Linux.conf.au 2020 – Wednesday – Keynote – Donna Benjamin

Keynote: From 2020 to 2121: How will we get there?

Who is watching and why are they watching,? Why does it matter?

People install siri and other personal assistants. Cameras are everywhere.

We are making it too easy for the bad guys.

But makers of free and open source software and also helping the persuasion industry. Are we responsible for that?

The Why matters. Is the tech deterring crime, helping rescue people or used for repressing people.

Observation + Suspicious = Surveillance

From here to 2021

How to make the future happen. Act now to create what you’ll need when you get there. Pack like a Hiking trip

The Four Powers – Information, Relationships, Resources and Decision Making

What is something small can you do now to make the future better? Donna is going to take steps to improve our herd immunity to mass surveillance

https://etherpad.wikimedia.org/p/LCA2121

Step to take to more evenly distribute power now and more evenly distribute the future in 2021

Open Australia – Run various websites
– Putting Hansard online in machine readable format
– More easily submit freedom of information request

Appreciative Inquiry

Share

Linux.conf.au 2020 – Tuesday – Session 3 – Container Miniconf

Unsafe Defaults: Deploying Kubernetes Safer(ish) – James

Overview of Kubernetes

  • A compromised container is very close to being a compromised host
  • While you shouldn’t curl|bash the attacker can do it to get the latest exploits.

Three Quick things for some easy wins

  • The Kubernetes API is completely open from localhost. This is no longer required but old clusters and some upgraded clusters may still have it.
  • Put a Valid certificate on the cluster or at least one you can keep track of.
  • Get rid of unauthenticated user roles as much as possible.
  • Check you don’t still have “forever tokens”
  • A Good idea not to give service tokens to most pods.
    automountServiceAccountToken: false

PodsecurityPolicy

  • Keep an eye on
  • New
  • You need good RBAC
  • Have a look at k-rail

etcd

  • Can turn on authentication
  • Can turn on TLS between peers and clients
  • Can encrypt on disk
  • Can restrict it with a firewall

Every Image Has A Purpose by Allen Shone

Docker Images

  • What are they anyway
  • A base definition to prepare a filesystem for execution as a container
  • Caching mechanism
  • Reproduceable
  • Great way to share runtime circumstances
  • A comprehensive environment structure

Layers

  • image is a series of layers
  • Minimizing layers makes things better
  • Structure the image build process to get the best set of images

Basic Uses

  • Use the most appropriate image
  • A small fix can add up

Images in Production / Customers facing envs

  • When deploying containers, be precise as possible.
  • The image should be ready to go without further work
  • Keep image and small and simple as possible
  • “FROM: golang:alpine” in testing
  • “FROM: scratch” in production
  • Two images but they serve different purposes

Development

  • Possible to use the same image as previously
  • Bring in some extra debug tools etc, mocks for other services

Trimming the final image to be very specific

  • Start with the production image and add extra layers of stuff

Deployed Considerations

  • Some things only come into consideration once they are deployed
  • Instead of creating a big general container, create two containers in a pod that share a file system
  • Configuration should be injeted, as an env-specific setup
  • Images should be agnostic

Extras

  • Look at using the .dockerignore file
  • Use image scannign tools ( Diive and Clair)
  • A little preparation up front can prevent a lot of headache later
Share

Linux.conf.au 2020 – Tuesday – Session 2 – Security, Identity, Privacy Miniconf

Privacy and Transparency in the VPN industry by Ruben Rubio Rey

We are at an “Oh Noe!” Moment in the VPN Industry

VPN Advantages

  • Protect your privacy
  • Bypass Geo-Restrictions
  • Beat Censorship
  • Save money on Hotels and Flights
  • Download torrents anonymously
  • Bypass ISP speed regulations
  • Secures Public WIFI

What Can be intercepted?
– Without Encryption: Any Data
– With Encryption: IP and Port

But HTTPS only works of client and server configured correctly
Client: Rough root certificate
Servers: CORS, insecure SSL version

Protect Your Privacy

  • Many Countries Systematicly collecting data about citizens
  • ISP collect data, must keep for two years and accessabil to agencies
  • USA ISP’s can sell information
  • Others Countries tried to put in MITM Certs

So Private companies have incentives to protect my data?

The Reality of Private VPN providers

  • Several examples of collecting Data
  • Several examples of them releasing data to agencies
  • Random security and implementation problems
  • Exaggerations in sales pitches
  • Installs Rouge Roots Cert on user machine

Conflict of Interest, what is a business model of the providers?

