Keeping FreePBX Secure: A Walkthrough of Finding and Mitigating Vulnerabilities
FreePBX is a key component of many VoIP deployments, making its security essential. This session covers real-world vulnerability discovery, responsible disclosure, and remediation based on Horizon3.ai's research.
Keynote - United Against the Exploit
In this keynote, Farzan Karimi draws on nearly two decades of experience leading offensive and defensive security teams at organizations including Google, Microsoft, Electronic Arts, and Moderna to explore what happens after the exploit, when human behavior matters more than technical skill. From red team operations that triggered internal friction, to incidents that escalated into arrests through cross-functional trust, this talk explores why the most dangerous zero-day in modern enterprises is not always found in code.
Keynote: Privacy’s Defender - Fighting Digital Surveillance for over Thirty Years
Join Cindy Cohn, Executive Director of the Electronic Frontier Foundation, for a SCaLE 2026 keynote presentation.
Keynote: Software Distribution Now And Then - Why And How The Internet Changed Everything
Imagine transferring data and software from one computer to another in the 1970s, before the Internet. What media could one use, and how did transfers occur? This talk provides a glimpse into the technology of that world, and highlights how it affected the process of software transfer.
The advent of the Internet completely changed software transfer and enabled the open source movement. The increased speed of transfer only forms part of the story. The talk will outline significant advances that the Internet introduced, and describe how they enable the efficient software distribution scheme that we now enjoy.
Keynote: Toward a Secure and Sustainable Open Source Supply Chain
Open source software is foundational to modern development and runs at the core of Microsoft’s platforms, cloud services, and engineering workflows. Over time, Microsoft has evolved from consuming open source to actively contributing to and helping sustain the ecosystem. As reliance on open source has grown across the industry, so have the risks. Attacks targeting repositories, build systems, package registries, and dependency chains have shown that supply chain security is now a practical concern for every developer and organization. In this talk, Mark Russinovich begins with Microsoft’s open source journey and then examines the open source supply chain end to end, highlighting the role of the Open Source Security Foundation (OpenSSF) and initiatives in strengthening trust across the ecosystem.
Launching Your First Home Server
This session will guide participants through the essential steps of setting up Docker on a fresh server installation. Attendees will learn how to deploy a simple application within Docker containers, link a custom domain, and secure their server with Tailscale, a modern VPN solution. By the end of the demonstration, participants will gain practical skills in application deployment and private networking, empowering them to enhance their projects and professional environments with modern technologies. Whether you’re a novice or seasoned user, this session offers valuable insights into containerization and secure application management.
Learning the Language of Privacy: Language Learning Apps and Privacy
Language learning apps are used by millions of people around the world. Many of these apps operate on a freemium model and pay for their free versions with ads. The infrastructure for these ads can possibly bleed into the infrastructure of the paid versions. This study seeks to verify, using open-source tools, that the paid versions of Duolingo, Busuu, and Memrise are not broadcasting user data to advertisers.
Leveling Up Your Documents, Presentations, and the Web with Scribus
A hands-on guide to successful document design with Scribus, the free-software desktop-publishing application. We'll make Scribus's distinctive tools and workflows accessible to users accustomed to office suites like LibreOffice and HTML+CSS design on the web. Get started with DTP, or learn how to tackle bigger and more professional-level document design and publishing.
Leveraging LLMs on embedded Devices
Leveraging LLMs (Large Language Models)/machine learning in an embedded environment can be riddled with surprises and challenges due to differences between embedded devices and expectations. This session will look at challenges encountered by an embedded developer evaluating LLMs on an embedded Linux device, along with trade-offs in trying to fit an open LLM on an embedded device. The challenges will be illustrated with data from different attempts on embedded Linux. A combination of both hardware and software will be looked at to address the challenges.
