[UbuntuWomen] Getting Involved in Security for Ubuntu?
James Westby
jw+debian at jameswestby.net
Mon Jun 15 09:09:44 UTC 2009
On Sun, 2009-06-14 at 21:23 -0500, Jamesha Fisher wrote:
> Hey,
>
> I'm a first time poster, long time lurker. Today, I just graduated
> with a Bachelor's in Computer Security (it has a different name, but
> it's kind of a mouthful). However, with the recent economic downturn,
> I really don't have an opportunity yet where I can add on to my
> talents with the badly needed experience. I wanted to know if there's
> any way I can get involved in the Ubuntu Security Team. I'd really
> appreciate any responses, I believe I could contribute as well as
> learn a lot from being involved in this team. I know this isn't the
> place I should be asking, but I really don't know where else.
Hello,
I'm sure the Ubuntu Security Team would be very grateful for your help.
I can certainly give you some suggestions of who to talk to and where
to look to get started. I'm interested in which area of security you
would like to work in though.
One of the main areas of security work in Free software is dealing with
vulnerability reports. This is taking a report (usually with a patch),
working out on which releases it is exploitable, patching each version
that is, testing, and then pushing out the fixes. This is quite similar
to normal packaging work, but it just requires a bit of specialised
skill to know what is exploitable and to try and spot other problems
while you are there. It's also a bit more high-pressure than normal
packaging work, as when something lands in the -security updates it
is instantly pushed out to a very large fraction of users, so there's
little room for mistakes. It is however an incredibly valuable job,
trying to keep all the Ubuntu users safe from the known exploits.
The second area of work is auditing packages (and perhaps also other
things, like the wiki) for vulnerabilities. This is trying to spot the
problems before they are a problem. This requires skill in knowing what
common mistakes are made that lead to security problems. It is usually
done at the code level, looking for buffers that can be overflowed and
the like, as well as looking for things like services running as root
when they don't need to. It would also be possible to do things like
look at the use of crypto in a system to look for mistakes in the way
they have designed that. As you can probably guess, there's loads of
work to do here.
The third area is trying to make Ubuntu harder to attack, under the
assumption that there will always be vulnerabilities. For instance,
there has been an effort to turn on extra compiler flags by default that
check for common issues, and also add things like stack canaries, etc.
They also work on firewalls, MAC, etc. to limit the effect that a rogue
program could have. There's also the possibility of some design work here,
trying to work with developers to ensure that something they write is
good from a security perspective. For instance, the current
implementation of the "Users and groups" tool in the menus doesn't use
the normal stack for changing your password, which has led to many bugs.
Coming up with a change to that design, or a redesign, would be
appreciated (and implementing it would be doubly so).
The Ubuntu security team works in all of these areas, so if any of them
take your fancy you would be able to help out, and having seen the
amount of work that they were discussing at UDS I'm sure it would be
appreciated.
If you have any ideas about what you would like to work on then I can
point you in the right direction (all of it is an acceptable answer :-).
Otherwise I think the ubuntu-hardened mailing list is the place where
they all hang out:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
Thanks,
James
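Added example, not part of James's reply and not code from Ubuntu or the Ubuntu Security Team: the "buffers that can be overflowed" defect that the auditing paragraph describes, written as a small C function next to a bounded replacement. The program, the `greet_unsafe`/`greet_safe` names, the 16-byte buffer size and the input strings are all constructed for this illustration.

```c
/* Added example (not from the original mailing-list post): a fixed-size
 * stack buffer filled by an unbounded copy, next to a bounded version.
 * Names, buffer size and inputs are constructed for the illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 16   /* room for 15 characters plus the NUL terminator */

/* Vulnerable form: strcpy() copies until it sees a NUL byte and never
 * looks at the size of 'buf', so any name of 16 bytes or more writes past
 * the end of the stack buffer. Kept only as the "before" for comparison;
 * the sample main() and the test call it with short input only.
 * Returns 0 after formatting the greeting into 'out'. */
int greet_unsafe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_BUF_LEN];
    strcpy(buf, name);                         /* unbounded copy */
    snprintf(out, outlen, "hello %s", buf);
    return 0;
}

/* Hardened form: measure the input first, reject anything that does not
 * fit including the terminator, then copy exactly that many bytes and
 * terminate explicitly. snprintf() bounds the write into 'out' as well.
 * Returns 0 on success, -1 when the name is rejected as too long. */
int greet_safe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_BUF_LEN];
    size_t n = strlen(name);
    if (n >= sizeof buf)                       /* no room for the NUL */
        return -1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    snprintf(out, outlen, "hello %s", buf);
    return 0;
}

int main(void)
{
    char out[64];
    const char *short_name = "ubuntu";                  /* 6 bytes, fits */
    const char *long_name  = "0123456789abcdef";        /* 16 bytes, too long */

    greet_unsafe(short_name, out, sizeof out);
    printf("unsafe, short input : %s\n", out);

    if (greet_safe(long_name, out, sizeof out) == -1)
        printf("safe,   long input  : rejected (%zu bytes)\n", strlen(long_name));

    greet_safe(short_name, out, sizeof out);
    printf("safe,   short input : %s\n", out);
    return 0;
}
```

Compiling with `-fstack-protector` (the stack-canary hardening mentioned in the third area) would turn an overrun of `buf` in `greet_unsafe` into an abort at function return instead of silent corruption, but the audit fix is still the length check and bounded copy in `greet_safe`; the canary only limits the damage once the bug is already there.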