17:02:29 <tmcpeak> #startmeeting security
17:02:31 <openstack> Meeting started Thu Nov 17 17:02:29 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:32 <tmcpeak> #chair hyakuhei
17:02:35 <openstack> The meeting name has been set to 'security'
17:02:36 <openstack> Current chairs: hyakuhei tmcpeak
17:02:36 <lhinds> o/
17:02:41 <capnoday> o/
17:02:44 <hyakuhei> lol sorry
17:02:50 <tmcpeak> looool
17:02:51 <tmcpeak> I'm broken
17:02:52 <hyakuhei> I'm stupid and tmcpeak is an enabler
17:02:53 <hyakuhei> o/
17:02:59 <tmcpeak> o/
17:03:02 <hyakuhei> #agenda https://etherpad.openstack.org/p/security-agenda
17:03:04 <vds> o/
17:03:12 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda agenda :)
17:03:14 <hyakuhei> man.
17:03:16 <tmcpeak> I'm surprised the meeting even worked over there
17:03:21 <hyakuhei> vds hi! congrats on your first OSSN!
17:03:21 <tmcpeak> thank you sigmavirus
17:03:26 <hyakuhei> +1
17:03:38 <vds> hyakuhei, thx!
17:03:53 <sigmavirus> You're welcome :)
17:05:03 <hyakuhei> tmcpeak can you roll the first few topics while I clear something up?
17:05:11 <tmcpeak> yep
17:05:26 <tmcpeak> #topic Syntribos
17:05:33 <tmcpeak> unrahul:
17:05:42 <tmcpeak> saw your release announcement on ML
17:05:43 <tmcpeak> :)
17:05:43 <unrahul> hey tmcpeak
17:05:44 <tmcpeak> congrats!
17:05:52 <unrahul> yup.. thanks ! :)
17:05:57 <hyakuhei> +1
17:06:04 <unrahul> finally we released a version through openstack CI..
17:06:15 <capnoday> awesome
17:06:25 <sigmavirus> Good job unrahul!
17:06:36 <lhinds> wd unrahul
17:06:41 <unrahul> We are still continuing our discussions/design sessions on what all things we should add to the tool..
17:06:50 <unrahul> thank you hyakuhei capnoday sigmavirus and lhinds  :)
17:07:01 <hyakuhei> Anything need reviewing atm unrahul ?
17:07:16 <unrahul> we have added a few tests like json depth limit and user defined tests
17:07:30 <unrahul> nop hyakuhei .. nothing for now..
17:07:37 <hyakuhei> Excellent :P
17:07:46 <unrahul> if anyone can suggest any tests to be added to the tool, that would be great..
17:07:58 <unrahul> other than than.. we dont have much for this week..
17:08:09 <tmcpeak> unrahul: you guys have that recorded demo Rob shared in his talk anywhere?
17:08:23 <tmcpeak> might be good to write a shareable blog post with that linked to demo to people that are interested
17:09:07 <unrahul> we will do that.. tmcpeak .. as we are redesigning the template schema, thought we would come up with a blog after that is finalized and version is released in few weeks.. what do u think ?
17:09:31 <tmcpeak> either way :)
17:09:43 <unrahul> neat..
17:09:45 <tmcpeak> just nice to get something easily consumable to share but no rush
17:10:03 <unrahul> so thats it guys from us .. yup tmcpeak .. :)
17:10:22 <tmcpeak> cool
17:10:27 <tmcpeak> #topic OSSN
17:10:31 <tmcpeak> lhinds: o/
17:11:01 <lhinds> not much new, vds did a great job, but we did not publish as it turns out even though it was marked as OSSN, there was no remediation.
17:11:07 <lhinds> it was a pure code patch
17:11:21 <tmcpeak> ahh ok
17:11:24 <tmcpeak> well good practice :)
17:11:27 <lhinds> oh well, it got vds up to speed though, so we have another valued author on the team
17:11:41 <vds> :)
17:11:56 <lhinds> other then that, I need to make some gentle prods of tmcpeak and hyakuhei over your embargoed notes.
