DevOpsDays NZ 2019 – Day 2 – Session 3

Everett Toews – Is GitOps worthy of the [BuzzWord]Ops moniker?

  • Usual Git workflow
  • But it takes some action
  • Applying desired state from Git
  • Example: Infrastructure as code
    • DNS
    • Onboarding and offboarding
  • Git is now a SPOF
  • Change Management Dept is now a barrier
  • Integrate with ITSM
  • Benefits: Self-service, Compiience

Joel Wirāmu Pauling – Why Bare Metal still maters

  • Cloud Native Dev doesn’t exist as a closer system
  • IoT is all hardware
  • AI/ML is using special hardware
  • Networks is all hardware offloads
  • FPGAs and ASICS need more standard open way to access
  • You’ll always have weird stuffs on your network
  • Virtualization has abstracted away the real
  • We care able vendor lockin with cloud APIs and Aus electricity isn’t all that green

Steven Ensslen – Do you have a data quality problem?

  • What is data ops and why do we want it?
  • People think they have a data quality problem but they don’t actually measure it to see how bad.
  • Causes all sorts of problems.
  • 3 Easy steps to fix data quaility
  • 1 – Document data charactersistics and train people to know them
  • 2 – Monitor data as if it is infrastructure
    • Test data like it is code
  • 3 – Professionalize your support of data professionals
    • Bring in the spreadsheet experts
    • Support reporting and analytics people too

Mandi Buswell – What are Kubernetes Operators and Why do I care

  • Like an App Store on your kubernetes cluster
  • Like a like Kubernetes robot doing that hard work for you. Lifecycle management
  • Operators run as microservices on the kubernetes cluster
  • operatorhub.io
  • Work on any kubernetes cluster
  • You can even write your own

Laura Bell – Securing the systems of the future

  • Fear and Lothing
    • It is an old problem because “People are Jerks”
  • All organization try either Fight, Flight, Freeze
  • Trying to protect: Confidentiality, Integrity, Availbality
  • Protect, Detect, Respond
  • Monolith
    • A big wall around
    • Layered defense is better but not the final solution
    • Defensive software architecture is not just prevention
    • Castles had lots of layers of defenses. Some prevention, Some Detection, Some response
  • MIcroservices
    • Look at something in the middle of a star and erase it
    • Push malicious code into deployment pipelines
  • Avoid scar tissue, stuff put in just to avoid specific previous problems. Make you feel safe but without any real evidence.
  • Fearless security patterns and approaches
  • Technology is changing but the basics are still the same
  • Lots of techniques in computer security.
  • Prevention and Detection are interchangeable
  • Batman vs Meercat model
  • Be Aware and challenge your own bubble
  • Supply Chains are vulnerable: Integrations, dependencies, Data Sources
  • Determinate threat vs Dynamic Threat
    • Can’t predicts which steps in which order are going to get the result
    • Comprimise the data then the engine will return bad results
  • Plug for opensecurity.nz

Share

DevOpsDays NZ 2019 – Day 2 – Session 2

Jacob Ivester – Diagnose DevOps: The work behind the work

  • Unhappy DevOps Family
    • Unsupport Software
    • Releases outside of primetime
    • etc
  • Focus on Process as a common problem
    • Manage Change that Affects Multiple teams
    • Throughputs vs Outputs
  • Repeatability
  • Extensibility
  • Visability
  • Safety

Cameron Huysmans – Designing an Enterprise Secrets Management Service using HashiCorp Vault