Magical Mystery Tour: A Roundup of Observability Datastores
In this talk, Joshua will share his insights and experiences with OpenTelemetry, an open-source project that offers protocols, APIs, and SDKs for collecting metrics, traces, and logs from applications and services. He will cover the comprehensive toolkit provided by the OpenTelemetry community, including language SDKs, the Collector, and the OTLP formats for metrics, traces, and logs.
He will demonstrate how to instrument and monitor a microservices application running on a Kubernetes cluster, utilizing the full potential of OpenTelemetry. Attendees will learn how to use powerful open-source tools like Jaeger and Prometheus to effectively analyze telemetry signals from their applications.
By the end of this session, attendees will have a solid understanding of how to implement OpenTelemetry in their projects, enhancing their debugging and observability practices. Join us as we delve into the world of OpenTelemetry, unlocking the capabilities of this powerful technology for your development needs.
Mastering NixOS Integration Tests: VMs and Containers in end-to-end tests and Advanced Debugging
Update your testing skills with the latest features of the NixOS Integration Test Driver! In this hands-on session, we will move beyond standard VMs to explore the new Container backend for high-speed, low-overhead testing. Learn to debug flaky tests by freezing the sandbox, utilize VSOCK for interactive shells, and set up GPU-enabled tests. Whether you are a maintainer or a DevOps engineer, you will leave with the code to build robust, cost-effective CI pipelines.
Meet EFF Threat Lab's APK Downloader
To track state-sponsored malware and combat the stalkerware of abusive partners, you need tools. Safe, reliable, and fast tools. For the dark corners of the Android ecosystem, we couldn’t find a good tool to download packages on the command-line. So we made one.
Rather than just solve our own problem, we decided to make our new tool, apkeep, generically useful for everyone. We also wanted it to be reliable, safe, and fast. So writing it in async Rust made a lot of sense, and allowed us to deploy to a wide range of architectures and platforms. But we wanted to download not only from Google Play, but other app stores as well. And supporting these often necessitated employing Android reverse engineering techniques and dynamic analysis to look at real-time traffic being sent over HTTPS.
This talk aims to introduce apkeep as a tool, explore some of the novel obstacles we faced in building out this tool, and show some of the results of those who have incorporated it into their toolboxes.
Meet, Greet, Repeat. Networking Skills for Maximum Impact
You could be watching a training video in your pajamas, but you chose to be here because you want real, lasting connections that can transform your career. In a world where AI blurs reality, face-to-face networking gives you an edge that online courses can’t match. Whether you’re an introvert or an extrovert, this session will help you set a conference goal and turn networking from daunting to delightful. We’ll cover how to keep conversations going, exit gracefully, and make connections that last, with practical tips and interactive exercises that boost your confidence and help you make the most of every event.
Metrics As Music: an Open Source Symphony
Some have dreamed of the day where we can plug our complex systems into stereo speakers and know when there's trouble just by listening to the result. Monteverdi is a new Open Source platform that rethinks Observability and gets us closer to the dream.
This talk is a tour of application features, the pattern matching algorithm, a modular Plugin system that enables MIDI output, the TDD-based approach in Golang, and a look at its own metrics in OpenTelemetry. Along the way we dig into technical details like using GitHub Actions with GoReleaser to publish separate objects, or how it can be extended with Plugins to employ AI. The app will be displayed live and demoed, making sound through a MIDI device and DIY setup, using live system metrics to power the music.
Migrating to OpenTelemetry
Migrating existing services to OpenTelemetry is rarely just a “drop-in” change—especially when you’re trying to standardize across teams with different stacks, maturity levels, and release rhythms. This talk covers the practical challenges we hit while moving to OpenTelemetry at scale, and how we addressed them with a home-grown, self-service solution built on Pulumi.
Modernizing local storage management for systemd services
The storage directory settings in systemd help define where services store their data. Two important features have been implemented for these directories. The first one is id-mapped mounts, which is a filesystem feature that allows a mount namespace to show a different UID than what is stored on a file. Storage directories now support id-mapping, so that the files within the mount namespace of a service defined with DynamicUser=yes are owned by its unprivileged UID/GID. The second feature is storage quota support. Storage limits can now be defined in terms of percentages or absolute values to enforce quotas on the consumption of State, Cache, and Logs directories. These features enhance the security and resource management of systemd services.
