17:00:11 <tmcpeak> #startmeeting security
17:00:11 <openstack> Meeting started Thu Aug 20 17:00:11 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:15 <openstack> The meeting name has been set to 'security'
17:00:19 <browne> hi
17:00:20 <tmcpeak> #chair hyakuhei
17:00:20 <openstack> Warning: Nick not in channel: hyakuhei
17:00:21 <openstack> Current chairs: hyakuhei tmcpeak
17:00:23 <tmcpeak> yo
17:00:29 <elmiko> hi
17:00:48 <tmcpeak> hey there
17:00:51 <redrobot> o/
17:01:17 <tmcpeak> hyakuhei: take it away
17:01:32 <openstack> hyakuhei: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
17:01:41 <tmcpeak> it's already going :)
17:01:46 <tmcpeak> you're chair
17:01:48 <hyakuhei> oh hai
17:02:05 <hyakuhei> So my first topic was going to be the meeting topic :)
17:02:12 <hyakuhei> It should always be security
17:02:22 <tmcpeak> isn't it?
17:02:22 <hyakuhei> not ossg, openstack-security, security group etc
17:02:35 <tkelsey> o/
17:02:35 <hyakuhei> It is this time, we have 4-5 in the IRC logs
17:02:40 <elmiko> doh
17:02:45 <tmcpeak> oh yeah, I think those are old
17:03:02 <hyakuhei> Just makes keeping track of the logs tricky, “ossg” was last week - not a big deal, just a quick thing to note
17:03:10 <hyakuhei> (I was making wiki edits immediately before this meeting)
17:03:27 <tmcpeak> ahh crap, my bad
17:03:42 <hyakuhei> No worries, never actually formally set a policy around it
17:03:47 <hyakuhei> Bad management if you ask me
17:03:51 <hyakuhei> Ok, Agenda
17:04:08 <elmiko> lol
17:04:13 <hyakuhei> Anchor, Bandit, TA Efforts, Encryption, MidCycle
17:04:15 <hyakuhei> What else
17:04:34 <tmcpeak> fuzzing
17:04:42 <elmiko> +1
17:04:59 <elmiko> (assuming the right folks are around)
17:05:09 <hyakuhei> cool, do we have anyone here that’s involved with the fuzzing workies?
17:05:31 <tmcpeak> jian5397: ^
17:05:43 <hyakuhei> Cool
17:05:57 <hyakuhei> So tkelsey and viraptor(who isn’t here) have done a bunch of Anchor work
17:06:07 <hyakuhei> We just committed a bunch of stuff that breaks the API
17:06:13 <hyakuhei> I hear people like it when you do that
17:06:20 <elmiko> oh, always
17:06:23 <tmcpeak> excellent
17:06:31 <hyakuhei> :D
17:06:32 <redrobot> btw, Magnum is going to be using Anchor
17:06:38 <dg_> redrobot thats awesome
17:06:46 <tkelsey> well we created a 0.1.0 tag before the breakage
17:07:00 <redrobot> and possibly barbican ca as well
17:07:03 <tkelsey> and the API is now versioned, so this _shouldn't_ happen again
17:07:06 <hyakuhei> It is? Excellent, I’ve recently been looking more closely at Magnum
17:07:20 <hyakuhei> redrobot: I thought Barbican had its own snakeoil CA
17:07:38 <redrobot> we do, but it had a bug when they evaluated it
17:07:44 <sigmavirus24> o/
17:07:47 <dg_> lol
17:07:51 * sigmavirus24 apologizes for being late
17:08:06 <hyakuhei> oh interesting, well the new changes don’t take much effort to keep up with and will make future work much easier
17:08:08 <michaelxin> sorry that I am late.
17:08:27 <hyakuhei> Lots of internal changes, not using pyCryptography any more (for now, long term plan is to use it)
17:08:47 <hyakuhei> So we have some built in ASN1 munging to do the things we can’t bind easily through pyCryptography
17:08:49 <redrobot> one thing we should pay attention to is that I heard from a 3rd party that they plan on using an interface for provisioning the certs
17:08:50 <hyakuhei> tkelsey: anything to add?
17:09:05 <hyakuhei> redrobot: like what?
17:09:09 <redrobot> so that anchor and/or barbican can be put behind the interface
17:09:10 <tristanC> o/
17:09:11 <tkelsey> nope, i think thats about it
17:09:22 <hyakuhei> So Castellan for Certs ?
