This year, the Kernel Summit is divided into two components:
- An invitation-only maintainer summit of 30 people total; and
- An open kernel summit technical track which is open to all attendees of OSS Europe.
The security session is part of the latter. The preliminary agenda for the kernel summit technical track was announced by Ted Ts’o here:
There is also a preliminary agenda for the security session, here:
Currently, the agenda includes an update from Kees Cook on the Kernel Self Protection Project, and an update from Jarkko Sakkinen on TPM support. I’ll provide a summary of the recent Linux Security Summit, depending on available time, perhaps focusing on security namespacing issues.
This agenda is subject to change and if you have any topics to propose, please send an email to the ksummit-discuss list.
(One proximate cause of this is that, through the Python community, I've met multiple nice people who are organizing or championing PyCon North America in Cleveland in 2018 and 2019, and who will show me around a bit. Another is the United Airlines rep who, while trying to reroute us on our solar eclipse trip, said, "The only place in the United States I can get you tonight is Cleveland" which sounds more like a Call to Adventure than most bad travel news does.)
I'm particularly interested in hiking, walking tours, live folk and rock music, history (especially political, social, and science and engineering history), pair programming, and trains. I'll be there Friday October 20th through Sunday October 22nd. I'm also open to giving a talk or two while in Cleveland. Feel free to leave comments on this post -- the spam filter is rather aggressive but I'll fish things out regularly!
I have had the great pleasure of getting to know Telle over the last number of years. A talented computer scientist, she took on the commitment of heading up the then-called Institute for Women and Technology in 2002 when her dear friend Anita Borg fell ill. Though CEO might not have been a role she expected to have, Telle embraced the challenge and led the institute through incredible growth and impact.
I first met Telle when I was assigned as a Hopper volunteer for an ABI advisory board meeting during Grace Hopper in 2010. I was then invited to be part of the board and got to know Telle more over the years. Some of my fondest memories of her are on the dance floor, where she was always ready to bust a move with me like we were the best of friends.
I had the chance to meet Brenda Tuesday night before GHC started. The ABI advisory board no longer exists, but I had the chance to attend the Systers leadership dinner with the Anita|Bees committee. Brenda addressed our relatively small group with such warmth that I couldn't help but immediately like her. That she has such an impressive background, and founded the original 'computer science for all' initiative, just makes it all the better.
I'm also tickled that we had a bonding moment over breastfeeding. I was nursing my six-month-old Henry when she was going to introduce herself. After noticing what I was doing, she told me about her own experiences with her babies. I love connecting with folks on a personal level like that, no matter how "high-up" they are.
I think everyone can agree that great things lie ahead for AnitaB.org. I hope that Telle enjoys her well-earned retirement, and I hope that I'll have a chance to dance with Brenda someday as well.
If you'd like to learn more about Brenda, check out her interview on the AnitaB.org website.
You can find full details of the FOSDEM 2018 Community DevRoom CFP on Laura’s blog.
Last year, Laura and I started collaborating more on projects that weren’t a part of our day jobs. Our first foray was the Community DevRoom at FOSDEM 2017. Due to some unfortunate personal circumstances, I wasn’t really able to participate in much beyond issuing the initial CFP, and Laura made it all happen along with the room’s fantastic program committee. I’m so grateful to everyone for their efforts.
We’re back again for the 2018 edition of FOSDEM, and the Call for Papers just went live. Check it out, submit early and often, and we hope to see you in Brussels!
It seems we’re about due for another round of Shitty Infosec Dude Gets Outed As A Predator. If you don’t know what I’m talking about, I’ll link to it when stories appear. Having been through this myself last year, I want to stand in solidarity with other survivors, as well as to ask journalists to not be fucking assholes.
Some things I learned as a survivor coming forward:
- Coming forward is a HUGE step towards protecting other people. If you’ve done so willingly, thank you for your profound courage. We talk a lot in infosec about whistleblowers, but you should know that you are a goddamn whistleblower too. If your story has been told without your consent, I know that that’s a wretched retraumatizing experience and I am so sorry – but please do know that it’s not without impact and WILL keep other people safe in the future.
- Lock your online stuff down as best as you can. Here’s an extensive guide I wrote, much of which covers security stuff as well as physical threats like SWATting, and here’s a short one that covers the computery essentials.
- Carefully vet the reporters you talk to. I have personally worked with and trust the opsec practices of Sarah Jeong, Selena Larson, and Kate Conger – journalists who are covering this, feel free to reach out and if I trust you and think it’s appropriate I will add you here. There is at least one male journalist sniffing around about this who I have personally seen mistreat women. Approach with caution. Another good tactic here is to ask if they’ve previously covered sexual assault and/or sexism in tech and ask for press clippings of previous coverage.
