Breakpoint 2015 Call For Presentations
Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

We are pleased to announce the Call For Presentations for Breakpoint 2015. Breakpoint showcases the work of expert security researchers from around the world on a wide range of topics. This conference is organised by the Ruxcon team and offers a specialised security conference to complement and lead into the larger and more casual Ruxcon weekend conference.

Breakpoint caters towards security researchers and industry professionals alike, with a focus on cutting edge security research. Breakpoint presents a great opportunity for our selected speakers to receive a complimentary trip to Australia and experience both the Breakpoint and Ruxcon conferences, not to mention the great weather, parties, and friendly people.

.[x]. Important Dates .[x].

May 15 - Call For Presentations Open
August 30 - Call For Presentations Close
October 19-21 - Breakpoint Training
October 22-23 - Breakpoint Conference
October 24-25 - Ruxcon Conference

.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

o Mobile Device Security
o Exploitation Techniques
o Reverse Engineering
o Vulnerability Discovery
o Rootkit Development
o Malware Analysis
o Code Analysis
o Virtualisation, Hypervisor Security
o Cloud Security
o Embedded Device Security
o Hardware Security
o Telecommunications Security
o Wireless Network Security
o Web Application Security
o Law Enforcement Activities
o Forensics
o Threat Intelligence
o Incident Response

.[x]. Submission Guidelines .[x].

In order for us to process your submission we will require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in presentation
7. Information on where the presentation material has or will be presented before Breakpoint

* Preference will be given to presentations that contain original research that will be first presented at Breakpoint.
* As a general guideline, Breakpoint presentations are between 45 and 60 minutes, including question time.

If you have any questions about submissions, or would like to make a submission, please send an email to b...@ruxconbreakpoint.com

.[x]. Speaker Benefits .[x].

Speakers at Breakpoint will be entitled to the following benefits:

- A return economy airfare to Melbourne (total cost limit applies)
- Three nights accommodation at the Intercontinental Rialto
- Complimentary registration for Breakpoint and Ruxcon conferences
- Invitation to all Breakpoint and Ruxcon parties
- Unlock 'Presented on world's smallest continent' achievement

* All speaker benefits apply to a single speaker per submission.

.[x]. Contact .[x].

If you have any questions or inquiries, contact us at:

* Email: b...@ruxconbreakpoint.com
* Twitter: ruxconbpx

___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: Forums.FreeBSD.org - SSL Issue?
On Sat, May 16, 2015, at 01:38, Dan Lukes wrote:
> Mark Felder wrote:
> > > Base OpenSSL in still supported releases is too old a version and doesn't support TLS 1.2 as well.
> > >
> > > Either TLS 1.0 is so insecure that it should not be used, or it is secure enough for FreeBSD.
> >
> > When the FreeBSD 8.0 (2009) and 9.0 (2012) releases were cut we didn't have these vulnerabilities or problems.
>
> All security patches are released because of something discovered after release. So it is nothing new nor special.
>
> But it's not the matter of my comment.
>
> As far as I know, there has been no discussion on FreeBSD Security related to the fact that FreeBSD 9 will not receive security patches for a particular known security issue. Nor even an announcement, if it has been considered no topic for discussion here.
>
> So I'm confused (as claimed in previous comment). Either the issue is not so severe, then I don't understand why TLS 1.0 needs to be disabled on forums. Or it is so severe that I don't understand why there is still no Security Advisory dedicated to it. Well, there may be no solution known - but even in such case the issue should be announced.

You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0.

If you want a fix for your entire OS, upgrade to FreeBSD 10 which has a newer version of OpenSSL in base that includes TLS 1.1 and 1.2. It's not ABI compatible with older versions. You can't just wedge it into FreeBSD 8 or 9. Sorry.
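Mark's point above is that the forums' TLS 1.0 cutoff is a protocol-version negotiation outcome, not an OpenSSL bug: a client whose library tops out at TLS 1.0 has no version in common with a server that requires TLS 1.2, so the handshake is refused before any cipher or certificate is considered. The following Go program is an added example written for this page, not code from the thread or from FreeBSD. It uses Go's crypto/tls in place of OpenSSL, generates a throwaway self-signed certificate for the made-up name example.test, runs both handshakes over an in-memory pipe, and the function names Negotiate and RunScenarios are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the constructed
// name "example.test" so that the handshakes below run entirely offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Negotiate runs one handshake over an in-memory pipe between a server that
// insists on at least serverMin and a client that can only offer versions in
// [clientMin, clientMax]. It returns the negotiated version, or the client's error.
func Negotiate(cert tls.Certificate, serverMin, clientMin, clientMax uint16) (uint16, error) {
	serverSide, clientSide := net.Pipe()
	defer serverSide.Close()
	defer clientSide.Close()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)

	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverSide, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             serverMin,
			SessionTicketsDisabled: true, // keep the unbuffered pipe from blocking on ticket delivery
		})
		srvErr <- srv.Handshake()
	}()

	cli := tls.Client(clientSide, &tls.Config{
		RootCAs:    roots,
		ServerName: "example.test",
		MinVersion: clientMin,
		MaxVersion: clientMax,
	})
	if err := cli.Handshake(); err != nil {
		clientSide.Close() // unblock the server goroutine if it is still waiting on the pipe
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// RunScenarios mirrors the thread: a server that requires TLS 1.2 (as the
// forums now do), a legacy client that tops out at TLS 1.0 (as a base
// OpenSSL 0.9.8 would), and a current client that can speak TLS 1.2.
func RunScenarios() (modern uint16, legacyRejected bool, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, false, err
	}
	if _, lerr := Negotiate(cert, tls.VersionTLS12, tls.VersionTLS10, tls.VersionTLS10); lerr != nil {
		legacyRejected = true
	}
	modern, err = Negotiate(cert, tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12)
	return modern, legacyRejected, err
}

func main() {
	modern, rejected, err := RunScenarios()
	fmt.Printf("TLS 1.0-only client rejected: %v\n", rejected)
	fmt.Printf("TLS 1.2 client negotiated 0x%04x (0x0303 is TLS 1.2), err=%v\n", modern, err)
}
```

The rejection happens at the version-selection step of the handshake, which is why no patch to the 0.9.8 code base can help: the server is not exploiting a bug in the client, it is declining to speak a protocol version the client's library was never taught.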
Re: Forums.FreeBSD.org - SSL Issue?
On 2015-05-16 07:20, Kimmo Paasiala wrote:
> On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote:
> > Mark Felder wrote:
> > > > Another option is a second openssl port, one that overwrites base and guarantees compatibility with RELEASE. Then we could at least have all versions of openssl in vuln.xml (not that that's been a reliable indicator of security of late).
> > >
> > > This will never work. You can't guarantee compatibility with RELEASE and upgrade it too.
> >
> > How do you figure? RedHat does exactly that with every backport, and they do it for the life of a release.
>
> Redhat makes no promise of binary compatibility for locally compiled software. They can update OpenSSL as they wish from version 1.0.1 to 1.0.2, recompile all affected packages (all of Redhat "userland" is covered by .rpm packages) and push them to the users and advise users of locally compiled software to recompile what they have. This is unacceptable in FreeBSD that makes a hard promise that the ABI will remain compatible throughout the whole lifetime of the same major version line.

I'm really glad that FreeBSD makes that promise. It means I have a long-lived and well-defined scope of compatibility for a given system. It makes freebsd-update and pkg possible in production. I no longer have to deal with localized system images.

That's paired with support for linking to openssl from ports and FreeBSD's recent direction of decoupling network services from the base. I have systems where all of the user-facing services link to openssl 1.0.2 even though the base OS doesn't. That means the time it will take to reimplement and test on what will eventually become 11.0 won't interact chronologically with the security needs of my existing deployments on 10.x. It means "following -current in preprod" is no longer part of my dayjob. That's a huge deal.
Re: Forums.FreeBSD.org - SSL Issue?
> You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0.

Right, there are two issues being discussed that should be separated. The thread was originally about SSL version weaknesses and the rationale for that (keeping v1.0 around for the near term) was described quite well.

The second issue was regarding base and ports versions of openssl and how to coordinate between them. I recommended an openssl_base port so that security vulnerabilities (not necessarily protocol weaknesses) could be more easily remediated (than installworld) and so 'pkg audit' could report on those. It was asserted and reasserted that this would be infeasible, however, no example or reason was given. Considering the time to write and test patches is the same in either case it is still an open question.

The problem of multiple versions of the same libraries and binaries, however, remains a weakness in the FreeBSD security model. This may be one of the reasons why the EU recently recommended more widespread adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that can and should be solved in the most robust way possible.

Roger
Re: Forums.FreeBSD.org - SSL Issue?
On Sun, May 17, 2015, at 15:50, Roger Marquis wrote:
> > You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol. This is why everyone is running like mad from SSL 3.0 and TLS 1.0.
>
> Right, there are two issues being discussed that should be separated. The thread was originally about SSL version weaknesses and the rationale for that (keeping v1.0 around for the near term) was described quite well.
>
> The second issue was regarding base and ports versions of openssl and how to coordinate between them. I recommended an openssl_base port so that security vulnerabilities (not necessarily protocol weaknesses) could be more easily remediated (than installworld) and so 'pkg audit' could report on those. It was asserted and reasserted that this would be infeasible, however, no example or reason was given. Considering the time to write and test patches is the same in either case it is still an open question.

Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked to an OpenSSL library such as libcrypt with a version that was built against the updated OpenSSL. You might as well fork FreeBSD at this point.

> The problem of multiple versions of the same libraries and binaries, however, remains a weakness in the FreeBSD security model. This may be one of the reasons why the EU recently recommended more widespread adoption of OpenBSD (vs FreeBSD). Either way, it is a design flaw that can and should be solved in the most robust way possible.
>
> Roger

OpenBSD can do this because they roll a new release every 6 months. They don't support an OS release train for 5 years.
pkg audit / vuln.xml failures
Does anyone know what's going on with vuln.xml updates? Over the last few weeks and months CVEs and application mailing lists have announced vulnerabilities for several ports that in some cases only showed up in vuln.xml after several days and in other cases are still not listed (despite email to the security team).

Is there a URL outlining the policies and procedures of vuln.xml maintenance?

Roger Marquis
Re: Forums.FreeBSD.org - SSL Issue?
Mark Felder wrote:
> > Considering the time to write and test patches is the same in either case it is still an open question.
>
> Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked to an OpenSSL library such as libcrypt with a version that was built against the updated OpenSSL.

Sure, when you must change the ABI you also have to rebuild linked libs and bins, but how many openssl 0.9 updates have required ABI changes?

Roger
Re: Forums.FreeBSD.org - SSL Issue?
On Sun, May 17, 2015 at 3:50 PM, Roger Marquis wrote:
> I recommended an openssl_base port so that security vulnerabilities (not necessarily protocol weaknesses) could be more easily remediated (than installworld) and so 'pkg audit' could report on those.

Exactly how would that differ from using freebsd-update?

--
As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. http://bilbo.hobbiton.org/wiki/Eat_My_Sig
Re: Forums.FreeBSD.org - SSL Issue?
On Sun, May 17, 2015, at 16:08, Roger Marquis wrote:
> Mark Felder wrote:
> > > Considering the time to write and test patches is the same in either case it is still an open question.
> >
> > Again, this is not possible. You can't just "replace" the base OpenSSL. That port or package would also have to replace every binary and library in the base system linked to an OpenSSL library such as libcrypt with a version that was built against the updated OpenSSL.
>
> Sure, when you must change the ABI you also have to rebuild linked libs and bins, but how many openssl 0.9 updates have required ABI changes?
>
> Roger

This entire discussion has been about doing MAJOR updates to OpenSSL in base. Updates that obviously require ABI changes. Please tell me about a feature change between FreeBSD 9.3's OpenSSL 0.9.8za and the latest compatible 0.9.8ze that validates a port for OpenSSL that replaces base. I cannot find any that justify the effort.
Re: Forums.FreeBSD.org - SSL Issue?
On 05/17/15 22:20, Mark Felder:
> You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol.

Sorry, my English seems to be so poor that you don't understand my very simple question. You are still answering other questions I didn't ask.

Last attempt. I will try to make the question as simple as possible. If it will not help I will become silent.

The TLS 1.0 *protocol* is buggy; a new protocol has been implemented in a new version of OpenSSL, but such a version will not be imported into FreeBSD 9 because of ABI incompatibility. Instead the old version of OpenSSL and the vulnerable protocol are still used by base system libraries and utilities. So the base system IS affected by a known vulnerability.

Thus I'm asking.

If TLS 1.0 is considered a severe security issue AND system utilities are using it, why is there no Security Advisory describing this system vulnerability?

Dan
Re: Forums.FreeBSD.org - SSL Issue?
Mark Felder wrote:
> > Sure, when you must change the ABI you also have to rebuild linked libs and bins, but how many openssl 0.9 updates have required ABI changes?
>
> This entire discussion has been about doing MAJOR updates to OpenSSL in base.

I agree that this discussion has been about updates to OpenSSL but we're obviously not on the same page with regards to your definition of major.

Leif Pedersen wrote:
> > ... more easily remediated (than installworld) and so 'pkg audit' could report on those.
>
> Exactly how would that differ from using freebsd-update?

You mean aside from being locally compiled? Does freebsd-update only update the specific libs, apps, files that need to be updated?

Roger
Re: Forums.FreeBSD.org - SSL Issue?
On Sun, May 17, 2015, at 16:28, Dan Lukes wrote:
> On 05/17/15 22:20, Mark Felder:
> > You're not understanding the situation: the vulnerability isn't in OpenSSL; it's a design flaw / weakness in the protocol.
>
> Sorry, my English seems to be so poor that you don't understand my very simple question. You are still answering other questions I didn't ask.
>
> Last attempt. I will try to make the question as simple as possible. If it will not help I will become silent.
>
> The TLS 1.0 *protocol* is buggy; a new protocol has been implemented in a new version of OpenSSL, but such a version will not be imported into FreeBSD 9 because of ABI incompatibility. Instead the old version of OpenSSL and the vulnerable protocol are still used by base system libraries and utilities. So the base system IS affected by a known vulnerability.
>
> Thus I'm asking.
>
> If TLS 1.0 is considered a severe security issue AND system utilities are using it, why is there no Security Advisory describing this system vulnerability?

It's not a vulnerability in software, it's a weakness in the protocol design. By your logic we should have SAs for all of the following in the base system:

hashes:
- MD5
- SHA1

default passwd hash in FreeBSD 8:
- md5crypt (though phk did request a CVE to help usher its death)

any openssl cipher using the following:
- MD5
- SHA1
- DES
- 3DES
- IDEA

I'm sure there are even more examples. None of these problems fit the definition required to issue an SA. They're just a violation of widely-accepted Best Current Practices.
Re: Forums.FreeBSD.org - SSL Issue?
On 05/18/15 00:00, Mark Felder:
> > If TLS 1.0 is considered a severe security issue AND system utilities are using it, why is there no Security Advisory describing this system vulnerability?
>
> It's not a vulnerability in software, it's a weakness in the protocol design.

Like the protocol downgrade triggered by a MITM attack flaw, or the protocol design flaw in session renegotiation support. The first one was addressed in FreeBSD-SA-14:23.openssl, the second one in FreeBSD-SA-09:15.ssl. So "is it a protocol flaw or an implementation bug" seems not to be the true major criterion.

OK, I wish I got the best answer to my question possible. I'm not going to discuss SA issuing policy in this thread. Thank you.

Dan
Re: Forums.FreeBSD.org - SSL Issue?
On May 17, 2015 4:49 PM, "Roger Marquis" wrote:
> Leif Pedersen wrote:
> > > ... more easily remediated (than installworld) and so 'pkg audit' could report on those.
> >
> > Exactly how would that differ from using freebsd-update?
>
> You mean aside from being locally compiled? Does freebsd-update only update the specific libs, apps, files that need to be updated?
>
> Roger

Maybe it would be a good idea to learn what freebsd-update does before continuing to give the developers who bring such a great OS to you a hard time. You have some good thoughts, but you may find that the need isn't as great as you think.