17:00:11 #startmeeting security
17:00:11 Meeting started Thu Aug 20 17:00:11 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:15 The meeting name has been set to 'security'
17:00:19 hi
17:00:20 #chair hyakuhei
17:00:20 Warning: Nick not in channel: hyakuhei
17:00:21 Current chairs: hyakuhei tmcpeak
17:00:23 yo
17:00:29 hi
17:00:48 hey there
17:00:51 o/
17:01:17 hyakuhei: take it away
17:01:32 hyakuhei: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
17:01:41 it's already going :)
17:01:46 you're chair
17:01:48 oh hai
17:02:05 So my first topic was going to be the meeting topic :)
17:02:12 It should always be security
17:02:22 isn't it?
17:02:22 not ossg, openstack-security, security group etc
17:02:35 o/
17:02:35 It is this time, we have 4-5 in the IRC logs
17:02:40 doh
17:02:45 oh yeah, I think those are old
17:03:02 Just makes keeping track of the logs tricky, “ossg” was last week - not a big deal, just a quick thing to note
17:03:10 (I was making wiki edits immediately before this meeting)
17:03:27 ahh crap, my bad
17:03:42 No worries, never actually formally set a policy around it
17:03:47 Bad management if you ask me
17:03:51 Ok, Agenda
17:04:08 lol
17:04:13 Anchor, Bandit, TA Efforts, Encryption, MidCycle
17:04:15 What else
17:04:34 fuzzing
17:04:42 +1
17:04:59 (assuming the right folks are around)
17:05:09 cool, do we have anyone here that’s involved with the fuzzing workies?
17:05:31 jian5397: ^
17:05:43 Cool
17:05:57 So tkelsey and viraptor (who isn’t here) have done a bunch of Anchor work
17:06:07 We just committed a bunch of stuff that breaks the API
17:06:13 I hear people like it when you do that
17:06:20 oh, always
17:06:23 excellent
17:06:31 :D
17:06:32 btw, Magnum is going to be using Anchor
17:06:38 redrobot that's awesome
17:06:46 well we created a 0.1.0 tag before the breakage
17:07:00 and possibly barbican ca as well
17:07:03 and the API is now versioned, so this _shouldn't_ happen again
17:07:06 It is? Excellent, I’ve recently been looking more closely at Magnum
17:07:20 redrobot: I thought Barbican had its own snakeoil CA
17:07:38 we do, but it had a bug when they evaluated it
17:07:44 o/
17:07:47 lol
17:07:51 * sigmavirus24 apologizes for being late
17:08:06 oh interesting, well the new changes don’t take much effort to keep up with and will make future work much easier
17:08:08 sorry that I am late.
17:08:27 Lots of internal changes, not using pyCryptography any more (for now, long term plan is to use it)
17:08:47 So we have some built in ASN1 munging to do the things we can’t bind easily through pyCryptography
17:08:49 one thing we should pay attention to is that I heard from a 3rd party that they plan on using an interface for provisioning the certs
17:08:50 tkelsey: anything to add?
17:09:05 redrobot: like what?
17:09:09 so that anchor and/or barbican can be put behind the interface
17:09:10 o/
17:09:11 nope, i think that's about it
17:09:22 So Castellan for Certs ?
17:09:23 something like oslo.ca or oslo.certificate_issue
17:09:28 hyakuhei yeah basically
17:09:47 Seriously, Inception must be the favorite movie of every stacker
17:09:53 so many levels of indirection...
17:10:00 but yay Anchor :)
17:10:04 hehe
17:10:09 ok
17:10:11 #topic Bandit
17:10:14 what’s the story?
