2020 – Tuesday – Session 3 – Container Miniconf

Unsafe Defaults: Deploying Kubernetes Safer(ish) – James

Overview of Kubernetes

  • A compromised container is very close to being a compromised host
  • While you shouldn’t curl|bash the attacker can do it to get the latest exploits.

Three Quick things for some easy wins

  • The Kubernetes API is completely open from localhost. This is no longer required but old clusters and some upgraded clusters may still have it.
  • Put a Valid certificate on the cluster or at least one you can keep track of.
  • Get rid of unauthenticated user roles as much as possible.
  • Check you don’t still have “forever tokens”
  • A Good idea not to give service tokens to most pods.
    automountServiceAccountToken: false


  • Keep an eye on
  • New
  • You need good RBAC
  • Have a look at k-rail


  • Can turn on authentication
  • Can turn on TLS between peers and clients
  • Can encrypt on disk
  • Can restrict it with a firewall

Every Image Has A Purpose by Allen Shone

Docker Images

  • What are they anyway
  • A base definition to prepare a filesystem for execution as a container
  • Caching mechanism
  • Reproduceable
  • Great way to share runtime circumstances
  • A comprehensive environment structure


  • image is a series of layers
  • Minimizing layers makes things better
  • Structure the image build process to get the best set of images

Basic Uses

  • Use the most appropriate image
  • A small fix can add up

Images in Production / Customers facing envs

  • When deploying containers, be precise as possible.
  • The image should be ready to go without further work
  • Keep image and small and simple as possible
  • “FROM: golang:alpine” in testing
  • “FROM: scratch” in production
  • Two images but they serve different purposes


  • Possible to use the same image as previously
  • Bring in some extra debug tools etc, mocks for other services

Trimming the final image to be very specific

  • Start with the production image and add extra layers of stuff

Deployed Considerations

  • Some things only come into consideration once they are deployed
  • Instead of creating a big general container, create two containers in a pod that share a file system
  • Configuration should be injeted, as an env-specific setup
  • Images should be agnostic


  • Look at using the .dockerignore file
  • Use image scannign tools ( Diive and Clair)
  • A little preparation up front can prevent a lot of headache later
Share 2020 – Tuesday – Session 2 – Security, Identity, Privacy Miniconf

Privacy and Transparency in the VPN industry by Ruben Rubio Rey

We are at an “Oh Noe!” Moment in the VPN Industry

VPN Advantages

  • Protect your privacy
  • Bypass Geo-Restrictions
  • Beat Censorship
  • Save money on Hotels and Flights
  • Download torrents anonymously
  • Bypass ISP speed regulations
  • Secures Public WIFI

What Can be intercepted?
– Without Encryption: Any Data
– With Encryption: IP and Port

But HTTPS only works of client and server configured correctly
Client: Rough root certificate
Servers: CORS, insecure SSL version

Protect Your Privacy

  • Many Countries Systematicly collecting data about citizens
  • ISP collect data, must keep for two years and accessabil to agencies
  • USA ISP’s can sell information
  • Others Countries tried to put in MITM Certs

So Private companies have incentives to protect my data?

The Reality of Private VPN providers

  • Several examples of collecting Data
  • Several examples of them releasing data to agencies
  • Random security and implementation problems
  • Exaggerations in sales pitches
  • Installs Rouge Roots Cert on user machine

Conflict of Interest, what is a business model of the providers?


  • 59% of Free VPNs in play store had hidden Chinese ownership
  • 86% had privacy policy flaw
  • 85% asked for excessive permissions

Are VPN Companies Needed?

People with non-technical skills need an option

How to Improve the VPN Market?

  • Privacy and Transparency go hand and hand
  • Open Source Provides Transparency
  • End to End open source VPN Company

Install you own VPN

Algo and Streisand

Create your own VPN Company using the base for “The VPN Company”

Authentication Afterlife: the dark side of making lost password recovery harder by Ewen McNeill

Twitter Account “badthingsdaily” . Fictional Scenarios that might happen to security people. Inspired this talk.

Scenario 1

  • A Big fire took out your main computer
  • You done have the computer and you don’t know all your passwords

Recovery Traditional

  • You get email somewhere else. On your phone
  • Click on Forgot my password
  • Repeat until all accoutns recoveryed

Scenario 2

  • You need to login to your account on a new device
  • All account secured with 2FA
  • Your 2FA isn’t working


  • Recovery Tokens
  • Alternative 2FA Solution

Scenario 3

  • Your bad was stolen
  • It had computer, phone and 2FA
  • Can bad guy impersonate you?
  • Can you recovery faster than the other guy (or at all?)


  • Does you 2FA pop up on your lock screen?
  • So anybody with your computer is able to get this?
  • Race to reset passwords and invalidate your login tokens
  • Maybe you remember your passwords but not you 2FA
  • Recovery questions “Mother’s maiden name”
  • Can be easy to discover, but if it is something random then you have to be able to find it (ie on the password store you just lost)

Multiple alternate authentication methods

  • Primary you use every day
  • One or more backups

If resetting your password every time is easier than remembering your password people will do that.

Attackers will use the easiest authentication method. Eg Contacting the Helpdesk or going into a bank branch office.