17:09:23 <redrobot> something like oslo.ca or oslo.certificate_issue
17:09:28 <redrobot> hyakuhei yeah basically
17:09:47 <hyakuhei> Seriously, Inception must be the favorite movie of every stacker
17:09:53 <hyakuhei> so many levels of indirection...
17:10:00 <hyakuhei> but yay Anchor :)
17:10:04 <redrobot> hehe
17:10:09 <hyakuhei> ok
17:10:11 <hyakuhei> #topic Bandit
17:10:14 <hyakuhei> what’s the story?
17:10:24 <tkelsey> im pushing on docs still
17:10:33 <tmcpeak> story is that we had a couple of bug fixes last week that necessitated new versions
17:10:33 <tkelsey> the WIP is now removed, since 0.13.2 landed
17:11:03 <tmcpeak> Tim is pushing docs like a crazy man, viraptor is doing his usual whirlwind of performance improvements
17:11:29 <tkelsey> yup, viraptor dropped some good perf patches
17:11:50 <hyakuhei> sweet
17:12:09 <tmcpeak> that's roughly it
17:12:12 <browne> i cleaned up all of the bugs that were released
17:12:18 <tmcpeak> we have a lot we want to do at midcycle
17:12:26 <tmcpeak> namely better unit testing, release automation, etc
17:12:28 <tkelsey> browne: I noticed, good stuff :)
17:12:29 <browne> a bunch were left in fix commented
17:12:39 <tmcpeak> ahh yeah, thanks for that browne
17:13:08 <tmcpeak> if we can carve out some cycles at midcycle for Bandit we should be in great shape
17:13:16 <tmcpeak> I'd like to circle back and start selling to projects again
17:13:21 <hyakuhei> Yeah we have some time laid down in the etherpad
17:13:22 <tmcpeak> look at how much fun bknudson is having, etc etc
17:13:55 <dave-mccowan> o/
17:14:07 <bknudson> hard to convince reviewers to prioritize my bandit config updates over all the other work
17:14:17 <tmcpeak> bknudson: how can we help? (if at all)
17:14:20 <bknudson> it's nice just to have it running
17:14:29 <tmcpeak> +1
17:14:32 <hyakuhei> bknudson: I’ll volunteer to reach out to people if that helps
17:14:32 <bknudson> do lots of reviews in keystone and become core reviewers
17:14:44 <tmcpeak> lol
17:14:48 <michaelxin> +1
17:15:11 <tmcpeak> that's all I had for Bandit, unless anybody else wants to add something
17:15:17 <hyakuhei> Thanks tmcpeak et al!
17:15:21 <hyakuhei> #topic Threat Analysis
17:15:38 <tmcpeak> threat analysis?
17:15:41 <hyakuhei> So this has stalled pretty much as the nice chap that was leading it has been absent for a long time
17:15:50 <michaelxin> threat modeling?
17:16:05 <hyakuhei> same diff (at least for this meeting)
17:16:18 <hyakuhei> Lots of orgs are doing TA work
17:16:22 <hyakuhei> on OpenStack
17:16:38 <hyakuhei> and we are overlapping on a lot of things
17:16:42 <hyakuhei> and all missing things too
17:16:45 <bknudson> if orgs aren't doing TA work they should be
17:16:50 <hyakuhei> bknudson: +1
17:16:58 <hyakuhei> bknudson: some who should, aren't
17:17:02 <hyakuhei> anyway - digression
17:17:19 <hyakuhei> I want to do some combination/normalization
17:17:25 <hyakuhei> and then push the results into the open
17:17:26 <tmcpeak> interesting
17:17:30 <michaelxin> hyakuhei: +1
17:17:37 <michaelxin> Do we know what have been done?
17:17:40 <hyakuhei> with continued efforts to progress and update
17:17:54 <hyakuhei> michaelxin: HP’s done everything that’s in our product portfolio
17:18:02 <hyakuhei> (Not bragging but we have 3-5 FTE on it)
17:18:15 <michaelxin> hyakuhei: +1
17:18:17 <hyakuhei> Openly we’ve done only one small part of Keystone (The OSSG)
17:18:33 <michaelxin> hyakuhei: will you guys share?