Stats

  • 59% of Free VPNs in play store had hidden Chinese ownership
  • 86% had privacy policy flaw
  • 85% asked for excessive permissions

Are VPN Companies Needed?

People with non-technical skills need an option

How to Improve the VPN Market?

  • Privacy and Transparency go hand and hand
  • Open Source Provides Transparency
  • End to End open source VPN Company
  • theVPNcompany.com.au

Install you own VPN

Algo and Streisand

Create your own VPN Company using the base for “The VPN Company”

https://thevpncompany.com.au/

Authentication Afterlife: the dark side of making lost password recovery harder by Ewen McNeill

Twitter Account “badthingsdaily” . Fictional Scenarios that might happen to security people. Inspired this talk.

Scenario 1

  • A Big fire took out your main computer
  • You done have the computer and you don’t know all your passwords

Recovery Traditional

  • You get email somewhere else. On your phone
  • Click on Forgot my password
  • Repeat until all accoutns recoveryed

Scenario 2

  • You need to login to your account on a new device
  • All account secured with 2FA
  • Your 2FA isn’t working

Recovery

  • Recovery Tokens
  • Alternative 2FA Solution

Scenario 3

  • Your bad was stolen
  • It had computer, phone and 2FA
  • Can bad guy impersonate you?
  • Can you recovery faster than the other guy (or at all?)

Recovery

  • Does you 2FA pop up on your lock screen?
  • So anybody with your computer is able to get this?
  • Race to reset passwords and invalidate your login tokens
  • Maybe you remember your passwords but not you 2FA
  • Recovery questions “Mother’s maiden name”
  • Can be easy to discover, but if it is something random then you have to be able to find it (ie on the password store you just lost)

Multiple alternate authentication methods

  • Primary you use every day
  • One or more backups

If resetting your password every time is easier than remembering your password people will do that.

Attackers will use the easiest authentication method. Eg Contacting the Helpdesk or going into a bank branch office.

But if recovery is too hard you can end up losing access to your account permanently

Recommend: GitHub’s 2FA recovery guide

Scenario 4

You startups founder has left. He has wipped out all his computer. Now your Cloudprovider is threatening to lock you out unless you authenticate using 2FA

  • Hopefully in the password store
  • Or perhaps they no longer work
  • Contact Helpdesk, Account Manager, Lawyer, Social Media (usually the bigger you are and the more you pay the better you chance)
  • Sore everything centrally. How do you audit that? , regularly?

Scenario 5

A relative dies. You first step is to login to all their accounts work out what should be kept.

This will take months not years. Sometimes you will only find out the account exists when they email you that your account is about to expire.

Personal Observations

  • You will not have access to their cellphone
  • or probably not past the lock screen
  • Anything they told you that was obvious you will forget
  • You will not have access to the password store
  • You may have access to saved passwords in browser
  • Maybe you need to optimise for family can access stuff not complete lockdown.
  • Physical notebook with passwords
  • Consider in advance how you will recover if your 2FA device breaks
  • How will you convince a helpdesk person that you are you?

Personal Mitigations

  • Kawaiicon 2019 ” How can I help you” Talk by Laura Bell

You Shall Not Pass by Peter Burnett

Moodle is an open souce Learning Management System.

  • Legacy System
  • First developed in 1997
  • Open Sourced in 2001
  • New Code is good quality, older stuff not as much

Efforts to improve password policy

  • Password policy was a bit antiquated
  • Best policies come from NIST, 2018 version is good.
  • Don’t force a pattern, Check for compromised passwords, Check for dictionary based and identifying passwords
  • Look at the “Have I been Pwned” API – takes first 5 characters of the sha of the password.
  • Dictionary checks – Top 10,000 English words might be enough
  • Indentifying information – Birthdays, names, cities are things to watch for. Name of the company.

Released as an open source plugin for Moodle

A look at the Authentication Flow

  • Natively supported LDAP etc.
  • Lots of extra plugins impliment other methods
  • Had to put MFA in when people using plugins. Difficult to mix
  • Added extra hook on “account related” actions, they would check for MFA etc.
  • Required a bit of work to get merged in.