But if recovery is too hard you can end up losing access to your account permanently

Recommend: GitHub’s 2FA recovery guide

Scenario 4

You startups founder has left. He has wipped out all his computer. Now your Cloudprovider is threatening to lock you out unless you authenticate using 2FA

  • Hopefully in the password store
  • Or perhaps they no longer work
  • Contact Helpdesk, Account Manager, Lawyer, Social Media (usually the bigger you are and the more you pay the better you chance)
  • Sore everything centrally. How do you audit that? , regularly?

Scenario 5

A relative dies. You first step is to login to all their accounts work out what should be kept.

This will take months not years. Sometimes you will only find out the account exists when they email you that your account is about to expire.

Personal Observations

  • You will not have access to their cellphone
  • or probably not past the lock screen
  • Anything they told you that was obvious you will forget
  • You will not have access to the password store
  • You may have access to saved passwords in browser
  • Maybe you need to optimise for family can access stuff not complete lockdown.
  • Physical notebook with passwords
  • Consider in advance how you will recover if your 2FA device breaks
  • How will you convince a helpdesk person that you are you?

Personal Mitigations

  • Kawaiicon 2019 ” How can I help you” Talk by Laura Bell

You Shall Not Pass by Peter Burnett

Moodle is an open souce Learning Management System.

  • Legacy System
  • First developed in 1997
  • Open Sourced in 2001
  • New Code is good quality, older stuff not as much

Efforts to improve password policy

  • Password policy was a bit antiquated
  • Best policies come from NIST, 2018 version is good.
  • Don’t force a pattern, Check for compromised passwords, Check for dictionary based and identifying passwords
  • Look at the “Have I been Pwned” API – takes first 5 characters of the sha of the password.
  • Dictionary checks – Top 10,000 English words might be enough
  • Indentifying information – Birthdays, names, cities are things to watch for. Name of the company.

Released as an open source plugin for Moodle

A look at the Authentication Flow

  • Natively supported LDAP etc.
  • Lots of extra plugins impliment other methods
  • Had to put MFA in when people using plugins. Difficult to mix
  • Added extra hook on “account related” actions, they would check for MFA etc.
  • Required a bit of work to get merged in.

Implementing MFA

  • MFA is a superset of 2FA implimentations
  • Had to do extensible platform
  • Traditional: TOTP, Email
  • Non-Traditional: IP verification, Authentication type (might already have MFA)
  • Design considerations – Keep secure but impact people as little as possible.
  • Different users: Not required, Optional, Forced Upon . So built in the ability for a range of use across platform.
  • Learnings
    • Anything can be used as a factor
    • delicate balance between secure and usable
    • When designing, paranoid is the right mindset
    • Give the least information possible to allow a legit user to authenticate
    • What can the attacker do if this factor is compromised?

Final Thoughts

  • Long way to go
  • Security is a shifting goalpost
  • Keep on top of new developments
Share 2020 – Tuesday – Session 1 – Security, Identity, Privacy Miniconf

Facebook, Dynamite, Uber, Bombs, and You – Lana Brindley

  • Herman Hollerith
    • Created the punch card, introduced for the 1890 US Census
    • Hollerith leased companies to other people
  • Hollerith machines and infrastructure used by many Census in Europe.
    • Countries with better census infrastructure using Hollerith machines tended to use have higher deather rate in The Holocaust
  • Alfred Nobel
    • Invented Dynamite and ran weapons company
  • Otto Hahn
    • Invented Nuclear Fission
  • Eugenics
    • 33 US states have sterilization programmes in place
    • 65,000 Americans sterilized as part of programmes
    • WHO was created as a result.
  • Thalidomide
    • Over-the-counter morning sickness treatment
    • Caused birth defeats
    • FDA strengthened

Unintended consequences of technology, result was stronger regulation

Volkswagen emission and Uber created Greyball
– Volkswagen engineers went to jail, Uber engineers didn’t

Here are some IT innovations that didn’t lead to real change

  • Medical Devices
    • Therac-25 was a 1980s machine used for treating cancer with radiation
    • Control software had race condition that gave people huge radiation overloads
  • Drive by Wire for Cars
    • Luxus ES350 sudden acceleration
    • Toyota replaced floor mats, not software
    • Car accelerator stuck at full speed and brakes not working
    • No single cause ever identified
  • Deep Fake Videos
  • Killer Robots
    • South Korean Universities came under pressure to stop research, said they had stopped but not confirmed.
  • Chinese Surveillance
    • Checkpoints all though the city, average citizen goes though them many times per day and have phoned scanned, other checks.
    • Cameras with facial recognition everywhere
  • Western Surveillance – Palantir and other companies installing elsewhere
  • Boeing Software – 373 Max

Bad technology should have consequences and until it does people have to avoid things themselves as much as possible and put pressure on governments and companies

The Internet: Protecting Our Democratic Lifeline by Brett Sheffield

Lost of ways technology can protect us (Tor etc) and at the same time plenty of ways technology works against our prevacy.

The UN Declaration of Human Rights
Australia is the only major country without a bill of rights.