  • Australian based Bank
  • Transition for last 30 years for a bank to a layered based security model (all the way down to the server in the datacentre)
  • In 2017 moved to the cloud and infrastructure in the cloud
  • What makes a bank – licensed to operate
    • Must demonstrate control of the process
    • Reports problems to regulator
    • Identifyable business Processes
    • All Humans
  • If you use a pipeline there are no humans in the process. These machine process needs to conform to the same control
    • Archetecture naturally resistent to change. Change requires a complex process
    • ITIL
    • 2FA required for everything
    • Secrets everywhere
  • Disruption
    • Dynamic Systems with constant updates
    • Immutable containers
    • Changes done via code
    • Live system changes
    • Code and automation drives things
    • Dynamic CMDB – High Levels of abstraction
    • But you still have a secrets problems
  • Secrets Management
    • Not just a place to store passwords
    • But also a Chain of Trust
  • If Pipelines make the change who owns it, who audits it?
  • Vault becomes a bit of audit by saying who used something (person or process)
  • Why another tool ?
  • Created a pattered on how thing will be deployed. Got Security to okay it. Build it in a pipeline
  • Vault placed in the highest security area
    • But less-secure areas needed to talk to it.
    • Lots of zones internally. Some in Cloud, DMZ
    • Some talk via API gateway to main vault
    • Had a Vault replica that had a copy of some secrets and could be used by those zones that were not allowed to to the secrets zone
  • Learnings
    • This is hard, especially in the cloud
    • If Pipelines are doing the change, that must be kept secure. Attribution, notification and real-time analytics
    • Declarative manifests of change (code, scripts, tools) require more strict access controls
    • Avoid direct point-to-point connections

Share

DevOpsDays NZ 2019 – Day 2 – Session 1

Cath Jones – The Myth of the Senior Engineer

  • They won’t be able to hit the ground running on Day 1
    • Assume they know everything about how things work at your organisation that is organisation or industry-specific
    • If you don’t account for this you will see problems, stress, high turnover
  • Example: Trail by Fire
    • You get shown the basic stuff and then given your first ticket
  • How do you take organisation knowledge and empower people?
  • Employee Socialisation
    • Helps mitigate problems and assumptions
    • Facilitates communication and networking
    • Allows people to begin contributing sooner
  • Pre-Arrival Stage
    • Let people know what is expected
    • Let existing people kno who is thating and our expectations for them
    • Example: Automatic (wordpress)
      • Asked people in the final stages to complete some (paid) work.
      • Candiatites get better understanding of the company
  • Preparing for Transition
    • Culture-shock
    • How are you like compared to where they came from?
    • The new role compared to their previous one?
    • Come from a place where they were an expert and had lots of domain-specific knowledge to being a newbie
  • The Encounter Stage
    • Mentoring, Communication, Technical onboarding
    • Example: Cohorts of new hires
    • Mentoring: Proven way to socialise Senior engineers. Can be Labour intensive but helps when documentation lacking
    • Share Mentor-ship responsibilities: eg Technical and Organisational mentor seperate
    • Communication: Expectations that company places, how privledged and how transparent?
    • Authenticity: Can people be themselves. Reduces stress
  • Technical onboarding: Needs to take time and do it properly. Allow new people to contribute back to it and make it better.
    • Pick out easy wins or low-hanging fruit so peopel can contribute sooner
    • Have Style Guides and good docs
  • MetaMorphosis
    • Senior Engineers are fully Contributing

Katie McLaughlin – Being kind to 3am you

Share

DevOpsDays NZ 2019 – Day 1 – Session 3

Gleidson Nascimento – Packaging OpenShift Origin Kubernetes Distribution (OKD)

  • Centos SIG
  • Based on latest upstream

Joshua King – Don’t Reinvent the Wheel, Just Realign It

  • Project: Let notifications work for powershell users
  • Then he found the UWP community toolkit
  • Which had notifications built-in
  • These days looks around first, asks for APIs rather than scraping
  • Look around for open-source tools and give back
  • Sometimes your implimentation might be fun or even better than the original

Srdan Dukic – Implicit trust agreement in Learning Organizations

  • Sysadmin shell -> ansible -> APIs -> automate everything
  • Programmers coded themselves out of a job
  • Followup instructions or achieve results?
  • A bit of both – tension between the two
  • Money today or Money tomorrow?
  • Employee – Expected to make things better
  • Employer – Support things getting better, not fire people when they automate themselves out of a job

Julie Gunderson – You Can’t Buy DevOps

  • Lots of companies talking about DevOps are trying to sell you a solution
  • What doesn’t makes you a devops company
    • Be in the Cloud
    • Have a DevOps team
    • Get rid of the Ops Team
    • A checklist you can tick off
    • Easy
  • Westrum 3 Cultures Model
  • We want the generative model
  • Keeping information flowing between teams is prerequisite for high performance teams
  • Psychological Safety to make decisions. Lets employees focus on problems and getting work done rather than politics
  • Practices
    • Configuration management
    • CICD Pipelines
    • Work in small batches
    • Test every commit and everything else (look at Chaos engineering)
  • Tools
    • Let the teams who are using the tools decide on what tools they will use
    • XebiaLabs Periodic table of DevOps tools
  • Getting there
    • Start with one team and a POC
Share

