17:00:45 <hyakuhei_> #startmeeting security
17:00:46 <openstack> Meeting started Thu Aug 4 17:00:45 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:49 <openstack> The meeting name has been set to 'security'
17:00:54 <singlethink> o/
17:01:00 <hyakuhei_> hey!
17:01:03 <xarses> sorry guys
17:01:10 <hyakuhei_> no worries
17:01:14 <hyakuhei_> #link https://etherpad.openstack.org/p/security-agenda
17:02:14 <hyakuhei_> I'm expecting a quiet meeting
17:02:22 <hyakuhei_> Blackhat etc.
17:03:19 <hyakuhei_> So I guess we'll get started, any Syntribos folks around?
17:03:58 <hyakuhei_> Hmm, I guess not
17:04:28 <hyakuhei_> lhinds: you around?
17:04:51 * hyakuhei_ listens for an echo
17:04:54 <hyakuhei_> hey dg____
17:05:14 <hyakuhei_> It's oddly quiet here, concerned the internet broke.
17:05:28 <dg____> are we in the wrong room or something?
17:05:29 <elmiko> hi =)
17:05:33 <dg____> hey elmiko
17:05:48 <hyakuhei_> elmiko is here! Everything will be ok now.
17:05:50 <elmiko> how's things on the other side of the pond?
17:06:03 <hyakuhei_> I'm your side atm elmiko
17:06:11 <elmiko> ooh, interesting... ;)
17:06:17 <hyakuhei_> I know rite!?
17:06:27 <elmiko> can't get enough american politics huh?
17:07:13 * singlethink has had enough... hyakuhei_ can take my share
17:07:24 <elmiko> hahaha, singlethink++
17:07:56 <hyakuhei_> So I'm not sure we have enough of a quorum to follow the normal meeting agenda.
17:08:08 <dg____> it's oddly quiet
17:08:31 <dg____> guess a few people are in vegas
17:08:40 <hyakuhei_> I think with the various conferences / things going on at the moment and the midcycle on the horizon there's not much going to happen before the summit
17:08:46 <hyakuhei_> s/summit/midcycle/
17:08:52 <dg____> +1
17:08:58 <dg____> anything you want to discuss?
17:09:08 <dg____> elmiko are you coming to the midcycle?
17:09:13 <hyakuhei_> Last chance to vote for: https://www.openstack.org/summit/barcelona-2016/vote-for-speakers/
17:09:15 <elmiko> no, i don't think so
17:09:32 <gmurphy> how's the threat analysis stuff going dg____?
17:09:35 * gmurphy hides
17:09:49 <elmiko> i thought about trying to get clearance for some sort of last hurrah with the ossp, but it didn't quite work out
17:10:49 <hyakuhei_> booo.
17:10:56 <singlethink> I just added one item under OSSNs
17:11:01 <hyakuhei_> Roadtrip! We'll cover food, you can stay in my bathroom :P
17:11:10 <hyakuhei_> #topic OSSN
17:11:11 <elmiko> haha, brilliant!
17:11:27 <dg_____> back again, sorry internets
17:11:28 <hyakuhei_> singlethink: could you say a bit more about NTP ?
17:11:35 <singlethink> Ok well... we and others have been reporting a number of NTP vulnerabilities lately
17:11:54 <singlethink> basically, there are a number of ways that (until very recently) unauthenticated attackers can change time
17:11:59 <singlethink> or DoS ntpd
17:12:08 <hyakuhei_> Well NTP's insecure in general and lots of services like Swift need precise timing....
17:12:15 <singlethink> A number of them can be mitigated by hardening the NTP configuration
17:13:10 <singlethink> Would the steps to harden NTP in an OpenStack environment be an appropriate OSSN topic? Or is it too general (because there's lots of stuff that depends on NTP outside of OpenStack too)
17:14:00 <hyakuhei_> Tricky. So OSSN can (and do) refer to issues that underlie OpenStack.
17:14:14 <dg_____> seems like a topic for the guide
17:14:20 <dg_____> at least mentioning that it should be done
17:14:20 <hyakuhei_> I think an OSSN would be fine. It'd have to spell out that it's not an inherent issue with OpenStack but that services can be abused by it.
