Tech Blog.

Thoughts, stories, ideas.

Hello FOSDEM 2020 World

17. February 2020

First things first: Happy Birthday FOSDEM!

I was surprised when Nicolas asked me if I wanted to join the Free and Open Source Developers' European Meeting together with some other colleagues. Back then I was the new kid on the block: I had been working here for barely a month and already had an invitation to a conference. I quickly checked my calendar and agreed within the same minute to visit FOSDEM for the first time.

After a few hours of a smooth train ride, we arrived in Brussels, Belgium, the country known for its waffles, chips, chocolate, tasty beer and of course FOSDEM. These are the ingredients for this weekend: two days packed with over 800 talks, taking place at the Université Libre de Bruxelles.

Day 1

After some good croissants, a warm tea and the opening talk, I started my journey through the talks I had bookmarked in the FOSDEM app, which is really helpful for keeping an overview of the schedule.

The Ethics Behind Your IoT

IoT devices can be very handy and useful, and mostly try to make our everyday lives easier. But at what cost? Most of these devices need an internet connection to work; you can't set them up to run only in your own controlled local network. Take smart surveillance cameras, for example: they store their recordings in the cloud. Somewhere in the licence agreement that no one ever reads, you agreed that the manufacturer can access these recordings in the cloud and that they may be shared with government agencies.

Now imagine that your neighbourhood uses those cameras. As a teenager, you can't just sneak out late at night, or sneak back in, without anyone noticing. So the next generation of teenagers may never have that experience the way earlier generations did. If they know someone is watching, they stop doing it out of fear of the consequences. This is the well-known chilling effect.

So the question is: how do these kinds of IoT devices change our lives, and what happens to society if more and more people use them? If you're interested in this topic, I can recommend the recorded talk by Molly de Blanc.

Secure logging with syslog-ng

How does Airbus ensure the integrity and confidentiality of the system logs in an aircraft, so that they can be used as trustworthy evidence? Stephan Marwedel spoke about their creation of a plugin for syslog-ng and how they solved this problem.

The problem:

  • If the file has been tampered with, you can't trust its content anymore.

The goal:

  • Detect changes to the file without throwing the whole file away just because it was tampered with.

The solution:

  • Encrypt every single log line in the file with a scheme that provides forward secrecy.

In my view this is a very interesting topic, because how often do you check the logs after something has happened? What if an attacker simply removed their traces from the log files you usually check? Log files are an essential part of security monitoring in particular. Do you still trust your logs? You can find the details in the talk recording, the slides or the paper.
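To make the "detect tampered lines without discarding the whole file" goal concrete, here is an added Python illustration of the integrity half of a forward-secure log scheme. It is not the syslog-ng plugin's code: it assumes a simple hash ratchet (each per-line key is a one-way function of the previous one, and the old key is thrown away) and a per-line HMAC, so that a verifier holding only the initial key can pinpoint exactly which lines no longer check out.

```python
import hashlib
import hmac

def _next_key(key: bytes) -> bytes:
    # Key ratchet: derive the key for the next line one-way from the current one.
    # Once the logger discards the old key, whoever later compromises the host
    # cannot recompute it and therefore cannot re-seal earlier lines.
    return hashlib.sha256(b"ratchet" + key).digest()

def seal_log(lines, initial_key: bytes):
    """Return records of the form 'text|hex_tag', each tagged under its own key."""
    key = initial_key
    sealed = []
    for line in lines:
        tag = hmac.new(key, line.encode(), hashlib.sha256).hexdigest()
        sealed.append(f"{line}|{tag}")
        key = _next_key(key)  # the previous key is dropped here
    return sealed

def verify_log(sealed, initial_key: bytes):
    """Return indices of records whose tag does not verify; other lines stay usable.

    Editing line i flags only i. Deleting or inserting a line shifts the key
    schedule, so every record from that position onwards is flagged. Truncating
    the tail is not detected by per-line tags alone; a counter or final seal is
    needed for that.
    """
    key = initial_key
    bad = []
    for i, record in enumerate(sealed):
        text, _, tag = record.rpartition("|")
        expected = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            bad.append(i)
        key = _next_key(key)
    return bad

def tamper(sealed, idx: int, new_text: str):
    """Constructed attack model for the demo: rewrite one line but keep its old tag."""
    _, _, tag = sealed[idx].rpartition("|")
    out = list(sealed)
    out[idx] = f"{new_text}|{tag}"
    return out

# Constructed sample input; the key is a demo value, not a real secret.
INITIAL_KEY = b"constructed-demo-key"
SAMPLE_LINES = [
    "sshd[812]: Accepted publickey for ops from 10.0.0.5",
    "sudo: ops : COMMAND=/usr/bin/systemctl restart syslog-ng",
    "sshd[812]: session closed for user ops",
    "kernel: audit: backlog limit exceeded",
]
```

Running `verify_log(seal_log(SAMPLE_LINES, INITIAL_KEY), INITIAL_KEY)` returns an empty list, while rewriting the `sudo` line returns `[1]` and deleting it flags everything after it.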

Mandos

Ever wondered how you can boot a server with full disk encryption (FDE) without typing a password and without storing the password on the server itself? Then Mandos may be something for you. This was a short 15-minute lightning talk by Teddy Hogeborn, one of the maintainers.

While I was in the talk, I remembered that I had already read about Mandos. At the time I was looking for this kind of solution to use FDE on Linux clients without the users needing to know or type a password at boot. Another pair of tools I found back then was Clevis and Tang. Together they offer Network Bound Disk Encryption, which means your machine needs to be in the correct network to boot (at least). If it is physically stolen, the attacker only sees garbage on the disk. Never forget which attack vector you want to defend against with these kinds of solutions.

Some (hidden) sudo features

I sat in the same room as my colleague for this talk, so I'll point you to his post, or you can go directly to the talk by Peter Czanik.

The stands and sticker hunters

Somewhere between the talks I wandered through building K, where the stands were placed on two floors. All the bigger and smaller projects were present. The people at the stands are easy-going and open to talking with you about their project. Some of them had flyers, mini events/challenges, t-shirts and hoodies you could buy, and almost everyone had stickers. Stickers everywhere! And where you can get stickers, the sticker hunters are not far away. It was funny to see how many hackers like to collect stickers of their favourite projects. So do I.

Kiwi TCMS

At one stand I got in touch with the Kiwi TCMS project. It's all about the management of test cases. Testing can be hard, especially in bigger environments. This tool can help you and your organisation manage the testing of your software, systems, integrations or whatever else you want or need to test.

Day 2

The second day again offered a huge number of talks to choose from. I started directly in the community track, which even offered free cookies and cakes, a perfect way to start the morning.

Applying Open Culture Practices across Distributed Teams

My first talk of the day was about applying open culture practices across distributed teams. How do you work with people you have never met face to face? What needs to be done to stay in the loop without the chit-chat in front of the office coffee machine? This is what Katrina Novakovic from Red Hat told us about.

A team can already count as distributed if its members work in different buildings or countries, or completely remotely. The common challenges vary widely and include:

  • (Mis)communication, transparency and visibility
  • Changing priorities and productivity
  • Culture and language
  • Isolation, balance and burnout

We've got 40 different time zones! So don't hesitate to regularly change the time of your meetings, so that every participant gets to join at their favourite time. If someone can't join because they may be asleep at that time, how about recording the meeting? You can even include that person by saying "Hi" to them and giving them the chance to provide feedback after watching the recording. This also strengthens the inclusion of that colleague.

My main takeaways from this talk were:

  • Document everything! And keep it up to date!
  • Define how you use communication tools, no matter which tools you use for sync/async communication.
  • Get to know the people, not only in a work context but also what they do outside work.
  • Face-to-face is very important. Ask in advance for video chats and whether everyone feels comfortable with it. It can also be only a part of the meeting.
  • Try to create a blame-free, fail-fast culture/environment, where you can try new methods without fear, to find out what works best in the team.
  • "People are looking for solutions without asking, why do I have the problem in the first place?" (Peter Crone)

The slides and recording of her talk can be found here.

The Ethics of Open Source

Don Goodman-Wilson talked about the critical part of Open Source and its ethics. In the first place the focus has been on code: everyone has the freedom to use the code, change it and do whatever they like with it. This is also true for evil people. This view doesn't take morality and ethics into account. What do you think if you created a great piece of code and companies weaponise it to harm other people because that is their business case? For example, face recognition used to discriminate against a minority?

What do we tolerate in the name of "openness"? To learn more about this talk, check out the recording and his link collection on this topic.

A few days after FOSDEM I came across the Hippocratic License, which defines aspects of the ethical use of code. Another source is the Ethical Source Movement.

Reinventing Home Directories

I tried to enter the rather small room one session earlier, but it was already full, and after that talk no one left the room, while behind me a queue of roughly 10 to 15 metres of hackers had formed who wanted to see Lennart Poettering live as well. So I moved on and watched the live stream instead.

Do you remember the last change to how home directories are used?

No? Well, that's exactly the problem with today's usage. With systemd-homed there is a new project focusing on the requirements that would make a home directory more useful than it is today. For example: you can carry your familiar home directory, including authentication and encryption, on a USB drive, plug it into any computer with systemd-homed support, and your familiar environment is ready to use. With the old concept of home directories this isn't possible that easily. Is this maybe the next big change the systemd project brings to how we use home directories? Check out Lennart's talk here.

From Zero to Useless to Hero

Last but not least, a talk by two guys working for Deutsche Telekom.

This talk is the story of how they created an awesome distributed tracing tool, including logging and monitoring correlation, starting on day 1 of a big distributed software development project. And yet they had made a useless tool for their future users.

They were faced with cultural problems and needed to change how their users understood the usage and benefits of the operations and observability solution they had built. Today none of their users want to miss that tool, and they shout when it's not available. So what did they do to make their tool useful (= utility + usability)? Check out their talk here.

Summary

It has been two intensive days with a lot of information, interesting ideas, tasty food and beer. For me it was impressive to see so many people spending their time, on and/or off work, being part of one of the many open source communities. I can recommend FOSDEM as a well-organised conference to everyone who has never been there before. If you started binge-watching all the talks, you would need over half a year to see them all.