DevOpsDays NZ 2019 – Day 1 – Session 2

Allen Geer, Michael Harrod – Kiwi Ingenuity – Kiwi’s can Overcome Tough Problems In DevOps

  • Contrast – US vs NZ
    • In the US companies are bigger, lots more people, lots more money to throw at problems.
    • Contrast with Arial Topdressing pioneered in NZ using surplus WW2 aircraft
    • Since the problems are up to 100x bigger in the US the tools are designed for that scale. ROI might not not be there for smaller companies.
    • Dealing with Scale
      • Avoid “Shinny new thing” syndrom, plan for keeping things for at least 5 years.
      • Ramp up slowly with the tool, push it into other areas.
      • Avoid Single Person Silo.
      • Bring up some Kiwi Inginuity (Look at Open source, Use the Free Tiers or Cheap Tiers).
      • Out-Innovate the US companies rather than trying to out-scale
    • Infrastructure: Monetization of Toil
      • Spending time and money on stuff you can automate
      • Lots of manual creating of infrastructure, servers, firewalls.
      • Lack of incentive for providers who charge for changes to automate stuff
      • Other Providers will automate (especially overseas ones that will come into NZ)
      • People take risks (eg no DR) in order to save money.
      • Innovator’s Dilemma
    • Solutions
      • More vocal customers
      • Providers should provider a platform, lots more self-service. Ahnd-holding for the hard stuff not the day-to-day
      • Charge for outcomes not person-hours
      • Begin Small
      • It’s an experiment – Freedom to Fail
    • Inattentive Customer Service
      • Overseas companies have a lot more forums, helpdesks, quick responses.
      • “Kiwis reluctant to make a fuss” , Companies not used to people making a fuss
      • Apply “American Ingenuity” – Striving focus to increase customer satisfaction.
      • Build a healthy community (eg online forums) around your service.
      • Gather insights from customers
      • Bezos – “When a customer contacts us, we see this as a defect” . Focus on the source of problems
    • Evolving Kiwi Workforce
      • NZ has older and aging workforce. 2nd oldest in the OECD
      • Slightly Fewer peoples with degrees
      • 11% of workforce 65+ by 2038
    • Learning in the workplace
      • Leverage senior Knowledge
      • Telco – Older customers didn’t want to approach young workers in mall. Brought in retired engineers to work in stores.
      • Mentoring and reverse-mentoring. Mentor learns insights from mentoree too (eg about younger people’s habits)
    • Introducing people to DevOps
      • Kiwi DevOps models

Craig Box – Teaching Old Servers New Tricks: extending the service mesh outside the cluster

  • Service Mesh
    • Managing a service is hard
    • metrics, monitoring, logging, traceing
    • AAA encryption, certs
    • load balancing, routing, network policy
    • quota
    • Failure handling, fault inject
  • Microservices
    • Not just for hipsters
    • Works best at scale. Lots of devs
  • Now introduce a network in between everything. Lots of hard dtuff, distributed systems are hard
  • Leaky abstractions
    • Have to build stuff into microservice to deal with problems of the network
    • In multiple libraries and languages
    • Can we fix it?
  • Sidecar Pattern
    • The sidecar does all the hard stuff instead of making the microservice itself do it.
    • Talks TCP. Able to work with all languages
  • Proxies as sidecars
    • SPOF
    • Sidecar is attached to each MS
  • Flexability and Power
    • Single place where we can do everything
    • Traffic going in: TLS termination, metrics, quota
    • Traffic out of workloads: Authentication, TLS connections
  • Istio
    • Open platform
    • Not always microservices
    • Uniform observability
    • Operational Agility
    • Policy driven Security
  • How istio works
    • Proxies + control plane
    • Pilot in control plane pushes config to proxies, keeps track of them, looks up stuff in k8s cluster
    • Mixer – policy check and telemetry
    • Citidel – cert authority to proxies
    • Control plane has to run on k8s
    • Proxies run using envoy
    • Zipkin built in
    • All done automatically for kubernetes environments ( admission controller adds sidecar )
  • Adding a VM to a service mesh
    • Enable the mesh expansion, connect the networks
    • Add the gateway IP to the VM
    • Get a cert and copy to the VM
    • Install proxy and node agent
    • Traffic from cluster -> VM .
      • Add the service to DNS in the cluster,
      • Create a ServiceEntry on the cluster
    • Traffic from VM -> Cluster service
      • Add Service and IP to /etc/host on the VM
  • Sample Application – Hipster Shop
    • productcatalogservice is outside of kubernetes
    • headless service in kubernetes
    • manually created service entry in k8s
    • Experimental istio commands to simplify process to single command

