After 100 years of searching, an international team of physicists has confirmed the existence of Einstein’s gravitational waves, marking one of the biggest astrophysical discoveries of the past century. It’s a huge deal, because it not only improves our understanding of how the Universe works, it also opens up a whole new way of studying it.
I actually saw this talk by Erik de Castro Lopo but didn't write about it as I arrived late and ended up sitting within arm's reach of the lectern... that and to be honest it's taken me this second viewing for it to sink in anyway.
Erik presents the fuzzing technique as:
- A method of testing a program with random input.
- A great leap forward in effectiveness.
- A way to find bugs before they're reported.
He also:
- Recommends AFL (American Fuzzy Lop).
- Spends some time walking through how AFL works and how to use it.
- Walks through sanitizers.
- Provides a demo you can clone from git and use.
- Covers the pros and cons rather extensively.
- Takes a walk through some SSH code as an example of code not designed to be fuzzed, to underscore coding with fuzzing in mind from the start.
- Provides a live demo and other cases.
An excellent talk, well worth watching if this is your field of endeavour.
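As an added illustration of the "random input" idea above (my own example code, not Erik's demo repository, and a toy Python loop rather than AFL): a deliberately buggy length-prefixed record parser, its fixed counterpart, and a mutational fuzzer that turns a well-formed seed into inputs the buggy version cannot handle. In C the over-read in the buggy parser would be silent until a sanitizer flagged it; here Python raises IndexError, which the loop treats as a crash. All names, the record format and the seed input are constructed for this example.

```python
import random


class ParseError(Exception):
    """Raised by the parser for malformed input it recognises and rejects."""


def parse_records_buggy(data: bytes) -> list:
    """Parse [len][payload]... records. Constructed bug: the checksum loop
    trusts the length byte, so a corrupted length reads past the end of the
    buffer and raises IndexError (in C this would be an out-of-bounds read
    that only a sanitizer such as ASan would surface)."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        checksum = 0
        for k in range(length):
            checksum ^= data[i + 1 + k]          # BUG: no bounds check
        records.append((data[i + 1:i + 1 + length], checksum))
        i += 1 + length
    return records


def parse_records_fixed(data: bytes) -> list:
    """Same format, but a truncated record is rejected with ParseError."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        if i + 1 + length > len(data):
            raise ParseError("truncated record at offset %d" % i)
        payload = data[i + 1:i + 1 + length]
        checksum = 0
        for b in payload:
            checksum ^= b
        records.append((payload, checksum))
        i += 1 + length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: a bit flip, a byte insert or a byte delete."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Mutational fuzz loop (no coverage feedback, unlike AFL). Returns
    (crashing_input, exception) for the first unexpected exception, or
    None if the target survived every iteration."""
    rng = random.Random(rng_seed)      # fixed seed keeps the run reproducible
    corpus = [seed]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ParseError:
            continue                   # a handled rejection is not a bug
        except Exception as exc:       # anything else counts as a crash
            return candidate, exc
        corpus.append(candidate)       # survived: reuse it as a mutation base
    return None


SEED_INPUT = b"\x03abc\x02de"   # constructed: two well-formed records

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_records_buggy, SEED_INPUT, 500))
    print("fixed parser:", fuzz(parse_records_fixed, SEED_INPUT, 500))
```

The loop finds a crashing input for the buggy parser within a handful of iterations because flipping a high bit in either length byte is enough; the fixed parser only ever raises ParseError, which the harness treats as a correct rejection. Writing the parser so that a malformed input produces a defined error rather than an out-of-bounds access is exactly the "coding with fuzzing in mind" point from the SSH walkthrough.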
This talk by Kayne Naughton was the most talked about talk that I did not see while at LCA2016 in Geelong, so naturally it's the first talk I've watched revisiting the conference.
The allotted 40 minutes was clearly not long enough for Kayne to delve into his obviously deep knowledge of security in general and specifically the Linux space.
What resulted was a fast-paced, informative, insightful and humorous take on Linux security, how to do it properly and how to effectively deter most would-be hackers.
There's some genuine laugh-out-loud moments and plenty of 'oh's as Kayne drops the penny for us more than once.
A great talk that lived up to its at-conference reputation.
This is another book I read as a teenager and decided to re-read. Frankly, it's great. Confused teenager signs up for the British Army (or is conscripted, it's not totally clear) and ends up as an artillery gunner. Has hilarious adventures while managing to still be a scrawny nerd. I loved it. A light-hearted look at a difficult topic.
Tags for this post: book spike_milligan combat ww2 biography
The reviews online for this book aren't great, and frankly they're right. The plot is predictable, and there isn't much character development. Just lots and lots of blow-by-blow combat. It gets wearing after a while, and I found this book a bit of a slog. Not recommended.
Tags for this post: book william_c_dietz combat halo engineered_human cranial_computer personal_ai aliens
Thanks to the absolutely amazing efforts of the LCA video team, they’ve already (only a few days after I gave it) got the video from my linux.conf.au 2016 talk up!
Abstract
In mid 2014, IBM released the first POWER8 based systems with the new Free and Open Source OPAL firmware. Since then, several members of the OpenPower foundation have produced (or are currently producing) machines based on the POWER8 processor with the OPAL firmware.
This talk will cover the POWER8 chip with an open source firmware stack and how it all fits together.
We will walk through all of the firmware components and what they do, including the boot sequence from power being applied up to booting an operating system.
We’ll delve into:
– the time before you have RAM
– the time before you have thermal management
– the time before you have PCI
– runtime processor diagnostics and repair
– the bootloader (and extending it)
– building and flashing your own firmware
– using a simulator instead
– the firmware interface that Linux talks to
– device tree and OPAL calls
– fun in firmware QA and testing
I've started dipping my toe into federated social media. During LCA2016 I stood up an instance of GNUSocial. You can find it here social.mcwhirter.io and if you're already in the federated social media universe, you can reach me as email@example.com.
A few weeks ago I noticed a retweet by ESA, asking for expressions of interest from space enthusiasts to attend and social-media (verb) the inauguration of a new antenna at their New Norcia deep space tracking site in Western Australia.
After some um-ing and ah-ing, I decided to apply. After all, when I'm on holiday elsewhere I try to visit observatories and other space related things and am always a bit disappointed when a fence keeps me at a distance.
Last week I got an email with the happy news that I was one of the fifteen lucky people selected to attend!
So, over the next week you'll probably see a lot of space tweets from me with impressive radio hardware, behind the scenes looks at things, and a lot of excited people.
Tags: space, Social Space, WA, ESA, deep space, astronomy
Yesterday at linux.conf.au 2016 in Geelong, I had the privilege of being able to introduce our plans for linux.conf.au 2017, which my team and I are bringing to Hobart next year. We’ll be sharing more with you over the coming weeks and months, but until then, here’s some stuff you might like to know:
The Dates
16–20 January 2017.
The Venue
We’re hosting at the Wrest Point Convention Centre. I was involved in the organisation of PyCon Australia 2012 and 2013, which used Wrest Point, and I’m very confident that they deeply understand the needs of our community. Working out of a Convention Centre will reduce the amount of work we need to do as a team to organise the main part of the conference, and will let us focus on delivering an even better social programme for you.
We’ll have preferred rates at the adjoining hotels, which we’ll make available to attendees closer to the conference. We will also have the University of Tasmania apartments available, if you’d rather stay somewhere more affordable. The apartments are modern, have great common spaces, and were super-popular back when lca2009 was in Hobart.
The Theme
Our theme for linux.conf.au 2017 is The Future of Open Source. LCA has a long history as a place where people come to learn from people who actually build the world of Free and Open Source Software. We want to encourage presenters to share with us where we think their projects are heading over the coming years. These thoughts could be deeply technical: presenting emerging Open Source technology, or features of existing projects that are about to become part of every sysadmin’s toolbox.
Thinking about the future, though, also means thinking about where our community is going. Open Source has become massively successful in much of the world, but is this success making us become complacent in other areas? Are we working to meet the needs of end-users? How can we make sure we don’t completely miss the boat on Mobile platforms? LCA gets the best minds in Free Software to gather every year. Next year, we’ll be using that opportunity to help see where our world is heading.
So, that’s where our team has got so far. Hopefully you’re as excited to attend our conference as we are to put it on. We’ll be telling you more about it real soon now. In the meantime, why not visit lca2017.org and find out more about the city, or sign up to the linux.conf.au announcements list, so that you can find out more about the conference as we announce it!
- New Zealand Open Source Society
- LCA 2015 give-aways of ARM chromebooks
- Linux on ARM challenge
- Call to Arms
- x86 != Linux
- Please consider other architectures
- Open Source GPS and MAP sharing
- Android client and IOS to come
- Create a group, Add placemaps, Share location with a group
- Also run OpenStreetmaps tileserver
- stackptr.com/registration – Invite code LCA2016
- Hat Rack
- code is in GitHub, but what about everything else?
- How to ack stuff that isn’t code?
- bit.do/LABHR #LABHR
- Recommend people, especially people not like you
- Melbourne 12-16 August
- DjangoCon Au, Science and Data Miniconf, Python in Education plus more on 1st day
- CFP opens in mid-March
- Financial assistance programme
- Kiwi PyCon
- 2016 in Dunedin
- Town Hall
- 9-11 September
- Have fun
- Open up the government data
- 29-31 July across Aus and NZ
- JMAP: a better way to email
- Lots of email standards, all awful
- $Company API
- json over https
- Single API for email/cal/contacts
- Mobile/battery/network friendly
- Working now at fastmail
- Support friendly (only uses http, just one port for everything).
- Batches commands, uses OOB notification
- Upgrade path – JMAP proxy
- http://jmap.io , https://proxy.jmap.io/
- “Devops is just a name for a Sysadmin without any experience”
- Let's get back to Unix principles with tools
- Machine Learning Demo
- Filk of technical – Lied about being technical/gadget type.
- Randomness at 1MB/s
- Copied from OneRNG
- 4x4mm QFN package attached to USB key
- Driver in Linux 4.1 (good in 4.3)
- Just works!
- Building up smaller batches to test
- Hoping for around $30
Free as in cheap gadgets: the ESP8266 by Angus Gratton
- I missed the start of the talk but he was giving a history of the release and getting software support for it.
- Arduino for ESP8266 very popular
- 2015-2016 maturing
- Lots of development boards
- SparkFun ESP8266 Thing, Adafruit HUZZAH, WeMos D1
- Common Projects
- Lots of lighting projects, addressable LED strips
- Wireless power monitoring projects
- Copy of common projects. Smoke alarm project
- ESPlant – speakers project built in Open Hardware Miniconf – solar powered gardening sensor
- Moodlight kickstarter
- Not a lot of documentation compared to other microcontrollers; about 1/10 that of similar products
- Weird hardware behaviour. Unusual output
- Default baud rate 74880 bps
- Bad TLS: TLS v1.0 and 1.1 only, RSA 512/1024 (2048 might work)
- Other examples
- FOSS in ESP8266
- GCC , Lua , Arduino, Micro Python
- axTLS , LWIP, max80211, wpa_supplicant
- Wrapped APIs, almost no source, mostly missing attribution
- Weird licenses on stuff
- Does this source matter?
- Anecdote: TLS random key same every time due to bad random function (later fixed). But still didn’t initially use the built-in random number generator.
- Reverse Engineering
- Wiki; tools: foogod/xtobjdis, ScratchABit, radare2 (soon)
- esp-open-rtos – based on the old version that was under MIT
- mbedTLS – TLS 1.2 (and older) , RSA to 4096 and other stuff. Audited and maintained
- Working on a testing setup for regression tests
- For beginners
- Start with Arduino
- Look at dev board
- Hopefully other companies will see success and will bring their own products out
- but with more open licenses
- ESP32 is coming, probably 1y away from being good and ready
secretd – another take on securely storing credentials by Tollef Fog Heen
- Works for fastly
- What is the problem?
- Code can be secret
- Configuration can be secret
- Credentials are secret
- Secrets start in the first of the following places and move on to the next:
- directly in code
- then a configuration file
- then a pre-encrypted store
- then an online store
- Problems with stores
- Complex or insecure
- Manual work to re-encrypt
- Updating is hard
- No support for a dev/prod split
- Requirements for a fix
- Dynamic environment support
- Central storage
- Policy based access controls, live
- APIs for updating
- Use Case
- Hardware (re)bootstrapping
- Hands-off/live handling
- PCI: auditing
- Machine might have no persistent storage
- pwstore – pre-encrypted
- chef-vault – pre-encrypted
- Hashicorp Vault – distributed, complex, TTL on secrets
- etcd – x509
- tree structure, keys are just strings
- positive ACLs
- PostgreSQL backend
- Apache Licensed
- Client -> JSON over ssh -> secret-shell -> Unix socket -> secretd -> PostgreSQL
- Encrypting secrets on disk
- Admin tools/other UIs
- Tool integration
- Enrolment key support
- Why not SQLite? – Because I wanted a database. Postgres more directly supported the data structure I wanted, and has better type support.
- Why not just use the built-in Postgres security features? – They didn't exist a year ago, and they require that every user also exist as a DB user.
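To make the data model in the notes above concrete (a tree whose keys are just strings, positive ACLs, live policy changes with no re-encryption, and an audit trail), here is an added in-memory model written for this post. It is hypothetical example code, not secretd's own implementation or API: the grant semantics (a principal gets a set of permissions under a path prefix, and anything not explicitly granted is denied), the principal names, paths and secret values are all constructed for the illustration. The principal is assumed to be whatever identity the ssh hop in the architecture established.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One positive ACL entry: principal may perform perms under prefix."""
    principal: str        # identity established at the ssh hop (assumed)
    prefix: str           # normalised tree path, always ends in "/"
    perms: frozenset      # subset of {"read", "write"}


def _norm(prefix: str) -> str:
    """Normalise a path so prefix matching respects whole path components
    ("/prod/db" must not match "/prod/dbx/...")."""
    return prefix.rstrip("/") + "/"


class SecretStore:
    """Hypothetical model of a central secret tree with allow-only ACLs."""

    def __init__(self):
        self._secrets = {}    # "/prod/db/password" -> value
        self._grants = []     # list of Grant; there are no deny rules
        self.audit = []       # (principal, op, path, allowed) for every access

    def grant(self, principal, prefix, *perms):
        """Live policy change: takes effect immediately, nothing to re-encrypt."""
        self._grants.append(Grant(principal, _norm(prefix), frozenset(perms)))

    def _allowed(self, principal, path, perm):
        # Positive ACL: allowed only if some grant covers principal+perm+prefix.
        return any(g.principal == principal and perm in g.perms
                   and _norm(path).startswith(g.prefix)
                   for g in self._grants)

    def _check(self, principal, op, path):
        ok = self._allowed(principal, path, op)
        self.audit.append((principal, op, path, ok))   # denied attempts too
        if not ok:
            raise PermissionError(f"{principal} may not {op} {path}")

    def put(self, principal, path, value):
        self._check(principal, "write", path)
        self._secrets[path] = value

    def get(self, principal, path):
        self._check(principal, "read", path)
        return self._secrets[path]

    def list(self, principal, prefix):
        """Only keys the principal could read are even visible."""
        prefix = _norm(prefix)
        return sorted(p for p in self._secrets
                      if p.startswith(prefix) and self._allowed(principal, p, "read"))


def is_denied(fn, *args) -> bool:
    """True if calling fn(*args) is refused by the ACL."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def build_demo_store() -> SecretStore:
    """Constructed sample: a dev/prod split expressed purely as path prefixes."""
    store = SecretStore()
    store.grant("admin", "/", "read", "write")
    store.grant("web-prod-01", "/prod/web", "read")      # a production host
    store.grant("alice", "/dev", "read", "write")        # a developer
    store.put("admin", "/prod/web/api_key", "constructed-prod-key")
    store.put("admin", "/prod/db/password", "constructed-db-pw")
    store.put("alice", "/dev/web/api_key", "constructed-dev-key")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.list("web-prod-01", "/prod"))       # ['/prod/web/api_key']
    print(is_denied(s.get, "alice", "/prod/web/api_key"))   # True
    print(s.audit[-1])
```

Two points the model makes that the pre-encrypted stores in the comparison cannot: widening or narrowing access is a single `grant` against the live policy, not a re-encryption of every affected file, and every access, allowed or not, lands in `audit`, which is the hook the PCI auditing use case needs.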