
LCA 2008 Security Blogging Contest

I have decided to run a contest for security related blog posts that appear on Planet Linux Conf Au [1]. That Planet is for people who are attending Linux Conf Au [2], and the prize (or prizes) will be given out at the conference.

The aim will be posts on the topic of computer security from people who are not experts. Anyone who has been employed as a security consultant or developer of security software or who has spoken at a conference such as LCA on a topic related to security can enter but will only be eligible for an honourable mention. Any such expert who enters for an honourable mention MUST note on their entry that they are not eligible for a prize to avoid any possible confusion.

Only blog posts of a positive nature will be well regarded by the judges. Negative reviews are only acceptable if they have positive suggestions for improvement and/or bug reports linked from them.

You may submit a series of posts on a theme, and multiple posts on different security issues will help an entry – we will judge the contributions of the person not a single post.

The prize pool is currently $50, which I hope to expand – but such expansion depends in part on the quality and quantity of early entries, so if some good entries are submitted soon then there will be more and bigger prizes. Currently the prize pool comes from the pockets of me and Casey, commercial sponsorship will be accepted and may increase the prize pool significantly.

The duration of the contest is from this moment until at least lunch-time on Friday the 1st of February. We may extend the contest until Friday night and announce the winner(s) on Saturday – but at this time you should not count on such an extension and plan to have your entry or entries in by mid-day on Friday the 1st of Feb (Australian eastern daylight savings time).

So far of the people I have invited to join the judging panel only Casey Schaufler has accepted. Casey and I will consider offers to assist in judging from people who have a combination of security and blogging experience that is significant, but note that as of this time all prize money comes from the judges…

When you write a post that you wish to submit for the contest please comment on this post with the URL to make sure that the judges don’t miss it. Entries submitted on the last day may need some other form of notification, I will write a future post which clarifies this issue.

Some issues related to selecting the winners have yet to be determined, I will write future posts with more information. But please don’t hesitate to enter now, well written posts that have a positive tone are what you need. Also entering quickly will help increase the prize pool, more prizes means a greater chance that you will win one!

One thing I am considering is how to manage commercial sponsorship if it is offered. One possibility I am considering is allowing a sponsor to declare that half of the money they pay will be used as prizes for entries that relate to their product. That would give an extra incentive for people to blog about topics related to the sponsor but still give extra prize money for other topics. In that situation the relation between the sponsor’s product and the prize winning entry or entries would be liberal, so a post about standard Unix security features would be eligible for prize money from any commercial Linux distribution.

Finally you must have your own individual blog to enter the contest. Guest-posts on other people’s blogs or group efforts are not eligible for anything other than an honourable mention.

Update: The contest is over and was not a success. See this page for the details [3].

Victoria Hotel Melbourne

I have just stayed at the Victoria Hotel Melbourne. I booked it through www.WotIf.com and paid ~$110 per night instead of the list price of $186 per night.

The location is great (little Collins St near Swanston St). It’s a short walk from most things that are in the central city area and the nearest tram stop has a tram that goes directly to Melbourne University which will be good for people attending LCA (although it’s close enough that you might want to walk and save a few dollars). The price is pretty good too (you don’t get much cheaper than that in the central city area).

But there are some down-sides. The hotel is old and has an old design. It has small windows and air-conditioners are retro-fitted into the window (as opposed to the modern design of having huge windows and A/C in the ceiling). The air-conditioning is barely adequate and once the hotel walls heat up the room will be warm all night. The window-based air-conditioning also greatly diminishes the possibility of looking out the window, and for people who are tall enough to see over it they will probably find that the bed is too short for them (I stayed in a twin room, maybe a double bed would be longer – of course if I was alone in a double bed then I could probably sleep diagonally).

The room lights are all halogen spotlights, that includes the reading lights over the beds. This is 90’s architectural fashion and not a functional design. If you want to lie on your bed to read a book or watch TV then you will be able to see at least three halogen lights from the corner of your eye. Seeing such a small intense light source in your peripheral vision is really unpleasant.

The pool is about 5M*5M in size and approximately 1.1M deep (it seems deeper than a 1.0M pool I recently swam in but shallower than a 1.2M pool).

In conclusion I think that the Oaks on Market [1] apartments are better value for money, although Market Street is less convenient.

Update: I forgot to mention one last failing. For curtains my room had nothing other than a Venetian blind. As such a blind does not cover the entire window space, I was woken by the sunrise. It’s bad enough seeing a sunrise after a hard night coding; I definitely don’t want to see one when I had planned to sleep in. Curtains that properly cover the window are not an expensive feature to add.


Weather in Melbourne

Some people have been asking about the weather in Melbourne in late-January in terms of what to wear for Linux.Conf.Au.

