Those security entries for security and ethics makes me want to shut down my computer and disintegrate it to individual atoms. Its like the technologist handed STASI their wet dream while trying to improve the world...
> Its like the technologist handed STASI their wet dream while trying to improve the world...
The error here is assuming that for all technologists "[handing] STASI their wet dream" and "trying to improve the world" are mutually exclusive. I am beginning to think they knew[/know] exactly what they were[/are] doing.
I can not agree with applicability of that aphorism in this case.
We have had a very vocal feedback loop of raising issues ("stupidity", "misunderstandings", "neglect") with OP conference as one type of such feedback.
Nothing has been corrected. Do you happen to know of another aphorism that covers the "willful stupidity", "willful neglect" etc. and what it all means (as I certainly don't desire hitting London.)
Obviously those with their hands on the production pipeline of tech disagree with the feedback. Is that really a controversial observation? Really?
That's Grafana[1]. You can build such dashboards from data in Graphite, Elasticsearch or other sources. IIRC, they now also have support for alerting based on these metrics (something for which we are using Bosun currently).
I recently came across the software they use for mixing their livestreams, and it looks really useful for anyone trying to build out a system to stream or record talks:
And if you have seen the intermission screens and wondered how these work: They run my software info-beamer (https://info-beamer.com/hosted) on a Pi3 in each Hall. Basically those intermission information screens are written in Lua. My info-beamer software uses both hardware accelerated video decoding as well as OpenGL(ES) to make things run smoothly. I'll release the complete Lua source code early next year. If you want to see how these worked last year, take a look at https://github.com/info-beamer/package-32c3-screens
> Our operating system detects even the tiniest corruption to files and will automatically restore them from our service. The system is completely self-healing.
Sure. The base system is quite minimal an runs from a squashfs read only image. Total size is ~40mb. The squashfs file is stored on the first partition (FAT formatted) which is not mounted rw during normal operation (only while updating the system which happens rarely). The second partition is the data partition. It stores images, videos, the Lua code and other files that are required to actually show content on the screen. This partition is mounted rw.
info-beamer hosted always stores those files using content based addressing. So every file that enters the system gets hashed and is then addressed by that hash both on the website itself as well as on the devices. On the website this might look like this: https://cdn.infobeamer.com/dynimg/blob/image-c40ba24410fb9ca..., on the device they end up on /space/cache/<hash>. This is great for all kind of reasons: Cache invalidation and offline verification. For the website, all files can be cached indefinitely as the url changes once the content changes. On the device each file required for a visualization must only be downloaded once, as it's trivial to see if the same file was already downloaded earlier by just comparing filenames. So fonts that might be shared by visualizations are only downloaded once. Also the device can trivially verify that all files are still correct by hashing all cached files and comparing the result with the filename. If it matches, the file is correct. If it doesn't, something is wrong and a new sync is started to repair the problem.
Sadly just people I talked to. As I understand it, they felt that the technical stuff would be overshadowed by other stuff, and that things weren't clear enough, so instead of potentially picking a side, they refrained from both. Unfortunately this is all second or third hand, so take it witha grain of salt.
Are they doing quality control on submitted talks this year, or are they still fine with talks that spread outright and clear lies to people who come there to learn and don't know any better?
Edit: They still let Rubin talk, so probably no quality control.
He found vulnerabilities in (very old) third-party software written in Perl (that's the 1%) then did nothing but lie and attribute them to the language while demonstrating his (accidental or willful) lack of understanding of the language. His code slides often aren't even valid Perl, which is an achievement in itself.
Are you talking about CGI.pm? That was removed from core modules in 5.22 (in 2015) which was only the year before his talk. Debian Jesse even has Perl 5.20 as the stable version[1]. Centos 7 ships with 5.16. Of course you can have your sysadmin install an up to date version, but CGI.pm is still in play as part of Perl.
Maybe this year he'll talk about Perl 6 since 5.x is all old hat. ;)
No, the vulns were in software that used CGI.pm and used it naive ways. CGI.pm had a design decision in its API, that can lead to, but does not constitute a vulnerability, and is a feature to those using it appropiately.
Examples, with explanation of wrong in comment. First talk:
print $hash; # he accompanied this by a dump of the hash, when in reality it would print the reference id
print ($a, $b, $c); # same thing as above, pretends it does a dump, when the reality is wildly different
He does these repeatedly in his second talk:
$arg1, $arg2 = @_; # assigns the length of @_ to $arg2, instead of unpacking args. only the newest of newbies would get this wrong
if(ref $arg1 eq 'HASH') print $arg1{'key'}; # perl does not have block-less pre-fixed ifs
else print $arg1; # same with this, entirely nonsense
The entire style of his code (paren-usage, quoted hash keys) also smells of code copied from bad (w3schools) perl tutorials.
For two years in a row Rubin has given talks about Perl, "exposing issues", in talks that are 99% straight lies or at the very least gross misrepresentations. They cannot in any good conscience be characterized as anything other than intentional trolling and spreading of FUD.
He has been thanked by CCC orga directly for his contributions as well, thus making it clear that they support such shenanigans.
As far as i am concerned, every talk at CCC is highly suspect, since they either don't give a damn as to whether it is correct, or they actively support talks being given in bad faith to an unsuspecting audience.
Or you just simply have to accept the fact that congress is more than 100%-always-correct-scientific-talks but rather is about entertainment too. And that is a thing Rubin can bring to congress.
His talks were in the Security track, not the entertainment track. At no point in the talks did he acknowledge that it wasn't meant to be factual either. Additionally, there's a wide gulf between 1% correct and 100% correct he could've aimed for.
I would be understanding if the CCC orga put him in the entertainment track, but they did not do that for two years in a row despite having received feedback.
He was intentionally spreading misinformation and the CCC orga supported him in that. These are simple facts.
I remember a talk of his about Perl sec issues in bugzilla (I think - correct me if I'm wrong here). Even though it was a problem that was a result of clearly bad code, he still blamed Perl for it.
At first, I thought he was going for a darker Brooker-ish humor, but in the end, the lack of research showed. I got the impression that he tried to shoehorn some corner-case examples into the general "Perl is a security nightmare" narrative.
It could have been someone else, but it sure sounds like him. It's a bad thing to do in a talk either way.
Edit 1: I've found a rather angry response[1] to the talk I was thinking of (Perl Jam 2). This is just for reference, I don't necessarily share the blog post's opinions.
He really seemed strange to me when I saw him at first,
I have no clue about perl, but even to me he made some kind of impression, that he has not really done his research.
His character and presenting seemed really strange to me.
I was honestly totally confused by his presentation and couldn't make out if this was supposed to be funny or if he is serious.
And if it was supposed to be funny, I didn't find it funny at all.
All in all, I was really irritated by his talk and avoided all his talks ever since.
reading your comments, it seems that was the right choice
* Schedule: https://fahrplan.events.ccc.de/congress/2016/Fahrplan/
* Media archive: https://media.ccc.de/
Edit: formatting