Share

DevOpsDays NZ 2019 – Day 1 – Session 1

Brooke Treadgold – Back to Basics

  • Transformation Lead ANZ Bank
  • Not originally from a Tech background
  • Tech has a lot of buzzwords and acronyms that make it an exclusive club. Improvements relay on people from other parts of the business that aren’t in that club
  • These people have to care about it and understand it.
  • Had to use terms that everybody in the business understood and related to.
  • Case for change – What top orgs do:
    • 208 times more frequent deployments
    • 2604 times faster to recover from incidents
    • 7 times lower change failure rate
  • What you need
    • High Priority -> Access to people to do the work
    • Needed tangible goal (weekly releases) to get people to focus (and pay)
  • Making change a reality
    • Risk Management
      • You can just stop doing the reports
      • You need to gain their trust in order to get influence
      • Have to take them along the way with the changes
    • Empathy
    • Influence
  • History at ANZ
    • First pipeline replace just one document
      • Explained to change managment team how the pipeline could replace the traditional plan
    • Rethink of Change Plan and Outcome Reports
      • Other teams needed these for confidence in the change
      • Found out what people actually cared about, found better ways to provide that information (confidence) it an automated way
    • Security Assessment
      • Traditionally required a big document filled in and signed off
      • Found that this was only required for “Significant” changes
      • Got a definition of what significant means so didn’t need to do this.
    • High Risk Change Records
      • Lots of paperwork for High Risk changes
      • Decided that these are not high risk changes so lots less work
      • Templated them so a lot easier to do

Charles Korn – Dockerised local build and testing environments made easy

  • Go Script – Single script that a consistence place in all you repos that does the basic function. install, help, run, deploy
  • batect – tool he wrote
    • dockerized dev environment plus a Go Script
  • Dev environment
    • Build env: code to an artifact
    • Testing Environments. Fake stuff, lots of different levels
  • Build Environment
    • Container with the build tools. Mount our code directory into this
    • Isolation brings consistency and repeatability. No more “works on my machine”
    • Clean container every single time we run a build
    • CI agents just need docker since teams will provide the container
    • Ease of Onboarding. Just get git and docker installed
    • Ease of change. Environment and tasks defined in yaml and versioned like everything else. New version downloaded. Kept in sync with actual code
  • Test Environments
    • You can run local tests
    • Consistently runs test on CI
    • Have to launch multiple containers for more complex tests, using built in docker definitions and health checks and networking
  • Path to Production
    • If deploying docker then can use same image
    • But works with stuff that isn’t deployed as docker too
  • What about docker compose?
    • Better performance
    • Model – tasks are a first class citizen – Doesn’t feel like you are fighting the too.
    • Better UI and developer experience. Updates managed automatically
    • Cleans up better after each run
    • It just works. Works with proxies better. Works with file permissions better.
  • How to get started?
    • start small, work incrementally
    • Start with the build enviroment
    • With the Test env work though one piece at a time.
    • Reuse components
    • Take advantage for other people’s images. Lots of mocks for cloud services.
    • Docker has library of health check scripts
    • Bunch of sample scripts for batect
  • github.com/charleskorn/batect

Share

Linux.conf.au 2019 – Friday – Lightning talks and Conference Close

Closing Stuff

  • Special Badge given out
  • Projects from Junior Group from Club Penguin
  • Rusty Wrench award to Joshua Hesketh