17:10:24 im pushing on docs still
17:10:33 story is that we had a couple of bug fixes last week that necessitated new versions
17:10:33 the WIP is now removed, since 0.13.2 landed
17:11:03 Tim is pushing docs like a crazy man, viraptor is doing his usual whirlwind of performance improvements
17:11:29 yup, viraptor dropped some good perf patches
17:11:50 sweet
17:12:09 that's roughly it
17:12:12 i cleaned up all of the bugs that were released
17:12:18 we have a lot we want to do at midcycle
17:12:26 namely better unit testing, release automation, etc
17:12:28 browne: I noticed, good stuff :)
17:12:29 a bunch were left in fix committed
17:12:39 ahh yeah, thanks for that browne
17:13:08 if we can carve out some cycles at midcycle for Bandit we should be in great shape
17:13:16 I'd like to circle back and start selling to projects again
17:13:21 Yeah we have some time laid down in the etherpad
17:13:22 look at how much fun bknudson is having, etc etc
17:13:55 o/
17:14:07 hard to convince reviewers to prioritize my bandit config updates over all the other work
17:14:17 bknudson: how can we help? (if at all)
17:14:20 it's nice just to have it running
17:14:29 +1
17:14:32 bknudson: I’ll volunteer to reach out to people if that helps
17:14:32 do lots of reviews in keystone and become core reviewers
17:14:44 lol
17:14:48 +1
17:15:11 that's all I had for Bandit, unless anybody else wants to add something
17:15:17 Thanks tmcpeak et al!
17:15:21 #topic Threat Analysis
17:15:38 threat analysis?
17:15:41 So this has stalled pretty much as the nice chap that was leading it has been absent for a long time
17:15:50 threat modeling?
17:16:05 same diff (at least for this meeting)
17:16:18 Lots of orgs are doing TA work
17:16:22 on OpenStack
17:16:38 and we are overlapping on a lot of things
17:16:42 and all missing things too
17:16:45 if orgs aren't doing TA work they should be
17:16:50 bknudson: +1
17:16:58 bknudson: some who should, aren't
17:17:02 anyway - digression
17:17:19 I want to do some combination/normalization
17:17:25 and then push the results into the open
17:17:26 interesting
17:17:30 hyakuhei: +1
17:17:37 Do we know what has been done?
17:17:40 with continued efforts to progress and update
17:17:54 michaelxin: HP’s done everything that’s in our product portfolio
17:18:02 (Not bragging but we have 3-5 FTE on it)
17:18:15 hyakuhei: +1
17:18:17 Openly we’ve done only one small part of Keystone (The OSSG)
17:18:33 hyakuhei: will you guys share?
17:18:38 yeah
17:18:47 hyakuhei: +100
17:18:51 but we don’t want to be the only ones showing the world our underpants
17:18:58 you should brag about that
17:19:15 bknudson: I’m happy to but not in the context of the Security project ;)
17:19:36 we also have some data flow diagrams for some projects
17:19:40 Anyway, I’m hoping to make this work either at the mid-cycle or during some of the summit sessions
17:19:59 devil is going to be in keeping the upstream TA's synchronized
17:20:06 #link https://wiki.openstack.org/wiki/Security/Threat_Analysis
17:20:15 ^ Current, abandoned efforts
17:20:20 and ensuring that participating organizations continue to contribute, etc
17:20:29 s/abandoned/stalled/
17:20:38 Yeah there’s lots of chasing things
17:20:43 hyakuhei: sounds like a good effort
17:20:45 The idea is to only review the “Core” stuff
17:20:51 might be easier to document the threat analysis now that we've got more docs
17:20:53 which we’d have to simply agree by a show of hands
17:20:57 and the docs are in rst
17:21:07 ;)
17:21:16 our respective orgs would have to do delta reviews on our add-on value-add whatever
17:21:47 hyakuhei: this is a good idea though, all these saved hours can go into making OpenStack more secure/better
17:21:55 So I don’t have any actions for any of you other than please think about this, if you work for a big vendor I’m going to be knocking on your door soon
17:21:56 no sense in 5 parallel efforts to TA Nova
17:22:09 tmcpeak: +1
17:22:28 Superb
17:22:40 So the problem tends to be getting the right people in the room
17:22:51 As you really need cores/PTLs to make it work
17:23:12 and how will we do "in the room"?
