17:02:29 <tmcpeak> #startmeeting security 17:02:31 <openstack> Meeting started Thu Nov 17 17:02:29 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:02:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:02:32 <tmcpeak> #chair hyakuhei 17:02:35 <openstack> The meeting name has been set to 'security' 17:02:36 <openstack> Current chairs: hyakuhei tmcpeak 17:02:36 <lhinds> o/ 17:02:41 <capnoday> o/ 17:02:44 <hyakuhei> lol sorry 17:02:50 <tmcpeak> looool 17:02:51 <tmcpeak> I'm broken 17:02:52 <hyakuhei> I'm stupid and tmcpeak is an enabler 17:02:53 <hyakuhei> o/ 17:02:59 <tmcpeak> o/ 17:03:02 <hyakuhei> #agenda https://etherpad.openstack.org/p/security-agenda 17:03:04 <vds> o/ 17:03:12 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda agenda :) 17:03:14 <hyakuhei> man. 17:03:16 <tmcpeak> I'm surprised the meeting even worked over there 17:03:21 <hyakuhei> vds hi! congrats on your first OSSN! 17:03:21 <tmcpeak> thank you sigmavirus 17:03:26 <hyakuhei> +1 17:03:38 <vds> hyakuhei, thx! 17:03:53 <sigmavirus> You're welcome :) 17:05:03 <hyakuhei> tmcpeak can you roll the first few topics while I clear something up? 17:05:11 <tmcpeak> yep 17:05:26 <tmcpeak> #topic Syntribos 17:05:33 <tmcpeak> unrahul: 17:05:42 <tmcpeak> saw your release announcement on ML 17:05:43 <tmcpeak> :) 17:05:43 <unrahul> hey tmcpeak 17:05:44 <tmcpeak> congrats! 17:05:52 <unrahul> yup.. thanks ! :) 17:05:57 <hyakuhei> +1 17:06:04 <unrahul> finally we released a version through openstack CI.. 17:06:15 <capnoday> awesome 17:06:25 <sigmavirus> Good job unrahul! 17:06:36 <lhinds> wd unrahul 17:06:41 <unrahul> We are still continuing our discussions/design sessions on what all things we should add to the tool.. 17:06:50 <unrahul> thank you hyakuhei capnoday sigmavirus and lhinds :) 17:07:01 <hyakuhei> Anything need reviewing atm unrahul ? 17:07:16 <unrahul> we have added a few tests like json depth limit and user defined tests 17:07:30 <unrahul> nop hyakuhei .. nothing for now.. 17:07:37 <hyakuhei> Excellent :P 17:07:46 <unrahul> if anyone can suggest any tests to be added to the tool, that would be great.. 17:07:58 <unrahul> other than than.. we dont have much for this week.. 17:08:09 <tmcpeak> unrahul: you guys have that recorded demo Rob shared in his talk anywhere? 17:08:23 <tmcpeak> might be good to write a shareable blog post with that linked to demo to people that are interested 17:09:07 <unrahul> we will do that.. tmcpeak .. as we are redesigning the template schema, thought we would come up with a blog after that is finalized and version is released in few weeks.. what do u think ? 17:09:31 <tmcpeak> either way :) 17:09:43 <unrahul> neat.. 17:09:45 <tmcpeak> just nice to get something easily consumable to share but no rush 17:10:03 <unrahul> so thats it guys from us .. yup tmcpeak .. :) 17:10:22 <tmcpeak> cool 17:10:27 <tmcpeak> #topic OSSN 17:10:31 <tmcpeak> lhinds: o/ 17:11:01 <lhinds> not much new, vds did a great job, but we did not publish as it turns out even though it was marked as OSSN, there was no remediation. 17:11:07 <lhinds> it was a pure code patch 17:11:21 <tmcpeak> ahh ok 17:11:24 <tmcpeak> well good practice :) 17:11:27 <lhinds> oh well, it got vds up to speed though, so we have another valued author on the team 17:11:41 <vds> :) 17:11:56 <lhinds> other then that, I need to make some gentle prods of tmcpeak and hyakuhei over your embargoed notes. 