
I was asked to write about what I do at
Canonical and what I do in the
Free Software community at large. There is obviously a great deal of overlap, but I ll start with the things I m involved with when I m wearing my
Ubuntu hat.
My primary job at Canonical is keeping Ubuntu secure. This means that I, along with the rest of the
Ubuntu Security Team, coordinate with other Free Software distributions and upstream projects to publish fixes together so that everyone in the community has the smallest possible window of vulnerability, no matter if they re running Ubuntu,
Debian,
RedHat/
Fedora,
SUSE/
openSUSE,
Gentoo, etc. Between
vendor-sec,
oss-security, and the steady stream of new
CVEs, there is plenty going on.
In addition to updates, the Security Team works on
pro-active security protections. I work on userspace security hardening via patches to
gcc and the
kernel, and via
build-wrapper script packages. Much of this work has been related trying to
coordinate these changes with Debian, and to clean up unfinished pieces that were left unsolved by RedHat, who had originally developed many of the hardening features. Things like
proper /proc/$pid/maps permissions, real
AT_RANDOM implementation, upstreaming
executable stack fixing patches, upstreaming kernel
NX-emu, etc. Most of the kernel work I ve done has gotten upstream, but lately some of the more
aggressive protections have been hitting frustrating upstream roadblocks.
Besides the hardening work, I also improve and support the
AppArmor Mandatory Access Control system, as well as write and improve
confinement profiles for processes on Ubuntu. This work ends up improving everyone s experience with AppArmor, especially now that it has gotten
accepted upstream in the Linux kernel.
I audit code from time to time, both on the clock with Canonical and in my free time. I m no
Tavis Ormandy, but I try. ;) I ve found various security issues in
Xorg,
Koffice,
smb4k,
libgd2,
Inkscape,
curl+GnuTLS,
hplip,
wpa_supplicant,
Flickr Drupal module,
poppler/xpdf,
LimeSurvey,
tunapie, and the
Linux kernel.
With my Canonical hat off, I do all kinds of random things around the Free Software ecosystem. I m a sysadmin for
kernel.org. In Debian, I
maintain a few packages, continue to try to
push for security hardening, and contribute to the
CVE triage efforts of the Debian Security Team.
I ve written or maintain several weird projects, including
MythTVFS for browsing MythTV recordings,
GOPchop for doing non-encoding editing of MPEG2-PS streams, Perl s
Device::SerialPort module, and the TAP paging server
Sendpage.
For a selection of things I ve contributed to other project, I ve implemented
TPM RNG access in rng-tools, made contributions to
Inkscape s build and print systems, implemented
CryptProtect for
Wine, wrote a PayPal
IPN agent in PHP that actually checks SSL certificates unlike every other implementation I could find, added additional protocol-specific
STARTTLS negotiations to OpenSSL, implemented the initial
DVD navigation support in MPlayer, updated serial port logic in
Scantool for communicating with vehicle CAN interfaces, tried to add support for new types of timeouts in
Snort and
Ettercap, fixed bugs in
mutt, and added HPUX audio support to the Apple ][ emulator
XGS.
As you can see, I like making weird/ancient protocols, unfriendly file formats, and security features more accessible to people using Free Software. I ve done this through patches, convincing people to take those patches, auditing code, testing fixes and features, and doing packaging work.
When I go to conferences, I attend
UDS,
DefCon,
OSCon, and
LinuxCon. I ve presented in the past at OSCon on various topics including
security,
testing, and
video formats, and presented at the
Linux Security Summit (miniconf before LinuxCon this year) on the need to upstream various out-of-tree security features available to the Linux kernel.
I love our ecosystem, and I love being part of it. :)