
Giant bags of mostly water: Securing your IT infrastructure - rdl
http://slides.com/mricon/giant-bags-of-mostly-water#/
======
lucb1e
Sorry if I'm being thick, but how is this two-dimensional slideset supposed to
work? I just want to go to the next slide, should I go all the way down and
then right? Or do I need to go up again before going right? Or can I ignore
down?

I've seen this being presented before, it seems to be a new thing, but never
navigated one myself.

Edit: Just saw a comment about pressing space bar, that seems to work
linearly. Thanks! (Source:
[https://news.ycombinator.com/item?id=11653281](https://news.ycombinator.com/item?id=11653281))

~~~
triplesec
Just use your spacebar and it'll navigate you linearly, taking you down and
across the pseudotree as you need. Edit: or click the down arrow, if no spacebar.

~~~
CarolineW
See my comment here [0] with its genuine, but as yet unanswered question:

    If you hit space, how do you know
        you end up seeing every slide?

Everyone seems to be chipping in with these navigation hints, and that's great,
but no one seems to answer my question. The site seems to be a triumph of
presentation over usability, and I'd really like an insight into the minds of
those people who think it's all obvious and usable.

For example, someone else said[1] that if you hit ESC you get an overview. How
do you find that? What if you don't have an escape key, such as on my tablet?

I'm not trying to be grumpy or anti-anything, I'm trying to gain an insight
into how people think this is a good thing, and to provide, in return, an
insight into why I think it's unusable.

[0] [https://news.ycombinator.com/item?id=11653447](https://news.ycombinator.com/item?id=11653447)

[1] [https://news.ycombinator.com/item?id=11653323](https://news.ycombinator.com/item?id=11653323)

~~~
DDickson
Slides.com is focused on the presentation. The audience is not typically
interacting directly with the deck.

When you create a deck, there is a pretty good tutorial explaining how the
interface works, including what spacebar and escape do.

The real advantage of the service, for me, is the support for embedding any
digital media you want into a slide via iFrames, and the ability to use your
phone/tablet to advance slides and see speaker's notes if your venue did not
provide you with a clicker.

It also has another pretty neat feature where audience members can pull up the
presentation on their laptops/tablets to follow along, and their slides will
automatically advance to match my progress through the deck.

I'm just trying to explain why it's very much a tool for the presenter, not the
presentee.

Edit: Slides.com is a locked down instance of reveal.js

Here is a link to their deck, explaining all of its features
[http://lab.hakim.se/reveal-js/#/](http://lab.hakim.se/reveal-js/#/)

------
Jerry2
I absolutely loathe this style of presentations. It always feels like I've
missed a part. Call me old fashioned but the UI and UX of linear presentations
is so much easier to use.

~~~
BafS
You can simply press "space" to go to the next slide, almost like a linear
presentation.

~~~
CarolineW
How do you know? How can you be sure you reach every slide simply by pressing
space?

What about on my tablet, which doesn't have a space bar?

Edit: These are genuine questions, and I am _deeply_ frustrated that it's
being downvoted without any discussion. People are claiming that hitting the
space bar takes you linearly through the entire presentation. _How do you know
you reach every slide like that?_

Really, seriously, how do you know?

As far as I'm concerned the navigation is opaque - if I hit space, I don't
know that I'll reach every slide.

_How do you know?!?_

I suspect that people are enamoured with the attractiveness of the
presentation - it's cool, it's slick, it's gorgeous, it's wonderful - and when
I question its usability or discoverability, people are downvoting because
they have no answer, and just get pissed off at being questioned.

Do you actually have an answer? If so, tell me.

~~~
tmptmp
You have raised a very important issue here. Today's web has been festered
with such sucking UI/UX. It just caters to the demands of novelty-seeking
users with no concern for usability/discoverability.

~~~
qb45
> It just caters to the demands of novelty-seeking users

Not even sure if users or just developers and website owners. As in - _oh man,
that looks so cool, let's do that!_

~~~
tmptmp
Indeed, you made a very sharp statement. It might be driven, to a very large
extent, by the crazy novelty-seeking ideas of the website owners and devs.

Then if some equally stupid "journalist" gives praise and publicity to their
foolish UI/UX this trend increases and perpetuates. Unfortunately, it seems to
be happening to a very large extent. The irony of this article is that it
talks about security, and calls for anti-bloat things.

------
mricon
I'm sorry you all have to read just the slide deck. It's an hour-long
presentation and a lot of content is simply not in the deck. :( Unfortunately,
every time I've presented it, the talk was not recorded -- hopefully I'll
eventually present it somewhere else that will capture it for me.

Additionally, here's a small op-ed piece that is supposed to go with it:
[http://mricon.com/i/airbags-and-steel-frames.html](http://mricon.com/i/airbags-and-steel-frames.html)

~~~
nickpsecurity
It's a good presentation with many good points outside the horrid formatting.
Just turn it into a PDF with slides for goodness sakes. Write key pages on a
piece of paper for audience questions where you have to go back. Should work
fine. :)

Btw, one thing worth correcting is the false claim that QubesOS was or is the only
attempt at workstation security. I've evaluated almost a dozen over the past 10
years with some still existing. List those here:

[https://news.ycombinator.com/item?id=11654680](https://news.ycombinator.com/item?id=11654680)

You really need to look up separation kernels, as isolating the most critical stuff
in a dedicated partition protected with a 4-12kloc kernel is one of the strongest
approaches. seL4 and Muen are examples, with GenodeOS an example of a FOSS
attempt to do a Nizza-like architecture with a strong foundation and best-of-breed
components (esp. Nitpicker GUI). High-assurance security is moving
forward with hardware-software architectures, with one maybe getting SOC
release (plus source code) in 1-2 years. Yet our prior work with separation
kernels/VMMs plus safe code (esp. SPARK Ada or C w/ Astree Analyzer) for
trusted components is _still_ stronger than any crap mainstream FOSS, VMware,
etc. are making. They rarely learn from the past.

Note: Email me if you want more examples of past and current high-assurance
work. I have collected them for most focus areas with papers, prototypes
and/or products.

~~~
mricon
> Just turn it into a PDF with slides for goodness sakes.

Hey, I'm not the one who linked to slides.com. :) The PDF version is linked
off the main conference page: [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water....](http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf)

> Btw, one thing worth correcting is the false claim that QubesOS was or is the
> only attempt at workstation security.

You must look at my statements in the context of presenting this at the Linux
Security Summit. You know a lot more about this than me, obviously, but from
what I can tell, each of the other solutions you mention runs a custom non-Linux
microkernel that provides virtualization to other consumer OSes. I'm ready to
be educated here, but I believe I didn't misstate that QubesOS was one of the
first pure-Linux mainstream attempts at workstation security through
compartmentalization.

~~~
mrmondo
Oh, you're a legend, no more reveal.js, thanks for the link!

EDIT: It was 28MB so I compressed it down to 1.7MB here (image quality won't be
as good but meh): [https://www.dropbox.com/s/8bu3rkj6pjbneiv/giant-bags-of-most...](https://www.dropbox.com/s/8bu3rkj6pjbneiv/giant-bags-of-mostly-water.compressed.pdf?dl=0)

------
kakwa_
On the workstation part, it recommends QubesOS.

Am I the only one who is skeptical about it?

From what I saw superficially reading their source code, there is some
frightening stuff going on:

* tons of C code with nearly zero unit tests, same with the python code

* lots of glue in the form of bash or python scripts

* some not so beautiful stuff like:

- [https://github.com/QubesOS/qubes-core-agent-linux/blob/maste...](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-init.d/qubes-firewall#L29) (kill -9 on a daemon...)

- [https://github.com/QubesOS/qubes-core-agent-linux/blob/maste...](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-init.d/qubes-firewall#L18) (a daemon is a little bit more than an exe launched with '&')

- [https://github.com/QubesOS/qubes-core-agent-linux/blob/maste...](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-init.d/qubes-core-appvm#L34) (changing a config file in an init script, humm, weird...)

- [https://github.com/QubesOS/qubes-core-agent-linux/blob/maste...](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-init.d/qubes-core-appvm#L32) (starting a service inside the init of another service...)

- [https://github.com/QubesOS/qubes-core-agent-linux/blob/maste...](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-init.d/qubes-qrexec-agent#L13) ("logging" with stderr redirection in a file)

And it's just the init scripts... I'm too lazy to take a look further inside
the C or python stuff.

IMHO, as a proof of concept, it's interesting, as a finished, reliable and
secure OS, it's frightening...

~~~
mricon
It's not really a recommendation. It's presented as one of the free software
projects attempting to tackle workstation security. Another one is SubgraphOS.

~~~
nickpsecurity
That's not how I read it:

"The only serious attempt at workstation security"

"The Volvo of blah blah"

Quite a slam to those of past and present that handed NSA or DOD pentesters
their asses back to them. Maybe it'd be more accurate if you said "a FOSS attempt
at workstation security" minus the Volvo part. Volvo probably goes to
INTEGRITY-178, as SKPP cert requires more attack areas to be covered plus 2
years of pentesting for the kernel. Genode Architecture is a prime contender for
FOSS as far as foundations go. Next time a FOSS project claims to be designed
securely just ask for a covert storage and timing channel analysis of any
components that handle secrets. They'll either say "Huh? What's a covert
channel analysis?" or "We don't really have anyone doing that as we're too
understaffed or it doesn't really matter." ;)

------
CarolineW
Perhaps I'm wrong, but I've always remembered this as

    *Ugly* bags of mostly water.

Am I wrong?

And along with several other commenters here, I strongly dislike this sort of
multi-direction navigation with no overall map showing what's there, where
I've been, and what I haven't yet visited. Beautifully designed and presented,
with no concern for the user experience.

A bit like the cars being described.

    The car is designed  | The presentation is
        perfectly.       |     designed perfectly

    Any crashes are the  | Any inability to navigate
        driver's fault.  |     is the user's fault.

_EDIT: The Wikipedia page about this episode agrees with me, but other
"quotation" pages have "ugly giant bags of mostly water." Does anyone have the
episode to hand and the time to watch it? Am I paying too much attention to
trivial details?_

_EDIT II: Found a script[0]: First reference is in an initial translation and
is:_

    Ugly... Ugly... Giants...
    Bags of Mostly Water...

_Subsequently as the translator gets better it's:_

    Ugly Bag of Mostly Water

_So there we are._

_EDIT III: Wow - downvotes! No complaint, obviously people feel either that
this comment is wrong, or doesn't belong. I'd appreciate knowing why people
might think that, but I guess I'll never know. Which is a shame, I'd welcome
the opportunity to learn._

[0] [http://www.st-minutiae.com/resources/scripts/117.txt](http://www.st-minutiae.com/resources/scripts/117.txt)

~~~
Joeri
Press escape to get the slides overview.

~~~
yxlx
There's no escape on my tablet. Also, the whole experience is horrible on
tablet also wrt the other parts of navigation. Doesn't fit right on screen,
navigates when trying to adjust, jumps around when trying to navigate. Hard to
hit the arrows. I bailed out on this after three slides. Unusable.

------
x5n1
Let me know when your team of 10 security people that the corporation spends a
million per year on is ready to tackle all these issues. Not one overworked IT
guy that keeps getting shit from dumb people like the CEO who don't get it.
Otherwise forget it, security is not happening, because there is no budget for
it. At the end of the day the problem with security is not security, it's
money, we have more than enough tools to make everything airtight. What we
don't have are the budgets to make this happen, so instead of proactive
security you get reactive security, and the CEOs and other executives don't
care about that until it happens because it costs money.

~~~
mricon
Of course, if the company leadership doesn't care, then you will have a hard
time convincing them why the upfront effort of "doing it right" is worth it.
When dealing with this situation, I found it useful to compare IT security
people to lawyers. Wait, hear me out before you shout me down. :)

To the non-initiated, lawyers and infosec people are seen with nearly-equal
amount of both dislike and trepidation. They are seen as a force of lawful
evil that descends on your team and starts telling you that all those cool
things you're trying to do cannot actually be done, or must be done in a non-
obvious roundabout way. When asked for reasons, both lawyers and infosec start
talking about concepts that are entirely unfamiliar to most devs (code
provenance, license agreements, trademarks, patent litigation, IP isolation,
containers and namespaces, RBAC policies, multifactor authentication). All you
care about is that this is a person who is telling you that your project, 99%
complete after your team worked multiple 60-hour weeks, must be delayed until
a bunch of things -- that you don't consider broken! -- are fixed.

However, this is where things usually go differently. If a lawyer comes to
management and says "this project cannot launch because a bunch of code was
copy-pasted from stackoverflow and links with an incompatibly-licensed
library," the management is likely to listen even if they don't understand a
word of what was said -- because they know the importance of lawyers and know
that, in the long run, litigation is extremely expensive. However, if an
infosec person comes to them and says "this project cannot launch because they
have a PHP script running as root that listens on external port 80,"
management will not value this input nearly to the same degree, even though,
in the long run, a bad security vulnerability can have just as much of a
detrimental impact on a company as litigation -- and probably worse, because
you won't be able to hush-hush and "settle out of court."

The reasons for this are multiple -- infosec is in infancy compared to the
legal field, and, sadly, many IT security practitioners tend to look and act
in a way that makes their recommendations carry so much less weight with upper
management.

So, where I'm going with this is -- if you work for a company in an infosec
field and you genuinely want to improve things to the point where management
actually starts to listen (which translates into $$ for your team and your
projects), then you need to both convince them that your expertise is equally
as important as the lawyers', and probably present yourself with the same
amount of gravitas as those working on the legal team.

------
reitanqild
Anyone here have good pointers to get started with and understand [0] selinux?

[0]: in that order preferably : )

~~~
garethsaxby
I found that this talk (selinux for mere mortals) was good for me to start off:
[https://www.youtube.com/watch?v=cNoVgDqqJmM](https://www.youtube.com/watch?v=cNoVgDqqJmM)

After that, Red Hat's documentation was probably the next most useful thing
for getting started:
[https://access.redhat.com/documentation/en-US/Red_Hat_Enterp...](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/)

But mostly it was a lot of prodding and poking whilst setting various things up
that helped a lot, and remembering that when something doesn't work, to check
selinux first.

The 'settroubleshoot-server' package for the Red Hat based distributions is
also good whilst you're getting started in dev, as it takes the avc logs and
'guesses' what the likely cause of the problems you've had are, giving
percentage likelihoods of the policies and booleans that might be causing
problems.
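As an added example (mine, not from the talk, the settroubleshoot package or the commenter above): a small Python triage script over constructed AVC denial lines of the kind settroubleshoot reads from audit.log, grouping denials by source type, target type, object class and permission. The boolean hint table is a hand-written, illustrative subset standing in for the suggestions the real tool derives from the installed policy.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1462123456.789:123): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1462123457.001:124): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1462123458.555:125): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1462123458.555:125): arch=c000003e syscall=42 success=no exit=-13
"""

# Header of an AVC record: timestamp/serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be quoted (comm="httpd") or bare (tclass=file).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative subset of booleans commonly suggested for these two denials; the real
# tool derives its candidates from the installed policy rather than a hand list.
BOOLEAN_HINTS = {
    ("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect_db",
    ("httpd_t", "user_home_t", "file", "read"): "httpd_enable_homedirs",
}


def parse_avc_line(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def summarize_denials(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        # A context is user:role:type[:level]; the type is what policy rules match on.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counter[(stype, ttype, rec["tclass"], perm)] += 1
    return counter


def triage(log_text):
    """Return (denial_key, count, hint) rows, most frequent denial first."""
    rows = []
    for key, count in summarize_denials(log_text).most_common():
        hint = BOOLEAN_HINTS.get(key, "no boolean hint; review with audit2allow")
        rows.append((key, count, hint))
    return rows


if __name__ == "__main__":
    for (stype, ttype, tclass, perm), count, hint in triage(SAMPLE_AUDIT_LOG):
        print(f"{count:3d}x {stype} -> {ttype} ({tclass}:{perm}): {hint}")
```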

~~~
odonnellryan
When I started using Linux very heavily for a lot of things, nothing really
clicked until I started paying real attention to logging.

If you configure logging correctly -- or just be aware of it, really, you
can always optimize later -- you are no longer SysAdmin-ing blind.

------
ancarda
Is there a link to the talk? The slides just list "Networks", "Servers",
"Workstations" and so on... Should there be audio? I don't hear anything.

~~~
bodhi
You might be missing the "down" part of each slide? In the bottom right corner
there's the 4-arrow thing, and if down is 'not disabled', there are more
slides to see.

I can't stand this kind of "2-d" presentation...

~~~
ancarda
Oh thank you! Yeah, I was just pressing the right arrow key so was missing all
the information.

------
tshadwell
This article falls foul of what I might call 'security shopping' -- passing
mentions of lots of brightly coloured complex sounding security things with
very little regard to what exact problem they're solving.

They mention a VPN or insecure access panel having bad permissions, but
recommend a mixed bag of differently coloured jellybeans as the solution
without once recommending shutting down the PHP script, allowing access from
the VPN only through certificate, password and hardware two-factor
authentication, and ensuring good access controls and employee on- and
off-boarding systems.

Far more importantly, I question the efficacy of any security recommendation
that doesn't mention threat modelling at all. What is it you want to protect?
What's it going to cost to protect these things? What's it going to cost to
lose them? What's the simplest and most effective best way of protecting
these? Is it really moving your entire system to a different platform and
upgrading all your crypto -- ask yourself -- are we really installing air bags,
or are we building our car out of armour plates? Some kid is going to spend 2
hours on XSS in your app if you spend all your resources investing in
in-datacentre encryption and service-to-service authentication.

~~~
blazespin
I'm sure threat modelling is something everyone does implicitly.

As someone who practices security, I found the keywords you can pull from the
slide reasonable in their suggestions to follow up on. There were a couple of
places he went into the weeds, and I think he probably could have talked up
iOS security a bit more instead of smart cards which are a bit overkill
relative to his other suggestions.

But, this is just a slide deck. Try not to rush to judgement considering we
didn't hear the talk that came with it.

~~~
tshadwell
> I'm sure threat modelling is something everybody does implicitly.

You may work somewhere that this is the case, but I can't count the number of
times I have tested an application where someone has equated security to
having an A+ HTTPS rating.

> This is a slide deck

Understood, and something I didn't consider before. That said, I think my
comments will still be useful to those here who have also not seen the
original talk.

------
morgante
First off: just hit space. You'll see the whole presentation.

----

As a developer, I definitely liked the framing of the presentation. Though I
don't think it goes far enough in emphasizing defense in depth. Put simply,
user workstations should ideally _never_ be trusted. Getting into the network
shouldn't help an attacker much if everything requires authentication even
once you're in.

~~~
scurvy
How do I hit space on my tablet?

------
jdleesmiller
The analogy between IT security and car safety is really insightful. However,
it's also interesting that cars are two to three orders of magnitude less safe
than rail and air travel, respectively, in terms of injuries and fatalities
per passenger mile. Maybe we should be thinking about how to make using
computers as safe as air travel, rather than as safe as car travel.

~~~
yourapostasy
Why are different modes of travel's safety measured in passenger mile instead
of passenger hours? To measure utility of distance traveled, it makes sense,
but passenger mile doesn't reveal how safe it is per hour that I sit in a
particular vehicle (train, plane, car, etc.).

~~~
morgante
> Why are different modes of travel's safety measured in passenger mile
> instead of passenger hours?

Because it's really the only sensible way to compare different forms of
transportation.

Imagine a teleportation device with an accidental death rate of 1 per 10
trillion miles. But it only takes 2ms to operate (regardless of distance), so
the death rate measured in hours would be horrible.

Compare that to covered wagons. Per mile, they're quite dangerous—going on a
long trip in one might mean a 1 in 10 chance of death. But they're also
extremely slow. So measuring death in terms of hours would make them look
safe.

From a safety perspective, which would you rather use?

------
SFJulie
What I love is the smartcard... Well ... The main AAA
(Authentication/Authorization/Accounting) problem is the cloud.

How can we federate identity and manage them safely?

Plus, once you decide to be connected, how to make AAA systems talk to each
other?

And then, sometimes you need to make money ... and you know, safely pass tokens
back and forth... And what standard solution do we have that is not a
framework?

Well, 3GPP proposed IMS based on IETF Diameter. Still not there.

Some proposed Role Based Accounting and proxy authz based on LDAP ... well not
really deployed.

So we are also waiting for a new standard of inter communication of
centralized Enterprise Directory that has tokens, tickets, multi policy for
authentication according to origin, roaming, sane schema...

LDAP is honestly a good tool, it is actually relying on a secured, strongly
typed NoSQL. But I hardly saw any devs understand the anonymous bind then
authed bind mechanism.

I do feel our biggest problem is not in the tools/technology, but rather in
too much education of people that are useless in production.

~~~
jon-wood
> The main AAA (Authentication/Authorization/Accounting) problem is the cloud.
>
> How can we federate identity and manage them safely?

AWS, and I assume Google's stuff, will let you integrate their authentication
system with your internal one using SAML to authenticate.

~~~
SFJulie
SAML is based on SOAP, no? SOAP that google dropped for security and
overcomplexity concerns, while security studies tend to say the bigger risk is
using a system you cannot fully understand, no?

It seems to me like modern security by trust in "expert" rather than
understanding the basics. But I guess I am wrong in my appreciation?

~~~
windowsworkstoo
SOAP is just a message format though, so does it matter? SAML works, so long
as the implementation is good (assumption, yes)

~~~
SFJulie
And OAuth is said to be a security framework that can easily go wrong... in
its implementation of a solution. There is no concern here either?

~~~
windowsworkstoo
Don't know, not familiar enough, my point was writing something off because it
talks in SOAP seems...petty?

~~~
SFJulie
Hell often lies in the details

------
visarga
Giant bags of mostly water? I thought we were mostly empty space with a dash
of perturbations.

------
blackice
The slides mention IP reputation and a great free resource for that is
[http://GetIPIntel.net](http://GetIPIntel.net) to make sure unexpected IPs
don't connect to your services.

------
jldugger
IMO, the key challenge to IT security is business justification. The costs are
very explicit: it's a shit ton of work to enable SELinux, and 2-factor auth
isn't free. Meanwhile the benefits are fairly nebulous: 2-factor auth doesn't
prevent shellcode injection into imagemagick.

The end result is you have a low probability of huge impacts occurring,
without enough data to suggest the distribution of low probabilities, or the
nature or distribution of huge impacts. You're sort of selling tiger repellent
rocks, and when the big event does happen, you now have to convince the
executives of the counterfactual that if you had the budget to implement X, Y and
Z, the event would have been prevented. Meanwhile, the costs on team velocity
are silently ignored.

The best case scenarios here probably revolve around insurance. Compliance
auditors can impose non-compliance fees, and giving security teams a direct
financial consequence avoided to point to would help their budget
justifications.

~~~
ben_jones
I was watching S01E05 of Mr. Robot, which involves the crew breaking in to a
huge data warehouse facility reminiscent of Fort Knox. My friend asks me if
places like that really exist and I laughed, "No company cares enough to pay
that much to protect their data".

------
toredash
This just in: people on HN don't know how to navigate a slidedeck.

What gives? More comments on the format rather than content

~~~
wosos
Exactly, I've been annoyed more than once by pure whining on the
format/color/navigation of a site and little to no comments on content. [Now
going meta whining about the whining, but I'll try not to do it again, I
promise]

~~~
clevernickname
I don't mind the meta comments when they're confined to one thread, but it
gets annoying when there are more meta threads than on topic ones.

People, read the comments before you comment. Chances are someone already
complained about the slide format or the font color or whatever.

~~~
toredash
Correction: Chances are someone already complained about something or
whatever.

------
acd
Very good read on security and how we can improve systems

~~~
blazespin
Agreed, some good ideas here. Reading the comments here though I think you
probably have to care about security to get anything from it though.

------
spajus
"This is what DevOps is about: running Ops like you're Developing an app, not
letting your devs run your ops."

This is a very common attitude of sysadmins who think that configuration
management is the only thing they need to do to "become DevOps". Sadly, years
after DevOps movement has started, the majority of people who are "doing
DevOps" are those sysadmins who just added Puppet or Chef to their toolbox.

Security is a very difficult subject when it comes to DevOps practices, but
the approach given in this presentation is definitely something I would not
want to be part of. Unless what they are securing is a nuclear reactor control
center.

~~~
Annatar
On the other hand, I have yet to work with, or even meet a developer who
thinks that DevOps _isn't_ dumping .tar files or Docker images directly into
production. The developers love it because it gives them _carte blanche_ to
just hack production any way they see fit. For instance, I had some Java
developer attempt to argue with me that .tar files are the same as .rpm's, and
that was just one of many incidents. The worst part is, the developers
actively spread that propaganda, along with OS packaging requiring root
privileges to deploy payload as being unsuitable for continuous delivery.

~~~
spajus
I think this is solvable by educating devs, not just by enforcing policies.
And path to production should be a well defined process, that has to evolve
from collaboration between devs and ops, so nobody should be able to just
"hack production" on their own, and ops could also be doing dev code reviews
to see what exactly they are doing.

~~~
acdha
Education is critical, along with ownership. A lot of the bad practices on
either side happen when someone can just fob a mess off onto the other group
rather than trying to fix it. Once they have that responsibility it's easier
to get someone to care about e.g. how a tarball doesn't address dependency
management.

------
mrmondo
Any chance you could export the slides to a PDF or similar?

It looks like the reveal.js pdf export function of appending /reveal-js?print-pdf
to the URL seems to be broken.

EDIT: Thanks to someone in the comments below who linked to the PDF, it was
28MB so I compressed it down to 1.7MB here (image quality won't be as good but
meh): [https://www.dropbox.com/s/8bu3rkj6pjbneiv/giant-bags-of-most...](https://www.dropbox.com/s/8bu3rkj6pjbneiv/giant-bags-of-mostly-water.compressed.pdf?dl=0)

------
anacrolix
Lots of "you're doing it wrong" with no solutions. This is why nobody bothers.

~~~
reitanqild
Did you read the second last(?) page? It contains this link:
[https://github.com/lfit/itpol](https://github.com/lfit/itpol)

------
ashitlerferad
Anyone got a link to a PDF?

~~~
mtgx
[http://kernsec.org/files/lss2015/giant-bags-of-mostly-water....](http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf)

------
erikb
The slides said something about an explanation. And then they link to a github
repo with one of the most minimal readmes you can create. Well... Good attempt
I guess.

------
abpavel
So what is "IP Score" in the car analogy? A World-wide DMV? With all user
information exposed to either a closed-source entity, or an open source
effort?

------
z3t4
Where's the presentation?

------
fapjacks
_Ugly_ giant bags of mostly water.

~~~
mricon
I'm sure we are all beautiful people, which is why I omitted that part. :)

------
abpavel
The car analogy is a good sign that the speaker is not able to express the
thought directly. The networks are not that simple, and the analogy breaks
down at depth for every comparison. Like the modern drivers who consciously
chose not to wear a seat belt. Or that half of the 1.25 million deaths a year
are the "vulnerable users", called so by the WHO:
[http://www.who.int/mediacentre/factsheets/fs358/en/](http://www.who.int/mediacentre/factsheets/fs358/en/),
and fatalities of the laws of momentum, where a 150 lbs pedestrian absorbs more
energy than a 3000 lbs Scion...

Stop talking cars and analogies! Talk straight!

------
Annatar
The author of the presentation lost my respect when I read he is advocating
for using SELinux and Linux containers instead of zones and SmartOS, which
tells me he is not up to date on security. The whole thing was even made worse
by him advocating for the use of continuous integration: no, .tar files and
Docker images are not the same thing as operating system packages, nor do they
come anywhere near the functionality, therefore "DevOps" is insane, especially
when the whole thing can be pulled off correctly and securely with SmartOS
zones, OS packaging for both delivery and configuration management, and change
management process modeling. Those are your airbags, crumple zones, and safety
systems, not SELinux, "DevOps", nor Linux "containers". The only thing of
technical value in the presentation is how to put SSH keys on SmartCards, and
even that is just explained as a series of manual steps (hacking in system
engineering context), rather than as a turnkey, OS packaging process (full,
high quality, repeatable integration). Damn it how I loathe half-baked stuff
from people who should know better but don't: if you are going to be
presenting on security, you better know what you are talking about, or else it
is _blind leading the blind_.

~~~
tyingq
You may be right, but from my perspective you're falling into the same trap
that most IT security people do. You're assuming that the mainstream devs
should put security first.

They just never will. Follow the money. The money is paying for revenue
generating activity.

Using your example that "zones and SmartOS" are preferable to "SELinux and
Linux Containers"....that's not going to happen. The people with the money
have already chosen the container direction.

A much better strategy would be to give up on what you want, and focus your
energy on making the direction that's been chosen more secure.

I suspect if enough talented, security minded engineers descended as
contributors for docker, rkt, etc...the situation would improve much faster
than the current direction of just complaining they aren't secure.

Perfect is the enemy of good.

~~~
Annatar
> Using your example that "zones and SmartOS" are preferable to "SELinux and
> Linux Containers"....that's not going to happen.

That has actually already taken place, and is taking place. There is unlikely
to be one winner-take-all.

Following the money does not mean that the application cannot be programmed
from the ground up to support SmartCards and roles, or that it has to be full
of security holes.

> I suspect if enough talented, security minded engineers descended as
> contributors for docker, rkt, etc.

Depends on what is under etcetera. Docker and rkt are not the silver bullets
everyone who has not gotten busted by them thinks they are, they are just a
trend. With all of those you instantaneously lose lifecycle management, because
they are just images of massive file dumps, not images of software and
configuration installed with packages. When you use Solaris zones in SmartOS,
Docker and rkt become completely superfluous, because you suddenly get a fully
working yet completely isolated UNIX server, running at the speed of bare
metal no less. Add some OS packages on top of that, make them into an image
for imgadm(1M), and in a few seconds you're done. What does one need Docker for
in that scenario?

And I should certainly hope that perfect is the enemy of good, because life
has taught me, the hard way, that good isn't good enough. I absolutely _hate_
being woken up during the night because of an incident, and will go out of my
way to get as close to perfect as possible in order to be able to sleep
through the night.

~~~
tyingq
> That has actually already taken place, and is taking place.

"Not going to happen" meaning it's not going to overtake docker/containers in
terms of overall mindshare, activity, etc.

If you're focused on driving the best solution in some sub niche, yes...you
can be successful with that.

But, the larger market is going to continue to prioritize things that directly
generate revenue over everything else.

~~~
Annatar
> If you're focused on driving the best solution in some sub niche, yes...you
> can be successful with that.

I would be hard pressed to call securing containers, virtualization and cloud
a niche, since that is exactly what SmartOS has been designed for, from the
ground up.

A large part of generating revenue is not having downtime caused by data
corruption incidents or security breaches (or both), which means picking and
using a substrate which provides guards against that.

~~~
tyingq
The sub-niche would be the smaller number of people that recognize your list
of concerns and choose SmartOS over Docker.

Just as Betamax was a technically better solution than VHS.