Lightning Talks

  • 3 minutes each
  • Martin Kraft
    • Digital trust and trust in the real world
    • In real world it is wired into our brains
    • Aunt’s Laptop. Has Trusted CAs, Debian.
    • Doesn’t know what lock on browser means
    • Imaging that trust is a competition that happens in real time, that takes interactions, mood, random stuff.
    • Maybe when you visit a good vs bad website the browser looks visably different
    • Machine Learning
  • Brimly Collings-Stone
    • Maori language not available on AAC outputs
    • Need a device that speaks Maori and represents Maori grammar accurately
  • Mathew Sherborn
    • RSI
    • Got it in the past, tried various keyboards
    • Type-Matrix but it broke
    • ErgoDox – open source keyboard
    • Mascot.com – Keyboard in batch orders
    • Like the ErgoDox-E – $500 but good – web app to program
    • Change the Dvorak keyboard with special keyboard
  • Emma Springkmeier
    • What do I do when it all goes wrong
    • Potentially stressful situations – phone calls, meetings.
    • eg last year’s lightning talk
    • What I do to cope
    • Talk to friends, explain how I feel to others, listening to calming music, breathing techniques ( 4s in, 4s hold, 4 out, 4 holding, repeat )
  • Karl Kitcher
    • Secretary of the NZ Open Source Society
    • Charity since 2008
    • Reducing in interest in the recent years
    • Open source is not so prevalent, people not really caring, trying to maintain the momentium
    • Open vs Fauxpem
    • nzoss.nz – signup to the mailing list
    • Various services to projects
  • Leon Wright
    • About Leon’s badge
    • Twitter bot hooked to hug detector in his badge
    • 2017 badge detects hugs
    • 2018 version 2 . So good twitter shadow banned his account
    • 2019 – Docker containers and other crazy stuff
  • Talia White
    • At LCA since 2018 – Was only 8. Now 12
    • Ordered a robot kit for ardiano
    • Made various projects
    • Don’t give up, struggled to start with coding, got better
  • Brenda Wallace
    • Works for the NZ Govt
    • Sometimes abigious
    • Going to publish for some legislation as python rules
    • rules.nz
    • eg Social welfare rules,
    • Unit tests
  • Paul Gunn Stephen
    • GDP per km of coastline
    • %coastline length for area
    • Means hard to get Tsunami warning systems
    • Cheaper
    • ETC Lali system approach
    • Every Village has a local warning system
    • Redundant system
  • E Dunham
    • You should speak at conferences
    • 54th talk in 5 years
    • Promotes your company
    • Intersection: What you know, what conference needs and what the attendees needs
    • Find conference want to attend
    • Write abstract
    • Submit a lot, get rejected a lot
    • Each reject is how you dodged a bullet
  • Charell
    • CVE-2019-3462
    • Bug in apt that allows injection of bad content
    • Why https
    • Attestation
    • apt-transport-https – enable
  • Jen Zajac
    • Project scaffolding eg Cookiecutter, yoeman
    • Lots of generating options
    • Creates templates for a project
  • Hugh Blemmings
    • Ardionu and Beagleboard
    • Cool but not high performance
    • A True open and HP computer
    • Open Hardware, Open software stack, no bin blobs, No unexpected software, No cost/perf penality
    • openpowerfoundation.org
  • Benno Rice
    • Cobol
    • Over 50 years old
    • Not used much
    • What Language is the new Cobol?
    • PHP is the new COBOL
    • Perl is the new COBOL
    • Python2 ?
    • Javascript ?
    • C ?
    • Y2K – Maybe the real Cobol is the maintenance we incurred along the way
    • Maybe you should support software before it bites you back

Closing Stuff

  • 652 people attended
  • 2.4TB transferred over the SSID
  • 3113 Coffee vouchers

Lots of sponsors and suppliers and staff thanked

Linux.conf.au 2020 is in …. Gold Coast

  • Linux.conf.au 21st birthday!
  • Gold Coast convention and Exhibition centre
  • 13 – 17th January 2020

