; I really liked that it was a static site and extremely fast (withstood being at the top of Hacker News with less than 10% CPU) – what I didn’t like was the workflow. As time went on, it became more of a hindrance to writing than an aid. A few weeks ago, I switched back to WordPress – it may not be perfect, but the workflow is better. It’s far easier to write and update, especially when on a mobile device. Based on recent productivity, I think this change is working; more writing, and more updates to published content.

The Novel

Novel – I intend to have either a deal signed with a publisher, or to publish as an ebook on Amazon before the end of 2015. One way or the other, I’ll be done with it by the end of the year.

Nope. Completely missed that goal.

The novel is still a work in progress; I still haven’t talked to any publishers, but it’s making progress (as I find time). Writing fiction is certainly a challenge, but a rewarding one.

Looking forward to 2016

  • Blog – I’m trying to spend more time writing about current events, but only in cases where I can add real value to a topic. It’s easy to find high-level summaries of an event, such as the Juniper incident, so in that case I tried to provide useful insight. If I can’t add something over what you’d get at your average news site, I just won’t say anything.
  • Novel – I don’t know when it’ll be done, but I’m hoping to see it published sometime in 2016. Fingers crossed.
  • Research – Performing publishable research is important to me – it takes time, which is in limited supply, but still deserves the time it takes. I’m going to do my best to identify and report more issues (that can be publicly documented).
  • EncryptingCamera – There is still real value to this project, and I’m hoping to jumpstart it so we can get it released.
  • Escaping The Echo Chamber – One of my goals for 2015 was to spend time outside of the echo chamber; I think I did that and it made a difference. I plan on continuing this trend.
  • Open Source – Except for the time when I wasn’t getting anything done, I did more work on my projects, and others. Hopefully I can spend more time working on these projects next year.

Overall, the year was less productive than I had hoped, but it was a good year, and 2016 will be something special.
