shape-memory ally is a user on anti.energy.

#BSDCan #FreeBSD #devsummit: Day two. More live tooting. We'll kick off this day with an update by the FreeBSD Security Team (secteam@).

#BSDCan #FreeBSD #devsummit: The security officer position has its own charter. The challenges facing the security team are quite difficult:

1. Extremely broad mandate
2. A lot of hurry-up-and-wait activities, not conducive to a friendly employment environment
3. Very high level of very technical knowledge required to respond to the large variety of issues

#BSDCan #FreeBSD #devsummit: There's a lot of burnout. Especially so since there are few qualified people to work on the security team.

#BSDCan #FreeBSD #devsummit: They're fixing these challenges by splitting vulnerability response and mitigation implementation.

#BSDCan #FreeBSD #devsummit: FreeBSD needs technical resources and needs people who are willing to work on issues that cannot be disclosed outside.

#BSDCan #FreeBSD #devsummit: [Personal note: Gordon's moving pretty fast. I won't be able to capture everything.]

#BSDCan #FreeBSD #devsummit: Two basic workstreams:

1. FreeBSD only response:
- No NDA or explicit embargo
- Only applies to FreeBSD (and maybe Net/Open)
- No major risk of exposure
2. Multi-vendor coordinated response:
- NDA and/or explicit embargo
- Coordinated response via private party or CERT/CC
- Requires limited internal disclosure to contain risk of exposure

#BSDCan #FreeBSD #devsummit: Note on exposure: Some bug details have leaked because a security team member disclosed the bug to their employer, even when they weren't supposed to do so.

#BSDCan #FreeBSD #devsummit: We don't want to end up like #OpenBSD where vendors don't notify us of vulnerabilities due to violating embargoes.

#BSDCan #FreeBSD #devsummit: There were FreeBSD committers that were notified of Meltdown by Intel via unofficial channels prior to the secteam's official notification in late December. Those committers did not notify secteam.

#BSDCan #FreeBSD #devsummit: How the FreeBSD Foundation enables secteam:

1. Holder of NDA and vendor relationships
- Survivability of changeover of security officer
- Vendor relationships
2. Funds resources
- Pays for Ed's time
- Pays for Gordon's travel
- Pays for development resources to enable response (kib@ specifically)

#BSDCan #FreeBSD #devsummit: Once CERT/CC was involved with CVE-2018-8897 / SA-18:06.debugreg, FreeBSD was able to give pre-embargo patches to pfSense.

[Personal note: this is rather... interesting...]

#BSDCan #FreeBSD #devsummit: FreeBSD uses Coverity, but doesn't pay much attention to it.

#BSDCan #FreeBSD #devsummit: From Ed Maste: the FreeBSD Foundation interns worked on Syzkaller. FreeBSD is hoping to help enhance its FreeBSD support.

#BSDCan #FreeBSD #devsummit: Question from the audience: do these embargoes have rules regarding early disclosure by other vendors (i.e., #OpenBSD)?

Answer: embargoes are usually negotiated with the researcher. You'll notice that the embargo dates fall around the Blackhat conference.

#BSDCan #FreeBSD #devsummit: [Personal note: there seems to be some hostility towards #OpenBSD by multiple people here.]

#BSDCan #FreeBSD #devsummit: Ed Maste: I certainly don't want a reputation of blowing embargoes.

#BSDCan #FreeBSD #devsummit: From Allan Jude: Should secteam@ have a phone number?

#BSDCan #FreeBSD #devsummit: secteam update finished. On break for a half hour.

#BSDCan #FreeBSD #devsummit: The devsummit is about to continue with FreeBSD 12.0 planning.

#BSDCan #FreeBSD #devsummit: FreeBSD would like to get #OpenSSL 1.1 in base for the 12.0 release.