This post contains the notes that I took during FOSDEM 2026. The big new topics this year seemed to be AI & digital sovereignty. But of course the main subject matter of the conference will always be beer open source.

The following notes are some ramblings combining what the speakers said and thoughts I had while listening. I took them for future reference and decided to publish them because 🤷 why not.

Notes on day 2.

Stands

It’s always fun to see the myriad of OSS projects having a stand at FOSDEM. After coming here for a few years I had seen most of them already, so I did not spend too much time browsing around. I did make sure that I picked up some stickers of course!

I did learn about privacyIDEA, “a modular authentication server”. Honestly I am not exactly certain what it is; it’s not an IdP like Keycloak but focuses only on MFA. It seems like a way to centrally manage (hardware) tokens & keys for organisations.

The radio amateurs had an interesting stand as always and I was reminded that hamcon will take place later this year.

Main track on desktops

Photo: speaker with a slide that says “My grandma is now a Linux user” (picture actually taken on day 2).

Wayland compositors for fun and profit

Turns out that building a Wayland compositor can be fun and apparently easy because of existing Rust libraries. Wayland can even work on the small screen of the Turris open source router.

KDE at 30: Still looking ahead

🤔 I have always loved the KDE desktop, but I keep switching between KDE & GNOME (at the time of writing I’m on GNOME). Maybe I should consider switching again, and maybe try NixOS as a desktop distro.

I learned some new things, such as that KDE started in Germany and that KHTML started as a KDE project and became WebKit over time, which is now used a lot by Apple.

KDE hardware: Slimbook, Steam Deck.

End of 10 campaign: not all old Windows 10 devices need to be thrown away.

Plasma Mobile 6: Difficult to install on mobile because of protected hardware. Some new device called Mecha?

Plasma bigscreen is still a thing.

Linux on the Desktop – Why Digital Sovereignty Starts Here

For organisations that we work with/for, it’s important to achieve digital sovereignty: to avoid price gouging, to have freedom of choice, and decentralization.

Linux Client Management: Foreman, Config management (SaltStack, Ansible, …), GitOps.

OpenDesk: ZenDiS (German government digital sovereignty agency) office suite. Existing FOSS tools such as Univention for identity management and Nordeck for video conferencing.

An EU OS?

Securing enterprise Linux: antivirus & disabling USB device access.

🤔 Is ClamAV actually useful on a Linux desktop? Because AFAIK it mostly searches for fingerprints of Windows viruses.

Challenging to integrate with proprietary software. No fully sovereign solution at the moment.

Immutable OS is nice to have: secure, easy to manage.

Sovereign IDM, Himmelblau from Samba: seamless Azure Entra ID and Intune integration for Linux.

Security Devroom

All your keyboards are belong to us

Van Eck phreaking: signal leakage, live demonstration on the BBC YouTube: BBC Tempest, skip the Shakespeare part, demo of stealing the contents of a PC monitor.

Tempest: A signal problem

Books: Spy Catcher & The SPY in Moscow station.

Typewriter noise can be used to determine text; soundproofing helps the attacker by improving the signal to noise ratio.

Skype-Type: keyboard acoustic eavesdropping tool during a call. Nowadays difficult due to noise filters.

Markus G. Kuhn: Large paper on emissions

Recording of the rest of the talk on DEF CON.

The invisible key: Securing the new attack vector of OAuth tokens

Hackers don’t break in, they log in.

Corey Nachreiner (probably)

You can’t apply conditional access to tokens. 🤔 Is that not what the Shared Signals Framework tries to solve?

Five major concerns:

  • Longevity of token and forgotten access
  • Scope / privilege creep
  • Supply chain risk: the domino effect
  • Token leakage
  • Revocation gaps and offboarding failure: offboarding a user does not mean offboarding a token.

Common attack vectors, such as those seen during the attack on Salesforce, by gangs like Scattered Spider and ShinyHunters. Attacks still often involve social engineering.

How to avoid: audit OAuth apps, centralize logs, use canary tokens.

Stop granting overprivileged permissions to applications.
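The five concerns and the “audit OAuth apps” advice above turn quite naturally into a periodic check over an inventory of grants. The script below is an added example, not code from the talk or the speaker: it walks a constructed list of grants and flags long-lived tokens, tokens nobody has used recently, scopes that grew beyond what the app was approved for, third-party apps holding write or admin scopes (the supply-chain domino), and tokens that survived the offboarding of their user. The app names, scopes and thresholds are all hypothetical.

```python
"""Added example (not from the talk): audit a constructed inventory of OAuth
grants for long-lived and forgotten tokens, scope creep, third-party
(supply-chain) exposure and offboarding gaps. All names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical baseline: the scopes each app was approved for at onboarding.
APPROVED_SCOPES = {
    "ci-runner": {"repo:read"},
    "crm-sync": {"contacts:read", "contacts:write"},
}


@dataclass
class Grant:
    user: str
    app: str
    scopes: set
    issued_at: datetime
    last_used: Optional[datetime]
    user_active: bool   # False once HR / the IdP has offboarded the user
    third_party: bool   # app is operated outside the organisation


def audit_grants(grants, now, max_age_days=90, idle_days=30):
    """Return a list of (user, app, kind, detail) findings."""
    findings = []
    for g in grants:
        age = (now - g.issued_at).days
        if age > max_age_days:  # longevity: the token outlived its purpose
            findings.append((g.user, g.app, "LONG_LIVED", f"issued {age} days ago"))
        idle = None if g.last_used is None else (now - g.last_used).days
        if idle is None or idle > idle_days:  # forgotten access
            detail = "never used" if idle is None else f"idle for {idle} days"
            findings.append((g.user, g.app, "FORGOTTEN", detail))
        extra = g.scopes - APPROVED_SCOPES.get(g.app, set())
        if extra:  # scope / privilege creep relative to the approved baseline
            findings.append((g.user, g.app, "SCOPE_CREEP",
                             "unapproved scopes: " + ", ".join(sorted(extra))))
        if g.third_party and any(s.endswith(":write") or s.startswith("admin:")
                                 for s in g.scopes):
            # supply chain: a compromise of the vendor cascades into our data
            findings.append((g.user, g.app, "SUPPLY_CHAIN",
                             "third-party app holds write/admin scopes"))
        if not g.user_active:  # revocation gap: user gone, token still valid
            findings.append((g.user, g.app, "OFFBOARDING_GAP",
                             "user is offboarded but token still valid"))
    return findings


def findings_by_user(findings):
    """Collapse findings into {user: set(kinds)} for reporting."""
    by_user = {}
    for user, _app, kind, _detail in findings:
        by_user.setdefault(user, set()).add(kind)
    return by_user


NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [  # constructed data, not real grants
    Grant("alice", "ci-runner", {"repo:read"},
          NOW - timedelta(days=10), NOW - timedelta(days=1), True, False),
    Grant("bob", "crm-sync", {"contacts:read", "contacts:write", "admin:all"},
          NOW - timedelta(days=200), NOW - timedelta(days=100), True, True),
    Grant("carol", "ci-runner", {"repo:read"},
          NOW - timedelta(days=40), NOW - timedelta(days=2), False, False),
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, NOW):
        print(finding)
```

In practice the grant list would come from the IdP or the platform’s OAuth app inventory and the baseline of approved scopes from the onboarding review; the point is that each of the five concerns is a query you can run, not just a slide.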

Conditional access requires support on the browser? (🤔 not sure what the speaker meant with this).

Use mTLS for a certificate-bound client credentials flow, or DPoP.
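What DPoP buys you is that a leaked bearer token is useless without the client’s private key: the access token carries a thumbprint of the client key in its cnf.jkt claim and every request carries a proof JWT signed with that key. Below is an added example, not from the talk, of the checks a resource server does after a JOSE library has validated the proof’s signature: the JWK thumbprint per RFC 7638, the binding to the token (DPoP is RFC 9449), and the htm/htu/ath claims that tie the proof to this exact request. Signature validation and jti replay tracking are assumed to happen elsewhere, and the key coordinates are placeholders, not real curve points.

```python
"""Added example (not from the talk): resource-server side checks for a
DPoP-bound access token (RFC 9449) using an RFC 7638 JWK thumbprint.
Signature verification of the proof is assumed done by a JOSE library;
the JWKs below are constructed placeholders, not real keys."""
import base64
import hashlib
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: the required members per key type (lexicographic).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(JSON of required members only, sorted, no whitespace))."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_dpop_binding(access_token, token_claims, proof_header, proof_claims,
                       method, url):
    """Return (ok, reason). Caller has already verified both signatures."""
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "access token carries no cnf.jkt (not DPoP-bound)"
    if proof_header.get("typ") != "dpop+jwt":
        return False, "proof typ is not dpop+jwt"
    if jwk_thumbprint(proof_header["jwk"]) != jkt:
        # A stolen token replayed with a different key fails right here.
        return False, "proof key does not match the key the token is bound to"
    if proof_claims.get("htm") != method:
        return False, "htm does not match the request method"
    if proof_claims.get("htu") != url:
        return False, "htu does not match the request URL"
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if proof_claims.get("ath") != expected_ath:
        return False, "ath does not hash to the presented access token"
    return True, "token is bound to the proof key"


# Constructed placeholder keys (not valid curve points); kid is ignored by
# the thumbprint because it is not a required member.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "CLIENT-X-PLACEHOLDER",
              "y": "CLIENT-Y-PLACEHOLDER", "kid": "client-key-1"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "OTHER-X-PLACEHOLDER",
             "y": "OTHER-Y-PLACEHOLDER"}
ACCESS_TOKEN = "constructed.access.token"
TOKEN_CLAIMS = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
URL = "https://api.example.com/v1/contacts"  # hypothetical endpoint


def make_proof(jwk, method, url):
    """Header and claims of a DPoP proof for one request (signing omitted)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"htm": method, "htu": url,
              "ath": b64url(hashlib.sha256(ACCESS_TOKEN.encode("ascii")).digest())}
    return header, claims


if __name__ == "__main__":
    hdr, clm = make_proof(CLIENT_JWK, "GET", URL)
    print(check_dpop_binding(ACCESS_TOKEN, TOKEN_CLAIMS, hdr, clm, "GET", URL))
```

The thumbprint canonicalisation is the part people get wrong: only the required members go in, sorted, with no whitespace, so kid, alg or use in the JWK must not change the result.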

IPSIE, which is the OpenID working group tackling shared signals.

Dynamic Bot Blocking with Web-Server Access-Log Analytics

You don’t have to use Cloudflare for bot detection.

Tempest-tech.com

DDoS protection & web security

Fingerprinting of user agents: JA3/JA4, p0f, tempest.

Log shipping to ClickHouse.
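The talk’s point that you can do this yourself from the access logs is easy to show in miniature. The script below is an added example (not from the talk or from tempest-tech) that parses combined-format access log lines, skips anything malformed, and scores each client on three signals a self-hosted bot blocker would start with: a burst of more than N requests inside a sliding window, a high ratio of 4xx responses, and a scripted or missing User-Agent. The log lines are constructed (TEST-NET addresses); the thresholds and UA prefixes are hypothetical. Shipping the parsed records to ClickHouse and running the same aggregations as SQL is the natural next step.

```python
"""Added example (not from the talk): score clients from constructed
web-server access logs (combined log format) for rate, error ratio and
scripted user agents. Thresholds and UA prefixes are hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hypothetical list of UA prefixes that are plainly automated clients.
SCRIPTED_UA_PREFIXES = ("python-requests", "curl/", "go-http-client")


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, window_s=10, max_requests=10, max_error_ratio=0.5, min_for_ratio=5):
    """Return {ip: [reasons]} for clients that look automated or abusive."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:  # malformed lines are skipped, not trusted
            per_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # Sliding window: more than max_requests within any window_s seconds.
        window = deque()
        for r in recs:
            window.append(r["ts"])
            while (r["ts"] - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) > max_requests:
                reasons.append("rate")
                break
        # Error ratio: mostly 4xx answers once we have enough requests to judge.
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        if len(recs) >= min_for_ratio and errors / len(recs) > max_error_ratio:
            reasons.append("error_ratio")
        # Scripted or missing User-Agent.
        if any(r["ua"] in ("", "-") or r["ua"].lower().startswith(SCRIPTED_UA_PREFIXES)
               for r in recs):
            reasons.append("scripted_ua")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def _line(ip, second, path, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [01/Feb/2026:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
SAMPLE_LINES = (  # constructed data
    [_line("198.51.100.7", s, p, 200, BROWSER_UA)
     for s, p in ((0, "/"), (4, "/about"), (9, "/contact"))]
    + [_line("203.0.113.5", s, f"/probe-{s}.php", 404, BROWSER_UA) for s in range(12)]
    + [_line("192.0.2.9", s, "/api/status", 200, "python-requests/2.31") for s in (0, 30)]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LINES).items():
        print(ip, reasons)
```

Blocking on the scripted-UA signal alone would hit your own monitoring and legitimate API clients, so treat it as a score contribution and block on the rate and error-ratio signals, ideally for a short, expiring period.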