lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <97506d0e-8487-4233-ab4f-78dc646b12cb@schaufler-ca.com>
Date: Mon, 17 Feb 2025 07:45:34 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: "Dr. Greg" <greg@...ellic.com>, James Morris <jmorris@...ei.org>
Cc: linux-security-module@...r.kernel.org,
 Linux Security Summit Program Committee <lss-pc@...ts.linuxfoundation.org>,
 linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
 linux-integrity@...r.kernel.org, lwn@....net,
 Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [Announce] Linux Security Summit North America 2025 CfP

On 2/17/2025 4:45 AM, Dr. Greg wrote:
> On Mon, Feb 10, 2025 at 01:03:02PM -0800, James Morris wrote:
>
> Good morning, I hope the week is starting well for everyone.
>
>> The Call for Participation for the 2025 Linux Security Summit North 
>> America (LSS-NA) is now open.
>>
>> LSS-NA 2025 is a technical forum for collaboration between Linux 
>> developers, researchers, and end-users. Its primary aim is to foster 
>> community efforts in deeply analyzing and solving Linux operating system 
>> security challenges, including those in the Linux kernel. Presentations 
>> are expected to focus deeply on new or improved technology and how it 
>> advances the state of practice for addressing these challenges.
>>
>> Key dates:
>>
>>     - CFP Closes:  Monday, March 10 at 11:59 PM MDT / 10:59 PM PDT
>>     - CFP Notifications: Monday, March 31
>>     - Schedule Announcement: Wednesday, April 2
>>     - Presentation Slide Due Date: Tuesday, June 24
>>     - Event Dates: Thursday, June 26 ??? Friday, June 27
>>
>> Location: Denver, Colorado, USA (co-located with OSS).
> I reflected a great deal before responding to this note and finally
> elected to do so.  Given the stated desire of this conference to
> 'focus deeply on new or improved technologies' for advancing the state
> of practice in addressing the security challenges facing Linux, and
> presumably by extension, the technology industry at large.
>
> I'm not not sure what defines membership in the Linux 'security
> community'.  I first presented at the Linux Security Summit in 2015,
> James you were moderating the event and sitting in the first row.
>
> If there is a desire by the Linux Foundation to actually promote
> security innovation, it would seem the most productive use of
> everyone's time would be to have a discussion at this event focusing
> on how this can best be accomplished in the context of the current
> Linux development environment.
>
> If we have done nothing else with our Quixote/TSEM initiative, I
> believe we have demonstrated that Linux security development operates
> under the 'omniscient maintainer' model, a concept that is the subject
> of significant discussion in other venues of the Linux community:
>
> https://lore.kernel.org/lkml/CAEg-Je9BiTsTmaadVz7S0=Mj3PgKZSu4EnFixf+65bcbuu7+WA@mail.gmail.com/
>
> I'm not here to debate whether that is a good or bad model.  I do
> believe, that by definition, it constrains the innovation that can
> successfully emerge to something that an 'omniscient' maintainer
> understands, feels comfortable with or is not offended by.
>
> It should be lost on no one that the history of the technology
> industry has largely been one of disruptive innovation that is
> completely missed by technology incumbents.
>
> The future may be the BPF/LSM, although no one has yet publically
> demonstrated the ability to implement something on the order of
> SeLinux, TOMOYO or Apparmor through that mechanism.  It brings as an
> advantage the ability to innovate without constraints as to would be
> considered 'acceptable' security.
>
> Unfortunately, a careful review of the LSM mailing list would suggest
> that the BPF/LSM, as a solution, is not politically popular in some
> quarters of the Linux security community.  There have been public
> statements that there isn't much concern if BPF breaks, as the concept
> of having external security policy is not something that should be
> supported.
>
> We took an alternative approach with TSEM, but after two years of
> submissions, no code was ever reviewed.

1. Not true.
2. I have suggested changes to the way you submit patches that will
   make reviewing your code easier. You have ignored these suggestions.
3. Recommendations have been made about your approach. Your arguments
   have been heard.

>   I'm not here to bitch about
> that, however, the simple fact is that two years with no progress is
> an eternity in the technology industry, particularly security, and
> will serve to drive security innovation out of the kernel.
>
> One can make a reasoned and informed argument that has already
> happened.  One of the questions worthy of debate at a conference with
> the objectives stated above.
>
> I apologize if these reflections are less than popular but they are
> intended to stimulate productive discussion, if the actual intent of
> the conference organizers is to focus deeply on new and improved
> security technology.

Please propose a talk for the summit. Talks have a limited duration,
so do be concise.

>
> There is far more technology potentially available than there are good
> answers to the questions as to how to effectively exploit it.
>
>> James Morris
>> <jmorris@...ei.org>
> Best wishes for a productive week.
>
> As always,
> Dr. Greg
>
> The Quixote Project - Flailing at the Travails of Cybersecurity
>               https://github.com/Quixote-Project
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