muellis blog – Page 9 – …und alle so “Yeaahh!”

OWASP AppSec Research EU 2013 – Hamburg

I was lucky to be able to attend OWASP’s AppSec EU Research conference in Hamburg, Germany. I’ve been to the one in Dublin and looked forward to the German edition. With 400+ attendees I thought that the conference was surprisingly well attended. And rightfully so. The people organising it were doing a fantastic job. Everything seemed to work smoothly and although I volunteered I was able to see a good bunch of talks.

The program looked promising and most of it was quite good. I was told that there will be recordings soon which is also quite remarkable. The video team definitely deserves a round of applause. So does the venue. We were locked up in the upper most floor of the Emporio, which allowed for awesome views over Hamburg. Although I’ve lived in that beautiful city for so long, I didn’t realise one could actually get such a nice view from a conference room. Sometimes it was hard to not get distracted by the views during the talks…

The first talk I attended was given by Paul Stone and he showed us how he reads your browsing history and pixels. This is amazing work. He examplified the significance of these attacks by showing how to obtain the Google+ profile information. His trick was to apply some obscure SVG filters to HTML elements. Based on the amount of time it took to do so, he could deduce whether the pixel was black or white. He leveraged that possibility to read source code by analysing properties of the fonts used and what key pixels exist to tell which character was rendered. So amazing. If you have time to only watch one talk, it should be this one.

The next talk on Burp was given by Nicolas Gregoire. I was not so impressed, because it was mainly a tutorial as to where to click to make it do $things. But I was told by people actually using burp that it was insightful and interesting.

Taras Ivashchenko from Yandex was talking about Content Security Policy (CSP). I was surprised to learn that Yandex have their own browser. And that their bigger service is mail. I thought it was search. The title of the talk promised an answer to the question whether the CSP was actually useful. He didn’t deliver though. But it gave an insight to how a big company with a well used web site deploys CSP. Unfortunately, he couldn’t tell how much effort it actually was and whether it was actually an economical decision.

He reminded us that the CSP was a second line of defense. It’s not a solution to broken code which does not escape properly. It’s merely a parachute to land safely in case you screwed up. I found it interesting that he mentioned ten contexts that one would potentially need to escape for. My conclusion is that JavaScript is probably the worst language to use on the Web as it offers only two escaping functions. And not even for the most important contexts like plain HTML. I’m curious to learn about all ten contexts. Another interesting idea he presented was that CSP may allow inline scripts if they are “signed”. The “signature” was a random string that is shipped with a header and the script element on the page must carry a “nonce” attribute with that random number.

Matryoshka was the theme of Eduardo Vela’s talk. The Google guy showed various hacks, one of them was “wrapping overflow leaks on frames (wolf)”. It was possible to get an idea of the word rendered on a page with mocking around with the page’s width and height. With the information about the dimension you could detect when a scrollbar was placed and hence can find out how wide the wrapped word was. He claimed that especially new performance APIs were going to create a whole lot of privacy related issues. Another problem was the lack of a JSON format validator, he said. Several problems such as deep array parsing would currently exist. If you serialise a big enough array, you could get into trouble, he said.

A great show was delivered by Mario Heiderich talking about the The innerHTML Apocalypse. He compared the three currently distinguished types of Cross-Site scripting (XSS), namely reflected, stored, and DOM-based XSS, with the three horsemen. The fourth horseman, he said, were “mXSS”, mutation-based XSS. Essentially it is circumventing HTML filter libraries by using mutations done by the web browser.

The problem, inappropriately shortened, was that people use “document.write” to inject elements into the DOM instead of using proper DOM APIs. But that is, he claimed, due to convenience. A call to “document.innerHTML” was so much easier than calling out to “createElement”, “addChild”, etc. And it is true. Too bad that, as we’ve learned earlier, using JavaScript is totally inappropriate to write web applications as it cannot even escape for the HTML context. Anyway, the browser is quite relaxed and accepts slightly malformed HTML. It will even do optimisations or transformations for you. Internet Explorer, for example, will happily drop quotes around arguments to HTML tags for you.

