DevConf.cz 2016 has ended


Security
Friday, February 5
 

11:30 CET

Setting up SSL and IPSec VPN servers and clients in F23
This workshop will be a hands-on experience in setting up a VPN server and client for Fedora 23 using libreswan (IPsec) and OpenConnect (SSL VPN). It will also dive into advanced configuration topics such as mobile phones, opportunistic security, and integration with the FreeIPA identity management system. It is intended for administrators or anyone interested in hosting their own VPN infrastructure.

Bring your own laptop for this event.

Speakers

Nikos Mavrogiannopoulos

Manager, Red Hat
Nikos Mavrogiannopoulos is the manager of the Red Hat crypto team. He is a hands-on person with an academic background, and is a contributor to several open source projects.

Paul Wouters

Project lead VPN Technologies, Red Hat
Paul Wouters is one of the core developers of the Libreswan IPsec VPN project. He is an active IETF member in security and DNS related working groups and author of several RFCs related to IPsec and DNS. He was a member of the ICANN DNSSEC Root zone Key Signing Key Design Team. He...


Friday February 5, 2016 11:30 - 13:00 CET
workshops A112 (64 places)

13:10 CET

Big SELinux troubleshooting chart
There are several ways to resolve various SELinux denials by tweaking the SELinux subsystem. Some of them are recommended, some of them are not. This chart combines the most usual ones and helps you find the right ratio between security and usability.

Speakers

Milos Malik

senior quality engineer, Red Hat
Senior quality engineer at Red Hat, BaseOS QE Security team; takes care of SELinux-related packages for RHEL.


Friday February 5, 2016 13:10 - 14:40 CET
workshops A112 (64 places)

14:50 CET

Identity-Management with FreeIPA (1st part)
The workshop will give a general introduction to the FreeIPA framework and how it can be used to set up a central authentication solution based on open source tools. Participants will learn how to install multiple server and client systems before they start digging deeper into various features of the framework:

- X.509 certificate provisioning for hosts, services and users
- Host-based access control (HBAC)
- Centrally-managed SUDO
- SELinux policy management
- SSH key management
- Cross Kerberos-Realm Trust with Active-Directory domains

Participants are expected to set up their own Identity-Management system and play around with the various features presented beforehand.

Participants should bring their notebook with them, ideally with a pre-installed Fedora inside a virtual machine.

Speakers

German Parente

Principal Software Maintenance Engineer for IDM products in Red Hat.


Friday February 5, 2016 14:50 - 16:20 CET
f. E105 (72 places)
 
Saturday, February 6
 

10:40 CET

Identity-Management with FreeIPA (2nd part)
The workshop will give a general introduction to the FreeIPA framework and how it can be used to set up a central authentication solution based on open source tools. Participants will learn how to install multiple server and client systems before they start digging deeper into various features of the framework:

- X.509 certificate provisioning for hosts, services and users
- Host-based access control (HBAC)
- Centrally-managed SUDO
- SELinux policy management
- SSH key management
- Cross Kerberos-Realm Trust with Active-Directory domains

Participants are expected to set up their own Identity-Management system and play around with the various features presented beforehand.

Participants should bring their notebook with them, ideally with a pre-installed Fedora inside a virtual machine.

Speakers

German Parente

Principal Software Maintenance Engineer for IDM products in Red Hat.


Saturday February 6, 2016 10:40 - 12:10 CET
workshops A112 (64 places)

14:50 CET

Security: Everything is on fire!
A day hardly goes by without another security story about something getting hacked, a new flaw, broken encryption, or some new way to break a device. Never before in history has security gotten so much attention, but what are we doing about it?

Red Hat has a plan!

In this session let's talk about Red Hat's security plans. What's our roadmap into the future? How will we work to stay out of the headlines, and is there any hope?

