The Security Kitchen

On Saturday and Sunday, FOSDEM was happening in Brussels (Belgium) and since I didn’t make it to Shmoocon, it was a nice alternative. FOSDEM is a yearly gathering focusing on Free and Open Source (FOS, ha) development but they also feature systems and security track. I first learned about FOSDEM two years ago when HD Moore came over to present Metasploit 3.

This year there were 3 security talks scheduled, the first by the OWASP people, but I missed that talk because sunday morning is supposed to be family time. I have to keep the balance somehow.

The second talk was about FreeIPA, an open source alternative for Identity, Policy and Audit management. The talk wasn’t bad, it layed out how they approach the first build of the solution, based on the Fedora Directory Server and MIT Kerberos 5 as the main components. It also includes a CA (self-signed FTM, ugh), an Apache server to deliver a webbased admin interface, a command line, etc … etc … (it also includes a DNS server)

All in all FreeIPA seems like a nice hobby project to learn the concepts of IdM, Policy and Audit but I don’t feel the project has a real future. What amazed me is that while it touts the Open Source horns loudly, it sees itself as the solution that covers all IdM in a corporation revolves around. From what I understand, to use FreeIPA I have to make all the components in my infrastructure talk Kerberos. It may work in a greenfield approach, but I personally haven’t seen any greenfield IdM projects. For me, personally, IdM revolves around a) workflow and b) provisioning.
The solution does neither

The contradiction in the solution is also, while it pretends to be ‘Open’, it doesn’t feel that way. It tries to do everything by itself. A good example is the DNS server. I can’t think of an environment that doesn’t have a DNS server these days. Why would I want a new DNS infrastructure just to support FreeIPA ? The same for the directory server. I may have one (or more) LDAP directories in my environment, why not be open to what I have and deliver additional building blocks for a complete solution ? That, to me, is what Open is about.

From what I read on their website (instead of focusing what the presenter said) it seems like it’s meant to be a SIEM solution for Identity, Policy and Audit information. I’m a little bit lost now.

The third security talk was about Fusil, the fuzzer, by Victor Stinner, a French hacker. Fusil is a python library, mainly focussed on fuzzing command line programs. Victor gave a great talk, with good momentum (I could see he was nervous, but he didn’t have to be) and great slides. I loved this talk and the tool might be something to look at for all you security researchers out there that want to put programs to the test.

In the end, FOSDEM was nice. I had the chance to chat up with @security4all and of course I’m looking forward to FOSDEM 2010. See you there !