17:00:03 #startmeeting security
17:00:04 Meeting started Thu Jul 28 17:00:03 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:06 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:06 o/
17:00:08 #chair hyakuhei
17:00:09 The meeting name has been set to 'security'
17:00:10 Current chairs: hyakuhei tmcpeak
17:00:14 hey
17:00:19 yo!
17:00:20 yo doog
17:00:21 hai
17:00:22 o/
17:00:24 o/
17:00:32 o/
17:00:34 o/
17:00:41 #link https://etherpad.openstack.org/p/security-agenda
17:00:44 o/
17:00:48 o/
17:01:03 o/
17:01:30 alright
17:01:37 good turnout, let's get started
17:01:41 #topic Syntribos
17:01:46 ccneill: what's up this week?
17:01:53 kewl
17:02:12 so I've been out for a few OSSP meetings recently, not sure what all we've covered already
17:02:30 but we are now rid of OpenCAFE as a code dependency (though we still need to update the docs to reflect that fully)
17:03:01 we're working on a more intuitive output format that's less driven by unit test dynamics and is more useful (we think) for security testing
17:03:12 er, sorry - *command-line output
17:03:23 i hooked up syntribos with openstack proposal bot. so now the project will get all of the easy updates to requirements.txt
17:03:31 yep, thanks browne!
17:03:34 o/
17:03:44 browne: ++
17:03:49 sigmavirus: long time no see
17:03:59 we're also working on our debug log right now for logging useful info about tests/requests/etc.
17:04:04 tmcpeak: yeah :/
17:04:12 sigmavirus: you finally emerge from your block of Wisconsin ice? :P
17:04:30 ccneill: you guys end up going with oslo?
17:04:35 *makes wooly mammoth noises*
17:04:38 we're sticking with python logging for the moment
17:04:50 because oslo.log added so many cli options that we don't think we really need atm
17:04:56 yeah, python logging is solid
17:05:08 is there a summit talk on syntribos?
17:05:15 and it's pretty easy to plug in if we decide we do want those features in the future
17:05:20 err.. not sure
17:05:24 when is the summit anyway?
17:05:31 * ccneill is unprepared <_<
17:05:33 what's a summit :P
17:05:38 * elmiko waves at sigmavirus
17:05:41 end of October
17:05:47 October
17:05:50 25-28th
17:06:02 * sigmavirus waves at elmiko
17:06:05 I imagine we could piece something together by then :)
17:06:11 I don't know if it is formally on the agenda though
17:06:21 oh then it's not
17:06:29 voting for the summit is going on now
17:06:32 ccneill: for the summit submissions were due a while ago
17:06:35 You guys should have something in for the X-project and Security design sessions
17:06:45 d'oh. I'm mixing up summits and midcycles
17:06:51 you're talking Barcelona
17:07:02 Aaah
17:07:11 So midcycle is two weeks-ish
17:07:16 #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:07:17 oh yeah, we should definitely have stuff at midcycle
17:07:33 +1
17:07:50 we haven't submitted any formal talks about it yet because things have felt pretty chaotic
17:08:08 but (helped by the fact that we've started actually writing unit tests) things should be declining in craziness over time
17:08:35 yeah, I think we’ve decided that we weren’t quite ready for this summit
17:08:39 I do have a question for all you smart people: has anyone figured out how to get rid of or otherwise modify the --config-file and --config-dir options auto-added by oslo.config?
17:08:46 I'd like to hack on it at least in Austin
17:09:12 maybe I'll slam some redbulls and attempt to break IBM things with it :D
17:09:21 tmcpeak: let us know how it goes :D
17:09:44 for sure
17:09:46 I think we have a somewhat-stable idea of what 1.0 will look like
17:09:59 o/
17:10:04 ccneill: i think you may need to duck-punch some of the oslo.config classes to override those options
17:10:07 hey woodster_
17:10:24 hyakuhei: hello!
17:10:27 duck-punch ?
17:10:31 our meeting notes from 7/19 have some of our tentative plans for 1.0 and beyond: https://etherpad.openstack.org/p/syntribos-planning
17:10:41 think, forcible ducktyping ;)
17:10:45 lol
17:10:51 yeah, i love that one
17:11:08 yeah, I was afraid we'd have to go a little deeper than just passing it some kwargs :(
17:11:24 we'll figure it out one way or another..
17:11:42 so one other question that I have for y'all: what do you think about an #openstack-syntribos channel?
