RMLL Security track : why, how and for which results

What are your goals when you set up that kind of conference track about Free Software and Security ? What are you doing to reach them ? How do you know you have reached them ?

Here are some of the questions you can ask yourself when you organize this kind of event.

We (doegox, moutane and cbrocas, the current RMLL security track chairmen) will try to answer these questions as honestly as possible 🙂

Why ?

To understand the objectives and the spirit, Peter Czanik, lecturer, gives us some answers through the report of his participation in the RMLL 2017.

Here is how he summarizes his coming this year:

“I participated again in Security track … “Participated” as I did not only give a talk on syslog-ng there, but also sat in to most of the presentations and had very good discussions both with visitors and fellow speakers. The organizers brought together talks from diverse IT security-related fields, a very good opportunity for cross-pollination of ideas”. (Note: emphasis is our own)

Peter has perfectly summarized what we are trying to achieve through the RMLL Security track year after year:

Do our best to facilitate meetings and exchanges between lecturers and the public. The goal is that these exchanges generate collaborations between developers or projects but also produce new features in free software of the Security sphere.

How?

Here, we are not going to give a detailed list of the things we think have to be done, but rather a short list of the levers that (in our view) were important in helping us reach these goals.

First of all, while respecting the technical and free software DNA of the Security track, we try to ensure that as many security disciplines as possible are represented in the subjects covered by the conferences given.

In 2017, you were able to attend (or read / review later) talks on the following topics:

  • privacy,
  • digital forensics,
  • network and system security,
  • cryptography,
  • low-level offensive security,
  • or reverse engineering.

We want both attendees and speakers to be confronted with subjects or disciplines of Security that are not always familiar to them.

This allows everyone to discover new fields of exploration and to pick innovative solutions that she/he can reuse in her/his projects or work.

Beyond the different and varied subjects, we also try to establish a climate as friendly as possible in order to maximize exchanges. During the conference, it is very rare to find a “star attitude” among our speakers. They are all free software users and/or developers and so, perfectly understand the importance of sharing with and helping people.

During talks, we do our best to encourage attendees to interact with speakers both during the session and during breaks or later during the event.

It is also very important to us that the speakers feel comfortable coming and attending: they usually don’t know the event (and so the attendees), the city and sometimes even the country. So, well before their arrival, we provide:

  • a dedicated mailing list,
  • complete information: how to get there, find accommodation, give their talk, contact us, be reimbursed, etc.

The goal is for all lecturers to come in confidence, get rid of most of their practical questions to be able to take advantage of the event in the most open way.

During the event, we also set up a speakers’ dinner. The goal is to provide them yet another opportunity to get to know each other better, exchange and let ideas “pollinate” 🙂

For what results?

In terms of measuring tools to collect and quantify these results, we do not have a lot of resources.

We systematically conduct a survey of the speakers while the organizers of the global edition do the same (or not ;-)) with the participants. It helps us (try to) improve year after year. But it also serves to identify the positive things that could happen :).

Contributions

Here is a “living” list, certainly not exhaustive, of the contributions and interactions born of these moments of exchanges.

Who came ?

You will find below some of the speakers who came to the RMLL Security track year after year :

RMLL 2015 security track Call for Paper

RMLL (Rencontres Mondiales du Logiciel Libre) is an open-access, free-of-charge conference about Free Software. It is hosted each year in a different town. This conference tries to make exchanges possible between you (the experts) and a wide audience, from the kernel dev to the libertarian hacker or the simple free software user.

After Geneva, Brussels and Montpellier, RMLL will be held in Beauvais (north of Paris) from the 6th to the 10th of July, 2015.

And last and the least (or not 😉 ), @moutane, @doegox and myself will curate the Security Track !

So, if you :

  • have pushed the limits of some audit or forensic free software ,
  • have coded a free software for a Security task ,
  • like P0wneys, kiwis, onions or BeEFsteak ,

Come to speak about it at the RMLL Security Track !

Note : all the talks will be done in English (exceptions will be accepted only with very good reason 😉 ).

With Mathieu and Philippe, we would also like to see the following topics covered during the RMLL Security Track:

  • crypto from hardware to JS (troll on) ,
  • open hardware and Security ,
  • malware on mobile as well as on servers,
  • vulns in free software (why do you say OpenSSL ?).

Practical information:

RMLL is a volunteer-run event, free as in free speech, so our resources are limited. But we can cover the travel expenses (not hotel, but train or plane) of some speakers. Do not hesitate to indicate this requirement in your submission. We will support speakers with limited resources first, of course.

Note : nothing to present but you like beer ? Come, our beer is … free as in freedom 🙂

Spread this CFP as if it were the best worm you have encountered !