17:12:02 <hyakuhei> lol
17:12:06 <hyakuhei> Is my one good now mate?
17:12:23 <tmcpeak> :) I'll put it on my calendar for tomorrow
17:12:55 <lhinds> I think so, check the latest, I made a comment on one, but they are super close hyakuhei
17:13:23 <lhinds> I also have not had a chance to work on the notes API again yet
17:13:37 <lhinds> will hopefully have some time freed up over xmas to get it in shape.
17:13:46 <lhinds> that's it for da notes
17:13:50 <hyakuhei> ok cool.
17:14:09 <hyakuhei> lhinds are we happy with the google docs for embargos?
17:14:17 <hyakuhei> and just doing the clunky LP pastes for now?
17:14:21 <tmcpeak> yeah that seems to be working well
17:14:24 <lhinds> hyakuhei: I think so yes
17:14:40 <lhinds> that way we can grammar nits, and then share with cores on LP
17:14:48 <hyakuhei> cool
17:14:56 <lhinds> I always need lots of help with grammar :P
17:15:04 <tmcpeak> anything else on notes?
17:15:11 <lhinds> nop, thats it
17:15:43 <tmcpeak> sweet'
17:15:47 <tmcpeak> #topic Blog
17:16:19 <tmcpeak> looks like we could use one for security review
17:16:33 <lhinds> I also need my OSSN post merged
17:16:35 <tmcpeak> and hyakuhei has apparently written himself a note about LF Badge
17:16:42 <hyakuhei> lhinds I'll look at that now
17:16:49 <lhinds> thanks hyakuhei
17:17:12 <lhinds> hyakuhei: no pressure though, as its a time agnostic post.
17:17:55 <lhinds> did they get any nice stage pics of you guys?
17:18:17 <hyakuhei> shudder. I hope not
17:18:18 <tmcpeak> I don't know about nice but there were pics :P
17:18:41 <gmurphy> i tried to get some on my phone but was sitting in the back row. so everybody looks like ants.
17:19:24 <hyakuhei> hah
17:19:50 <tmcpeak> allright, move on?
17:20:19 <tmcpeak> #topic Security Review
17:20:34 <capnoday> sup tmcpeak
17:20:36 <tmcpeak> capnoday:
17:20:45 <tmcpeak> forgot you've got a shiny new name
17:20:49 <capnoday> yeh bro
17:20:56 <capnoday> i got sick of you trolling me with underscores
17:21:32 <tmcpeak> :P
17:21:37 * gmurphy goes to check if capnoday is registered...
17:21:38 <tmcpeak> what's new with security review 0day?
17:22:15 <capnoday> nothing new from me, waiting on an update about what happened at the summit
17:22:24 <tmcpeak> oh, right
17:22:27 <tmcpeak> well let's do that now
17:22:40 * tmcpeak trying to remember 3 weeks ago
17:22:50 <michaelxin> what happened at the summit?
17:22:51 <tmcpeak> there seemed to be lots of general interest
17:22:59 <tmcpeak> however I wasn't around Friday
17:23:09 <tmcpeak> hyakuhei: did the security review session happen Friday?
17:23:10 <tmcpeak> if so, how was it?
17:23:38 <hyakuhei> Fridays are always quiet
17:23:46 <hyakuhei> However we did have a design session mid week IIRC
17:23:58 <hyakuhei> That went well, the fundamental feedback was the same as it always is
17:24:04 <hyakuhei> "make it easier, make it faster"
17:24:22 <tmcpeak> where did we get with Kolla?
17:24:34 <tmcpeak> think we were part way through...
17:24:56 <tmcpeak> so I guess, realistically - what's our goal
17:25:18 <hyakuhei> capnoday was talking to their new PTL?