- If you’re talking to the press, email interviews are a great hack. You get the time to consider what to say and make sure that it won’t open you up to litigation, you can just decline to answer some of the questions (because cripes, the questions people will ask you…). Working over email also lets you run your responses by a trusted and hopefully less-traumatized friend to make sure they’re unambiguous and don’t reveal more than you intend.
- Some useful language re: the press. Know the difference between these terms, and get the reporter you’re talking to to agree to the one you prefer before you say anything:
  - On the record: can be published, can be attributed to you by name
  - Off the record: can’t be published, can’t be attributed to you by name
  - On background: can be quoted or paraphrased and used as a story detail without direct attribution but with a vague organizational affiliation, e.g. “a person in the White House who was not authorized to speak to the press” – this is the usual “anonymous source” mode
  - On deep background, not for attribution: can be quoted or paraphrased and used as a story detail without any attribution
  - When you want to say something on either “background” or “deep background,” it’s useful to give a clear definition of what you mean, just so you’re both on the same page. The definitions given above are commonly used. If you want, copy/paste those exact sentences into the email with the reporter so you’re unmistakably clear about your boundaries.
- You can ask for anonymity. You can ask for press time to be delayed. You can negotiate anything as long as you do it before you give the quote. If you have conditions, make sure your agreement is hashed out in advance. Journalists are not bound to conditions imposed after the fact.
- If the reporter is working for a magazine, sometimes they will ask you for a phone number so that a fact-checker can call you. Don’t be freaked out: this is common practice and doesn’t mean you’re going to be de-anonymized. Incidentally: the fact-checker is not obligated to read back to you verbatim what’s going to be in the piece, but you will get a sense of what’s going to end up in the piece based on the questions they do ask.
- Again, if this freaks you out, negotiate a different process before you give the quote, such as doing the fact-checking over email.
- You can do things like “anything below this line is on the record” or “anything in italics is off the record” – just get an agreement in writing with the journalist as to the shared format
- The rules around on the record / off the record / not for attribution / anonymity and so on are built to give journalists flexibility in dealing with sources who have power, like the PR divisions of major corporations. If a journalist pushes the outer bound of ethics really far with a victim, that has entirely different consequences than doing that to a company. Keep in mind that corporations and government sources negotiate these kinds of terms with journalists all the time, and very aggressively: there’s no reason why they shouldn’t be in your toolkit too.
- It is up to you whether this is a good time or not to be open to hearing from other victims. Last summer, I noted in my post that I wasn’t ready to listen to other survivors’ stories, and directed folks to appropriate counselling resources. Almost everyone respected this. I have since spoken with many other survivors of the same assailant and it has been a very important part of my healing process, but it was important to me to take the time to just process the media drama with close and trusted friends first.
- Therapy is great and has been an essential part of being resilient in the face of garbage fires like you’re going through. If you’re employed, your work may have an EAP that will get you a therapist with minimal fuss. If it’s not covered by your insurance, Captain Awkward has a guide to locating low-cost mental health services in the US and Canada, and a newer post on other free and low-cost mental health resources.
Now I’m not actually an expert on how reporters should treat survivors of sexual violence, so I’ll mainly link to some existing guides. Please comment or ping me if you have resources I should add. But what I will note is a few things I learned from my experience last year:
- If you’re sleeping with the perpetrator, don’t report on this story. The disgrace to the profession of journalism I’m subtweeting here knows who she is.
- Don’t name victims’ employers unless it’s actually relevant to the reporting. William Turton did this to me last year. He never reached out to me for comment about my report of harassment, just went straight to naming my employer in his article. Gross.
- I’m going to write more here soon including some of the more egregious Bad Questions I got asked but wanted to get this posted for survivors first.
Finally, some resources for horrified bystanders:
- What you can do
- No more rock stars: how to stop abuse in tech communities
- The Al Capone theory of sexual harassment
A: "I saw the eclipse in Nashville."
B: "Oh I'm from Nashville!"
A: "Oh cool! Did you see it there too!"
B: "No, I didn't, I don't live there anymore."
A: "So you're from Nashville. Do you play an instrument? Are you a musician?"
B: "No, I'm not."
A: "Is that why you had to leave? Is there some age by which the Machine sends you a notification that you have to choose an Instrument and perform at the Audition?"
C: "I'm imagining that scene from A Wrinkle in Time, the street of identical houses, everyone in a row on the sidewalk, with their guitars."
A: "Playing 'Wonderwall', all at the same time. And you show up at the Audition, like, 'I'm Divergent, I'm not gonna choose an Instrument, I'm leaving!'"
B: "This is actually a little too real."
(You may also enjoy Randomized Dystopia, a.k.a. Assorted Abrogations.)