Share

Linux.conf.au 2019 – Friday – Session 2

OpenLI: Lawful Intercept Without the Massive Price Tag
– Shane Alcock

Shane Alcock
  • Police get Warrent to ISP
  • ISP Obligations
    • Can’t tip off person being intercepted
    • Both current and past intercepts must be private
    • Can’t accept other people’s communications
    • Must accept all communications
  • NZ Lawful Intercept
    • All Providers with more than 4000 customers must be LI capable
    • Must be streamed live
    • TCP/IP over tunnel
    • Higher level agencies have extra requirements
    • 2 seperate handovers – IRI metadata for calls, IP sessions. CC= data packets
  • Open LI
    • $10,000s – $100,000s costs to impliment and license from vendors
    • WAND had some experise in packet collection
    • Known my NZ Network Operator community
    • Voluntary contributions from NZ Network Operators
    • $10k+ each
    • Buys 50% of my time to work on it for a year.
    • Avoiding Free Rider problem
      • Early access for supporters
      • Dev assistence with deployment
      • Priority support for bugs and features
  • Building Blocks
    • Developed and tested on Debian
    • Should work on other Linux flavours
    • Written in C – fast and likes writing C
    • Use libtrace from WAND
    • Data Plane Develop Kit
  • Provisioner
    • Interface for operators
    • Not very busy
  • Collector
    • Comms from Provisioner
    • Intercept instructions
    • Recommended run on bare-metal
    • 1RU Server with 10G interface with DPDK support
    • Supports multiple collectors
  • Mediator
    • Gets data from Collector
    • Forwards to Agency based on instructions from Provisioner
  • Target Identification
    • Nothing on the packets linked to target user
    • People get dynamic IPs, can change
    • For VOIP calls need to know RDP port
    • SIP for VIP , Radius to IP to ID the user’s IPs/Ports
    • Deriving caller identities from SIP packets can be tricky. Other headers can be used, depends on various factors
  • Performance Matters
    • 1Gb/s plans are available to residential customers
    • ISP may have multiple customers being intercepted. Collector must not drop packets
    • Aim to support multiple Gb/s of data
    • libtrace lets use spread load across multiple interfaces, cpus etc
    • But packets now be in multiple threads
    • Lots of threads to keep things all in sync
  • Status
  • Future
    • Build user-driver community around the software
  • Questions
    • Can it handle a hotel? – maybe
    • ISPs or police contributing? – Not yet
    • What have people been doing so far? – They have been gettign away with saying they will use this
    • What about bad guys using? – This probably doesn’t give them any more functionality
    • Larger Operators? – Gone with Vendor Solutions
    • Overseas Interest? – One from Khazakstan , but targetted at small operators
    • Why not Rust, worry about parsing data – Didn’t have time to learn Rust

But Mummy I don’t want to use CUDA – Open source GPU compute
Dave Airlie

Dave Airlie
  • Use Cases
    • AI/ML – Tensorflow
    • HPC – On big supercomputers
    • Scientific – Big datasets, maybe not on big clusters
  • What APIs Exist
    • CUDA
      • NVIDIA defined
      • Closed Source
      • C++ Based single source
      • Lots of support libraries ( BLAS, CiDNN ) from NVIDIA
    • API – HIP
      • AMD Defined
      • Sourcecode released on github
      • C++ based single source
    • OPenCL
      • Khronos Standard
      • Open and Closed implimentations
      • 1.2 v 2.0
      • OpenCL C/C++ Not single source (GPU and CPU code separate)
      • Online vs offline compilation (Online means final compilation at run time)
      • SPIR-V kernel
    • SYCL
      • Khronos Standard
      • C++ Single source
      • CPU Launch via OpenMP
      • GPU launch via OpenCL
      • Closed (codeplay) vs Open(triSYS)
      • Opening of implementation in Progress (from Intel – Jan 2019)
    • Others
      • C++AMP – MS
      • OPenMP – Gettign better for GPUs
      • OpenACC
      • Vulkan Compute
        • Low level submission API
        • Maybe
    • Future
      • C++ standard
      • C++ ISO standards body, ongoing input from everybody
      • Implementations must be tested
      • Still needs execution environment
  • Components of GPU stack
    • Source -> Compiler
    • Output of GPU and CPU code
  • IR
    • Intermediate representation
    • Between source and final binary
    • NVIDIA PTX – liek assemble
  • OpenCL Stacks
    • Vendor Specific
    • LLVM Forks
  • Open Source
    • Development vs Release Model
    • Vendors don’t want to support ports to competitors hardware
    • Distro challenges
      • No idea on future directions
      • Large bodies of code
      • Very little common code
      • Forked llvm/clang everywhere in code
  • Proposed Stack
    • Needs reference implementation
    • vendor neutral, runs on multiple vendors
    • Shared Code based (eg one copy of clang, llvm)
    • Standards based
    • Common API for runtime
    • Common IR as much as possible
    • Common Tooling – eg single debugger
    • SPIR-V in executable -> NIR -> HW Finaliser
    • Maybe Intel’s implementation will do this
  • Questions
    • Vulkan on top of Metal/Molten ? – Don’t know
    • Lots of other questions I didn’t understand enough to write