17:25:26 <hyakuhei> So
17:25:27 <tmcpeak> I think everybody would agree that this would be a nice thing to have, but 1) do we have the time and resources to do it,   2) will project teams commit the time and resources to do it with us
17:25:40 <hyakuhei> TBH I think what happened is that this fell by the wayside while capnoday transitioned company
17:25:56 <hyakuhei> I imagine we'll be able to speed things up again now
17:26:03 <capnoday> yeah ive been AFK for about 4 weeks
17:26:03 <michaelxin> +1
17:26:20 <capnoday> that is resaonable feedback, given that the process is still evolving
17:26:34 <hyakuhei> 1) we can but we might have to lower the bar. 2) TBD but it should be a requirement for VMT managed and eventually a project maturity tag
17:27:50 <capnoday> seems reasonable
17:28:02 <capnoday> lets continue as we are for the moment, i will write up the process and push it up for review
17:28:09 <vds> Till I find a new job, I have plenty of time to spare, if you tell how to start I'll be happy to jump in
17:28:17 <capnoday> vds excellent, thanks
17:28:29 <capnoday> the only issue is that most of it is in mine and hyakuhei 's heads atm
17:28:37 <vds> I see
17:28:54 <capnoday> but i will reach out to you when we have something and ask you for a look, it would be very handy to have someone fresh take a look
17:29:06 <vds> cool, thx!
17:29:37 <hyakuhei> I'm not sure that's true capnoday the stuff you put in review is good
17:29:40 <hyakuhei> and I wrote bloggy things
17:29:47 <hyakuhei> but we do need to pin down the process
17:29:48 <capnoday> true
17:29:59 <tmcpeak> we should get back with Kolla
17:30:04 <hyakuhei> Happy to
17:30:06 <tmcpeak> would be nice to have another project more or less completed
17:30:06 <hyakuhei> *but*
17:30:13 <hyakuhei> Kolla is a _terrible_ exemplar
17:30:27 <hyakuhei> Virtually unique among OpenStack projects
17:30:29 <tmcpeak> yeah, it's not typical but shows the process can work
17:30:36 <tmcpeak> for non-standard projects
17:30:37 <hyakuhei> That's dumb
17:30:44 <hyakuhei> Well not dumb
17:30:50 <hyakuhei> It's just not the time to prove that
17:30:59 <tmcpeak> ok, fair enough
17:31:01 <hyakuhei> but we owe them a completed review and will deliver
17:31:18 <tbarron> manila is interested in starting the process, as we mentioned a few weeks ago here and at the summit session, but we're pretty complex.
17:31:25 <hyakuhei> When we've got a process that works well for 80% of OpenStack we can then start looking at the outliers
17:31:30 <hyakuhei> tbarron complexity is ok
17:31:40 <tbarron> so we're studying the barbican stuff ...
17:31:44 <hyakuhei> The issue with Kolla is it's not a web service, not an api, not python etc
17:31:59 * tbarron nods
17:32:20 <tbarron> so focus on kolla-kubernetes :)
17:32:35 <hyakuhei> haha
17:32:47 <hyakuhei> tbarron what did you think from looking at the Barbican stuff?
17:32:53 <hyakuhei> We found some interesting problems there
17:33:02 <hyakuhei> but we do know the Barbican project
17:33:17 <tmcpeak> also had the benefit of being stuck in a room together all day
17:33:20 <tbarron> hyakuhei: i think i need to swap memory back in post-summit, sorry have been scrambling :)
17:33:40 <tbarron> hyakuhei: but mostly I need to find the right level of abstraction for manila
17:33:52 <tmcpeak> realistically Hangouts isn't quite as good
17:33:57 <tbarron> hyakuhei: with 20+drivers, lots of networking protocols, etc.
17:34:00 <tmcpeak> it's tenable but not as good
17:34:11 <dave-mccowan> sahara would be a good next-project.  it's architecture is very similar to barbican and we should have elmiko's support.
17:34:21 <tmcpeak> dave-mccowan: +1
17:34:27 <hyakuhei> dave-mccowan +1
17:34:33 <hyakuhei> capnoday thoughts?
17:34:57 <capnoday> sahara would be a good idea
17:36:55 <tmcpeak> allright
17:37:06 <tmcpeak> should we table it this week while capnoday warms up to his new gig?