To make the long story short: CSS escapes are badly handled in many of the existing escaping libraries. So you could break out of the element’s contexts by cleverly using some CSS escape sequences. Also, SVG should be avoided at all costs. It’s a can of worms, he said. You could do so many evil things within SVG, like executing JavaScript, loading remote resources or accessing attributes.

OWASP AppSec Reseaerch EU 2013 was good fun. The location was absolutely fantastic. Probably the most noble venue I was at to have a conference. The organisation looked flawless and everything seemed to work out smoothly. Thanks for giving me the opportunity to meet great people. I hope to be able to do so for the next conference.

GUADEC 2013 in Brno

I also attended this year’s GUADEC and it was quite good. Especially because the weather was so nice. It was so burning hot that I sometimes wished it wasn’t; especially in the night… My room in the Taufer dormitories, whose service was basic at best, was heating up so heavily over the day that it took until 4 in the morning to be cool enough to be able to sleep. When opening the cold (!) water tap, the water was as warm as a mildly hot shower… But well, GUADEC is not about sleeping anyway, right? 😉

I was kept busy with various meeting before, while and after the conference and I piled up work lasting for a few months, I guess…

The conference itself was nicely organised. The bar was set quite high last year, so I didn’t expect this year’s team to match the overall quality. And they didn’t, but they were close. The staff was helpful and professional. Issues were dealt with promptly and quite well. I hope, again, that the knowledge gained can be transferred to future GUADEC organisers.

As for the talks, I couldn’t follow many of them. The ones I have seen were mostly great. We had (too?) many keynotes which were generally interesting. Too bad the crowd didn’t notice it was trolled by Ethan Lee. He is a game developer who ported games to Linux. The message was poor and I doubt we, GNOME, profited from this keynote. The next keynote was given by the CEO of Endless Mobile, a company which tries to leverage the potential of the “middle of the pyramid” to get the next billion users and “get 50% of the market share”. The idea is to bring a cheap enough, but also elegant enough device to the people who can afford a 40 inch TV (via loans) but not a PC. As they want to sell ARM devices, he asked us to make GNOME run better on ARM chips. Cathy Malmrose, CEO of computer manufacturing company zareason, was keynoting the last day. The company puts only GNU/Linux systems on their machines before shipping them to customers. The computers they sell range from desktops over laptops to tablets. She told us that we were quite well positioned, because GNOME was so easily usable by people who don’t have much or any experience with computers. That was very refreshing and I am happy that she told us that we were doing very well. She was opening a perspective many of us probably didn’t think about before. She was really enthusiastic about Free Software and my feeling was that she cared more about the Freedoms than many of the participants.

Other talks by members of the GNOME community were lively and one the most enjoying talks was given by the sysadmin team. It was nice to be able to applaud for them in person, because they are doing such a great job.

There were Twitter walls (hehe) in every room (supposedly made with QML) and I found it to be mainly distracting while at the same time not very informative. The news running over it were mostly not worth the electricity they consumed.

Anyway, thanks to the local team and all the sponsors for making such a great event happen! If you have anything to say, leave your feedback on the wiki.

Individuals contribute 20000 USD to make GNOME more secure and more privacy aware

I’m so excited. I’ve just pushed the last update to the current Friends of GNOME banner. We received donations worth 20000 USD to make GNOME more secure and privacy aware. It’s so awesome to see so many individuals donating to make GNOME better for them and ultimately for all of us.

We got 250 one-off payments and roughly 650 periodic payments from payment plans over the last 7 months. During that period, 52 payment plans were created with the average amount of 10 USD per month (the default setting). However, 51 plans were cancelled :-\ The one-off payments were worth 17600 USD and hence the average donation was about 70 USD.

Depending on how you do the math, the cost of taking the one-off donations was between 3.3% and 4.4%. I find that number surprisingly low, probably because I still can’t make sense out of PayPal’s fee structure. But there are probably some hidden fees that turn up once you actually want to do something with the money, i.e. have it wired somewhere.