Share

Linux.conf.au 2019 – Friday – Session 1

Preventing the IoT Dystopia with Copyleft- Bradley M. Kuhn

Bradley M. Kuhn
  • The S in IoT stands for Security
  • Many stories of people hacking into baby monitors and home cameras
  • IoT Devices often phone home to manufactorers website in order that you can access then remotely. “I suppose there are Chinese hackers watching my Dogs all day, I hope they will call me if they need water etc”
  • Open source people have historically worked to get around problems like this.
  • 1992 – If you wanted Linux, you downloaded the software onto floppies and installed it yourself. And Often had to work hard to make it work.
  • Today only a small percentage of laptops sold have Linux on it.
  • But Linux is commonly installed on IoT devices – 90% odd
  • But
    • No [easy] way to reinstall it yourself
    • Much worse than laptops
    • GPL includes “The scripts used to control the compilation and install of the executable”
    • “Freedom to Study” is not enough
  • Linksys Wifi router
    • OpenWRT Project
    • Release forced from Linksys and Cisco
    • “Source as received from Linksys from GPL enforcement”
    • Is OpenWRT a Unicorn
      • Few projects with serious alternative firmware project
    • Still sold new after 20 years
  • BusyBox Lawsuits
    • Before IoT was even a term
    • At least one model of Samsung TV -> samygo.tv
    • “Baffles me as to why do the manufactorers want us to buy more hardware”
  • Linux focuses to much on big corp users and ignores hobbyist users
    • Kernel peopel only care about the .c files. Don’t care about the install scripts etc.
    • People at top of Linux now got their start hacking on the devices in front of them.
    • The next generation of developers will be those hackers not from IBM and other big companies
    • You didn’t need anything but a computer and an internet connection to become and upstream developer in those days. This is becoming less true.
    • If the only thing you can install Linux on is a rackmount server, a cloud server or maybe a laptop and none of the IoT devices around you then things don’t look good….
  • Linux was successful because users could install it on their own devices
  • Linux won’t remain the most important GPL program if users can’t install their modifications. Tinkering is what makes Free software great.
  • Upstream matters of course, but downstream matters more.
    • There may be 1000s of Linux developers
    • Put 2 billion people have Linux on their phone – Which is locked down and they can’t reinstall
  • We don’t need a revolution to liberate IoT devices
    • because the words are already there in the GPL
    • We just have to take up our rights
  • What you can do.
    • Request Linux sources on every device you own – Companies have figured out people almost never ask
    • Try to build and install them. If you can’t ask a friend or ask Conservancy for help
    • If it doesn’t build/install it is a GPL violation, report it Conservancy
    • Step up as a leader of a project devices that matter to you.
  • Why this will work
    • The problem seems insurmountable now, only because we have been led astray
    • First and absolutely necessary step towards privacy and scurity on those devices
    • When the user controls the OS again, the balance of power can be restored
  • Questions
    • Best way to ask for source code? Try email, the manual should say.
    • How to get the new code on the device? Needs some push onto industry
    • What if writing requires expensive equipment? Fairly rare, many devices allow over-the-air upgrades, we should be able to go the same way.
    • Is there a list of compliant devices? – Proposed in past. Want to go softly at first in many cases
    • Am I exposed to liability if I modify and distribute code I receive? – Almost certainly note, contact Conservatory if you are threatened.