17:11:48 well, it makes sense though. oslo.config provides a great interface for adding those config files, so it makes sense from that perspective
17:11:59 I notice that we sort of dominate the discussion in #openstack-security these days, and I don't know if that's a good or bad thing
17:12:04 I'm fine with it, although we never went that route for Bandit
17:12:09 ccneill: I think that's fine
17:12:11 ccneill: i'd stick with openstack-security
17:12:11 ccneill: no objection to that but I don’t think there’s any objection to you using -security
17:12:16 gives us opportunity to follow
17:12:30 I just didn't know if it felt like scope creep for the openstack-security channel
17:12:31 +1 to keep using -security, the s/n ratio isn't that bad in there
17:12:39 My preference would be to stay on -security but no big objection to you using something else if you really want to
17:12:42 but if everyone's okay with it, I think we are
17:12:43 yeah, we had that for a while with Bandit too, it's fine
17:12:50 yupyup
17:12:50 yeah, but openstack-sdks has several projects which use the channel. so, seems fine to me
17:12:51 ccneill: creep away
17:12:55 :)
17:12:55 it's the main active project right now
17:13:15 somebody has to fill the silence in openstack-security channel right now
17:13:20 :'(
17:13:33 even the Spanish bots don't like us anymore
17:13:37 lolol
17:13:40 rofl
17:13:45 they've moved on to Kubernetes
17:13:57 nah, cloudfoundry bro
17:14:04 hyakuhei: +1
17:14:05 They’re all hitting up Slack now :P
17:14:13 ++ love Slack
17:14:15 so I think that's about all for us this week
17:14:21 tmcpeak: oh seriously?
17:14:25 haha
17:14:27 wish there was an openstack slack team
17:14:27 mdong: did I miss anything you can think of?
17:14:46 I think our Intel friends and michaelxin are out at the moment
17:14:47 browne: nonsense browne. We use IRC bc we're l33t
17:14:58 irc4lyfe
17:15:00 nah, I think you’ve covered everything
17:15:04 elmiko: +1
17:15:12 awesome
17:15:13 #topic OSSN
17:15:28 I'm supposed to have written one, but I did not because I suck (again)
17:15:39 lol
17:15:44 * sigmavirus wishes he had time to write one
17:15:47 I've been working on same day job stuff… if nothing else I'll write one for sure in Austin
17:16:00 Yeah we have a sprint lined up for the midcycle
17:16:06 Should clear or almost clear the queue
17:16:11 I have 0069 underway, but thinking it might be a better fit for the security guide
17:16:28 lhinds kindly published 64 for me, nkinder be damned :P
17:16:29 this is the qbr ipv6 bypass to get at the host OS
17:16:34 the midcycle ossn sprint was really valuable when i attended in the past
17:16:37 lhinds: both, ideally
17:16:47 sicarie: makes sense
17:16:53 The ossns are more informal
17:17:01 oh authors are updated on wiki now as well
17:17:16 lhinds: +1
17:17:19 So it can be an outline, then the sec guide has style constraints, etc....
17:17:21 thanks for doing that!
17:18:06 tmcpeak: np
17:18:27 +1 it’ll be a really good addition
17:18:46 cool
17:18:48 probably it for OSSN?
17:19:02 think so
17:19:04 lhinds is pulling the sled by himself now, we'll have to make sure to get a bunch done in Austin
17:19:08 lhinds: you coming to Austin?
17:19:25 not sure about Austin, but will be at barca
17:19:32 Excellent
17:19:47 will see what I can do for Austin
17:19:50 Though FYI there’s no Uber in Barca, which is deeply upsetting for me.
17:19:54 yeah, would be great to have you there
17:19:57 lol hyakuhei
17:20:17 oh, so no different from Austin, then
17:20:19 hyakuhei fairly sure there is no uber in austin now either
17:20:20 hyakuhei: +1 I hate feeling ripped off by local taxis
17:20:26 WHAT?!
17:20:33 v_v
17:20:35 don't remind me...
17:20:43 What was the backup location for the Midcycle?
17:20:48 haha
17:20:52 there is, however, a preponderance of more-expensive, smaller competitors
17:21:04 whose idea was it to go to texas in august anyway? :P
17:21:07 but now I feel SO MUCH SAFER with all the drunk drivers on the road
17:21:23 * ccneill is still a little frustrated by this, if you couldn't tell
17:21:28 Damn it.