17:23:18 Indeed
17:23:38 At one point we discussed sending some of our folk to 3-5 of the mid-cycles
17:23:45 Trying to spend a day at each one deep diving
17:24:02 yeah, I'm not sure 1 day there is enough
17:24:10 It depends on dept
17:24:12 *depth
17:24:15 the people that are working on it for us spend weeks tracking things down, revising diagrams, etc
17:24:25 The initial approach attempted to do full functional decomposition
17:24:36 we can pick one for exercise purpose
17:24:45 See what works and what does not
17:24:51 tmcpeak: True, though most of the heavy lifting on that is the first set of documentation
17:25:00 Keystone might be a good choice since we have bknudson and could probably get ayoung to play
17:25:15 after that (major re-writes notwithstanding) it should be deltas that need reviewing
17:25:18 hp has a few cores and PTL in keystone.
17:25:22 hyakuhei: +1
17:25:28 Yeah, I don’t want to get too far into the detail here
17:25:42 IRC isn’t the best format for what is a lengthy conversation
17:25:44 michaelxin: we (Rackspace) have a few Glance cores + a couple OSSG members
17:25:51 but I think the time has come to reboot these efforts
17:25:59 yeah, sounds good
17:26:04 sigmavirus24: +1
17:26:08 maybe we can carve out a few hours planning at midcycle?
17:26:10 +1
17:26:15 I’m happy to lead but it might be a nice opportunity for someone else to pick up an activity
17:26:27 tmcpeak: +1 I’m adding it to the etherpad shortly
17:26:49 Security has a much bigger profile than the last time we tried so fingers crossed we’ll get more traction this time.
17:26:55 * sigmavirus24 sighs
17:27:03 I'm going to miss so much by not being at the midcycle
17:27:11 I told you mr. virus
17:27:21 hyakuhei got a link for the etherpad?
17:27:29 tmcpeak: does "YOLO" apply here?
17:27:31 #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:27:48 sigmavirus24: kind of ;)
17:29:40 tmcpeak: then I invoke "YOLO" (whatever that means)
17:29:43 (dang kids)
17:29:47 lol
17:30:02 lol
17:30:05 #topic Crypto
17:30:14 There’s lots going on at the moment
17:30:29 There’s the audit stuff we wanted to do but nkinder was leading and has been too busy
17:30:44 Then there’s oversight and tracking of the openstack native encryption services.
17:30:51 Both need work and attention
17:31:30 It’s another opportunity for someone to become the shining light of OpenStack security
17:31:58 or I’ll try to get around to it - possibly also something that could get bootstrapped at the mid-cycle
17:32:16 Thoughts?
17:32:25 sounds cool
17:32:32 hyakuhei: what if they don't want to be shiny? =P
17:32:34 hyakuhei: crypto tracking can be a small Bandit tweak
17:32:46 nice idea tmcpeak
17:32:56 tmcpeak: it needs to be reported/centralized
17:33:13 it just means every project needs to run bandit ;)
17:33:17 hyakuhei: no problem, we can push our JSON results to a server
17:33:21 and then do some parsin
17:33:22 g
17:33:24 The tracking is about what algorithms get used where, why and are they appropriate. Can they be configured or are they hard coded etc.
17:33:41 elmiko: I don't think so, we can just have a list of repos, and then iterate, clone, report, and move on
17:33:47 tmcpeak: It’s a good idea
17:33:51 tmcpeak: even better
17:33:54 +1
17:33:58 low effort approach anyway
17:34:07 could probably bang that up in a few hours
17:34:16 +1
17:34:40 hyakuhei: I'm happy to carve a few hours for that at midcycle
17:35:16 Sweet
17:35:28 #topic MidCycle
17:35:29 where is nkinder anyway?
17:35:43 So I’m assuming everyone confirmed on the etherpad is coming (yay!)
17:35:45 he still has a conflict for this meeting?
17:35:55 ya
17:36:03 tmcpeak: i assume so, haven't talked with him recently
17:36:24 ahh ok cool
17:36:27 hyakuhei: I am
17:36:30 hopefully he can get to the midcycle
17:36:35 I’m going to get food orders sorted soon, basically there’s a big area with snacks/drinks whatever available in the office
17:36:52 I’ll get breakfast and lunch sorted for day 1, a general mix of food for veggies/meaties
17:36:54 there's a place where they throw fish around nearby
17:37:06 and we’ll sort out what to do from then on, as with the SF midcycle
17:37:13 That work?