A very big “Thank You” to all the donors who generously allow us to continue our mission to produce a Free Software desktop for everyone. You guys rock. Seriously.

The new GNOME board, which is already serving since the beginning of this month, will meet during GUADEC and probably call for bids some weeks later.

Finding Maloney

Every so often I feel the need to replace the music coming out of my speakers with an audio drama. I used to listen to Maloney which is a detective story with, well, weird plots. The station used to provide MP3 files for download but since they revamped their website that is gone as the new one only provides flash streaming.

As far as I know, there is only one proper library to access media via Adobe HDS. There are two attempts and a PHP script.

There is, however, a little trick making things easier. The website exposes a HTML5 player if it thinks you’re a moron. Fortunately, it’s easy to make other people think that. The easiest thing to do is to have an IPaid User-Agent header. The website will play the media not via Adobe HDS (and flash) but rather via a similar, probably Apple HTTP Live Streaming, method. And that uses a regular m3u playlist with loads of tiny AAC fragments 🙂

The address of that playlist is easily guessable and I coded up a small utility here. It will print the ways to play the latest Maloney episode. You can then choose to either use HDS or the probably more efficient AAC version.

$ python ~/vcs/findmaloney/maloney.py 
mplayer -playlist http://srfaodorigin-vh.akamaihd.net/i/world/maloney/04df3324-4096-4dd5-b7c3-6f9b904e3f91.,q10,q20,.mp4.csmil/master.m3u8

livestreamer "hds://http://srfaodorigin-vh.akamaihd.net/z/world/maloney/04df3324-4096-4dd5-b7c3-6f9b904e3f91.,q10,q20,.mp4.csmil/manifest.f4m" best

enjoy!

GNOME.Asia Summit 2013

This year’s GNOME.Asia Summit took place in Seoul, Korea. It’s my second GNOME.Asia Summit after the previous one in Hongkong and it’s again amazing to see how nice the local team put everything together.

Initially I thought I’ll go to Seoul straight from LinuxTag which would have been quite stressful. Unfortunately, LinuxTag didn’t happen for GNOME :-\ We lacked people to run the booth and it’s insane to try to run the booth with only two or three people over four days. So I went more or less straight to Seoul. Via CDG. So far I didn’t like that airport because it is huge and transfers between terminals are very slow and the terminals themselves rather poor in terms of infrastructure (power, seats, WiFi, shops). But terminal 2E was surprisingly nice. It’s got designeresque chairs to sit in, lots of power sockets, free WiFi, some shops, water fountains, and it’s generally airy. So thumbs up for that.

As for Seoul, things went surprisingly well. While i did organise this GNOME.Asia Summit to some extent I didn’t expect things to work out that nicely. The local team, which was pretty much unknown to me, was surprisingly big and they found a good venue and good sponsors.

Lemote gave us a few laptops to give away *yay*. A raffle was organized and the best speaker got the biggest machine. I didn’t win in the raffle, but I got a machine as the best speaker. It’s a Lemote Loongson. I don’t know yet whether it is what I need. I have a very underspecced Lenovo ideapad which barely runs GNOME. Running anything that requires memory is really dreadful. Yes Firefox, looking at you. And some things like Gajim, an XMPP client, don’t even work because the machine starts to swap so heavily that every TCP connection times out. Again and again. I have to explore whether the Lemote laptop performs any better. It’s MIPS after all. And according to Wikipedia the CPU alone draws 15W.

Anyway, the conference itself was good and I felt that it was bringing together people nicely. I hope that it relevant Korean businesses are happy, too. We will have to see though whether any measurable output has been generated.

The reactions to my talk about GNOME 3.8 were, as already mentioned, positive. To my surprise I have to say. I was still a bit tired and jetlagged, but from talking to people afterwards I know that I inspired some folks to take a closer look at GNOME. You can find my slides here.