17:21:49 ccneill: yeah, you guys "voted" though :#
17:21:54 Anyway - thanks again lhinds
17:22:03 don’t worry, when you take a Fasten from the airport at a 30% premium compared to Uber, you’ll at least be sure that their drivers are fingerprinted
17:22:17 sigh.. tmcpeak: it was Mother's day weekend, all UT students were mostly out of town, and I think no one saw the "no" vote coming
17:22:37 isn't the IBM office out in the middle of nowhere too?
17:22:54 Auxit :P
17:22:54 <_<
17:22:57 kinda
17:23:10 it's definitely kinda far from the airport
17:23:12 lol
17:23:23 Yeah, it looks like a nice enough office though.
17:23:24 cool
17:23:28 #action hyakuhei rent a truck for the week
17:23:29 #topic Sec Guide
17:23:36 dg____: +A !
17:23:40 it’s in a really nice part of town, but yeah, pretty far from the airport
17:23:45 ^
17:23:51 some lifted monstrosity with 50" tires
17:23:53 sicarie …
17:23:57 a paragraph on rate-limiting: https://review.openstack.org/#/c/348290/
17:23:58 elmiko:
17:24:14 awesome, I did not see that lhinds - I’ll take a look shortly
17:24:23 can we circle back to mid-cycle logistics in AOB?
17:24:24 tried to keep it the same size as the other sections and quick to the point
17:24:26 So i started a review, got through the Neutron chapter, and promptly got distracted
17:24:30 Even San Antonio has Uber, just sayin'
17:24:36 thanks sicarie
17:24:43 dg____: yup
17:24:49 this looks good lhinds!
17:25:16 i haven't created much for the sec-guide recently, but i can certainly check out a few reviews
17:25:36 i think i opened ~5 bugs as a result of my partial read-through
17:25:40 I have a set of notes
17:25:44 dg____: yeah for sure
17:25:55 most of the stuff is “we should make sure this code example is still accurate with the latest version of $X"
17:26:09 and most of that is in the compute chapter
17:26:22 I wonder how many things we could hammer out at the midcycle for this?
17:26:33 I expect Neutron to be different as they gave much more theoretical advice that was version-specific
17:26:36 we should really try given our desire to put guide in steady state
17:26:47 hyakuhei: quite a bit of the first 11 chapters
17:26:58 Interesting
17:27:20 I expect Neutron to require a significant overhaul, I remember being very confused the last time I read it, but that was a while ago
17:28:08 so yeah, i’m going to be able to focus on it again a bit this week, so i’ll keep going, and see where i can get
17:28:19 we don't have SMEs for Neutron, do we?
17:28:23 nope
17:28:30 Haven’t had for a long time IIRC
17:28:38 anybody have Neutron friends?
17:28:38 We could look up who their core-sec is
17:28:45 sicarie: I guess you guys did that already?
17:28:54 not core sec
17:29:01 we went with the neutron core who was docs lead
17:29:02 or just drop by their IRC room and shout a bit?
17:29:07 I have not yet done that
17:29:08 Ah fair enough
17:29:30 i wanted to have a few more actionable things before i did that
17:29:39 “IF WE DONT GET HELP WERE GOING TO REMOVE NEUTRON FROM THE SECURITY GUIDE COMPLETELY” kthnxbye….
17:29:46 lol
17:29:54 lol
17:30:00 seems reasonable
17:30:05 i'll do that if i can quote hyakuhei ;)
17:30:19 Quote away :P
17:30:34 we've gone to ultimate stick mode!
17:30:42 lool
17:31:23 ok,
17:31:23 anything else on guide?
17:31:52 narp
17:32:10 #topic Midcycle
17:32:14 I’d like to see more suggestions for topics at the midcycle: https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:32:23 also we can cover logistics now dg
17:32:49 woo
17:33:25 So I’ve got to go sign up to Fasten now…. Damn it Austin
17:33:36 is that like a taxi app?
17:33:49 it’s Uber but legal
17:33:58 :|
17:34:00 * ccneill slams head on desk some more..
17:34:03 haha
17:34:17 So long as I can sign up with a UK phone and put my company CC in it I’m happy
17:34:24 Though Uber will always have my heart
17:34:30 should we get hotels in downtown and then catch a taxi to the office, or should we get hotels out wherever ibm is based?
