18:00:49 <bdpayne> #startmeeting OpenStack Security Group
18:00:50 <openstack> Meeting started Thu Jun  5 18:00:49 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:52 <mxin> hi, all
18:00:55 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:02 <bdpayne> #topic Rollcall
18:01:14 * bdpayne running the meeting for Rob today
18:01:16 <bknudson> hi
18:01:18 <malini1> present
18:01:24 <mxin> Happy OpenSSL Thursday!
18:01:25 <shohel> hi
18:01:30 <bknudson> not again!
18:01:31 <bdpayne> mxin ha
18:01:53 <bdpayne> yes, for those that haven't heard https://www.openssl.org/news/secadv_20140605.txt
18:01:58 <bdpayne> it's probably time to upgrade again
18:02:24 <bdpayne> so hi to all that are here
18:02:40 <nkinder> hi all
18:02:40 <bdpayne> I'm filling in for Rob today, it was a last minute thing so I'm just kind of rolling with the flow here ;-)
18:02:53 <bdpayne> #topic Agenda
18:03:01 <bdpayne> Anything people would like to add to the agenda
18:03:37 <bdpayne> anything at all?
18:03:47 <bknudson> what's the agenda?
18:04:00 <bdpayne> Well, I have two minor things
18:04:07 <bdpayne> I'd like to discuss the mid-cycle meetup
18:04:15 <bdpayne> and I'd like to discuss a new time for this IRC meeting
18:04:17 <mxin> cool
18:04:30 <bdpayne> anything else that people would like to discuss
18:04:30 <bdpayne> ?
18:04:53 <bdpayne> ok, sounds good
18:04:56 <bdpayne> so let's push ahead
18:05:01 <bdpayne> #topic IRC Meeting time
18:05:03 <sriramhere> sorry guys for being little late, howdy
18:05:10 <bknudson> I might be making some progress towards getting our group here to help community support stable releases longer
18:05:17 <bdpayne> So we've had an email thread about changing the time of this meeting
18:05:39 <CristianF> Just joining, hi everyone
18:05:43 <bknudson> the proposed new meeting time works for me
18:05:51 <bdpayne> the proposal is to change this to Thursdays at 1700 - 1800 UTC in #openstack-meeting-alt
18:06:10 <bdpayne> We will be starting with this new time *next week*
18:06:18 <bdpayne> So please consider this your heads up :-)
18:06:28 <bdpayne> I'll make sure that the wiki page for the meeting is updated in short order
18:06:29 <dg_> sounds good
18:06:40 <bknudson> so also switching meeting rooms
18:06:53 <bdpayne> yeah, that's what Rob had indicated
18:07:13 <malini1> works for me
18:07:22 <bdpayne> ok, so update your calendars
18:07:28 <bdpayne> moving along to the next topic
18:07:30 <mxin> it should work for me
18:07:34 <bdpayne> #topic Mid-cycle meetup
18:07:35 <shohel> good for me also
18:07:53 <bdpayne> https://etherpad.openstack.org/p/ossg-juno-meetup
18:08:12 <bdpayne> If you would like to attend the OSSG mid-cycle meetup, please make sure your date prefs are noted on this etherpad
18:08:23 <bdpayne> We are currently planning to hold this event at HP in Seattle
18:08:47 <shohel> is there any agenda defined for the meetup
18:08:47 <bdpayne> Right now it looks like July 14 - July 18 is the leading week
18:09:07 <bdpayne> We will use the time to drive the primary efforts forward (book, ossn, and threat analysis)
18:09:25 <bdpayne> people involved in each of those areas will want to put together an agenda with their respective groups
18:09:41 <dg_> who should I talk to about getting involved with the threat analysis efforts?
18:09:41 <bdpayne> there may also be some time for getting traction on 1 or 2 new efforts, but that's tbd
18:09:58 <bdpayne> dg_ I think Rob Clark and shohel
18:10:10 <dg_> bdpayne thanks I'll talk to Rob
18:10:12 * tmcpeak sorry I'm late
18:10:30 <bdpayne> sorry that I don't have more details on the agenda for the meetup
18:10:40 <bdpayne> I think that Rob's working on that, so expect something before too long
18:10:51 <shohel> that sounds good
18:10:55 <mxin> it works for me.
18:10:59 <tmcpeak> did we firm a date?
18:11:11 <bdpayne> any other thoughts / discussion on the mid-cycle meetup?
18:11:19 <bdpayne> tmcpeak We are doing final voting for the date today
18:11:31 <bdpayne> should lock it in tomorrow or early next week
18:11:32 <tmcpeak> cool, sounds good.  What forum?
