Back from FOSDEM! A few days ago, I posted my schedule here and it didn’t change.
The first three presentations were in the same room and covered security topics. FOSDEM is an event for open-source developers and is not fully dedicated to security like BruCON, but developers must be aware of security. I hope that future editions will continue to offer tracks about our favorite topics.
The first presentation covered the latest release of the OWASP Testing Guide. Matteo presented the different chapters with interesting examples, e.g. a CSRF attack via the “<img>” tag, and explained how sessions can be hijacked via cookie stealing.
Then, Simo presented the FreeIPA project: “Identity Management into FOSS Project”. The project’s goal is to build a complete platform to identify and authorize users on a network. Based on several strong components (LDAP, Kerberos, Rsyslog, Apache), the project is at its first release. Interesting, but the features are too limited IMHO. The next version should be stronger.
The last security topic was about Fusil, a fuzzer written by Victor Stinner. Fuzzing is a way to test applications by feeding them random data: for example, submitting to an application completely random data, over-sized data or data in an irrelevant format. This kind of tool is very useful for discovering bugs (they must be used carefully because they often crash the application!). Funny: someone asked Victor if he had tested his code with his own tool. Answer: “no, they are known bugs” ;-) A good conclusion from this presentation: developers must take care of any data passed to the application.
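To make the fuzzing idea concrete, here is an added example (my own illustration, not Fusil’s code): a minimal harness that feeds a parser the three input classes mentioned above (random bytes, over-sized data, wrong format) and records every unexpected exception as a crash. Both parsers and the `BadInput` exception are constructed toys; the hardened one shows what “taking care of any data passed to the application” looks like.

```python
import random

class BadInput(ValueError):
    """The only exception a robust parser is allowed to raise on hostile input."""

def naive_parse(data: bytes) -> dict:
    # Trusts its input: no size limit, assumes ASCII and a '=' in every field.
    text = data.decode("ascii")
    return {f.split("=")[0]: f.split("=")[1] for f in text.split(";")}

def safe_parse(data: bytes) -> dict:
    # Validates before use: bounded size, checked decoding, explicit format checks.
    if len(data) > 4096:
        raise BadInput("record too large")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadInput("non-ASCII byte") from exc
    out = {}
    for field in filter(None, text.split(";")):
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise BadInput(f"malformed field {field!r}")
        out[key] = value
    return out

def gen_random(rng):      # completely random data
    return bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))

def gen_oversized(rng):   # over-sized data
    return b"key=" + b"A" * rng.randrange(10_000, 100_000)

def gen_irrelevant(rng):  # data in an irrelevant format (constructed samples)
    return rng.choice([b'{"key": "value"}', b";;;", b"key", b"=value;=", b""])

def fuzz(target, iterations=300, seed=1):
    """Run `target` on generated cases; return (generator, exception) crash records."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        gen = rng.choice([gen_random, gen_oversized, gen_irrelevant])
        case = gen(rng)
        try:
            target(case)
        except BadInput:
            continue              # rejected cleanly: the behaviour we want
        except Exception as exc:  # anything else is a bug in the parser
            crashes.append((gen.__name__, type(exc).__name__))
    return crashes
```

Running `fuzz(naive_parse)` yields a list of crashes, while `fuzz(safe_parse)` returns an empty list because every hostile input is rejected with `BadInput`.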
In the afternoon, I followed topics more oriented toward the “system” itself. The first one was also security related: how to use SELinux to secure your OS. I learned nothing new about this component. The main problem when you deploy SELinux is the lack of existing profiles for applications. The classic ones are supported (Apache, sendmail, …) but once you use something more “exotic”, you have to write your own profiles. So boring…
Finally, the last two presentations were respectively about the Syslinux project and the upcoming new file system ext4. The presentations were very professional and gave a lot of details. A funny demo was made by Peter Anvin, the owner of the Syslinux project: he booted a virtual box with a kernel downloaded from the US over HTTP.
As usual, lots of geeks and lots of user-group stands promoting your favorite distributions (no flame war here). I met friends and even customers. Thanks to the FOSDEM team for the organization. See you in 2010!