17:37:21 <hyakuhei> I think so, I don't have cycles for it this week
17:37:32 <tmcpeak> ok cool
17:37:38 <tmcpeak> #topic Sec Guide
17:38:00 <tmcpeak> do we have anybody from Sec Guide?
17:38:01 <capnoday> tmcpeak +!
17:38:03 <hyakuhei> So my understanding was that Sicarie wanted to kee pdoing sec guide things
17:38:06 <tmcpeak> I thought this fell off our recurring
17:38:17 <lhinds> anyone who knows cinder enc well: please take a look: https://review.openstack.org/#/c/396795/
17:39:36 <capnoday> i just pinged sicarie
17:39:53 <hyakuhei> Thanks lhinds
17:40:51 <tmcpeak> meanwhile..
17:40:53 <tmcpeak> #topic MD5
17:41:03 <tmcpeak> lhinds: this was your baby you want to kick it off?
17:41:04 <hyakuhei> lhinds ^^
17:41:07 <lhinds> sure
17:42:29 <lhinds> so there are quite a number of instances of hashlib.md5 being used in various project, while some of these might be negligible, MD5 is seen as weak now, and gets blocked by the Federal Information Processing Standard (FIPS) and others.
17:42:47 <tmcpeak> what's FIPS say about using it for non-crypto uses?
17:43:09 <lhinds> tmcpeak it just completely blacklists it.
17:43:13 <tmcpeak> ick
17:43:38 <lhinds> the idea is if your using it for check'suming, a collision attack could still happen
17:44:03 <lhinds> so I somehow swap out an object which has the same hash, and so is seen as trusted
17:44:04 <tmcpeak> so, I guess the example I have in my head is PyPI
17:44:40 <lhinds> is PyPI using MD5?
17:44:40 <hyakuhei> So far as I can tell, it's not an Approved Algorithm anymore for anything
17:44:44 <tmcpeak> PyPI has an MD5 of each package, just to validate the package was transferred correctly, even over TLS
17:44:45 <capnoday> theres a fairly small set of cases where it wold be ok to use MD5, but the issue there is that every time you would need hyakuhei standing up and explaining at length to the auditors about why md5 is ok in this exact situation
17:44:55 <hyakuhei> lol
17:45:02 <hyakuhei> That's basically my job.
17:45:03 <tmcpeak> but in addition to that there is real signing for security, which obviously uses good algos
17:45:10 <lhinds> It looks like PyPI is GPG signed
17:45:43 <hyakuhei> #link http://odetocode.com/blogs/scott/archive/2014/03/18/working-with-fips-140-crypto-standards.aspx
17:45:44 <tmcpeak> it's both
17:45:45 <hyakuhei> relevant
17:45:54 <tmcpeak> always MD5 signed and optoinally GPG signed
17:46:01 <tmcpeak> point is MD5 is not designed to provide any security
17:46:29 <lhinds> hmm
17:46:47 <capnoday> so that is a good example of one of thoses cases
17:46:59 <lhinds> so they are using integrity hashing for security though right?
17:47:16 <tmcpeak> no, just to prevent file corruption as I understand it
17:47:22 <lhinds> its insuring the object has not been swapped out (agree its a bad way of doing it btw)
17:47:31 <hyakuhei> They use it as a key name for an object
17:47:33 <tmcpeak> lhinds: I completely agree with you btw, get rid of MD5.  I'm just saying we're going to get huge pushback
17:47:38 <lhinds> we have TCP for that :P
17:47:39 <hyakuhei> In swift at least
17:47:47 <lhinds> understood tmcpeak
17:48:05 <lhinds> so I have a suggesion..
17:48:09 <tmcpeak> also waht about unit tests
17:48:20 <tmcpeak> does FIPS distinguish between production code and not?
17:48:31 * notmyname can talk about swift's use of md5, if you're interested
17:48:38 <hyakuhei> tmcpeak Nope
17:48:38 <tmcpeak> notmyname: please do
17:48:39 <lhinds> unit tests don't matter as you won't be runnning those on a live box I guess?