I found a surprising large number of other talks interesting, too. Unfortunately, the aforementioned laptop died while taking notes so I can’t provided a nice summary. The most interesting thing I found was a talk about seafile. A Dropbox-like tool which sounds really good. But to be ready they have to fix some design problems like depending on a local webserver or not using established authentication and encryption protocols (think SSH).

I’m happy for the GNOME.Asia. May it prosper in the future. I hope we can gain some more sponsors for future editions of the event and also for GNOME. As other people already stated: I’d like to thank the GNOME Foundation for sponsoring my attendance at the conference. I’d also like to thank the conference sponsors for their support, including NIPA, Lemote, LG, Google, Linux Pilot, ONOFFMIX and Bloter.net.

RIP Atul Chitnis

I am sad to read that Atul Chitnis passed away at the age of 51. I met him several times during FOSS.in and it was a pleasure to meet the driving force behind that conference. While certainly being a controversial figure in the Free Software world, he did a lot of good things for our communities and ecosystems. Let’s hope the FOSS.in team takes the heritage and continues to make great events for India.

A journey to an updated Linux 18

Oh what joy this whole GNU/Linux thing brings. I took a few days off to upgrade my machines. I had the pleasure to update one laptop twice, i.e. from the Ubuntu 12.04 LTS to the current 13.04 and a desktop from Fedora 17 to Fedora 18.

The Laptop was almost easy. It took long time for the system to install packages. And there are stupid dialogues to confirm which block the whole process. Not very nice. I let it run for a couple of hours, everything went more less fine until I couldn’t log in anymore. LightDM saved my GNOME preference but there was no gnome-session left. So I went to the console and got myself ubuntu-gnome-desktop (arr. stupid wordpress doesn’t render apt:// links).

The second update from 12.10 to 13.04 took as long as the first, with nothing noteworthy happening. Interestingly though, it didn’t want to install the 13.04 unless being told to install a “development release”. Bollocks.

Anyway, Ubuntu’s GNOME runs almost nicely on my tiny laptop. GNOME-Shell is very slow when it comes to alt-tab. It takes three or four seconds to switch a window. Distraction free computing at its best.

The Fedora desktop is full bucket of joy. The FedUp utility keeps what it promises. It’s surprisingly refreshing. This time, the whole upgrade procedure worked flawlessly. No really! In 2013! I’m amazed. It only took a while for it to fetch everything but then a reboot straight into the upgrade system made the magic happen. Very cool.

Not so cool was the surprise of the machine not booting. Of course. Systemd hung somewhere in NFS related daemons and bailed out because they failed. The old GRUB menu entry booted a little further, just until sendmail, and enabled me to investigate.

Sendmail could not be brought up, because “-bd is not supported by sSMTP”. Right. I have sSMTP installed. And to make a long story short, something did place an init script in /etc/rc.d/init.d/. And that script failed now. NOW. After a couple of years. It was probably never used but got activated with the migration to systemd. Anyway, you might want to delete your stray init scripts and eventually get rid of the packages altogether.

Then GDM wouldn’t come up. Only flicker. It took me a while to find the relevant log files (thinking that everything was in the Journal by now…) but grepping for the usual “EE” and “WW” didn’t reveal much.

# grep -r -e EE -e WW /var/log/gdm/
/var/log/gdm/:5.log.1: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/gdm/:5.log.1:Initializing built-in extension MIT-SCREEN-SAVER
/var/log/gdm/:5.log.1:(WW) Falling back to old probe method for vesa
/var/log/gdm/:5.log.1:(WW) Falling back to old probe method for modesetting
/var/log/gdm/:5.log.1:(WW) Falling back to old probe method for fbdev
/var/log/gdm/:5.log: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/gdm/:5.log:Initializing built-in extension MIT-SCREEN-SAVER
/var/log/gdm/:5.log:(WW) Falling back to old probe method for vesa
/var/log/gdm/:5.log:(WW) Falling back to old probe method for modesetting
/var/log/gdm/:5.log:(WW) Falling back to old probe method for fbdev
/var/log/gdm/:1.log.2: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.