Web Security 2019 – James Bromberger

James Bromberger
  • History of browser
    • No images
    • Images
    • Netscape with crappy ‘International Security”
    • https takeup is growing
    • Chrome is hitting 60-70%
    • 82% of browser are “modern”, crossover of chrome users to new version is about 3 months.
  • PCI
    • Remove early TLS in mid 2018
    • TLS 1.1 and higher allowed
  • The legacy browser has gone in the real world
    • Some envs still behind, but moving ahead
  • What can we do with as little changes as possible?
  • 0. Don’t use http, use https
    • Use letsencrypt
    • Stds reducing max length of certs from 5 years
  • 1. TLS protocols
    • 7 versions out there (old ones SSL).
    • Most over 10+ years old
    • Only 6 in the wild
    • 3 not-known to be comprimised ( 1.1 1.2 1.3 )
    • Very few clients only support 1.1 and not 1.2 (small gap in 2006-2008 ). IE supports 1.2. So maybe disable 1.1
    • Log the protocol being used so you have data on your users
    • OTOH not much supports 1.3 yet
    • Use 1.2 and 1.3
    • Turn off on the Browsers to
    • Looks at which libraries you are using in code that makes https connections
  • 2. Cypher Suite Optimisation
    • New EC certs for key exchange
    • New certs getting changed to ECDSA
    • AES is standard for bulk encryption. GCM mode is best although windows 9 can’t do (Upgrade to 10!)
    • MAC/Cehecksum – remove MD5, SHA1, remove SHA2-256+ , New ones coming
  • Security Header
    • Content-Security-Policy
    • Referer-Policy – Usually locked down
    • Feature-Policy – lots of stuff
    • ” X-Content-Type-Options: no-sniff ” – don’t guess content type
  • 4. CAA
    • Around 200 Cert Authorities
    • Authorized record type (CAA record) lists what CAs are allowed to issue certs for you.
    • DNS Sec is useful – But during US Govt shutdown DNS keys are expring
  • 5. Sub Resource Integrity
    • Scripts included by html
    • Can include checksums in html calling to varify
  • 6. Cookies
    • Secure – httpsonly
    • “SameSite=Strict” – Reduces cross site request forgery
  • 7. Http2
    • Binary wire protocol
    • Apache 2.4 on debian
    • Forces better protocols
  • 8. Lots more
    • New compression algorithms
    • Network error logs
Share

Linux.conf.au 2019 – Friday – Keynote: A linux.conf.au Story – Rusty Russell

Rusty Russell
  • Bitcoin Billionare
  • 1992
    • The days of SunOS
    • Read the GNU Manafesto
  • 1995
    • Using GPP compiler at work
    • First patch accepted on November 1995
  • 1997
    • USENIX Conference in california
    • UseLinux – Had a track for Linux
    • Hung around a bunch of top guys in Linux talked about added SMP to Linux
    • Talk on porting Linux to Sparc by David Miller & Miguel de Icaza. Going into improvements and showing how Linux port to sparc bet Solaris in the Lmbench benchmarks on same hardware.
    • Relaized lived in a world where students could create and port OS that bet the original OS from the vendor
  • 1997 – 1998
    • Wrote (with another guy) and got ipchains added to Linux
    • “I woke up one morning and I was kernel firewall maintainer”
    • Got job people paid to work on Linux firewall code
  • 1998
    • Decided needed an Australian Linux conference
    • Oct-Nov visited a bunch of LUGS to invite people and find person to collect money.
    • People not sure what they wanted to go to a Linux conference ( $380 bucks)
    • Invited John Maddog Hall
    • Created and ran a slashdot ad
    • Created card got into $14k negative
    • Last session of the 3rd day, reran the 3 best talks
  • Three stories from 1998
    • Tutorial Books for each of the tutorials- Couldn’t get photocopies from commercial facility, so had to make 400 copies of books via 4 coin operated photocopiers
    • Tridge bought up a triple-CD burner. People ran it in relays
    • Somebody said. “I can’t believe you don’t have conference tshirts”. He bought white tshirts, got them screen printed and sold them.
  • End of conference Tridge organised a gift from the Speakers to Rusty. Pewter Beer mug
  • Linux.conf.au after 1999
    • 2001 scheduled 3 talks from Rusty. At the same time
    • Met Tridge at LCA – Moved to Canberra they did AusLabs
  • How Great Projects
    • Smart and Capable enough to complete them
    • They are Dumb enough to try
    • When somebody tells you about a project?
      • That sounds Great, Tell me more
      • What can I do to help
    • Enable people’s enthusiasms
    • Collaboration is a super Power
    • Get along with people is a skill
    • “Constructive absenteeism”
  • Headwinds to collaboration
    • Signs are welcoming to some people
    • Other people get signs that they are not so welcoming
    • Good are seeing them when they are aimed at them, not so good are even seeing they exist when they are not aimed at them.

Share