17:18:38 <hyakuhei> yeah
17:18:47 <michaelxin> hyakuhei: +100
17:18:51 <hyakuhei> but we don’t want to be the only ones showing the world our underpants
17:18:58 <bknudson> you should brag about that
17:19:15 <hyakuhei> bknudson: I’m happy to but not in the context of the Security project ;)
17:19:36 <michaelxin> we also have some data flow diagrams for some projects
17:19:40 <hyakuhei> Anyway, I’m hoping to make this work either at the mid-cycle or during some of the summit sessions
17:19:59 <tmcpeak> devil is going to be in keeping the upstream TA's synchronized
17:20:06 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/Threat_Analysis
17:20:15 <hyakuhei> ^ Current, abandoned efforts
17:20:20 <tmcpeak> and ensuring that participating organizations continue to contribute, etc
17:20:29 <hyakuhei> s/abandoned/stalled/
17:20:38 <hyakuhei> Yeah there’s lots of chasing things
17:20:43 <elmiko> hyakuhei: sounds like a good effort
17:20:45 <hyakuhei> The idea is to only review the “Core” stuff
17:20:51 <bknudson> might be easier to document the threat analysis now that we've got more docs
17:20:53 <hyakuhei> which we’d have to simply agree by a show of hands
17:20:57 <bknudson> and the docs are in rst
17:21:07 <elmiko> ;)
17:21:16 <hyakuhei> our respective orgs would have to do delta reviews on our add-on value-add whatever
17:21:47 <tmcpeak> hyakuhei: this is a good idea though, all these saved hours can go into making OpenStack more secure/better
17:21:55 <hyakuhei> So I don’t have any actions for any of you other than please think about this, if you work for a big vendor I’m going to be knocking on your door soon
17:21:56 <tmcpeak> no sense in 5 parallel efforts to TA Nova
17:22:09 <michaelxin> tmcpeak: +1
17:22:28 <hyakuhei> Superb
17:22:40 <hyakuhei> So the problem tends to be getting the right people in the room
17:22:51 <hyakuhei> As you really need cores/PTLs to make it work
17:23:12 <tmcpeak> and how will we do "in the room"?
17:23:18 <hyakuhei> Indeed
17:23:38 <hyakuhei> At one point we discussed sending some of our folk to 3-5 of the mid-cycles
17:23:45 <hyakuhei> Trying to spend a day at each one deep diving
17:24:02 <tmcpeak> yeah, I'm not sure 1 day there is enough
17:24:10 <hyakuhei> It depends on dept
17:24:12 <hyakuhei> *depth
17:24:15 <tmcpeak> the people that are working on it for us spend weeks tracking things down, revising diagrams, etc
17:24:25 <hyakuhei> The initial approach attempted to do full functional decomposition
17:24:36 <michaelxin> we can pick one for exercise purpose
17:24:45 <michaelxin> See what works and what does not
17:24:51 <hyakuhei> tmcpeak: True, though most of the heavy lifting on that is the first set of documentation
17:25:00 <tmcpeak> Keystone might be a good choice since we have bknudson and could probably get ayoung to play
17:25:15 <hyakuhei> after that (major re-writes notwithstanding) it should be deltas that need reviewing
17:25:18 <bknudson> hp has a few cores and PTL in keystone.
17:25:22 <tmcpeak> hyakuhei: +1
17:25:28 <hyakuhei> Yeah, I don’t want to get too far into the detail here
17:25:42 <hyakuhei> IRC isn’t the best format for what is a lengthy conversation
17:25:44 <sigmavirus24> michaelxin: we (Rackspace) have a few Glance cores + a couple OSSG members
17:25:51 <hyakuhei> but I think the time has come to reboot these efforts
17:25:59 <tmcpeak> yeah, sounds good
17:26:04 <michaelxin> sigmavirus24: +1
17:26:08 <tmcpeak> maybe we can carve out a few hours planning at midcycle?
17:26:10 <yaya> +1
17:26:15 <hyakuhei> I’m happy to lead but it might be a nice opportunity for someone else to pick up an activity
17:26:27 <hyakuhei> tmcpeak: +1 I’m adding it to the etherpad shortly
17:26:49 <hyakuhei> Security has a much bigger profile than the last time we tried so fingers crossed we’ll get more traction this time.
17:26:55 * sigmavirus24 sighs
17:27:03 <sigmavirus24> I'm going to miss so much by not being at the midcycle
17:27:11 <tmcpeak> I told you mr. virus
17:27:21 <dg_> hyakuhei got a link for the etherpad?
17:27:29 <sigmavirus24> tmcpeak: does "YOLO" apply here?