But. There were also the logs for the “slaves”. They contained:

gdm-simple-slave[1030]: WARNING: Failed to give slave programs access to the display. Trying to proceed.
gdm-launch-environment][1046]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
gdm-launch-environment][1046]: pam_unix(gdm-launch-environment:session): session closed for user gdm
gdm-simple-slave[1030]: GLib-GObject-CRITICAL: g_object_ref: assertion `object->ref_count > 0′ failed
gdm-simple-slave[1030]: GLib-GObject-CRITICAL: g_object_unref: assertion `object->ref_count > 0′ failed

And there was a hint given by systemd:

# systemctl status gdm --full gdm.service - GNOME Display Manager Loaded: loaded (/usr/lib/systemd/system/gdm.service; enabled) Active: active (running) since Fr 2013-05-03 12:22:04 CEST; 9s ago Main PID: 1843 (gdm-binary) CGroup: name=systemd:/system/gdm.service └─1843 /usr/sbin/gdm-binary

Mai 03 12:22:07 bigbox gdm[1843]: gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.510350 seconds Mai 03 12:22:07 bigbox gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.510350 seconds Mai 03 12:22:07 bigbox gdm-simple-slave[1997]: WARNING: Failed to give slave programs access to the display. Trying to proceed. Mai 03 12:22:08 bigbox gdm-simple-slave[1997]: GLib-GObject-CRITICAL: g_object_ref: assertion `object->ref_count > 0' failed Mai 03 12:22:08 bigbox gdm[1843]: gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.507905 seconds Mai 03 12:22:08 bigbox gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.507905 seconds Mai 03 12:22:08 bigbox gdm-binary[1843]: WARNING: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors Mai 03 12:22:08 bigbox gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.509609 seconds Mai 03 12:22:08 bigbox gdm[1843]: gdm-binary[1843]: WARNING: GdmLocalDisplayFactory: maximum number of X display failures reached: check X server log for errors Mai 03 12:22:08 bigbox gdm[1843]: gdm-binary[1843]: WARNING: GdmDisplay: display lasted 0.509609 seconds

Aha! There is the problem! But.. what is it? No indication whatsoever. Not even a tiny hint as to where to look next.

I decided to make baby steps and tried to bring up X on my own. My computer liked “X”. But it didn’t “startx”. That in turn revealed a missing library. libicule.so.48. But the current version is .49. Why on earth would something try to link against an old version? “yum distro-sync” proves me right that my packages are up to date. I thus set out to find the weird library causing me trouble. But there were many!

# ldd /lib64/libgailutil-3.so | grep not libicule.so.48 => not found libicuuc.so.48 => not found libicudata.so.48 => not found

I thought I got rid of them by doing

for f in /lib64/*.so; do ldd $f | (grep -q “not found” && echo $f); done | xargs yum remove -y

but that didn’t help. The ldd resolves symbols recursively but I really want to know the symbols needed by the library itself, not its dependencies. Readelf comes to mind. And after chasing a few libraries manually, I was tired so I came up with

for lib in $(cat /tmp/libs); do echo $lib; for l in $(readelf -d /lib64/$lib | grep NEEDED | cut -d[ -f2 | cut -d] -f1); do echo $lib: $l; done; done | less

which showed nicely which library the culprit was.

It was /lib64/libharfbuzz.so.0 from harfbuzz-0.9.13-1.fc20.x86_64. Where does this package come from, you may ask. So did I. I didn’t know how to make yum tell me, but I found out that it belonged to the F17 texlive repository.

Interestingly enough, yum check told me that there was a problem but couldn’t handle it. The solution, very similar to the command above, but with an important difference:

yum --disablerepo texlive distro-sync

Hope this will be useful to someone in the future. Chances are quite good.

Scale Text to the maximum of a page with LaTeX

Being confronted with having to produce a simple poster that holds just a few letter but prints them as big as possible, I found myself needing to scale text (or a letter) on a page.