Speakers

Josh Bressers

Josh Bressers is Red Hat's security strategist. He has been involved in open source and Red Hat's security for more than ten years. http://sobersecurity.blogspot.com/


Saturday February 6, 2016 14:50 - 15:30 CET
a. D105 (300 places)

15:40 CET

Let's Encrypt with Best Practices
Using the Internet from insecure networks like public WiFi hot spots is omnipresent nowadays. Therefore it is important to provide encrypted services. For this, certificates from a well-known certificate authority are often required. There is now a new certificate authority called Let's Encrypt that makes it easy to use proper certificates.

In this presentation I will introduce Let's Encrypt, explain its particularities and show how it can be used to secure services. However, using a valid certificate is not enough for secure TLS usage. Therefore, I will round out the talk with an overview of additional security measures to be used and implemented to enhance the security of TLS services.

Speakers

Till Maas

Penetration Tester, RedTeam Pentesting
Being a full time penetration tester at day and a Fedora contributor at night I have a deep insight both into the IT security and the FOSS world. In 2004 I took the opportunity to make IT security my profession by helping to establish a successful penetration testing company. The...


Saturday February 6, 2016 15:40 - 16:20 CET
a. D105 (300 places)

16:30 CET

LOGJAM: What you should know!
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

This presentation covers some interesting facts everyone should know about LOGJAM.

Speakers

Huzaifa Sidhpurwala

Principal Product Security Engineer, Red Hat
Huzaifa Sidhpurwala is a Principal Product Security Engineer at Red Hat. He finds security flaws in his spare time, and has been among the top 3 presenters at DevConf.cz for the last 2 years!


Saturday February 6, 2016 16:30 - 17:10 CET
a. D105 (300 places)

17:20 CET

Intrusion Detection in the Cloud
Administrators use Intrusion Detection Systems (IDS) to alert when hackers attack their systems. These tools have been very effective in traditional networks. But running an IDS "as-a-service" in OpenStack is a relatively unexplored topic and interesting questions arise:

- How does one configure an IDS within a software defined network (SDN)? What challenges does an SDN present?
- Do popular open source systems like Snort or Bro scale when monitoring many virtual machines?
- And what happens to the hypervisor's performance when an IDS is busy monitoring logs and traffic?

This talk will discuss current work that engages these questions. In this instance, the IDS is run on a separate machine from the hypervisor, so processing network traffic does not degrade performance. We will show the virtual network that accomplishes this and point to future directions. We will also discuss the benefits of running a host-based IDS such as OSSEC to detect attacks on the hypervisor.

Speakers

Dan Lambright

Software Engineer, Red Hat
Dan Lambright is a principal software engineer at Red Hat, where he works on distributed storage systems. Prior to Red Hat he worked at EMC, Dell, and several storage startups. He also teaches as an adjunct professor at the University of Massachusetts, Lowell.


Saturday February 6, 2016 17:20 - 18:00 CET
a. D105 (300 places)
 
Sunday, February 7
 

09:00 CET

FreeIPA Integration into Openstack
At the last Openstack summit, we provided a proof of concept on how to integrate FreeIPA into Openstack deployments. We'll describe all the pieces and how they interact with each other.

In a live demo, we will show how we use FreeIPA to:
* kerberize the Openstack controller nodes and provide single sign-on;
* set up TLS for the Openstack services;
* set up Barbican and Dogtag and enable volume encryption;
* use kerberos to secure the underlying databases and message queues;
* use a nova plugin to register compute instances as IPA clients

Speakers

Rob Crittenden

Principal Software Engineer, Red Hat, Inc.
Rob Crittenden is a Principal Software Engineer at Red Hat working on the Ipsilon Federated Identity server. He previously worked on the FreeIPA identity management project and has dabbled in web servers, Openstack and general security.

Ade Lee

Principal Software Engineer, Red Hat Project Lead - Dogtag Certificate System, Red Hat
Ade works for Red Hat, and has been involved in Dogtag development (and its integration into FreeIPA) for a number of years now. Most recently, he has worked to integrate Dogtag and FreeIPA with Openstack, becoming a core contributor to the Barbican project.