17:12:02 <hyakuhei> lol 17:12:06 <hyakuhei> Is my one good now mate? 17:12:23 <tmcpeak> :) I'll put it on my calendar for tomorrow 17:12:55 <lhinds> I think so, check the latest, I made a comment on one, but they are super close hyakuhei 17:13:23 <lhinds> I also have not had a chance to work on the notes API again yet 17:13:37 <lhinds> will hopefully have some time freed up over xmas to get it in shape. 17:13:46 <lhinds> that's it for da notes 17:13:50 <hyakuhei> ok cool. 17:14:09 <hyakuhei> lhinds are we happy with the google docs for embargos? 17:14:17 <hyakuhei> and just doing the clunky LP pastes for now? 17:14:21 <tmcpeak> yeah that seems to be working well 17:14:24 <lhinds> hyakuhei: I think so yes 17:14:40 <lhinds> that way we can grammar nits, and then share with cores on LP 17:14:48 <hyakuhei> cool 17:14:56 <lhinds> I always need lots of help with grammar :P 17:15:04 <tmcpeak> anything else on notes? 17:15:11 <lhinds> nop, thats it 17:15:43 <tmcpeak> sweet' 17:15:47 <tmcpeak> #topic Blog 17:16:19 <tmcpeak> looks like we could use one for security review 17:16:33 <lhinds> I also need my OSSN post merged 17:16:35 <tmcpeak> and hyakuhei has apparently written himself a note about LF Badge 17:16:42 <hyakuhei> lhinds I'll look at that now 17:16:49 <lhinds> thanks hyakuhei 17:17:12 <lhinds> hyakuhei: no pressure though, as its a time agnostic post. 17:17:55 <lhinds> did they get any nice stage pics of you guys? 17:18:17 <hyakuhei> shudder. I hope not 17:18:18 <tmcpeak> I don't know about nice but there were pics :P 17:18:41 <gmurphy> i tried to get some on my phone but was sitting in the back row. so everybody looks like ants. 17:19:24 <hyakuhei> hah 17:19:50 <tmcpeak> allright, move on? 17:20:19 <tmcpeak> #topic Security Review 17:20:34 <capnoday> sup tmcpeak 17:20:36 <tmcpeak> capnoday: 17:20:45 <tmcpeak> forgot you've got a shiny new name 17:20:49 <capnoday> yeh bro 17:20:56 <capnoday> i got sick of you trolling me with underscores 17:21:32 <tmcpeak> :P 17:21:37 * gmurphy goes to check if capnoday is registered... 17:21:38 <tmcpeak> what's new with security review 0day? 17:22:15 <capnoday> nothing new from me, waiting on an update about what happened at the summit 17:22:24 <tmcpeak> oh, right 17:22:27 <tmcpeak> well let's do that now 17:22:40 * tmcpeak trying to remember 3 weeks ago 17:22:50 <michaelxin> what happened at the summit? 17:22:51 <tmcpeak> there seemed to be lots of general interest 17:22:59 <tmcpeak> however I wasn't around Friday 17:23:09 <tmcpeak> hyakuhei: did the security review session happen Friday? 17:23:10 <tmcpeak> if so, how was it? 17:23:38 <hyakuhei> Fridays are always quiet 17:23:46 <hyakuhei> However we did have a design session mid week IIRC 17:23:58 <hyakuhei> That went well, the fundamental feedback was the same as it always is 17:24:04 <hyakuhei> "make it easier, make it faster" 17:24:22 <tmcpeak> where did we get with Kolla? 17:24:34 <tmcpeak> think we were part way through... 17:24:56 <tmcpeak> so I guess, realistically - what's our goal 17:25:18 <hyakuhei> capnoday was talking to their new PTL? 17:25:26 <hyakuhei> So 17:25:27 <tmcpeak> I think everybody would agree that this would be a nice thing to have, but 1) do we have the time and resources to do it, 2) will project teams commit the time and resources to do it with us 17:25:40 <hyakuhei> TBH I think what happened is that this fell by the wayside while capnoday transitioned company 17:25:56 <hyakuhei> I imagine we'll be able to speed things up again now 17:26:03 <capnoday> yeah ive been AFK for about 4 weeks 17:26:03 <michaelxin> +1 17:26:20 <capnoday> that