Message-ID: <20170324123201.GA24912@openwall.com>
Date: Fri, 24 Mar 2017 13:32:01 +0100
From: Solar Designer <solar@...nwall.com>
To: James Morris <jmorris@...ei.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: [ANNOUNCE] Linux Security Summit 2017 - CFP

Hi James,

With all due respect to you and recognition of the importance of this
event, as I had pointed out last year, I wish you either informed
oss-security of the outcomes of each year's LSS or didn't post the CFPs
in here.  Posting only a CFP and then nothing until next year's CFP
sort of works on other lists, but not on oss-security.  Please re-read:

http://www.openwall.com/lists/oss-security/2016/03/25/7

Unless there's anything from LSS besides this CFP posted to here until
next year's, I am going to reject next year's LSS CFP, as we should have
been doing per the published oss-security guidelines in the first place.

The same applies to other events focused on open source security,
including non-Linux ones: CFPs only "no", generally useful material from
such events "probably yes", CFPs from events for which there were other
accepted postings "possibly yes".  Currently I don't recall any events
with relevant focus that bothered communicating their materials to here,
but they should have (if any of the substance could be provided in
text/plain; for videos only, no).  For events not focused on open source
security, I intend to make no exceptions regarding CFPs, not even if
some materials were relevant and discussed in here.  So overall our "no
CFPs" policy is still in place.

This applies to oss-security only.  Having this same CFP on the
kernel-hardening list is OK and desirable.  (And it's already there.)

On Fri, Mar 24, 2017 at 12:26:43PM +1100, James Morris wrote:
>   Topic areas include, but are not limited to:
> 
>     * Kernel self-protection
>     * Access control
>     * Cryptography and key management
>     * Integrity control
>     * Hardware Security
>     * Iot and embedded security
>     * Virtualization and containers
>     * System-specific system hardening
>     * Case studies
>     * Security tools
>     * Security UX
>     * Emerging technologies, threats & techniques 

diff from last year's:

-    * Trust systems
-    * Storage and file systems
-    * Identity management
-    * Code analysis
-    * Security analytics
-    * Secure development and operational practices

+    * Iot and embedded security
+    * System-specific system hardening
+    * Security tools
+    * Security UX

To make my posting useful, let me inform those not on kernel-hardening,
but interested in how the project is doing, that it's been doing OK at
least(*) in terms of activity lately, with last month being the busiest
month so far by number of messages posted:

http://www.openwall.com/lists/kernel-hardening/
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

(*) I say "at least" because I know that opinions vary as to the utility
of such activity.

Another good resource is Kees Cook's blog posts on "security things" in
each new Linux kernel release:

https://outflux.net/blog/archives/2017/02/27/security-things-in-linux-v4-10/
https://outflux.net/blog/archives/2016/12/12/security-things-in-linux-v4-9/
https://outflux.net/blog/archives/2016/10/04/security-things-in-linux-v4-8/
https://outflux.net/blog/archives/2016/10/03/security-things-in-linux-v4-7/
https://outflux.net/blog/archives/2016/09/30/security-things-in-linux-v4-6/
https://outflux.net/blog/archives/2016/09/28/security-things-in-linux-v4-5/
https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/
https://outflux.net/blog/archives/2016/09/26/security-things-in-linux-v4-3/

and his other blog posts as well, such as on security bugs' lifetime.

These are so much more useful (or rather, to more people) than a CFP
with no follow-ups.  I wish Kees, James, and others posted this kind of
material in here in text/plain, in addition to blogging.

Alexander