Multi-architecture applications on Kubernetes and ArgoCD: Why and How
Arm64 instances offer the best price/performance on every cloud these days, but application migration can be a bit scary for the uninitiated. This presentation will walk you through the basics of why and how to migrate applications to multi-architecture Kubernetes clusters.
In this presentation, we will run through the basics of how to start running your Kubernetes applications on hybrid arm64 and x86 clusters, including:
- Why add Arm64 compute nodes to your Kubernetes clusters?
- Building multi-arch container manifests
- Workload placement and orchestration in Kubernetes
- Easing migration with continuous delivery patterns
By the end of this presentation, you will have the confidence to build and run your own applications on the fastest growing architecture for cloud deployments.
My 2-Mile Particle Accelerator X-ray Laser Runs Linux
SLAC National Lab uses particle accelerators to run the world's most powerful X-ray laser. We also process Vera C. Rubin Observatory images - the largest-ever astronomy dataset. This talk is an infrastructure-focused introduction to Scientific Computing. Learn about how open source is at the core of how we collect, store, and process data for cutting-edge scientific research.
My Smart Cabin in the Woods
I never had a need for home automation, until I got a cabin in the woods. I wanted a simple camera security system, sensors, and other automation so I could monitor my cabin when I wasn't there, and tell whether I remembered to lock the door! I wanted control over my personal data, so I went with Home Assistant, open source home automation software that's easy to use, can run from a Raspberry Pi, doesn't depend on cloud services, and has wide compatibility with home automation hardware.
In this talk I will explain how I set up Home Assistant to monitor my cabin including camera security, remote sensors, and how to set up alerts to keep me up to date on the family of foxes that visit my property.
MyTerms: Eradicating cookies and allowing us to set datasharing terms
Doc Searls, co-founder of Customer Commons and lead of the IEEE P7012 “MyTerms” effort, explains how machine-readable personal privacy terms can flip the script so sites accept user-set terms, replacing opaque cookie banners with true first-party control.
Nix and AI, are we there yet?
AI stacks look like the perfect use-case for Nix: Massively multiplying dependency matrices, double-digit-GB OCI images, tedious, Sisyphean build → push → pull → test loops. In ML/AI dev, "It runs" literally means "It runs … on this machine." So … why aren't more ML teams using Nix? This talk is a field guide to the logistics and sociotechnics of what it takes to make Nix happen in AI. Its point of departure is the following question: "Why do we ship what we ship the way we ship it?" Either Nix fits the conveyor belt people already ship on, or ML teams learn a new way to build → ship → deploy software. So what will it take to fit Nix to this conveyor belt?
Nix Anywhere Else: Relocatable Binaries via ELF Surgery
Nix builds hermetic binaries, but they are prisoners of the store. Running them on standard Linux distros usually ends in a cryptic "file not found" error. In this talk, we perform live surgery on ELF binaries to make them truly portable. We explore using patchelf to rewrite dynamic loaders, convert absolute paths to portable $ORIGIN lookups, and even patch Python interpreters to load system libraries. Join us to learn the dark arts of binary relocation.
Nix Builds 🤝 K8s Dev Environments: A Love Hate Relationship in 5 Acts
At Anthropic, developers expect Nix builds to Just Work on their K8s dev environments. But Nix's builds demand sandboxing support.
This is the war story of "just" enabling sandboxing: upgrading K8s, deploying user namespaces, monkey-patching container runtimes, and rearchitecting our Docker stack.
NixBSD: A new frontier for NixOS
NixOS has always locked you into Linux, but what if you could run NixOS on a FreeBSD file server, an OpenBSD firewall, or even an ancient NetBSD VAX? For the past several years we've been working on NixBSD, which gives you all the declarative and reusable configuration features of NixOS on another operating system.