is resaonable feedback, given that the process is still evolving 17:26:34 <hyakuhei> 1) we can but we might have to lower the bar. 2) TBD but it should be a requirement for VMT managed and eventually a project maturity tag 17:27:50 <capnoday> seems reasonable 17:28:02 <capnoday> lets continue as we are for the moment, i will write up the process and push it up for review 17:28:09 <vds> Till I find a new job, I have plenty of time to spare, if you tell how to start I'll be happy to jump in 17:28:17 <capnoday> vds excellent, thanks 17:28:29 <capnoday> the only issue is that most of it is in mine and hyakuhei 's heads atm 17:28:37 <vds> I see 17:28:54 <capnoday> but i will reach out to you when we have something and ask you for a look, it would be very handy to have someone fresh take a look 17:29:06 <vds> cool, thx! 17:29:37 <hyakuhei> I'm not sure that's true capnoday the stuff you put in review is good 17:29:40 <hyakuhei> and I wrote bloggy things 17:29:47 <hyakuhei> but we do need to pin down the process 17:29:48 <capnoday> true 17:29:59 <tmcpeak> we should get back with Kolla 17:30:04 <hyakuhei> Happy to 17:30:06 <tmcpeak> would be nice to have another project more or less completed 17:30:06 <hyakuhei> *but* 17:30:13 <hyakuhei> Kolla is a _terrible_ exemplar 17:30:27 <hyakuhei> Virtually unique among OpenStack projects 17:30:29 <tmcpeak> yeah, it's not typical but shows the process can work 17:30:36 <tmcpeak> for non-standard projects 17:30:37 <hyakuhei> That's dumb 17:30:44 <hyakuhei> Well not dumb 17:30:50 <hyakuhei> It's just not the time to prove that 17:30:59 <tmcpeak> ok, fair enough 17:31:01 <hyakuhei> but we owe them a completed review and will deliver 17:31:18 <tbarron> manila is interested in starting the process, as we mentioned a few weeks ago here and at the summit session, but we're pretty complex. 17:31:25 <hyakuhei> When we've got a process that works well for 80% of OpenStack we can then start looking at the outliers 17:31:30 <hyakuhei> tbarron complexity is ok 17:31:40 <tbarron> so we're studying the barbican stuff ... 17:31:44 <hyakuhei> The issue with Kolla is it's not a web service, not an api, not python etc 17:31:59 * tbarron nods 17:32:20 <tbarron> so focus on kolla-kubernetes :) 17:32:35 <hyakuhei> haha 17:32:47 <hyakuhei> tbarron what did you think from looking at the Barbican stuff? 17:32:53 <hyakuhei> We found some interesting problems there 17:33:02 <hyakuhei> but we do know the Barbican project 17:33:17 <tmcpeak> also had the benefit of being stuck in a room together all day 17:33:20 <tbarron> hyakuhei: i think i need to swap memory back in post-summit, sorry have been scrambling :) 17:33:40 <tbarron> hyakuhei: but mostly I need to find the right level of abstraction for manila 17:33:52 <tmcpeak> realistically Hangouts isn't quite as good 17:33:57 <tbarron> hyakuhei: with 20+drivers, lots of networking protocols, etc. 17:34:00 <tmcpeak> it's tenable but not as good 17:34:11 <dave-mccowan> sahara would be a good next-project. it's architecture is very similar to barbican and we should have elmiko's support. 17:34:21 <tmcpeak> dave-mccowan: +1 17:34:27 <hyakuhei> dave-mccowan +1 17:34:33 <hyakuhei> capnoday thoughts? 17:34:57 <capnoday> sahara would be a good idea 17:36:55 <tmcpeak> allright 17:37:06 <tmcpeak> should we table it this week while capnoday warms up to his new gig? 17:37:21 <hyakuhei> I think so, I don't have cycles for it this week 17:37:32 <tmcpeak> ok cool 17:37:38 <tmcpeak> #topic Sec Guide 17:38:00 <tmcpeak> do we have anybody from Sec Guide? 