Unlike other security distributions is the Fedora Security Lab, speaking about the live media here, not standing alone. The Fedora Security Lab is a package set inside the Fedora Package Collection and a part of that package set is available as live media.

Everything, I mean everything, that is present in this package set can be used on a regular Fedora installation (some parts are also available for EPEL). You don’t have to switch to a different distribution to perform a security test, an assessment or doing forensics, simple use your day-by-day system.

tl;dr

DNS

• massdns – High-performance DNS stub resolver for bulk lookups and reconnaissance
• shuffledns – Wrapper around massdns
• aiodnsbrute – DNS asynchronous brute force utility
• dnstwist – Domain name permutation engine

amass is on the list.

Fuzzer

• wfuzz – Web fuzzer
• ffuf – Fast web fuzzer written in Go
• gobuster – Directory/File, DNS and VHost busting tool

patator and gospider are on their way

Slowloris

• goloris – Slowloris for NGINX DoS
• slowloris – Low bandwidth DoS tool
• python-friendlyloris – A Slow Loris package for Python

Android

• adb-enhanced – Swiss-army knife for Android testing and development
• python-adb-shell – Python implementation for ADB shell and file sync

python-adb, andriller, androguard and androwarn are just around the corner.

Reverse engineering

• aeskeyfind – Locate 128-bit and 256-bit AES keys in a captured memory image

rsakeykind, binee and angr are work-in-progress.

Misc

• kerberoast – Kerberos security toolkit for Python
• httprobe – Probing tool for working HTTP and HTTPS servers
• python-nessus-file-reader – Python file reader for nessus files

Every time when there is a new release of Kali Linux it doesn’t take long till people start to ask when a feature or tool will be added to the Fedora Security Lab.

This time the most asked feature is the “undercover mode”.

To make it short: Never.

The reason is that the Fedora Security Lab live media doesn’t need this. We are running Xfce (in the meantime for several years now) with the default Fedora wallpaper and a default theme. It pretty hard to tell (reading impossible if you don’t have the menu open) for a person who only get a quick look at your desktop that you have a lot of specialized tools at your disposal.

You are even stealthier if you only add the Fedora Security Lab toolset to your default Fedora installation. This make the Fedora Security Lab the perfect tool to perform security-related tasks in an office environment at customer’s sites.

I’m open to look left and right but like Fedora itself the Fedora Security Lab always leads and never follows. This means that only software is included which has passed a proper review that ensures that the package complies with the Fedora Packaging Guidelines.

The Fedora Security Lab was released as part of the Fedora 30 Candidate Beta cycle.

Grab it, test it and report back.

This time we don’t want to miss the release because of some last minute changes.

Grab it and test it.

For the Fedora 29 release cycle will be no Fedora Security Lab. All composes were failing after the Beta thus we are not able to ship it for 29.

It’s kind of frustrating that at a beta state changes can break a compose and there is zero (0) communication about it from the release engineering team. Yes, that’s what happen if you are not an objective.

I’m not blaming anybody but myself. Pagure.io is not really forcing high pace which is sometimes required and now we are pretty much back to the times were you have a change, made it publicly available and then you have to ask somebody to merge it.

Well, I’m working on to bring the Fedora Security Lab back.

Different to other years I split this blog post into different posts to keep them shorter and focused on one thing. This one is the general overview post.

–Transform applications into Flatpaks at Flock 2017
–Fedora IoT at Flock 2017

One disappointment was that there where a lot of “State of X” talk. I kind of don’t understand why, because the organization team wanted Flock do be a “do” event, announced it that way, and mentioned this a one criteria for sessions to be accepted. My guess is that it heavily depends on if it’s an objective or not. If it’s an objective then you are good otherwise not. I will be the person that complains here. There are always people who are looking for something to complain, right?. As one who was in the driver seat for organizing a FUDCon and several of the largest Fedora presences in Europe in the last decade I know what I’m talking about and the “step up or shut up” (if we are talking about FUDCon it only fair to use a term from that period in time) paradigm is not applicable here. Sorry.

Everything in one place is the way it should be. If the conference is at the same location where you sleep then you don’t need to move around a lot. It’s a bit risky to share a room with a person you never met before but I was lucky again. Like in the past I was able to learn a thing or two about the country where the room mate was from. For me it was a bit wired to see a security bar for securing the terrace door but it seems reasonable because outside was a golf course. Thanks to the dehumidifier in our room the humidity was not over 80%.

Back to the conference…During the “State of the Union” Matt talked about a lot of fires. There are a lot of fires but fires keep us warm. I always liked the fast pace Fedora is taking. If you explore new things the chance for a failure is there even if the fire was huge in the beginning. This is not limited to one particular group in Fedora. Also, fires which were high burning in the past are just left alone to die.

At one point in time. Sorry, can’t remember if it was during the pitching or Matt’s talk. The audience was asked about their involvement in packaging and interestingly a lot hands were thrown in the air. This leads to the question why is there such a huge backlog of review requests? I personally stopped to do reviews and submitting them as it feels more and more as a waste of time. On the other hand packages are the foundation of our distribution. Well, that not an objective and will not be addressed during a setup like Flock.

My session was a complete disaster. It will go into history as one of the three session, I know of, which didn’t had a single attendee. To me the issue is clear: it’s not an objective thus you fly some much under the radar that you are invisible. Or simply people don’t care about it. Last year I had 6 or 7 people for the same session and we discussed a couple of things and worked on issues. Now I’m pretty much alone. I perfectly agree to focus on the objectives and Workstation/Server/Cloud but Labs are bringing diversity. Most distributions are doing different kind of products and some of our Labs are unique which makes them great talking points. At a conference for Graphic design nobody cares about Atomic, Modularity or that we have a Workstation Edition but the Design Suite is something which could attract designers or artists.

