My BSidesPDX 2023 Proposal

I am so excited that my proposal was accepted for BSidesPDX 2023! I have never been to this conference, but I have been wanting to go for years.

On a Monday morning in early 2001, I was doing my normal morning office routine. I got coffee, plugged in my laptop, and SSHed into my servers to check on them. Just before my first sip of coffee, I noticed a web server with really large Apache access logs. When I sampled the logs, I couldn’t find any requests being proxied to the app servers. I felt a sinking feeling in my stomach. We had data about users that they didn’t want on the internet. I needed to take a deep breath.

After taking a couple of deep breaths, I SSHed into the rest of the rack of servers and couldn’t find any evidence of a compromise. Within an hour, I realized that Apache had been configured to proxy the internet, and we had a security issue, but we didn’t have a data breach. "I set up a proxy to make app servers edge accessible, not realizing it was open to proxy to any site on the internet" (source redacted for privacy reasons ;).

This experience made me consider the vastly different motivations and impacts of privacy and security. Twenty years later, as I was responsible for the privacy and security of user health data, I took a first-principles approach to software and its relationship to security and privacy. I found that I cared morally, ethically, and empathetically about the privacy of the users I was responsible for. I was also chiefly concerned about the business impact of security breaches. If the primary use case is privacy, why are our programming interfaces not designed to safeguard user data?

So I created SNDL, a programming environment that treats privacy controls as the first-class citizen instead of security. SNDL (pronounced "san-dahl") is an experimental programming environment that is inspired by the desire to teach programming in an iterative fashion. It uses module/package sandboxes inspired by Capsicum and Pledge. It places configurable controls at the package name to limit access to resources (IO).

I am looking forward to presenting my work on SNDL at BSidesPDX 2023. I hope to see you there!