17:37:15 hyakuhei: +1
17:37:18 sounds good
17:37:19 bknudson: +1
17:37:42 put me down as a meatie
17:37:53 i added a session topic to the etherpad, wasn't sure about the general form. i hope it's ok
17:38:20 and put me down as a veggie plz =)
17:38:27 I’ll just cut a 65% meaty line
17:38:35 lol, nice
17:38:49 Everyone booked/sorted for the mid-cycle then?
17:39:07 hyakuhei: booked here
17:39:16 same, booked and sorted
17:39:17 Excellent!
17:39:18 we going to need visitor badges and stuff?
17:39:55 bknudson: you can just grab them day 1
17:40:06 Yeah, just bring some ID
17:40:15 go up the elevator, cause a commotion to get security interested, explain you're there for the lols
17:40:29 for the YOLOs
17:40:36 nice
17:41:08 So that’s all I had for today
17:41:13 API testing
17:41:21 tmcpeak: yes
17:41:22 #topic API testing/fuzzing
17:41:38 The PoC is working now
17:41:49 sweet, linkies?
17:41:50 We are polishing the documentation
17:42:05 adding examples.
17:42:21 it should be ready for public by early next week.
17:42:30 awesome
17:42:31 it is still early stage
17:42:33 is it a tool?
17:42:46 We want your feedback before adding more stuff
17:42:55 bknudson: Yes, it is a standalone tool.
17:43:09 neat
17:43:10 For current example, we are using keystone API
17:43:31 Wish that it will become an openstack security tool
17:43:49 michaelxin: sounds good
17:43:50 keystone added input validation with JSON schema to the v3 api so that should help
17:43:59 michaelxin: may I ask what inputs it needs to run ?
17:44:08 that was something a guy from our group was working on (not to brag)
17:44:24 tristanC: valid payload
17:44:41 like HTTP request in burp.
17:45:11 We do have extension enabling automatic authentication with tokens replaced.
17:45:51 interesting, so can you for example convert a tempest run into usable payload ?
17:45:52 In configuration files, you set up user name and password, etc.
17:46:15 At this stage, no
17:46:34 We have some discussion about generating the usable payloads.
17:46:40 But the project is in early stage.
17:46:54 We want to focus on fuzzing and testing
17:47:05 I’m really looking forward to experimenting with this michaelxin
17:47:15 likewise
17:47:21 yeah should be very cool
17:47:29 hyakuhei: we look forward to your feedback
17:47:46 I’m sure there’ll be some ;)
17:47:51 At this stage, it is only a PoC.
17:48:08 Too much expectation might kill me. :-)
17:48:11 fair enough, does it have a name yet ? :)
17:48:26 we code name it syntribos
17:49:11 I will make it available next week in openstack-security room
17:49:24 If you have any question, you can find me over there.
17:49:33 great!
17:49:40 michaelxin: thanks
17:50:10 tristanC: You are welcome
17:50:19 that's all for me
17:50:42 sweet
17:50:55 #topic Any Other Business
17:51:20 michaelxin: Did you want to make syntribos an official OpenStack Security Activity ?
17:51:33 I don’t like the word project as everything is a project already
17:51:33 hyakuhei: Sure
17:51:39 The list of Security Project Projects...
17:51:42 Great :D
17:52:15 When you’re ready to release we’ll setup a repo for it
17:52:23 Straight to the big-tent for you ;)
17:52:29 nice
17:53:01 haha, Thanks.
17:53:31 Great, anything else before we close this out?
17:54:37 should be good, thanks hyakuhei!
17:54:46 oh
17:54:46 hyakuhei: tmcpeak Thanks
17:54:51 ossn triage for mid-cycle?
17:55:00 yeah, we should do that for sure
17:55:07 i can add it to the pad
17:55:23 elmiko: +1
17:56:59 k, added
17:57:04 cool, thanks elmiko
17:57:07 good point
17:57:58 alright, that's a wrap then
17:58:05 #endmeeting