Implementing MFA

  • MFA is a superset of 2FA implimentations
  • Had to do extensible platform
  • Traditional: TOTP, Email
  • Non-Traditional: IP verification, Authentication type (might already have MFA)
  • Design considerations – Keep secure but impact people as little as possible.
  • Different users: Not required, Optional, Forced Upon . So built in the ability for a range of use across platform.
  • Learnings
    • Anything can be used as a factor
    • delicate balance between secure and usable
    • When designing, paranoid is the right mindset
    • Give the least information possible to allow a legit user to authenticate
    • What can the attacker do if this factor is compromised?

Final Thoughts

  • Long way to go
  • Security is a shifting goalpost
  • Keep on top of new developments
Share

Linux.conf.au 2020 – Tuesday – Session 1 – Security, Identity, Privacy Miniconf

Facebook, Dynamite, Uber, Bombs, and You – Lana Brindley

  • Herman Hollerith
    • Created the punch card, introduced for the 1890 US Census
    • Hollerith leased companies to other people
  • Hollerith machines and infrastructure used by many Census in Europe.
    • Countries with better census infrastructure using Hollerith machines tended to use have higher deather rate in The Holocaust
  • Alfred Nobel
    • Invented Dynamite and ran weapons company
  • Otto Hahn
    • Invented Nuclear Fission
  • Eugenics
    • 33 US states have sterilization programmes in place
    • 65,000 Americans sterilized as part of programmes
    • WHO was created as a result.
  • Thalidomide
    • Over-the-counter morning sickness treatment
    • Caused birth defeats
    • FDA strengthened

Unintended consequences of technology, result was stronger regulation

Volkswagen emission and Uber created Greyball
– Volkswagen engineers went to jail, Uber engineers didn’t

Here are some IT innovations that didn’t lead to real change

  • Medical Devices
    • Therac-25 was a 1980s machine used for treating cancer with radiation
    • Control software had race condition that gave people huge radiation overloads
  • Drive by Wire for Cars
    • Luxus ES350 sudden acceleration
    • Toyota replaced floor mats, not software
    • Car accelerator stuck at full speed and brakes not working
    • No single cause ever identified
  • Deep Fake Videos
  • Killer Robots
    • South Korean Universities came under pressure to stop research, said they had stopped but not confirmed.
  • Chinese Surveillance
    • Checkpoints all though the city, average citizen goes though them many times per day and have phoned scanned, other checks.
    • Cameras with facial recognition everywhere
  • Western Surveillance – Palantir and other companies installing elsewhere
  • Boeing Software – 373 Max

Bad technology should have consequences and until it does people have to avoid things themselves as much as possible and put pressure on governments and companies

The Internet: Protecting Our Democratic Lifeline by Brett Sheffield

Lost of ways technology can protect us (Tor etc) and at the same time plenty of ways technology works against our prevacy.

The UN Declaration of Human Rights
Australia is the only major country without a bill of rights.

Ways to contribute
– They Work for you type websites
– Protesting
– Whistleblowers

Democracy Under Threat
– Governments blocking the Internet
– Netblocks.org
– Police harrass journalists (AFC raids ABC in Aus)
– Censorship

Large Companies
– Gather huge amounts of information
– Aim for personalisation and monotisation
– Leads to centralisation

Rebuilding the Internet with Multicast
– Scalable
– Happens at the network layer
– Needs to be enabled on all routers in each hop
– Currently off by default

Libracast
– Aims to get multicast in the hands of developers
– Tunnels though non-multicast enabled devices
– Messaging Library
– Transitional tunneling
– Improved routing protocol
– Try to enable in other FOSS projects
– Ensure new standards ( WebRTC, QUIC) support multicast



Share

Linux.conf.au 2020 – Tuesday – KeyNote: Sean Brady

Keynote: Drop Your Tools – Does Expertise have a Dark Side? by Dr Sean Brady

Harford Convention Center

Engineers ignored warnings of problems, kept saying calculations were good. Structure collasped under light snow load

People are involved with engineering, therefore it is a people problem

What it possessing expertise has a dark side? Danger isn’t ignnorance it is the illusion of knowledge.

Mann Gulch fire

Why did the firefighters not drop their tools?
Why did they not get in the Escape Fire?

Priming – You get information that primes you to think a certain way.

What if Expertise priming somebody?
– Baseball experts primed to go down the wrong path, couldn’t even stop when explicitly told about the trick.

Firefighters explicitly trained that they are faster runners with tools.

Creative Desperation – Mentally drop your existing tools.