Sunday February 7, 2016 09:00 - 09:40 CET
d. E112 (156 places)

09:50 CET

Security for the Cloud with SCAP
SCAP is a set of specifications related to security compliance. The primary use-case is to ensure a system is configured according to a predefined policy. It is heavily used in government, defense and finance industries.

In this talk we will explore how to use SCAP in the cloud-age to do security compliance of virtual machines and containers. We will start by installing the tools and preparing the SCAP content. Then we will proceed to scan a virtual machine for compliance, further refining the content. After that we will explore how to scan containers.

In the last segment we will discuss how to get content suitable for your infrastructure. We will explore sources of content and talk about customization options.

Speakers

Jan Lieskovsky

Software Engineer, Red Hat
SCAP, compliance, security audits

Martin Preisler

Sr. Software Engineer, Red Hat, Inc., Red Hat
Martin Preisler works as a Software Engineer at Red Hat, Inc. He is working in the Security Technologies team, focusing on security compliance using Security Content Automation Protocol. He is the principal author of SCAP Workbench, a frequent contributor to OpenSCAP and SCAP Security...


Sunday February 7, 2016 09:50 - 10:30 CET
d. E112 (156 places)

10:40 CET

SELinux nowadays
System resources. Integrity. Usability. Understandability. These are the most frequently mentioned terms in questions about the SELinux policy used on current RHEL/Fedora installations, and the most mentioned words in questions related to container hosting platforms. Does Security Enhanced Linux as a technology for process isolation provide a solution other than the currently used policy? Does it bring performance improvements? Is the technology more usable? The Red Hat SELinux team will give you answers based on recent SELinux developments and introduce kernel optimizations, improved kernel testing, a new SELinux policy language with a re-written userspace toolchain and a vision of a new policy for Atomic.

Reference materials:

Blogs:

http://www.paul-moore.com/blog/
https://mgrepl.wordpress.com/
http://blog-bachradsusi.rhcloud.com/

SELinux git repositories:

http://git.infradead.org/users/pcmoore/selinux
https://github.com/SELinuxProject
https://github.com/TresysTechnology/refpolicy

Speakers

Miroslav Grepl

Manager, Red Hat

Paul Moore

Kernel developer who likes playing with security things
Paul Moore has been involved in various Linux security efforts since 2004, first at Hewlett-Packard and now at Red Hat. He currently maintains the SELinux, audit, and labeled networking subsystems in the Linux Kernel as well as the userspace libseccomp library.


Sunday February 7, 2016 10:40 - 11:20 CET
d. E112 (156 places)

11:30 CET

Post-Quantum Crypto: What is it and Do we need it?
With the increased experimentation with quantum computers, what does that mean for our traditional security systems? What systems are at risk and which aren't? What are the options that can replace these systems, and why aren't we using them yet? Do we need to?

Speakers

Bob Relyea

Principal Programmer, OASIS PKCS #11 co-chair, Red Hat
Bob Relyea is a principal programmer at Red Hat working on the Network Security System Library. Bob is also the co-chair for the OASIS PKCS #11 technical committee, having worked with PKCS #11 and PKCS #11 integration into NSS since 1995.


Sunday February 7, 2016 11:30 - 12:10 CET
d. E112 (156 places)

11:30 CET

The future of disk encryption with LUKS2
For years Fedora has provided a disk encryption option in the basic installer configuration. LUKS (Linux Unified Key Setup), implemented through the cryptsetup library, provides a convenient way to configure such basic disk-encrypted systems.

In this presentation we will focus on new requirements for deploying disk-encrypted storage in modern systems. We will present the new LUKS2 format definition that will allow implementation of these requirements in the future.

These requirements are both technical (for example integration with enterprise key management systems) and based on new advancements in cryptographic algorithms (for example new key-derivation functions more resistant to the massively parallel systems used by attackers for password cracking).

