November 17, 2023

Episode 213

9 minutes

Overview

As we ease back into regular programming, we cover the various activities the

team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit

and Ubuntu Engineering Sprint.

Goings on in Ubuntu Security Community

Ubuntu Security team at the Ubuntu Summit (00:48)

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint from Episode 212

In the last episode we previewed a couple talks by different folks from the

Ubuntu Security Team - recordings for these will be available but currently

there is only the livestreams from the main plenary room - as such, right now

you can go watch Tobias’ talk “From Asahi Linux to Ubuntu: Running Linux on

Apple Silicon”

https://youtu.be/XIGxKyekvBQ?list=PL-qBHd6_LXWZqbxr3542fZs_IMn0gAb2B&t=20272

Andrei publishes The Open Source Fortress (01:41)

https://discourse.ubuntu.com/t/the-open-source-fortress-is-now-live/40183

Back in August, Andrei put out a call for topic suggestions for a

vulnerability discovery workshop that he was putting together, with a

particular focus on open source code bases

He presented this in a 90 minute session 2 weeks ago on the final day of the

Ubuntu Summit

He covered a number of topics with a focus on practical application of each

using dedicated tooling, e.g.:

Threat modelling with OWASP Threat Dragon

Secret scanning with Gitleaks

Dependency scanning with OSV-Scanner

Linting with Bandit and flawfinder

Code querying with Semgrep

Fuzzing with AFL++

Symbolic execution with KLEE

So not only did participants learn about a given technique, such as what

fuzzing is etc, but also how they can easily apply it with standard tooling to

find real world problems

Due to the success of the workshop, he has decided to make the contents

publicly available

Online wiki https://ossfortress.io/

Presentation from the Summit

Github repository with example projects to run the various tools against

Pre-built docker images for the various tools used in the workshop

Designed to be worked through in your own time

UbuCTF at the Ubuntu Engineering Sprint (04:15)

Emi, Nishit, Andei, Amir and David from the team organised and held the first

UbuCTF at the Engineering Sprint the week after the Ubuntu Summit

Organised around a story of cyber crime fighting against a criminal gang in Riga

5 days, 26 challenges, 64 players

Challenges covered a variety of topics

Networking

Web

Crypto(graphy)

Reverse engineering

Pwning

Vulnerability Patching

Gave experience using tools like Wfuzz, Pwntools, cutter / rizin / radare2,

Ghidra, Wireshark, insomnia and more

457 flags submitted (110 correct), 47 patches submitted

Result was very close - won by Anton Troyanov (Senior Engineer on the MAAS team)

Ubuntu Security team members were barred from competing as we had previously

worked on these challenges - BUT shout out to Sudhakar Verma who just joined

our team only 4 weeks ago and so didn’t have any prior experience with this

CTF - managed to solve every single challenge 💪💪💪

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@[email protected], @ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

November 17, 2023

Episode 213

9 minutes

Overview

As we ease back into regular programming, we cover the various activities the

team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit

and Ubuntu Engineering Sprint.

Goings on in Ubuntu Security Community

Ubuntu Security team at the Ubuntu Summit (00:48)

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint from Episode 212

In the last episode we previewed a couple talks by different folks from the

Ubuntu Security Team - recordings for these will be available but currently

there is only the livestreams from the main plenary room - as such, right now

you can go watch Tobias’ talk “From Asahi Linux to Ubuntu: Running Linux on

Apple Silicon”

https://youtu.be/XIGxKyekvBQ?list=PL-qBHd6_LXWZqbxr3542fZs_IMn0gAb2B&t=20272

Andrei publishes The Open Source Fortress (01:41)

https://discourse.ubuntu.com/t/the-open-source-fortress-is-now-live/40183

Back in August, Andrei put out a call for topic suggestions for a

vulnerability discovery workshop that he was putting together, with a

particular focus on open source code bases

He presented this in a 90 minute session 2 weeks ago on the final day of the

Ubuntu Summit

He covered a number of topics with a focus on practical application of each

using dedicated tooling, e.g.:

Threat modelling with OWASP Threat Dragon

Secret scanning with Gitleaks

Dependency scanning with OSV-Scanner

Linting with Bandit and flawfinder

Code querying with Semgrep

Fuzzing with AFL++

Symbolic execution with KLEE

So not only did participants learn about a given technique, such as what

fuzzing is etc, but also how they can easily apply it with standard tooling to

find real world problems

Due to the success of the workshop, he has decided to make the contents

publicly available

Online wiki https://ossfortress.io/

Presentation from the Summit

Github repository with example projects to run the various tools against

Pre-built docker images for the various tools used in the workshop

Designed to be worked through in your own time

UbuCTF at the Ubuntu Engineering Sprint (04:15)

Emi, Nishit, Andei, Amir and David from the team organised and held the first

UbuCTF at the Engineering Sprint the week after the Ubuntu Summit

Organised around a story of cyber crime fighting against a criminal gang in Riga

5 days, 26 challenges, 64 players

Challenges covered a variety of topics

Networking

Web

Crypto(graphy)

Reverse engineering

Pwning

Vulnerability Patching

Gave experience using tools like Wfuzz, Pwntools, cutter / rizin / radare2,

Ghidra, Wireshark, insomnia and more

457 flags submitted (110 correct), 47 patches submitted

Result was very close - won by Anton Troyanov (Senior Engineer on the MAAS team)

Ubuntu Security team members were barred from competing as we had previously

worked on these challenges - BUT shout out to Sudhakar Verma who just joined

our team only 4 weeks ago and so didn’t have any prior experience with this

CTF - managed to solve every single challenge 💪💪💪

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@[email protected], @ubuntu_sec on twitter

...more

Share Episode 213

Sign up to save your podcasts

Episode 213

Episode 213