18:11:41 <bdpayne> https://etherpad.openstack.org/p/ossg-juno-meetup
18:12:04 <bdpayne> #topic Open Discussion
18:12:21 <bdpayne> So that's all that I had for today's meeting.  Anything else that people would like to discuss?
18:12:26 <shohel> i would like to add something regarding threat analysis work
18:12:39 <shohel> i have added a process chart in the wiki
18:12:53 <shohel> as discussed in the summit
18:12:56 <shohel> https://wiki.openstack.org/wiki/Security/Threat_Analysis/process
18:13:15 <shohel> feedback ?
18:13:44 <CristianF> shohel: will take a look, thanks for sharing
18:13:58 <shohel> mainly how the initiation until finalising the report
18:14:06 <shohel> need to add more details though
18:14:15 <bknudson> shohel: this looks great
18:14:38 <bdpayne> yeah, this is a good start, but more details would be useful
18:14:38 <sriramhere> Bryan - did u say that agenda is to be determined by people who are involved in various efforts
18:14:46 <bdpayne> yes, I did
18:14:49 <tmcpeak> shohel: yeah, great to get this all written down, +1
18:15:11 <mxin> Thanks for the efforts.
18:15:17 <sriramhere> ok good. how are we converging all these agendas?
18:15:31 <sriramhere> Is Rob going to be the central person, or just jump on etherpad
18:15:33 <sriramhere> ?
18:15:47 <bdpayne> Rob will be the guy planning this
18:15:52 <dg_> shohel looks good, will take a look at the threat modelling process to see what it breaks down into
18:16:10 <bdpayne> I think we should wait for him to get the specifics
18:16:20 <bdpayne> might be worth starting a thread on the mailing list about it though
18:16:50 <sriramhere> ok - can I take the action item to start the email thread?
18:16:58 <bdpayne> yes please
18:17:02 <tmcpeak> please do
18:17:08 <sriramhere> cool
18:17:15 <bdpayne> #action sriramhere to start email thread about meetup agenda
18:17:31 <bdpayne> Also, I ran across this today and I think it needs some security input: https://review.openstack.org/#/c/97900/
18:17:42 <bdpayne> Heat encrypting params
18:17:59 <bdpayne> Anyone here comfortable with crypto review?
18:18:29 <dg_> bdpayne in a past life yes
18:18:46 <bdpayne> may be worth putting some eyes on this if you have time
18:19:03 <bdpayne> it's a relatively small patch
18:19:05 <bknudson> looks like they've got a crypt module already
18:19:25 <dg_> I'll take a look tomorrow, but other people are probably more current, it's been a few years for me
18:19:28 <bknudson> http://git.openstack.org/cgit/openstack/heat/tree/heat/common/crypt.py
18:19:36 <bdpayne> bknudson yes
18:19:43 <tmcpeak> along similar lines, I've been chewing over something I'm curious about OSSG thoughts on
18:19:47 <bdpayne> this is more about whether or not this is a proper use of that
18:20:04 <shohel> i will do a quick check on this within my limit
18:20:32 <bdpayne> tmcpeak go ahead
18:20:49 <tmcpeak> ok, so I've been working on the Glance security audit
18:20:55 <bknudson> cipher = AES
18:20:56 <tmcpeak> and making a list of where we are using crypto and how
18:21:18 <tmcpeak> I came across the usage of the following library: eventlet.green.ssl
18:21:30 <tmcpeak> it looks like a pretty significant wrapper around normal SSL
18:21:36 <tmcpeak> my question is how has this been vetted
18:21:46 <tmcpeak> do we have any degree of confidence on this implementation etc
18:22:02 <tmcpeak> which got me thinking maybe we need some central page for all crypto related implementations
18:22:15 <tmcpeak> where we can have links regarding any audit efforts, who has looked into them, etc
18:22:21 <nkinder> tmcpeak: many people don't seem to trust the python SSL server-side implementations, so they use terminators
18:22:23 <bdpayne> so I feel like step one is just to identify where crypto is being used, what libs, etc
18:22:31 <bdpayne> but answering these questions is important
18:22:37 <bdpayne> I just view it as step 2
18:22:40 <bdpayne> if that makes sense
18:22:41 <dg_> tmcpeak the AES should be verifiable with the test vectors, the supporting functions are as crucial though
18:22:53 <tmcpeak> bdpayne: yeah totally
18:23:09 <tmcpeak> dg_: I'm not sure test vectors covers it
18:23:16 <bdpayne> but putting up such a page could be interesting... I'm just worried about sourcing the information properly
18:23:25 <tmcpeak> what about some simple bug like Heartbleed
18:23:32 <tmcpeak> who are the guys who wrote this ssl wrapper
18:23:33 <bdpayne> "simple"
18:23:52 <tmcpeak> and do we have any reason to think that they were careful enough to avoid these kind of problems
18:24:00 <mxin> it is not easy to get encryption correct.