17:27:31 <hyakuhei> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:27:48 <tmcpeak> sigmavirus24: kind of ;)
17:29:40 <sigmavirus24> tmcpeak: then I invoke "YOLO" (whatever that means)
17:29:43 <sigmavirus24> (dang kids)
17:29:47 <tmcpeak> lol
17:30:02 <hyakuhei> lol
17:30:05 <hyakuhei> #topic Crypto
17:30:14 <hyakuhei> There’s lots going on at the moment
17:30:29 <hyakuhei> There’s the audit stuff we wanted to do but nkinder was leading and has been too busy
17:30:44 <hyakuhei> Then there’s oversight and tracking of the openstack native encryption services.
17:30:51 <hyakuhei> Both need work and attention
17:31:30 <hyakuhei> It’s another opportunity for someone to become the shining light of OpenStack security
17:31:58 <hyakuhei> or I’ll try to get around to it - possibly also something that could get bootstrapped at the mid-cycle
17:32:16 <hyakuhei> Thoughts?
17:32:25 <elmiko> sounds cool
17:32:32 <sigmavirus24> hyakuhei: what if they don't want to be shiny? =P
17:32:34 <tmcpeak> hyakuhei: crypto tracking can be a small Bandit tweak
17:32:46 <elmiko> nice idea tmcpeak
17:32:56 <hyakuhei> tmcpeak: it needs to be reported/centralized
17:33:13 <elmiko> it just means every project needs to run bandit ;)
17:33:17 <tmcpeak> hyakuhei: no problem ,we can push our JSON results to a server
17:33:21 <tmcpeak> and then do some parsing
17:33:24 <hyakuhei> The tracking is about what algorithms get used where, why and are they appropriate. Can they be configured or are they hard coded etc.
17:33:41 <tmcpeak> elmiko: I don't think so, we can just have a list of repos, and then iterate, clone, report, and move on
17:33:47 <hyakuhei> tmcpeak: It’s a good idea
17:33:51 <elmiko> tmcpeak: even better
17:33:54 <hyakuhei> +1
17:33:58 <tmcpeak> low effort approach anyway
17:34:07 <tmcpeak> could probably bang that up in a few hours
17:34:16 <michaelxin> +1
17:34:40 <tmcpeak> hyakuhei: I'm happy to carve a few hours for that at midcycle
17:35:16 <hyakuhei> Sweet
17:35:28 <hyakuhei> #topic MidCycle
17:35:29 <tmcpeak> where is nkinder anyway?
17:35:43 <hyakuhei> So I’m assuming everyone confirmed on the etherpad is coming (yay!)
17:35:45 <tmcpeak> he still have a conflict for this meeting?
17:35:55 <hyakuhei> ya
17:36:03 <elmiko> tmcpeak: i assume so, haven't talked with him recently
17:36:24 <tmcpeak> ahh ok cool
17:36:27 <michaelxin> hyakuhei: I am
17:36:30 <tmcpeak> hopefully he can get to the midcycle
17:36:35 <hyakuhei> I’m going to get food orders sorted soon, basically there’s a big area with snacks/drinks whatever available in the office
17:36:52 <hyakuhei> I’ll get breakfast and lunch sorted for day 1, a general mix of food for veggies/meaties
17:36:54 <bknudson> there's a place where they throw fish around nearby
17:37:06 <hyakuhei> and we’ll sort out what to do from then on, as with the SF midcycle
17:37:13 <hyakuhei> That work?
17:37:15 <tmcpeak> hyakuhei: +1
17:37:18 <elmiko> sounds good
17:37:19 <michaelxin> bknudson: +1
17:37:42 <bknudson> put me down as a meatie
17:37:53 <elmiko> i added a session topic to the etherpad, wasn't sure about the general form. i hope it's ok
17:38:20 <elmiko> and put me down as a veggie plz =)
17:38:27 <hyakuhei> I’ll just cut a 65% meaty line
17:38:35 <elmiko> lol, nice
17:38:49 <hyakuhei> Everyone booked/sorted for the mid-cycle then?
17:39:07 <michaelxin> hyakuhei: booked here
17:39:16 <elmiko> same, booked and sorted
17:39:17 <hyakuhei> Excellent!
17:39:18 <bknudson> we going to need visitor badges and stuff?
