Saturday, 6 February 2016

LCA 2016 - Day 4

Day 4 opened with a keynote by Jono Bacon, director of community at Github. Jono spoke of the evolution of the Open Source and Linux communities moving towards what he called "Community 3.0" where the expectations of open-source infiltrate into society at large and become part of the "common core" of society. He stated that dignity is a fundamental human requirement and right and that dignity is a product of several factors:

  • Dignity, requires
  • Self Respect, which stems from a persons ability to
  • Contribute, which requires
  • Access

Jono described system 1 and system 2 thinking and outlined the SCARF model:

  • Status
  • Certainty
  • Autonomy
  • Relatedness
  • Fairness

The two golden rules are:

  1. Accomplish goals indirectly
  2. Influence behaviour with small actions

Community 3.0 = System 1&2 thinking + Behavioural patterns + Workflow + Experiences + Packaged guidance

I guess it goes without saying that I got a lot out of this keynote.

Day 4 also saw a marked improvement in the quality of the food offerings at morning tea. I think I ate 5 or 6 of these delectable goodies. I must learn to make them at home.




4/1 - Using Persistent Memory for Fun and Profit by Matthew Wilcox


The title of this talk sounded interesting, but I quickly worked out that there was very little I could gain from this. Persistant memory is memory that retains its state after powering off. Matthew works for Intel and they just so happen to be about to release 3D XPoint DIMMs that do this - however they will be expensive.

Applications must be written to take advantage of persistent memory - hence the need for intel to encourage developers to do so.

I couldn't help the feeling of deja vu with this talk. Persistent memory used to be a common thing: The PDP11 had it with core memory, my MicroBee had it with CMOS memory. We have come full circle.

4/2 - Hardware and Software Architecture of The Machine by Keith Packard


Another vendor talk, this one from Hewlett-Packard. This talk focused on The Machine - which I had never heard of, but apparently a lot of the delegates had.

Much of this talk was dedicated to the challenge of dealing with 320TB of RAm shared amongst several processors. The handle this a new paradigm was developed where memory is addressed in "books" instead of pages stored in "shelves". Memory is made available by the "Librarian".

In order to support the architecture of the machine, Linux needs to be modded to support:
  • Fabric attached Memory
  • File system abstractions
  • Librarian file system

4/3 - Tutorial: Hunting Linux malware for fun and $flags by Marc-Etienne M.Léveillé


After lunch was a gruelling workshop where each participant was given a virtual machine infected with malware with the instructions to detect and defuse it and see how many 'flags' we could capture. Somehow we were meant to do this while listening to his talk.

These sort of workshops are generally bad for my ego. I like to think I'm pretty good at this sort of stuff, but once you're shoved in a room full of people as good as or better than you, you start to feel like a clueless noob. I eventually captured five flags of the ten available flags but the malware was still persistent on my machine and I had to resort to the cheat notes. This is where I found out that the email sending was made persistent through ssl injection.


I would have liked to have more time to study and understand the mechanisms. This was certainly a valuable tutorial with direct application to the real world.

4/4 - edlib - because one more editor is never enough by Neil Brown


While admitting that the last thing Linux needs is another editor, Neil explained his justification for doing so. He described the deficiencies of current editors from the Model-View-Controller perspective and detailed how his new editor aimed to overcome them. It was enough to make me wish it wasn't in alpha.

https://github.com/neilbrown/edlib


4/5 - Playing to lose: making sensible security decisions by assuming the worst by Tom Eastman


In a classic case of leave the best 'til last, Tom described how security is enhanced by assuming the worst. He started by describing the potential threats:
  • Script kiddies, all the time in the world, in it for the lulz
  • Organised criminals
  • Former employees (top threat)
  • Hacktivists
  • Nation-state actors

Tom then went on to explore each of the 'attack surfaces' of an online presence in detail:
  • Web server
  • App server
  • Database
  • Front-end interface
  • Infrastructure

I took a several pages of notes from this excellent talk. His key recommendations are:
  • White-list input validation on all user-generated input
  • Escape all data appropriately for display
  • Mitigate cross-site scripting using Content Security Policy. Key: ensure inline javascript is never executed.
  • Log and check CSP violation reports. 

No comments:

Post a Comment