The Imperfect Penguin
Project: Various, including OpenSSL, GnuTLS, OpenWRT, Python, Perl, Ruby and more
FOSS is one of the most important and rewarding things to happen in our lifetimes, but as we all know it's far from perfect.
Information security problems, despite the "many eyeballs", are not uncommon in FOSS projects, and some, like Heartbleed, are so serious that they can only come about after multiple forms of failure.
This talk will overview a broad range of FOSS projects, from 'Internet of Things' devices through to the infrastructure that private clouds depend on, highlighting vulnerabilities and some serious incidents, and showing how they might have been avoided, or at least handled better.
Let's be honest: doing security right is not easy. This presentation will also take a few steps back to view the larger problems of faulty design and patch fragmentation across platforms, and what they mean for the average well-meaning person.
It's not all doom and gloom, however. FOSS has what it takes to overcome these problems: vibrant communities, patch management tools, code signing, swift responses, clear expectations and the wisdom of its elders all leave it better placed than closed methodologies to get security right.
Marco is an Information Security Analyst at AusCERT and has been an active member of various open source groups and endeavours. Since the early '90s Marco has been hands-on with Linux, deploying it along with other FOSS goodness in the infrastructure of one of Australia's larger universities. On the desktop, Marco attempts to be slightly distro-agnostic, always using both a dpkg-based and an rpm-based distro in tandem.