It is probably impossible to predict weather for a particular day this far ahead. But predicting a range for the week is not difficult.

I think that you should expect at least one day that is really hot with a peak of 37C or more and reasonable humidity with a possibility of another two days the same or similar. A day with a peak of 42C or more is not unlikely over the course of a week.

You should expect a range of temperatures; one or two days that are reasonably cool with a maximum of 25C would not be unexpected. Some heavy rain in short bursts is a possibility (based on the past few weeks – prior to that there was little rain and it’s possible that there may be some time without rain again). There is probably no need for a rain-coat if you have the option of waiting ~30 mins for the rain to pass before going outside. I expect that if there is any rain at a time when conference delegates are about to go out somewhere then things will be delayed.

I suggest that you wear jeans while on the plane but expect to wear shorts for your entire time in Australia. A t-shirt is a reasonable option, but if you plan to be outside much then wear a long-sleeved shirt. As I don’t expect to be doing much work in traditional offices in the near future I’m wearing business shirts when I go outside; long sleeves with a collar are good for protecting against sun-burn and as they are light they keep me cool (t-shirts are tighter and thicker and keep you hot). However when at LCA I will be wearing t-shirts that I designed (which should be well suited to being inside, and I don’t plan to do much outside during that week).

A Scott e Vest [1] is a good thing to wear. It has heaps of pockets for your electronic gear, is reasonably light, and can be worn on top of a t-shirt. The Scott company also sells a TEC shirt which is a long-sleeved shirt with plenty of pockets. I’ve had a Scott e Vest for a number of years and I might have to get myself a TEC shirt.

Oaks on Market

A few days ago I stayed in an apartment at the Oaks on Market [1] hotel which I booked through www.WotIf.com. The WotIf price was $159 per night – the list price was $376 per night. It was possible to get extra beds for $30 each per night if you wanted to get more people in the room.

All rooms are of the Suite / Apartment [2] style. The room was a basic (twin or queen) room; it was quite large and well equipped. The TV in the room was quite large and TFT, and it had a range of inputs which seemed to include everything other than VGA and DVI (if I was running a hotel every TV would have VGA or DVI input for laptops).

All the basic kitchen facilities were there, including a microwave oven, a stove, and a toaster. There was even dish-washing liquid!

The hotel pool (indoor and heated) is 25M long and 1.2M deep, and there is a spa and a sauna. The pool isn’t cleaned as well as it might be; there was a band-aid stuck on a wall and sand and other stuff on the floor of the pool (including a hair elastic with a rusty clip – it had apparently been in the pool long enough to rust).

The hotel is a short tram ride from the LCA venue, walking to LCA would be possible too (I walked further than that when at Dunedin). I can’t claim that this hotel is better than others, but it would do. Having a pool is a good thing, I recommend that all delegates bring their bathers for pool parties – the weather will probably demand such things.

Some LCA Melbourne Advice

At the end of the month we are having linux.conf.au (one of the best Linux conferences in the world) in Melbourne. Here is some quick advice for people who are attending:

If you have not yet booked a hotel then www.wotif.com is a good option to try, it’s a hotel booking web site that is aimed at last-minute bookings and offers significant discounts over the list price. A quick search on WotIf reveals that there are currently 5 hotels that are available for $140 per night or less for the time period of LCA. The rate listed is an approximation as the hotel may offer several rates for different types of rooms (it’s usually one of the cheapest options available from the hotel). I believe that some hotels don’t offer their rooms on WotIf until close to the day in question, so some more rooms may become available between now and the start of the conference. However the Australian Open [1] Tennis tournament ends on the 27th of January, if you plan to attend the LCA mini-confs then you will want to arrive on the 27th, so booking a hotel for that night at the last minute would be a risky strategy.

If you want to stay somewhere that is comfortable but not overly expensive then you might want to read my post about hotel apartments [2].

My post about public transport in Melbourne [3] has some information that can save you some money. One possibility to consider is that if you use 10 * 2 hour tickets and don’t completely use them up then you could sell them to locals. I would be happy to buy some partially used tickets for the full value of the unused part on the last day of the conference to save people wasting the unused value.

Note that my documents blog contains posts that will be updated whenever I have more information and the time to write it down (this blog is generally write-once). I will be updating the post about public transport significantly in future.


submissions for LCA and other conferences

In this post I recommended that job seekers not publish their CV. In a comment Gunnar suggested having a special CV for conferences. I think that Gunnar’s idea is good and have started writing my conference CV at http://etbe.coker.com.au/conferences. When I complete it I will make it part of every submission for speaking at a conference.