17:39:55 <tmcpeak> bknudson: you can just grab them day 1
17:40:06 <hyakuhei> Yeah, just bring some ID
17:40:15 <tmcpeak> go up the elevator, cause a commotion to get security interested, explain you're there for the lols
17:40:29 <bknudson> for the YOLOs
17:40:36 <elmiko> nice
17:41:08 <hyakuhei> So that’s all I had for today
17:41:13 <tmcpeak> API testing
17:41:21 <michaelxin> tmcpeak: yes
17:41:22 <hyakuhei> #topic API testing/fuzzing
17:41:38 <michaelxin> The PoC is working now
17:41:49 <tmcpeak> sweet, linkies?
17:41:50 <michaelxin> We are polishing the documentation
17:42:05 <michaelxin> adding examples.
17:42:21 <michaelxin> it should be ready for public by early next week.
17:42:30 <tmcpeak> awesome
17:42:31 <michaelxin> it is still early stage
17:42:33 <bknudson> is it a tool?
17:42:46 <michaelxin> We want your feedback before adding more stuff
17:42:55 <michaelxin> bknudson: Yes, it is a standalone tool.
17:43:09 <bknudson> neat
17:43:10 <michaelxin> For current example, we are using keystone API
17:43:31 <michaelxin> Wish that it will become an openstack security tool
17:43:49 <tmcpeak> michaelxin: sounds good
17:43:50 <bknudson> keystone added input validation with JSON schema to the v3 api so that should help
17:43:59 <tristanC> michaelxin: may I ask what inputs does it need to run ?
17:44:08 <bknudson> that was something a guy from our group was working on (not to brag)
17:44:24 <michaelxin> tristanC: valid payload
17:44:41 <michaelxin> like HTTP request in burp.
17:45:11 <michaelxin> We do have an extension enabling automatic authentication with tokens replaced.
17:45:51 <tristanC> interesting, so can you for example convert a tempest run into usable payload ?
17:45:52 <michaelxin> In configuration files, you set up user name and password, etc.
17:46:15 <michaelxin> At this stage, no
17:46:34 <michaelxin> We have some discussion about generating the usable payloads.
17:46:40 <michaelxin> But the project is in early stage.
17:46:54 <michaelxin> We want to focus on fuzzing and testing
17:47:05 <hyakuhei> I’m really looking forward to experimenting with this michaelxin
17:47:15 <elmiko> likewise
17:47:21 <tmcpeak> yeah should be very cool
17:47:29 <michaelxin> hyakuhei: we look forward to your feedback
17:47:46 <hyakuhei> I’m sure there’ll be some ;)
17:47:51 <michaelxin> At this stage, it is only a PoC.
17:48:08 <michaelxin> Too much expectation might kill me. :-)
17:48:11 <tristanC> fair enough, does it have a name yet ? :)
17:48:26 <michaelxin> we code name it syntribos
17:49:11 <michaelxin> I will make it available next week in openstack-security room
17:49:24 <michaelxin> If you have any question, you can find me over there.
17:49:33 <tmcpeak> great!
17:49:40 <tristanC> michaelxin: thanks
17:50:10 <michaelxin> tristanC: You are welcome
17:50:19 <michaelxin> that's all for me
17:50:42 <tmcpeak> sweet
17:50:55 <hyakuhei> #topic Any Other Business
17:51:20 <hyakuhei> michaelxin: Did you want to make syntribos an official OpenStack Security Activity ?
17:51:33 <hyakuhei> I don’t like the word project as everything is a project already
17:51:33 <michaelxin> hyakuhei: Sure
17:51:39 <hyakuhei> The list of Security Project Projects...
17:51:42 <hyakuhei> Great :D
17:52:15 <hyakuhei> When you’re ready to release we’ll setup a repo for it
17:52:23 <hyakuhei> Straight to the big-tent for you ;)
17:52:29 <elmiko> nice
17:53:01 <michaelxin> haha, Thanks.
17:53:31 <hyakuhei> Great, anything else before we close this out?
17:54:37 <tmcpeak> should be good, thanks hyakuhei!
17:54:46 <elmiko> oh
17:54:46 <michaelxin> hyakuhei: tmcpeak Thanks
17:54:51 <elmiko> ossn triage for mid-cycle?
17:55:00 <tmcpeak> yeah, we should do that for sure
17:55:07 <elmiko> i can add it to the pad
17:55:23 <tmcpeak> elmiko: +1
17:56:59 <elmiko> k, added
17:57:04 <tmcpeak> cool, thanks elmiko
17:57:07 <tmcpeak> good point
17:57:58 <tmcpeak> alright, that's a wrap then
17:58:05 <tmcpeak> #endmeeting