17:14:42 <hyakuhei_> dg_____: Agree but OSSN is just easier right now, Guide is in limbo
17:14:44 <singlethink> ack
17:14:57 <hyakuhei_> Is that a fair thing to say elmiko ?
17:15:31 <elmiko> yeah, i think an ossn is appropriate, but ideally something in the guide would be tops in my book
17:15:35 <gmurphy> well it seems more like OS hardening. so could be a slippery slope if we start down that path too.
17:15:53 <elmiko> i mean, there could be discussions of alternate ntp implementations and whatnot...
17:15:55 <hyakuhei_> gmurphy: I understand, but OSSN are generally driven by the authors.
17:15:58 <singlethink> I'd be fine with either. I was trying to come up with something of reasonable scope to contribute
17:16:00 <dg_____> hyakuhei is that due to limboing strategy or lack of resource?
17:16:00 <gmurphy> kk.
17:16:08 <gmurphy> lack resource i think
17:16:20 <hyakuhei_> dg_____: lack of resource isn't a strategy?
17:16:36 <dg_____> it is at HPE ;)
17:17:08 <elmiko> zing!
17:17:08 <hyakuhei_> Just #OpenStackThings.
17:17:36 <singlethink> It looks like the install guides instruct users to install Chrony these days: http://docs.openstack.org/mitaka/install-guide-obs/environment-ntp.html
17:17:39 * hyakuhei_ takes the KB away from dg_____ for his own good
17:17:52 <dg_____> hahah thanks hyakuhei_
17:18:27 <dg_____> ok guys, i have to step out early, I'm going to attempt to write a section on threat analysis for the security guide before the mid-cycle
17:18:46 <gmurphy> #link - https://github.com/viraptor/reconbf
17:18:49 <unrahul> Guys
17:18:50 <elmiko> dg_____: good luck, we're all counting on you
17:18:56 <hyakuhei_> dg_____: let me know how I can help, should have a couple of hours available next week
17:18:56 <gmurphy> this is another tool HPE open sourced recently
17:19:14 <unrahul> Can I do the Syntribos updates after this?
17:19:15 <gmurphy> has some openstack scope
17:19:23 <hyakuhei_> Whoop, I was wondering if Recon would get open sourced. That's cool
17:19:28 <hyakuhei_> We should do a blog post about it.
17:19:35 <gmurphy> thought i would throw that out there since it's about 3am in australia where stan is
17:19:38 <hyakuhei_> I'll draft something if others don't mind
17:19:51 <singlethink> ohh... that looks cool
17:19:51 <gmurphy> ping stan on it. i'm sure he'd be happy to help
17:19:53 <hyakuhei_> I'll stub it out, invite everyone to comment/edit as appropriate
17:20:00 <hyakuhei_> gmurphy: for sure
17:20:11 <gmurphy> sounds good. he submitted a talk for the summit on it too
17:20:32 <gmurphy> starting to add in more openstack related profiles recently etc
17:20:45 <gmurphy> previously had been a lot of operating system type stuff
17:20:54 <hyakuhei_> It's a really interesting project, very happy to see it's open source now
17:21:29 <gmurphy> may not be the final home either. but is there for now
17:21:42 <hyakuhei_> Cool!
17:21:55 <hyakuhei_> ok, I don't have anything else on OSSN unless you guys do?
17:22:08 <hyakuhei_> #topic Docs
17:22:34 <elmiko> docs are gewd
17:22:39 <hyakuhei_> So my understanding is that sicarie is moving on and elmiko will have very little time to look at docs in the future
17:22:41 <elmiko> we need more
17:22:47 <hyakuhei_> ^ Crisis mode enabled.
17:22:48 <gmurphy> soz. i just jumped the gun then. i thought you changed the topic to #openstackthings lol
17:22:50 <elmiko> oh wow, didn't hear that about sicarie
17:22:56 <hyakuhei_> gmurphy: no worries
17:23:05 <elmiko> good for him (i hope)
17:23:27 <hyakuhei_> So it's possible I've just told the internet something I shouldn't have but I don't think it was secret. My understanding is he's changing role and it'll be less OpenStack focussed in general
17:23:40 <elmiko> i am certainly willing to help transition with the docs, but i'll need live bodies
17:23:59 <hyakuhei_> Understood. So we need to work out how to fix this. I'll talk to the docs core
17:24:07 <elmiko> sounds good
17:24:10 <hyakuhei_> We also need to work on that open-letter/email to the ML
17:24:30 <elmiko> fortunately, there isn't much institutional knowledge around the sec-docs. it's pretty straightforward
17:24:48 <hyakuhei_> elmiko: yeah, we just have to get people involved.