The LCA 2008 call for presentations is now open. One of the most interesting, noteworthy, and slightly controversial items is the suggestion that people submit a video. I think that the video submission is a great idea, either a video or testimony from audience members from past presentations should be required for all submissions (NB I’m not involved with organising LCA2008 so my opinion means little in this regard). The reason is that I have attended many presentations which fell far short of their potential due to poor speaking skills. I’ve been to great presentations by people with strong accents, by people with speech impediments, by people who are incredibly shy, and by people who just don’t have a clue about public speaking. However my observation is that if a speaker has more than one of these disadvantages then the presentation is likely to fail. I have previously written at length about how to give a good presentation to a technical audience (such as is found at LCA).

Dave Hall blogs about Should I do a presentation at LCA 2008. He mentions lack of a web-cam as a disincentive, but I am happy to lend him my digital camera (which makes really high quality movies) to solve this problem. In fact I have considered recording some short Linux talks at the SGI office during lunch breaks (Dave and I both work for SGI).

Dave also mentions a nightmare scenario about a laptop not working with presentation hardware. My post about getting laptops working for presentations will hopefully help some people in this regard.

I’m not sure if I’ll make an offer for LCA this year, I haven’t been doing much cutting-edge work recently. Maybe I’ll just offer some talks for mini-confs, I could probably get several offers accepted by mini-conf organisers if I try.

what is a BOF?

BOF stands for Birds Of a Feather; it’s an informal session run at a conference, usually without any formal approval by the people who run the conference.

Often conferences have a white-board, wiki, or other place where conference delegates can leave notes for any reason. It is used for many purposes including arranging BOFs. To arrange a BOF you will usually write the title for the BOF and the name of the convener (usually yourself if it’s your idea) and leave a space for interested people to sign their names. Even though there is usually no formal involvement of the conference organizers they will generally reserve some time for BOFs. Depending on the expected interest they will usually offer one or two slots of either 45 minutes or one hour. They will also often assist in allocating BOFs to rooms. But none of this is needed. All that you need to do is find a notice-board, state your intention to have a BOF at a time when not much else is happening, and play it by ear!

My observation is that about half the ideas for BOFs actually happen, the rest don’t get enough interest. This is OK, one of the reasons for a BOF is to have a discussion about an area of technology that has an unknown level of interest. If no-one is interested then you offer the same thing the next year. If only a few people are interested then you discuss it over dinner. But sometimes you get 30+ people, you never know what to expect as many people don’t sign up – or have their first choice canceled and attend the next on the list!

To run a BOF you firstly need some level of expert knowledge in the field. I believe that the best plan is for a BOF to be a panel discussion where you have a significant portion of the people in the audience (between 5 and 15 people) speaking their opinions on the topic and the convener moderating the discussion. If things work in an ideal manner then the convener will merely be one member of the panel. However it’s generally expected that the person running the BOF can give an improvised lecture on the topic in case things don’t happen in an ideal manner. It’s also expected that the convener will have an agenda for a discussion drawn up so that if the panel method occurs they can ask a series of questions for members of the BOF to answer. My experience is that 8 simple questions will cover most of an hour.

One requirement for convening a BOF is that you be confident in speaking to an audience of unknown size, knowledge, and temperament. Although I haven’t seen it done it would be possible to have two people acting as joint conveners of a BOF. One person with the confidence to handle the audience and manage the agenda and another with the technical skills needed to speak authoritatively on the topic.

Some of the BOFs I have attended have had casual discussions, some have had heated arguments, and some ended up as lectures with the convener just talking about the topic. Each of these outcomes can work in terms of entertaining and educating the delegates.

But don’t feel afraid; one of the advantages of a BOF is that it’s a very casual affair, not only because of the nature of the event but also because it usually happens at the end of a long conference day. People will want to relax, not have a high-intensity lecture. One problem that you can have when giving a formal lecture to an audience is nervous problems such as hyper-ventilating. This has happened to me before and it was really difficult to recover while continuing the lecture. If that happens during a BOF then you can just throw a question to the audience such as “could everyone in the room please give their opinion on X”, which will give you time for your nerves to recover while also allowing the audience to get to know each other a bit – it’s probably best to have at least one such question on your agenda in case it’s needed.

Note that the above is my personal opinion based on my own experience. I’m sure that lots of other people will disagree with me and write blog posts saying so. ;)

The facts which I expect no-one to dispute are:

  • BOFs are informal
  • Anyone can run one
  • You need an agenda
  • You need some level of expert knowledge of the topic

meeting people at Linux conferences

One thing that has always surprised me is how few people talk to speakers after they have finished their lecture. A lecture might have many questions and the questions may be cut off, but when the speaker leaves the room they will usually do so alone.

When I give lectures at conferences I’m always happy to spend more time talking to people who are interested in the topic and disappointed that so few people choose to do so. It seems that other people have similar experiences, there have been several occasions when I have invited speakers to join me for lunch and no-one else has shown interest in joining us.