Talking about diversity. There was a workshop about this topic. While spending over 20 years of my professional life in an engineering and highly technical area of the industry which is dominated my males, I became interested in the topic of diversity a while back. Thus it’s only natural to be interested about the diversity in the Fedora community as well. Most Open Source communities are formed out of an over represented group. You know which group I mean. I’m part of that group and you perhaps too.

Sure, it would be nice if the community is more multi-cultural, multi-lingual, multi-age, multi-gender, and multi-*. The problem is that Fedora is very much in the end of the line and there is only a certain amount of contributors. The society still defines the role allocation of females and males. This leads to the present situation. At least in Switzerland there are a couple of initiative on-going to bring underrepresented groups like women into the tech or engineering world. Unfortunately we will see the outcome from the “Töchtertag” (in US “Take our daughters to work day”) only in the next 5 to maybe 15 years. In the short term we will not see much change. In engineering classes (computer science, electrical engineering, or mechanical engineering) at most Swiss universities the female representation is still under 10%. In wood work engineering even below 5%.

It already pretty hard to get new contributor out of the over represented group. Nowadays there are a lot of Open Source communities active and the people usually join multiple communities and spread their time where they think that they have the biggest benefit. Over the past couple of years we found in average one new contributor at an event. Not with a T-Shirt or a Surface Pro but because he was intrinsically motivated.

70% of the top contributors are not paid by Red Hat at least this is the message of a slide from 2016. But when it comes to Flock it’s the other way around 30 % or less are not Red Hat employees. Due to the simple fact that the typical Fedora contributor is a volunteer he or she will never be able to put in a 40 hours week to work on Fedora. Also, spending 1/4 of the available holidays per year on one event is a blocker. Diversity starts right under our noses. We may like it or not.

For the future we need to make sure that we don’t end up doing the “Old wine in new bottles” things and change things for the sake of change or because they are old. If there is an alleged new ideas or a solution for something it’s needed go through the archives because some contributors have had good ideas in the past already.

Overall Flock was a nice experience. My goal was to get in touch with people out of the Fedora community I didn’t know before and not to talk to the same bunch of people over and over again during the conference. When it comes to spare time, of course, I hung around with guys I have a history with. The US was different than I expected but most people are very helpful and friendly. It’s strange to see prices and to know that it’s not the amount you have to pay because the taxes are not included. I guess that it would require more than 4 days to get used to that :-).

As I will be already on the move, the possibilities are high that I will attend CLT 2017.

https://labs.fedoraproject.org/en/security/

As Flock has already started we grabbed our badges and joined the fun. The talks covered a lot of different topics. It’s interesting to see that hypes from a new years back like Spacewalk, Sugar, or JBoss no longer play a role at Fedora events. Containers do. I like LXC and the new kid systemctl-nspawn. Docker right? Docker is popular but I never really got warm with it because I don’t really need it and we do basically the same thing with virtual machines and configuration management.

Over the years I spent a huge amount of time working on packages. Especially, Python. A tool to create packages in one way or another would be nice. As we all know this will probably work for 80 % of the packages but the rest will take 80 % of the time to manually fix the spec file.

For the first time ever during a FUDCon/Flock I did do some sight-seeing. The walking tour of the old city center was a pretty nice idea. Our guide was a funny one and beside the jokes there was something to learn.

Over the years I saw a couple of concepts of doing at a FUDCon/Flock. First we did barcamps, then we tried a mixture of barcamps and pre-arranged talks (FUDCon 2009) then with Flock only scheduled talks take place. The evolution lead from a lot of ‘let’s get shit done’ to a classic conference. I think that only if you do conference-style you can get talks like “Secure Automated Decryption”. It was the first time that I heard and read the words “ElGamal encryption” during a talk at a Fedora-centric event.

It was nice to see that a bunch of people showed up for my Fedora Security Lab hackfest on Friday morning. After a couple of years it’s “Lab” again instead of “Spin”. I showed some slides for the intro. After 20 min I was done and quickly started the conversation with the audience. In the last years we didn’t got much feedback, I like to think that “no news are good news”. If Python 2 will no longer be available this will definitely hit us hard. A large number of tools we include in the Fedora Security Lab are old but still useful and no substitutes are available. There seems to be a need for the not-so-official Fedora Security Lab Test Bench. Well, there are LXC containers So, replace those with Docker and create a larger virtual environment with multiple instances and services? Maybe. Start packaging tools and web application we include in the Test Bench? No, shipping PHP shells and vulnerable web application is out of scope for Fedora. To avoid any further implications it maybe best to rename the Test Bench and make it own project out of it.

One conclusion is that it’s a huge advantage if the conference and the accommodation is at the same location. This saves a lot of time if you don’t have to take public transportation for half an hour to get to the venue. At the other hand the enticement to take one more beer before going to bed it very high.

The conclusion for Flock is that we are talking about the same stuff over and over again when it coming down to the community. Reimbursement again, budget boring, swag gähnnn…I guess that we did a really bad job in documenting the work, decisions, and alike in the past. Every new entity (read person or working group) try to re-invent the wheel, create it’s own footprint in the eco-system, or try to make a name for itself.

On Saturday we visited Oskar Schindler’s Enamel Factory and the Museum of Contemporary Art. During my compulsory schooling we learn a lot about this period in time and thus it was cool to see the physical place. I’m not a huge art fan but both museums are very close we walked through that building too.