17:24:55 <elmiko> right
17:25:03 <hyakuhei_> Or work out some elaborate trick to get them contributing ;)
17:25:06 <elmiko> the scripts are all self-explanatory
17:25:18 <elmiko> heh, i'd love to hear about said trick ;)
17:25:19 <hyakuhei_> Excellent.
17:25:34 <hyakuhei_> elmiko: think back a few years - see if you remember when it happened ;)
17:25:41 <hyakuhei_> #topic Midcycle
17:25:44 <hyakuhei_> #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:26:00 <elmiko> hyakuhei_: ack
17:26:25 <hyakuhei_> So IBM is going to sponsor the room and breakfast/lunch for Security people. I think I can swing Barbican too if that's not covered already... redrobot know what the score is there?
17:27:37 <hyakuhei_> I don't have much more to add really. We need a few more unconference topics but I think lots of the work will be sprints to tidy/clean/wrap various projects
17:27:55 <hyakuhei_> Thoughts?
17:29:12 <elmiko> i think ibm should definitely cover breakfast for barbican, they work hard!
17:29:35 <hyakuhei_> totes!
17:29:41 <hyakuhei_> #topic Any other business
17:29:58 <gmurphy> (insert previous recon discussion here)
17:30:02 <hyakuhei_> Today is the last day of conference voting
17:30:07 <hyakuhei_> #link https://www.openstack.org/summit/barcelona-2016/vote-for-speakers/
17:30:16 <elmiko> gmurphy: what is recon?
17:30:17 <hyakuhei_> There's some great talks there and a few really fuddy ones.
17:30:43 <gmurphy> elmiko: the github link from before
17:30:57 <elmiko> hyakuhei_: any talks you want to highlight?
17:31:03 <gmurphy> how many talks this year hyakuhei_?
17:31:17 <hyakuhei_> 30ish I think
17:31:33 <hyakuhei_> elmiko: No, can't hotlink anyway
17:31:41 <elmiko> ack
17:31:47 <hyakuhei_> Will mention that using keyboard numbers and arrows is way faster for voting
17:31:48 <hyakuhei_> heh
17:31:48 <elmiko> recon looks cool
17:31:54 <hyakuhei_> It is
17:32:06 <unrahul> Hey hyakuhei_ I am from #Syntribos, can I update about the project after we finish up, I was running late
17:32:58 <hyakuhei_> unrahul: good stuff, thanks :)
17:33:12 <hyakuhei_> I don't think we have any more stuff for you
17:33:25 <hyakuhei_> Anyone else have other business before we dive into Syntribos?
17:33:55 <gmurphy> nopes
17:33:59 <hyakuhei_> #topic Syntribos
17:34:08 <unrahul> Thanks hyakuhei_ ! , We are working on making the internal APIs a lil better
17:34:09 <hyakuhei_> unrahul ^^^
17:34:39 <unrahul> and also, on the front end part, we were initially following unittest results output
17:34:44 <hyakuhei_> Interesting, do you have things you want reviewing/contributing to?
17:35:12 <unrahul> we have moved on from there and are working on making it better.
17:35:14 <unrahul> https://review.openstack.org/#/c/345286/
17:35:38 <unrahul> this patch has been there for a while and is close to getting merged. but other than that we are working on multiple patches not ready for review really
17:35:55 <unrahul> Both ccneill and mdong are off to DEFCON so.. things are kinda slow..
17:36:18 <elmiko> lucky....
17:36:30 <unrahul> yeah elmiko !.
17:36:39 <unrahul> that's it from us..
17:37:17 <hyakuhei_> Awesome, thanks unrahul, you're doing extremely good work here, I know it's already being used internally here on at least one big project.
17:37:53 <hyakuhei_> Any last minute things ?
17:38:01 <unrahul> thanks hyakuhei_ ! it is really great to hear other projects are using it.. especially still we are in alpha.
17:38:13 <unrahul> have fun guys!
17:38:24 <hyakuhei_> #endmeeting