Cheers, Christophe Brocas, Mathieu Blanc and Philippe Teuwen

Image under CC by license : https://www.flickr.com/photos/geekshadow/21096599835/

My first Unix session was a password hijack experience. It was in … 1989 !

I discovered Unix (not Linux) at college in Bordeaux, in 1989. After a first course about Unix and its concepts, our professor gave us our credentials so that we could log in to our school Unix system.

This computer was an HP 9000 server running a Unix OS. The “machine room” was in fact divided into two rooms. The first one was the “white room”, a restricted-access room with only the big box inside, aka the main server: 1.5 m high and several meters long. The second room was dedicated to the twenty passive terminals (VT100 emulation, I think) used to log in to the Unix system.

So, with my user account and password, I sat in front of one of the terminals. I entered my user account and my password. Failed. I just thought that I had misspelled one of them, I retried and I managed to log in. The rest of the session was successful: I was able to try the few commands I had learned during my first lesson.

But. The day after, I was not able to log in anymore. 2nd year students were just laughing in the terminal room. I asked why. They stopped laughing, picked a terminal and introduced me to the .logout functionality. It is used to execute a set of commands when you leave your current session. They had customized their own .logout script in order to display a screen almost identical to the normal login screen.

Yes, you see ? My first attempt to enter my credentials the day before was done on a faked login screen 😉 The student who was connected before me got my credentials and just had to change my password. After getting my credentials, the commands executed by the .logout script ended, and so did the student's session. So I re-entered my credentials in front of the real login screen.

It was in 1989. On a Unix system. Connected to … nothing: no network was available at this time on this server. And password theft was already a game 🙂

Image published under CC by license : https://www.flickr.com/photos/ajmexico/2478197231/

[RMLL 2014] Security Track CFP

RMLL (Rencontres Mondiales du Logiciel Libre, or LSM for Libre Software Meeting) is a conference with technical talks about Free Software. RMLL is held each year in a different town and it allows you to meet a very diverse audience, from kernel dev to punk hacker or next-door user.

RMLL celebrates this year their 15th anniversary from 7th to 11th July 2014 in Montpellier, South of France. And last, myself and Mathieu Blanc will curate the Security Track !

So if you recognize yourself in :

  • you broke the security of a Free Software ;
  • you develop or heavily use a Security Free Software ;
  • “you love kiwis, onions or BeEFsteak” ;
  • you are very late for “SSTIC CFP” — French security private joke, sorry ;

-> come to speak about it during RMLL Security Track !

With Mathieu, we would also like to see the following subjects covered during the track :

  • Privacy and crypto : Tor, GnuPG and their security ? speak about them !
  • Defensive : forensics in RAM, on hard drive or everywhere or almost … network and system security : show them on stage !
  • Offensive : offensive tools ? Vulns on Free Software ? Demonstrate them !
  • Mobility & web : new security apps ? new mobile security models ? Let’s troll about them !

Special point : you love firewalls ? kernel dev and developers ? good point ! The 10th Netfilter Workshop, Netfilter developers meeting, will be hosted by RMLL this year : come to speak with Eric, Pablo and all Core Team folks !

You hate Free Software ?
Meeting bearded hackers or libertarians just hurts you ?
Still come to Montpellier … Meeting RMS is always an experience 🙂

Instructions and pointers :

Make this CFP the best malware you can by spreading it worldwide (and also by relaying it to your best sec friends and to your preferred security mailing lists).

Thanks ! Christophe Brocas and Mathieu Blanc

Image under CC license : https://secure.flickr.com/photos/yobibe/14673892883/

Samsung NC10 : replace your HDD with an SSD

I have had a Samsung NC10 for 3 years, which I almost always use under Ubuntu. Booting, shutting down and launching applications are very slow.

So I decided to install a 128Gb Crucial M4 SSD

To do it, I followed :

  • this how-to for opening the NC10,
  • this video clearly explaining how to open the delicate part, the back of the computer.

The results :

  • launching time under Ubuntu 11.10 with the HDD :
    • from GRUB to Ubuntu users selection screen : 42 seconds
    • from Ubuntu users selection screen to the fully operational desktop : 25 seconds
    • total : 1 minute 7 seconds
  • launching time under Ubuntu 11.10 with the SSD :
    • from GRUB to Ubuntu users selection screen : 12 seconds
    • from Ubuntu users selection screen to the fully operational desktop : 15 seconds
    • total : 27 seconds

Still under Ubuntu 11.10, LibreOffice Writer launches in 6.5 seconds.

But Firefox with Sync activated still requires 15 seconds to launch. CPU and network dependencies tend to reduce the SSD benefits.

Conclusion : The NC10 does not become a blazing fast netbook but, as the different figures show, the SSD helps the NC10 to run quite quickly.