17:48:41 <hyakuhei> Kernel module
17:49:07 <tmcpeak> notmyname: also, do you think Swift, for example would be receptive to swapping out all MD5?
17:49:33 <notmyname> swift uses md5 for 2 things. one is to detect bit flips either in transfer of data from one server to another or from media degredation
17:50:18 <lhinds> which are valid cases..
17:50:38 <lhinds> so we need hyakuhei to go and speak with FIPS :P
17:50:38 <notmyname> the other place we use md5 is for splaying data throughout the cluster: we md5(prefix + name of thing + suffix), take some prefix bits, and use that for index into a table to find the right drives to put stuff on
17:51:33 <notmyname> tmcpeak: in theory no, we wouldn't be opposed, but it would be a lot of work, have massive migration concerns, and we'd swap it for faster stuff, not "more secure" stuff
17:51:46 <capnoday> lhinds the problem is that when swift is deployed, the compliance auditors will have a sheet with a series of yes/no checkboxs, and one of them will be 'does it use banned crypt'
17:52:11 <notmyname> capnoday: yep. that's definitely an issue. we arent' using md5 for any cryptography
17:52:12 <lhinds> capnoday, yep that's the concern
17:52:25 <lhinds> capnoday, and they can block production greenlights
17:52:31 <hyakuhei> +1 it's not that it's really a security issue
17:52:39 <hyakuhei> it's that it will be a security blocker
17:52:39 <capnoday> im not saying that swift should do it, but it when arguing with checkbox monkeys, its best to pick your battles on stuff you really care about (like deploying AV to your cloud nodes)
17:52:41 <hyakuhei> which is dumb
17:53:58 <notmyname> IOW, does `grep -ri 'md5' path/to/source/dir` return anything?
17:54:27 <lhinds> so it seems, yes its viable / not *always* SEC related, but at the end of the day, it would be a blocker when it comes to tickboxes.
17:54:51 <vds> I'm afraid that soon EU companies will have the same issue with GDPR, it's not like you can discuss with this people, they only have a check list.
17:54:53 <notmyname> from my inexpert perspective, we'd likely consider stuff like blake2* if we switched
17:55:36 <tmcpeak> the scale of removing MD5 from OpenStack is huge but doesn't mean we shouldn't try
17:55:42 <lhinds> I think the code swap might not be too challenging, its just all the existing hashes stored in meta data used by different projs
17:55:51 <hyakuhei> Migration is the problem
17:55:54 <tmcpeak> yeah
17:55:55 <lhinds> tmcpeak: agree
17:56:03 <hyakuhei> I imagine for a fresh deployment it's got to be pretty trivial
17:56:12 <lhinds> hyakuhei yup
17:56:36 <lhinds> ok, well I can nominate myself for doing a first pass and getting launchpads up.
17:56:54 <notmyname> hyakuhei: for swift, it's no impact to the deployer. it's the code maintenance and the fact we actually cannot remove md5 totally. we must have that or we break every single existing cluster
17:57:07 <tmcpeak> lhinds: awesome, thank you
17:57:08 <lhinds> I will put them as a low (if they are non Security in use) so they don't get hit out as 'won't fix'
17:57:35 <hyakuhei> Figured as much notmyname - it's going to have to happen sometime I imagine.
17:57:48 <lhinds> I will put them in an etherpad so others can chip in.
17:57:49 <notmyname> hyakuhei: of course, the same thing's been said for 5+ years now ;-)
17:58:00 <hyakuhei> lol
17:58:05 <tmcpeak> allright guys, 2 mins
17:58:07 <hyakuhei> well that's pretty much time ppl
17:58:10 <tmcpeak> anything else?
17:58:32 <lhinds> that's it from me
17:58:42 <tmcpeak> #topic AOB
17:58:46 <tmcpeak> last call
17:59:03 <tmcpeak> allright
17:59:05 <tmcpeak> #endmeeting