At first, I found \scalebox, which unfortunately takes a scaling factor, and not two dimensions. Instead of trying to do math, I found \resizebox which does take dimensions (width and height).

You could think that simply scaling up to the \textwidth is enough, but it’s not as you can see from the following “l” which was typeset using this code:

\documentclass[
landscape,
a6paper,
]{scrartcl}
\usepackage[pdftex]{graphicx}
\usepackage{palatino}
\begin{document}
\resizebox{\textwidth}{!}{l}%
\end{document}

And here’s the result:

So the character doesn’t scale well in the sense that if it is too narrow, it would grow too tall. Unfortunately, it doesn’t automatically keep the aspect ratio and it doesn’t take such an argument as \includegraphic does. Fortunately, you can still make it keep the aspect ratio by globally setting the appropriate flag! So the following will work as expected:

\documentclass[landscape]{minimal}
\usepackage[showframe,a4paper]{geometry}
\usepackage{graphicx}
\setkeys{Gin}{keepaspectratio}

\newcommand{\vstretch}[1]{\vspace*{\stretch{#1}}}
\usepackage{palatino}
\begin{document}
\resizebox{\textwidth}{\textheight}{l}%
\end{document}

Another last thing is then multiline and centered output. The awesome people over at texexchange have a solution:

\documentclass[landscape]{minimal}
\usepackage[showframe,a6paper]{geometry}
\usepackage{varwidth}
\usepackage{graphicx}
\setkeys{Gin}{keepaspectratio}

\newcommand{\vstretch}[1]{\vspace*{\stretch{#1}}}
\usepackage{palatino}
\begin{document}
\topskip0pt
% This seems to fully work
\vstretch{1}
\centering\noindent\resizebox*\textwidth\textheight{\begin{varwidth}{\textwidth}%
\centering%
foooooooooooooooo

\centering
bar%
\end{varwidth}}

\vstretch{1}

\pagebreak
% Trying to other method with the table
\vstretch{1}
\centering\noindent\resizebox*\textwidth\textheight{\begin{varwidth}{\textwidth}%
\begin{tabular}{@{}c@{}}
foooooooooooooooo\\

bar
\end{tabular}%
\end{varwidth}}
\vstretch{1}

\end{document}

And the rendered result:

20th DFN CERT Workshop

I was fortunate enough to be able to attend this year’s DFN Workshop which happened to be an anniversary as the event turned 20. Needless to say that I didn’t make all 20 😉 Well, I did a few anyway.

The keynote was surprisingly political. Marcus J. Ranum (Tenable Network Security) talked about Cyberwar – A Matter of Logistics and Privilege and made witty and thoughtful points. So he asked questions such as whether Stuxnet was an act of terrorism and whether its victims could sue the US to get their damages reimbursed. Highly interesting subject, highly interesting speaker.

Jan Ole Malchow presented “distPaste”, a HTML 5 based webapp that uses all the browsers to store data. So a distributed storage. Might be related to the fun project FillDisk.com.

Jens Liebchen from the awesome Redteam Pentesting did again a nice presentation this year. They got a new “Multi Function Printer” like a Canon C5051i (so a huge thing…) and had certain requirements regarding its security. He presented a threat model and shared some insights he gained while dealing with the vendor, and, more importantly, after having analysed the machine himself. It turns out that the device has a regular hard drive and runs some flavour of Linux with a big BLOB for their services. However, data was found to be spread over the partitions even though they bought a licence for “secure deletion” of data. They, rightfully, did not expect to find traces of their print or scan jobs. He mentioned that the security properties of such devices were not assessed yet. So there are loads of toys to play with.

Also funny was the work of Benjamin Kahler and Steffen Wendzel who did “Wardriving against building automation“. Basically, the question was how easy it is to break into a network and remote control the building, i.e. open doors and windows. Turns out, there are standard products which are not well secured and the deployment is usually not done properly either, so that network boundaries either don’t exist or can be passed easily.