17:34:35 hyakuhei +1
17:34:43 good Q
17:34:48 dg____: you'll be taking pretty long cab rides from downtown every day
17:34:53 commuting to/from downtown is always a pain
17:35:18 yeah but otherwise we'll be taking long cab rides at night :P
17:35:28 http://www.simon.com/mall/the-domain
17:35:36 location 11501 Burnet Rd, Austin, TX 78758
17:35:37 hmmm.. this may not be the best site for this
17:36:07 but there are hotels in The Domain (nearby outdoor shopping mall) that are much closer
17:36:27 basically the question is how much your tolerance for traffic is
17:36:32 ok
17:36:45 i guess we can always get taxis into town in the evening
17:36:52 just without uber it's going to be so much harder
17:37:09 dg____: if I told you how I *really* feel about the Uber thing, we'd be here another hour lol
17:37:26 i think we understand ccneill
17:37:27 suffice it to say, I was so pissed off, I watched hours-long city council meetings to try to understand how we went so horribly wrong
17:37:30 lol
17:37:32 :P
17:37:42 I don’t know what hotel I’m in yet, someone who understands such things will tell me tomorrow
17:37:43 ccneill that's basically how we feel about brexit
17:37:49 let it never be said ccneill doesn't know how to party
17:37:49 haha
17:37:59 lolol
17:38:20 hyakuhei you just getting your admin to put you in the cheapest one around?
17:38:29 I’ve known people who voted no to Uber just because Uber was spamming their mailboxes with too many ads telling them to vote
17:38:54 OMFG FASTEN sucks
17:39:04 we should work out hotel suggestions
17:39:06 ccneill how bad is traffic getting from downtown to the office in the mornings?
17:39:07 dg____: she’ll put me in some hotel sure
17:39:11 there's also one called GetMe[somethingorsomewhere]
17:39:21 don’t use GetMe
17:40:10 dg____: been a while since I made the drive, I don't imagine it's *too* terrible going from downtown to North Austin (most people are going the opposite direction)
17:40:10 I asked one of the IBM guys where to stay
17:40:22 thanks ccneill
17:41:02 he says Westin and Home2
17:41:05 at least in the mornings. in the evenings, traffic can be pretty atrocious getting back to downtown (~5-6PM)
17:41:15 ok
17:41:17 thanks
17:41:20 I’ll ask fernando to put some recommendations on the etherpad
17:41:27 Though locals please feel free to do so also
17:41:55 cool, thanks
17:42:12 I think the various hotels in The Domain are the best from a distance perspective, but it depends on what you want to do while you're here
17:42:17 residence inn and Home2 according to hotels.com
17:42:35 there are lots of cool shops/restaurants/etc. at the Domain, but it's not downtown Austin/6th street
17:42:47 maybe we can do downtown one night and chill around the others
17:42:52 yeah that works
17:43:07 I'm not looking for the paris experience again
17:43:26 lol, I don't know what that means but I second your opinion
17:43:33 #topic New Sec Core
17:43:40 hyakuhei: I added this for this meeting
17:43:48 seems like we could use another sec core, since nkinder hasn't had much time
17:43:54 Yeah
17:43:58 +1
17:43:59 lhinds volunteered
17:43:59 So we have two “types” of core
17:44:04 Those who do OSSN magic
17:44:07 I think he's a natural choice given all the great work he's done
17:44:22 Actually no, we just have one in this context. ignore me
17:44:32 I mean the embargoed issues type
17:44:36 Yeah
17:45:07 lhinds: I’ll talk to you about it :) Your work on OSSNs has been extremely valuable
17:45:08 so how do we get him set up?
17:45:15 hyakuhei: +1
17:45:23 sounds good hyakuhei
17:45:40 cool
17:45:45 #topic AOB
17:45:48 Core is about more than just that though, there’s a responsibility to consult with and help inform the VMT on complicated vulnerabilities etc
17:45:53 So we’ll chat about it a bit more
17:46:00 anyone going to DEFCON this year? :)
17:46:01 yep yep
17:46:04 sure, np
17:46:05 ccneill: I am
17:46:06 you?
17:46:09 yeeep
17:46:19 neat
17:46:21 awesome!
17:46:31 we have a few Rackers going this year I believe
17:46:37 Not I, but a bunch of my Cisco coworkers are
17:46:38 o/
17:46:42 Just a reminder about the summit voting: #link https://www.openstack.org/summit/barcelona-2016/vote-for-speakers/
17:48:03 +1 vote early, vote often (as they say in Chicago)
17:48:05 sweet
17:48:18 anything else?
17:48:37 is there an easy way of finding sec talks?
