The second day of LinuxCon in Seattle started with an announcement by Linux Foundation Executive Director Jim Zemlin about the Core Infrastructure Initiative. The CII will have a new free badge program. According to the program site, "Projects having a CII badge will showcase the project's commitment to security." The first draft of the badge criteria is available on GitHub, and community feedback is encouraged.
Bruce Schneier on cyber attacks
Security expert Bruce Schneier joined via video chat to talked about online attacks, including the Sony cyber attack. "This was destruction and coercion," he says. He also talked about how secure an organization is isn't as important as how secure it is relative to others in the same space.
In Sony's case, attackers hit the company for political reasons. "We know that on the Internet today, attackers have the advantage," Schneier says. A motivated attacker will get in. "On the other hand," he adds, "Sony had some pretty bad security ... I won't go into details, but they're embarrassing."
You used to be able to tell who attackers were by the weapons they used. Governments used tanks, so if one rolled up outside your house, you'd know a government was behind it. Online everyone uses the same tools and techniques, so it's hard to tell whether the attack was from a government source, or two guys in a basement, Schneier says. The Sony attack shows that attribution can be difficult.
"[It's] my belief that a lot of attacks from Western countries go through China," Schneier says. Making an attack look like it comes from China is a good way to hide who's behind it. He talked about the importance of attribution. Knowing who is behind an attack helps determine who will help provide support (local police vs. military).
Hopefully the Linux Foundation recorded Schneier's great talk and will post it online soon. SUSE's Michael Miller and Oracle's Wim Coekaerts followed Schneier in the morning keynotes, and then we headed off to sessions.
How to secure systems with SELinux
After the lunch break, I went to Susan Lauber's talk about how to secure systems with SELinux (we also interviewed her for our series). Susan used examples from the SELinux Coloring Book, which she gave away at the event. You can also download and print your own copy (PDF). It's always nice to talk to people in person after you've "met" them online.
DevOps for students
Next, I sat in Lance Albertson's talk about DevOps for students. Lance is the Open Source Lab (OSL) director at Oregon State University. He started with an introduction of what the OSL does (provides hosting for FOSS projects, including the Apache Software Foundation and the Linux Foundation), and services it offers, such as virtualization, managed and unmanaged hosting, email, DNS, and mailing lists.
"We're not a traditional IT shop at OSU," Lance says. "We try to have a startup culture within a university." Lance then took a deep dive into the OSL student experience. "First off, they're getting full root," he says. That can be scary (for everyone), but tends to go well. Students get interviewed before being accepted into the program and go through a background check, which helps prepare them for similar experiences they'll have in the real-world.
Lance explained the challenges that come with creating a student curriculum that focuses on devops and open source, and integrating it into the university programs. The program gives students experience with a variety of open source tools, which prepares them for when they enter the workforce later and helps make them competitive candidates for tech jobs.
He concluded with what he and his team learned over the past two years of the program, including:
- Student participation ranges from 30 at the start of the year and dwindles toward 15 near the end.
- Weekly meetings are too frequent for students.
- Creating quality content takes time and practice.
- Being flexible with the schedule and topics is important.
- SSH keys, Vagrant, and VirtualBox are a pain for beginners.
Read our LinuxCon interview with Lance to learn more about teaching DevOps and open source to a new generation.
Read more from LinuxCon in my Day 1 highlights.
This article is part of our LinuxCon, CloudOpen, and ContainerCon North America 2015 series. LinuxCon North America is an event where "developers, sysadmins, architects and all levels of technical talent gather together under one roof for education, collaboration and problem-solving to further the Linux platform."