Share

AudioBooks – December 2019

Call the Ambulance! by Les Pringle

Stories from a British Ambulance driver in the late-1970s and 1980s. A good range of stories from the funny to the tragic. 7/10

Permanent Record by Edward Snowden

An autobiography by the NSA Whistle-blower. Mostly a recounting of his life, career and circumstances that led up to him leaking. Interesting. 7/10

Life in the Middle Ages by Richard Winston

As the titles describes. Unusually for English Language books it focuses on France. Not much history just daily life & only 5h long. Probably works better with pictures. 6/10

Dr Space Junk vs the Universe: Archaeology and the Future by Alice Gorman

A Mix of topics. Some autobiography & how she worked her way into the archeology of spaceflight. Plus items of Space History & comparisons with earth archeology. But it works 8/10

Little House in the Big Woods by Laura Ingalls Wilder

Only 3h 40m long and roughly covering a year. The author describes her life (aged 5-6) and her family in a cabin Wisconsin in the early 1870s. 1st in the series. 7/10

Abraham Lincoln: A Life (Volume One) by Michael Burlingame

50h and covers up to his 1st inauguration. Not a good 1st Lincoln bio to read but very good. Some repetition as multiple sources a quoted on some points. 7/10

Share

Donations 2019

Each year I do the majority of my Charity donations in early December (just after my birthday) spread over a few days (so as not to get my credit card suspended). I’m a little late this year due to a new credit card and other stuff distracting me.

I also blog about it to hopefully inspire others. See: 2018, 2017, 2016, 2015

All amounts this year are in $US unless otherwise stated

My main donations was to Givewell (to allocate to projects as they prioritize). Once again I’m happy that Givewell make efficient use of money donated.

I donated $50 each to groups providing infrastructure and advocacy. Wikipedia only got $NZ 50 since they converted to my local currency and I didn’t notice until afterwards

Some Software Projects. Software in the Public Interest provides admin support for many Open Source projects. Mozilla does the Firefox Browser and other stuff. Syncthing is an Open Source Project that works like Dropbox

Finally I’m still listening to Corey Olsen’s Exploring the Lord of the Rings series (3 years in and about 20% of the way though) plus his other material

Share

Audiobooks – November 2019

Exactly: How Precision Engineers Created the Modern World by Simon Winchester

Starting from the early 18th century each chapter covers increasing greater accuracy and the technology that needed and used it. Nice read 8/10

The Secret Cyclist: Real Life as a Rider in the Professional Peloton by The Secret Cyclist

An okay read although I don’t follow the sport so had never heard of most of the names. It is still readable however and gives a good feel for the world. 6/10

Braving It: A Father, a Daughter, and an Unforgettable Journey into the Alaskan Wild by James Campbell

A father takes his 15 year-old daughter for two trips to a remote cabin and a 3rd trip hiking/canoeing along a remote river in Alaska. Well written and interesting. 8/10

The Left Behind: Decline and Rage in Rural America by Robert Wuthnow

Based on Interviews with small town Americans it talks about their lives and frustrations with Washington which they see as distant but interfering. 7/10

World War Z: An Oral History of the Zombie War by Max Brookes

This was the “almost” full text version. Lots of different actors reading each chapter (which are arranged as interviews). Great story and presentation works well. 9/10

Share

Audiobooks – October 2019

The Story of the British Isles in 100 Places by Neil Oliver

Covers what you’d expect with a good attempt not just to hit the “history 101” places. Author has an accent that takes a while to get used to. 7/10

Death’s End – Cixin Liu

3rd in Trilogy wrapping things mostly up. Just a few characters so easy to keep track of them. If you liked the previous books you’ll like this one. 7/10

Building the Cycling City: The Dutch Blueprint for Urban Vitality by Melissa & Chris Bruntlett

Talking about Dutch Cycling culture. Compares 5 different cities (some car orientated) and how they differ in their cycling journey. 7/10

Scrappy Little Nobody by Anna Kendrick

A general memoir by the actress. A bit disjointed & unsystematic and by no means a tell-all. A few good stories sprinkled in. 6/10

The $100 Startup by Chris Guillebeau

Lots of case studies of businesses built off relatively little capital (and usually staying small). Plenty of good advice although lists don’t translate well in audio. 7/10

Atomic Adventures: Secret Islands, Forgotten N-Rays, and Isotopic Murder-A Journey into the Wild World of Nuclear Science by James Magaffey

A bunch of really good stories from the Atomic age (not just the usual ones) including a view from inside of the Cold Fusion fiasco. 8/10

Share