Another current requirement is the ability to change encryption parameters without the need for a complete disk re-format. We will describe a prototype of a re-encryption tool that allows such a change on a fully running system without any downtime.

Last but not least we will mention some interesting answers from users participating in a survey questionnaire focused on the usage of disk-encryption systems.

Speakers

Milan Brož

Milan Brož is a principal software engineer working for Red Hat and the upstream cryptsetup/LUKS maintainer.

Ondrej Kozina

software engineer, Red Hat
I'm a software engineer working for Red Hat in the storage/LVM team and also the RHEL cryptsetup maintainer. You can discuss cryptsetup, LUKS2 and reencryption with me.


Sunday February 7, 2016 11:30 - 12:10 CET
f. E105 (72 places)

12:20 CET

New Cryptography for Binding Data to Third Parties
Keeping secrets is tough. It is hard enough when you have control over the full computing chain. But now we are expected to keep secrets while storing those secrets in cloud and SaaS infrastructures. At least we can trust the network providers, right? Of course, the answer is to encrypt the data. But then how do we know who should have access to the data and when?

This talk will look at the new cryptographic techniques implemented by the Deo open source project. It forgoes complex (and compromise-prone) key management infrastructures by using simple algorithms to bind data to third party entities. Come see how to integrate Deo into your infrastructure or software project!

Speakers

Nathaniel McCallum

Senior Principal Software Engineer, Red Hat, Inc.
Nathaniel is a Principal Software Engineer for Red Hat's Security and Identity group. By day, he tackles tough security problems. By night, he tackles his five children. He is the author of a variety of security related technologies, including: 2FA for Fr


Sunday February 7, 2016 12:20 - 13:00 CET
d. E112 (156 places)

13:10 CET

Ipsilon: how can you use it to deploy identity management
I have been a main contributor for the Ipsilon project for a long time, and would like to show people what it can do, and how they can use it to implement federated identities at their websites and APIs.
I will give a live demonstration of how to deploy it and set it up with one or two applications, and the new features.

The project is located on https://fedorahosted.org/ipsilon/.

Speakers

Patrick Uiterwijk

Software Engineer, Red Hat
Patrick is the Fedora Infrastructure Security Officer, responsible for all things security in the infrastructure. He also helps wherever help is needed, among which has been Bodhi.


Sunday February 7, 2016 13:10 - 13:50 CET
d. E112 (156 places)

14:00 CET

Tactics of Code Auditor
Source Code Auditing is an important part of security. Being proactive in looking for security bugs before the software is shipped is a great way to cut down the risks. Source Code Auditing can be performed before the code is shipped, or after the code is compiled and shipped as a binary. In this talk I will share some of the tactics and tools that I use to perform code auditing and explain different types of vulnerabilities present in code, caused by e.g. buffer overflows, heap overflows, data type and arithmetic computation errors, etc. Some parts of this talk will have a live demo and might also go into live pentesting, depending on the time frame.

- Introduction
- Why we need to perform source code audits
- Defining scope of audit

- Software Auditing Tactics [ C/C++ ]
- Attack plan with limited time frame
- Where to attack
- How to attack
- Which tools to use
- Understanding the impact of vulnerability

This talk is only focused on auditing software written in C/C++, but one can take some parts of this talk and implement them in their own working environment.

Sunday February 7, 2016 14:00 - 14:40 CET
d. E112 (156 places)

14:50 CET

Turris Omnia
In 2013 we started a research project regarding SOHO network security called Project Turris. As a part of the project we developed our first open-source SOHO router. Turris Omnia is a spin-off from the original Project Turris and it aims to bring to the market an affordable, powerful and secure SOHO router which is completely open-source and open-hardware. This talk will cover a few topics such as the motivation for starting this project and the development of our own hardware and software.

Sunday February 7, 2016 14:50 - 15:30 CET
d. E112 (156 places)