The security of Android-App’s SSL/TLS usage was presented by Matthew Smith. They examined many many “Apps”, decompiled them and statically analysed how well they handle various conditions when building up a TLS connection. Apparently, many programs just do not care about the security properties of their TLS connection so that they just disable the verification of the certificate chain. The model is said to be too complex and too burdensome to set up during development. They also recommended to introduce a new privilege, namely sending data unencryptely. So that a user could select that an application must not transfer data as plain text.

Besides listening to the talks and chatting to people, I tried to get on the wireless in the hotel. Turns out, they interfere with your traffic, i.e. they block everything and redirect your web traffic to present you a landing page from which you are supposed to log in to the gratis wireless. The credentials to be entered were the room number and the last name of a guest of that room. Well, given the speakers and attendees list (or some knowledge of popular names in the region) it seems easy enough to just poke some data in and hope for the best. Or, instead of doing that manually, have a program doing that for you. Voila, je vous presente “petitelysee”. A simple Python script to try to log in to a landing page. As I’ve said, it’s the result of three hours or so work. So it’s not very nicely done and I obviously didn’t try it out. It has just been coded in a way that I *think* might work.

GNOME.Asia 2013 is now Calling for Papers

A shameless copy from over there:

GNOME.Asia 2013 is calling for papers. GNOME.Asia Summit is Asia’s GNOME user and developer conference, spreading the knowledge of GNOME across Asia. The conference will be held in NIPA Business Center, Sangam-dong Seoul, Korea on May 24 -25, 2013. The conference follows the release of GNOME 3.8, helping to bring new desktop paradigms that facilitate user interaction in the computing world. It will be a great place to celebrate and explore the many new features and enhancements to the ground breaking GNOME 3 release and to help make GNOME as successful as possible.

Call for Papers

Submit a Talk!

Important Information

The deadlines:

Submission: March 8th, 2013
Notification of Acceptance: March 15th, 2013

Conference:

Conference Date: May 24th – 25th , 2013
Venue: Nuritkum Square – Business tower(3F, 4F), Sangam-dong 1605, Mapo-gu, Seoul, Korea

Main Topics

Possible topics include, but are not limited to

How to Promote/Contribute to GNOME in Asia
- GNOME Marketing
- Promotion of Free and Open Source Software
- How to run a Local GNOME User Group
- Asia Success Stories/Local GNOME Projects
- GNOME and Education
- GNOME Outreach Program for Women
- Google Summer of Code
Hacking GNOME
- Lastest Development in GNOME
- GNOME 3 & GNOME 3 Usability
- GNOME Human Interface Engineering (Icons and Graphic Design)
- Bugsquadding in GNOME
- GNOME Accessibility
- GNOME 3 Coding How-to
Adapting GNOME to New Types of Devices
- Develop GNOME on mobile device, like smart phone, tablet PC
- Develop GNOME on embedded system or open source hardware
- On-going Projects, Success Stories
- Find FOSS Friendly Hardware Manufacturers
Localization & Internationalization
- Translation
- Input Methods
- Fonts
Other topics

Any topics related to free and open source which are not listed above is still welcome.

Lightning talks

A five-minutes presentation to demonstrate your work or promote an interesting topic. Reservation and on-site application are both accepted.

A standard session at GNOME.Asia 2013 will be scheduled as 45 mins (35 mins talk + 10 mins Q&A). Please take into consideration any time you will need for preparation. The session could be a technical talk, panel discussion, or BOF.

If you’d like to share your knowledge and experience at GNOME.Asia 2013, please fill in the form at http://2013.gnome.asia/cfp before March 8th, 2013. Please provide a short abstract about your proposal (under 150 words). Include your name, biographical information, a photo suitable for the web, a title, and a description of your presentation . The reviewing team will evaluate the entries based on the submitted abstracts and available time in the schedule. You will be contacted before March 15th, 2013 on whether your submission has been accepted or not.

All interested contributors are highly encouraged to send in their talks. Please help us to spread the invitation to other potential participants. Even you do not plan to be a speaker, please consider joining GNOME.Asia 2013. This is going to be a great event!