17:38:01 <capnoday> tmcpeak +! 17:38:03 <hyakuhei> So my understanding was that Sicarie wanted to kee pdoing sec guide things 17:38:06 <tmcpeak> I thought this fell off our recurring 17:38:17 <lhinds> anyone who knows cinder enc well: please take a look: https://review.openstack.org/#/c/396795/ 17:39:36 <capnoday> i just pinged sicarie 17:39:53 <hyakuhei> Thanks lhinds 17:40:51 <tmcpeak> meanwhile.. 17:40:53 <tmcpeak> #topic MD5 17:41:03 <tmcpeak> lhinds: this was your baby you want to kick it off? 17:41:04 <hyakuhei> lhinds ^^ 17:41:07 <lhinds> sure 17:42:29 <lhinds> so there are quite a number of instances of hashlib.md5 being used in various project, while some of these might be negligible, MD5 is seen as weak now, and gets blocked by the Federal Information Processing Standard (FIPS) and others. 17:42:47 <tmcpeak> what's FIPS say about using it for non-crypto uses? 17:43:09 <lhinds> tmcpeak it just completely blacklists it. 17:43:13 <tmcpeak> ick 17:43:38 <lhinds> the idea is if your using it for check'suming, a collision attack could still happen 17:44:03 <lhinds> so I somehow swap out an object which has the same hash, and so is seen as trusted 17:44:04 <tmcpeak> so, I guess the example I have in my head is PyPI 17:44:40 <lhinds> is PyPI using MD5? 17:44:40 <hyakuhei> So far as I can tell, it's not an Approved Algorithm anymore for anything 17:44:44 <tmcpeak> PyPI has an MD5 of each package, just to validate the package was transferred correctly, even over TLS 17:44:45 <capnoday> theres a fairly small set of cases where it wold be ok to use MD5, but the issue there is that every time you would need hyakuhei standing up and explaining at length to the auditors about why md5 is ok in this exact situation 17:44:55 <hyakuhei> lol 17:45:02 <hyakuhei> That's basically my job. 17:45:03 <tmcpeak> but in addition to that there is real signing for security, which obviously uses good algos 17:45:10 <lhinds> It looks like PyPI is GPG signed 17:45:43 <hyakuhei> #link http://odetocode.com/blogs/scott/archive/2014/03/18/working-with-fips-140-crypto-standards.aspx 17:45:44 <tmcpeak> it's both 17:45:45 <hyakuhei> relevant 17:45:54 <tmcpeak> always MD5 signed and optoinally GPG signed 17:46:01 <tmcpeak> point is MD5 is not designed to provide any security 17:46:29 <lhinds> hmm 17:46:47 <capnoday> so that is a good example of one of thoses cases 17:46:59 <lhinds> so they are using integrity hashing for security though right? 17:47:16 <tmcpeak> no, just to prevent file corruption as I understand it 17:47:22 <lhinds> its insuring the object has not been swapped out (agree its a bad way of doing it btw) 17:47:31 <hyakuhei> They use it as a key name for an object 17:47:33 <tmcpeak> lhinds: I completely agree with you btw, get rid of MD5. I'm just saying we're going to get huge pushback 17:47:38 <lhinds> we have TCP for that :P 17:47:39 <hyakuhei> In swift at least 17:47:47 <lhinds> understood tmcpeak 17:48:05 <lhinds> so I have a suggesion.. 17:48:09 <tmcpeak> also waht about unit tests 17:48:20 <tmcpeak> does FIPS distinguish between production code and not? 17:48:31 * notmyname can talk about swift's use of md5, if you're interested 17:48:38 <hyakuhei> tmcpeak Nope 17:48:38 <tmcpeak> notmyname: please do 17:48:39 <lhinds> unit tests don't matter as you won't be runnning those on a live box I guess? 17:48:41 <hyakuhei> Kernel module 17:49:07 <tmcpeak> notmyname: also, do you think Swift, for example would be receptive to swapping out all MD5? 