18:24:05 <bdpayne> all fair questions
18:24:06 <dg_> tmcpeak heh yes, like i said, the crypt is verifiable, but the supporting functions are crucial
18:24:11 <tmcpeak> at least if we have a list of who has looked into them and in what depth, maybe we can start to build a knowledge base
18:24:15 <bdpayne> I don't have any answers for you off the top of my head though
18:24:31 <bdpayne> yeah, perhaps this could start as an etherpad?
18:24:36 <bdpayne> slightly less official than a wiki
18:24:45 <bdpayne> more of a data collection effort
18:24:46 <tmcpeak> yeah, I think etherpad would be a great place to start building some knowledge
18:24:56 <tmcpeak> bdpayne: yeah exactly, even just some related links for each lib
18:25:19 <dg_> bdpayne I think Rob has been working on identifying what crypt is in use where, and today mentioned https://github.com/pyca/cryptography as getting a lot of interest from barbican
18:25:40 <bdpayne> so nkinder has been working on the crypto audit
18:25:41 <mxin> sounds like a good starting point.
18:26:00 <bdpayne> I do like python cryptography too, a very interesting project
18:26:07 <bdpayne> And a good team working on it
18:26:22 <tmcpeak> oh, I wasn't aware of this
18:26:26 <tmcpeak> this looks pretty cool
18:26:26 <sriramhere> will this go with the security anti-pattern tests that were talked about last week via email thread?
18:26:30 <bdpayne> Personally, I'd love to see about migrating all of openstack to using a single python cryptography library... perhaps this one
18:26:55 <nkinder> bdpayne: +1
18:26:59 <bdpayne> sriramhere I'm not sure I follow
18:27:01 <dg_> it would be nice to have a single library that we had some confidence in, I particularly dislike how most SSL stuff is handled in python
18:27:09 <tmcpeak> sriramhere: good question
18:27:16 <sriramhere> there was an email thread last week
18:27:26 <sriramhere> Malini started a page on security anti-patterns
18:27:41 <sriramhere> and some jumped on that, trying to write some tests to find such patterns
18:28:06 <bdpayne> I'm not sure that the information we are talking about collecting on the crypto libs is really something that fits in with the security anti-patterns
18:28:08 <sriramhere> my thought was, such tests could test for these questions being raised here
18:28:10 <bdpayne> this is why I'm confused here
18:28:10 <tmcpeak> I'm not sure these are good or bad crypto implementations, we just don't have enough information to make informed decisions IMO
18:28:22 <bdpayne> right
18:28:34 <sriramhere> sorry, my ask is more of automated tests
18:28:39 <sriramhere> than sec anti-patt
18:28:46 <tmcpeak> they are probably two separate efforts at this point
18:28:49 <bdpayne> tmcpeak you want to start an etherpad for this?
18:28:53 <tmcpeak> yep!
18:28:58 <tmcpeak> TODO please :)
18:29:06 <sriramhere> ok cool
18:29:08 <malini1> sriramhere: harder to test the goodness of a library as an anti-pattern
18:29:24 <bdpayne> #action tmcpeak to start etherpad for collecting information about the status of various crypto libraries used in openstack (who has audited them, etc)
18:29:44 <bdpayne> ok, any other discussion for today?
18:29:54 <paulmo> Sorry I'm late, one item from me if we have time
18:30:02 <mxin> want to talk about api testing?
18:30:06 <sriramhere> just a quick update; GSOC project on fuzzing fw coming along well
18:30:07 <bdpayne> very briefly :-)
18:30:08 <paulmo> What is the next step for getting OSSG approval for: https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:30:15 <sriramhere> had some slow downs, but largely on track.
18:30:36 <bdpayne> paulmo I'd start an email thread on that
18:30:40 <bdpayne> we don't have a formal process
18:30:54 <bdpayne> but, some form of critical review / broad acceptance from the group would make sense to me
18:30:55 <paulmo> Ok, will do; thanks!
18:31:12 <bdpayne> sriramhere sounds good!
18:31:22 <bdpayne> ok, I think that's all we have time for today... thanks everyone!
18:31:26 <sriramhere> thx
18:31:30 <tmcpeak> good stuff, thanks!
18:31:33 <mxin> bye
18:31:34 <shohel> thx
18:31:35 <CristianF> bye
18:31:39 <bdpayne> #endmeeting