17:48:39 I'm not going to be able to attend next week and possibly the week after
17:48:50 and then week after that is Austin :)
17:48:50 or rather, anyone here have talks up?
17:48:51 you can list by track (security, for example) top left drop-down menu
17:48:59 ahh ok, thanks sicarie
17:49:05 There’s a drop down but no hot-linking
17:49:08 hyakuhei, tmcpeak, gmurphy all have one
17:49:10 (by design)
17:49:15 as does sicarie
17:49:23 got it
17:49:28 psh, that guy sucks at speaking
17:50:01 lol
17:50:15 nice to see Recon one :P
17:50:17 after all this time
17:50:17 is there going to be a hyakuhei vs ade rap battle?
17:50:24 yeah, stan put one up on that
17:50:25 We have a talk in yeah
17:50:33 dg____: that would be epic
17:50:37 ++++
17:50:38 :D
17:50:54 Sigh. Fasten doesn’t work with UK credit cards.
17:50:58 I will prioritize voting for any kind of hyakuhei rap battle
17:50:59 * hyakuhei facedesks
17:50:59 fml
17:51:03 lol
17:51:25 can you take a swipe of ben's amex while you're in seattle the week before?
17:51:30 hyakuhei: you have to use the other sketchy one ccneill said not to use
17:51:38 Fare is another option
17:51:39 * hyakuhei cries
17:51:51 just go on the buddy system, you'll be fine
17:51:53 lol
17:51:56 bring your whistle
17:52:02 I’ll hire a pushbike :D
17:52:05 Is hitch hiking legal in Austin?
17:52:07 In Austin, in August.
17:52:11 I’d honestly get a regular taxi before using GetMe, it’s just an awful app
17:52:41 lol "GetMe"
17:52:44 doesn't sound sketchy at all
17:52:58 this is the special app we have for our British friends
17:53:10 and if you’ve got an iPhone, RideAustin is the city-government approved app
17:53:14 oh, almost forgot
17:53:21 The Domain has a shuttle service that will drive you around the whole mall
17:53:27 and I'm pretty sure IBM is just across the street basically
17:53:37 (I used to be a shuttle driver in college :P)
17:53:45 that's good. My top priority is making sure my city government approves of my ride sharing choices :P
17:53:50 lol I’m loving the local knowledge
17:53:55 tmcpeak: don’t tease him.
17:53:59 This is hard enough as it is
17:54:03 haha
17:54:17 tmcpeak: you'll be super-safe as you wait in the blistering heat for your taxi
17:54:21 hyakuhei: you could craigslist it out :)
17:54:25 so yeah, … Rob can rent a truck
17:54:31 lulz
17:54:37 i think that's probably the best plan
17:54:38 get some real murica
17:54:44 lol
17:54:51 make sure it's a uhaul
17:55:03 nahh you need a big ol' Ford F350 ;)
17:55:08 just hop in the back
17:55:12 ohh, the other other option
17:55:18 is to join the rideshare facebook group
17:55:27 lol if you're daring
17:55:28 Sigh. Phone app lets you sign up from the UK but CC’s break. Webapp doesn’t let you sign up outside the US.
17:55:29 which is a real thing
17:55:35 sure, that works, but it's more fun to have a bunch of folks rattling around the back of a giant uhaul XD
17:55:37 they've started impounding people's cars for offering rides on that
17:55:39 -_-
17:55:49 and the final option is to spoof your GPS location to request a ride outside of city limits
17:55:49 freedom!
17:55:52 oh and then there’s this bit: https://www.dropbox.com/s/avs5eyr50jzlwom/Screenshot%202016-07-28%2018.55.43.png?dl=0
17:55:56 So errrr. Noooope.
17:55:59 and then call your uber driver to tell him where to actually pick you up
17:56:18 hyakuhei: wow... wtf
17:56:25 yup
17:56:32 LOL
17:56:34 WUT
17:56:40 awesome
17:56:42 they're background checking you?
17:56:48 wooow
17:57:03 wait, are you sure you didn’t download the driver app?
17:57:07 ^
17:57:08 instead of the passenger app?
17:57:13 that would be enough for me to nope out there
17:57:20 That’s on the webapp, probably the driver bit yeah
17:57:28 Not paying lots of attention atm
17:57:31 To the app,
17:57:38 doing IRC meeting stuff y’know :P
17:57:46 anyway, let's wrap it!
17:57:46 wrap it?
17:57:49 ^^
17:57:50 +1
17:57:52 #endmeeting