17:49:33 <notmyname> swift uses md5 for 2 things. one is to detect bit flips either in transfer of data from one server to another or from media degredation 17:50:18 <lhinds> which are valid cases.. 17:50:38 <lhinds> so we need hyakuhei to go and speak with FIPS :P 17:50:38 <notmyname> the other place we use md5 is for splaying data throughout the cluster: we md5(prefix + name of thing + suffix), take some prefix bits, and use that for index into a table to find the right drives to put stuff on 17:51:33 <notmyname> tmcpeak: in theory no, we wouldn't be opposed, but it would be a lot of work, have massive migration concerns, and we'd swap it for faster stuff, not "more secure" stuff 17:51:46 <capnoday> lhinds the problem is that when swift is deployed, the compliance auditors will have a sheet with a series of yes/no checkboxs, and one of them will be 'does it use banned crypt' 17:52:11 <notmyname> capnoday: yep. that's definitely an issue. we arent' using md5 for any cryptography 17:52:12 <lhinds> capnoday, yep that's the concern 17:52:25 <lhinds> capnoday, and they can block production greenlights 17:52:31 <hyakuhei> +1 it's not that it's really a security issue 17:52:39 <hyakuhei> it's that it will be a security blocker 17:52:39 <capnoday> im not saying that swift should do it, but it when arguing with checkbox monkeys, its best to pick your battles on stuff you really care about (like deploying AV to your cloud nodes) 17:52:41 <hyakuhei> which is dumb 17:53:58 <notmyname> IOW, does `grep -ri 'md5' path/to/source/dir` return anything? 17:54:27 <lhinds> so it seems, yes its viable / not *always* SEC related, but at the end of the day, it would be a blocker when it comes to tickboxes. 17:54:51 <vds> I'm afraid that soon EU companies will have the same issue with GDPR, it's not like you can discuss with this people, they only have a check list. 17:54:53 <notmyname> from my inexpert perspective, we'd likely consider stuff like blake2* if we switched 17:55:36 <tmcpeak> the scale of removing MD5 from OpenStack is huge but doesn't mean we shouldn't try 17:55:42 <lhinds> I think the code swap might not be too challenging, its just all the existing hashes stored in meta data used by different projs 17:55:51 <hyakuhei> Migration is the problem 17:55:54 <tmcpeak> yeah 17:55:55 <lhinds> tmcpeak: agree 17:56:03 <hyakuhei> I imagine for a fresh deployment it's got to be pretty trivial 17:56:12 <lhinds> hyakuhei yup 17:56:36 <lhinds> ok, well I can nominate myself for doing a first pass and getting launchpads up. 17:56:54 <notmyname> hyakuhei: for swift, it's no impact to the deployer. it's the code maintenance and the fact we actually cannot remove md5 totally. we must have that or we break every single existing cluster 17:57:07 <tmcpeak> lhinds: awesome, thank you 17:57:08 <lhinds> I will put them as a low (if they are non Security in use) so they don't get hit out as 'won't fix' 17:57:35 <hyakuhei> Figured as much notmyname - it's going to have to happen sometime I imagine. 17:57:48 <lhinds> I will put them in an etherpad so others can chip in. 17:57:49 <notmyname> hyakuhei: of course, the same thing's been said for 5+ years now ;-) 17:58:00 <hyakuhei> lol 17:58:05 <tmcpeak> allright guys, 2 mins 17:58:07 <hyakuhei> well that's pretty much time ppl 17:58:10 <tmcpeak> anything else? 17:58:32 <lhinds> that's it from me 17:58:42 <tmcpeak> #topic AOB 17:58:46 <tmcpeak> last call 17:59:03 <tmcpeak> allright 17:59:05 <tmcpeak> #endmeeting