Usually the most significant factor in making someone offer a talk at a Linux conference is the opportunity to teach other people about the technology that they are working on. People with that motivation will take the opportunity to teach people at lunch, dinner, whenever.

Linux Conf Au has an event called the “Professional Delegates Networking Session” which is regarded by some people as the way to meet speakers (about half the delegates don’t attend so the ratio of speakers to delegates is significantly better than at other conference events). But it seems to me that it’s more efficient to just offer to buy them dinner. When I worked for Red Hat the maximum value for a gift I could accept was $100US, I expect that Red Hat has not changed this policy since then and that most companies that employ speakers at Linux conferences have similar policies. $100US is more than a meal costs at most restaurants that are near a Linux conference.

If I was a manager at a company that sent employees to a Linux conference I would first send email to some speakers who were working in areas of Linux development that were related to the projects that the employees were working on. I would ask the speakers if they would be interested in having dinner bought for them by my company and give them the option of bringing one or two friends along for a free meal (the friends would probably be people who work in similar areas).

lifetime failures (LF)

This morning at LCA Andrew Tanenbaum gave a talk about Minix 3 and his work on creating reliable software.

He cited examples of consumer electronics devices such as TVs that supposedly don’t crash. However in the past I have power-cycled TVs after they didn’t behave as desired (not sure if it was a software crash – but that seems like a reasonable possibility) and I have had a DVD player crash when dealing with damaged disks.

It seems to me that there are two reasons that TV and DVD failures aren’t regarded as a serious problem. One is that there is hardly any state in such devices, and most of that is not often changed (long-term state such as frequencies used for station tuning is almost never written and therefore unlikely to be lost on a crash). The other is that the reboot time is reasonably short (generally less than two seconds). So when (not if) a TV or DVD player crashes the result is a service interruption of two seconds plus the time taken to get to the power point and no loss of important data. If this sort of thing happens less than once a month then it’s likely that it won’t register as a failure with someone who is used to rebooting their PC once a day!

Another example that was cited was cars. I have been wondering whether there are any crash situations for a car electronic system that could result in the engine stalling. Maybe sometimes when I try to start my car and it stalls it’s really doing a warm-boot of the engine control system.

Later in his talk Andrew produced the results of killing some Minix system processes which show minimal interruption to service (killing an Ethernet device driver every two seconds decreased network performance by about 10%). He also described how some service state is stored so that it can be used if the service is restarted after a crash. Although he didn’t explicitly mention it in his talk, it seems that he has followed the minimal data loss plus fast recovery features that we are used to seeing in TVs and DVD players.

The design of Minix also has some good features for security. When a process issues a read request it will grant the filesystem driver access to the memory region that contains the read buffer – and nothing else. It seems likely that many types of kernel security bug that would compromise systems such as Linux would not be a serious problem on the HURD. Compromising a driver for a filesystem that is mounted nosuid and nodev would not allow any direct attacks on applications.

Every delegate of LCA was given a CD with Minix 3; I’ll have to install it on one of my machines and play with it. I may put a public access Minix machine online at some time if there is interest.

Some ideas for running a conference

Firstly for smooth running of the presentations it would be ideal if laptops were provided for displaying all presentations (obviously this wouldn’t work for live software demos but it would work well for the slide-show presentations). Such laptops need to be tested with the presentation files that will be used for the talks (or pre-release versions that are produced in the same formats). It’s a common problem that the laptops owned by the speakers will have problems connecting to the projectors used at the conference, which can waste time and give a low quality display. Another common problem is that laptops owned by the conference often have different versions of the software used for the slides which renders them differently; the classic example of this is OpenOffice 1.x and 2.x which render presentations differently such that using the wrong one results in some text being off-screen.

The easy solution to this is for the conference organizers to provide laptops that have multiple boot options for different distributions. Any laptop manufactured in the last 8 years will have enough disk space for the latest release of Debian and the last few Fedora releases. As such machines won’t be on a public network there’s no need to apply security updates and therefore a machine can be used at conferences in successive years; a 400MHz laptop with 384M of RAM is quite adequate for this purpose while also being so small that it will sell cheaply.

A slightly better solution would be to have laptops running Xen. It’s not difficult to set up Xephyr in fullscreen mode to connect to a Xen image, you could have several Xen instances running with NFS file sharing so that the speaker could quickly test out several distributions to determine which one gives the best display of their notes. This would also allow speakers to bring their own Xen images.

This is especially important if you want to run lightning talks, when there is only 5 minutes allocated for a talk you can’t afford to waste 2 minutes in setting up a presentation!

In other news Dean Wilson gave my talk yesterday a positive review.