Ways to contribute
– They Work for you type websites
– Protesting
– Whistleblowers

Democracy Under Threat
– Governments blocking the Internet
– Police harrass journalists (AFC raids ABC in Aus)
– Censorship

Large Companies
– Gather huge amounts of information
– Aim for personalisation and monotisation
– Leads to centralisation

Rebuilding the Internet with Multicast
– Scalable
– Happens at the network layer
– Needs to be enabled on all routers in each hop
– Currently off by default

– Aims to get multicast in the hands of developers
– Tunnels though non-multicast enabled devices
– Messaging Library
– Transitional tunneling
– Improved routing protocol
– Try to enable in other FOSS projects
– Ensure new standards ( WebRTC, QUIC) support multicast

Share 2020 – Tuesday – KeyNote: Sean Brady

Keynote: Drop Your Tools – Does Expertise have a Dark Side? by Dr Sean Brady

Harford Convention Center

Engineers ignored warnings of problems, kept saying calculations were good. Structure collasped under light snow load

People are involved with engineering, therefore it is a people problem

What it possessing expertise has a dark side? Danger isn’t ignnorance it is the illusion of knowledge.

Mann Gulch fire

Why did the firefighters not drop their tools?
Why did they not get in the Escape Fire?

Priming – You get information that primes you to think a certain way.

What if Expertise priming somebody?
– Baseball experts primed to go down the wrong path, couldn’t even stop when explicitly told about the trick.

Firefighters explicitly trained that they are faster runners with tools.

Creative Desperation – Mentally drop your existing tools.

Share 2019 – Friday – Lightning talks and Conference Close

Closing Stuff

  • Special Badge given out
  • Projects from Junior Group from Club Penguin
  • Rusty Wrench award to Joshua Hesketh

Lightning Talks

  • 3 minutes each
  • Martin Kraft
    • Digital trust and trust in the real world
    • In real world it is wired into our brains
    • Aunt’s Laptop. Has Trusted CAs, Debian.
    • Doesn’t know what lock on browser means
    • Imaging that trust is a competition that happens in real time, that takes interactions, mood, random stuff.
    • Maybe when you visit a good vs bad website the browser looks visably different
    • Machine Learning
  • Brimly Collings-Stone
    • Maori language not available on AAC outputs
    • Need a device that speaks Maori and represents Maori grammar accurately
  • Mathew Sherborn
    • RSI
    • Got it in the past, tried various keyboards
    • Type-Matrix but it broke
    • ErgoDox – open source keyboard
    • – Keyboard in batch orders
    • Like the ErgoDox-E – $500 but good – web app to program
    • Change the Dvorak keyboard with special keyboard
  • Emma Springkmeier
    • What do I do when it all goes wrong
    • Potentially stressful situations – phone calls, meetings.
    • eg last year’s lightning talk
    • What I do to cope
    • Talk to friends, explain how I feel to others, listening to calming music, breathing techniques ( 4s in, 4s hold, 4 out, 4 holding, repeat )
  • Karl Kitcher
    • Secretary of the NZ Open Source Society
    • Charity since 2008
    • Reducing in interest in the recent years
    • Open source is not so prevalent, people not really caring, trying to maintain the momentium
    • Open vs Fauxpem
    • – signup to the mailing list
    • Various services to projects
  • Leon Wright
    • About Leon’s badge
    • Twitter bot hooked to hug detector in his badge
    • 2017 badge detects hugs
    • 2018 version 2 . So good twitter shadow banned his account
    • 2019 – Docker containers and other crazy stuff
  • Talia White
    • At LCA since 2018 – Was only 8. Now 12
    • Ordered a robot kit for ardiano
    • Made various projects
    • Don’t give up, struggled to start with coding, got better
  • Brenda Wallace
    • Works for the NZ Govt
    • Sometimes abigious
    • Going to publish for some legislation as python rules
    • eg Social welfare rules,
    • Unit tests
  • Paul Gunn Stephen
    • GDP per km of coastline
    • %coastline length for area
    • Means hard to get Tsunami warning systems
    • Cheaper
    • ETC Lali system approach
    • Every Village has a local warning system
    • Redundant system
  • E Dunham
    • You should speak at conferences
    • 54th talk in 5 years
    • Promotes your company
    • Intersection: What you know, what conference needs and what the attendees needs
    • Find conference want to attend
    • Write abstract
    • Submit a lot, get rejected a lot
    • Each reject is how you dodged a bullet
  • Charell
    • CVE-2019-3462
    • Bug in apt that allows injection of bad content
    • Why https
    • Attestation
    • apt-transport-https – enable
  • Jen Zajac
    • Project scaffolding eg Cookiecutter, yoeman
    • Lots of generating options
    • Creates templates for a project
  • Hugh Blemmings
    • Ardionu and Beagleboard
    • Cool but not high performance
    • A True open and HP computer
    • Open Hardware, Open software stack, no bin blobs, No unexpected software, No cost/perf penality
  • Benno Rice
    • Cobol
    • Over 50 years old
    • Not used much
    • What Language is the new Cobol?
    • PHP is the new COBOL
    • Perl is the new COBOL
    • Python2 ?
    • Javascript ?
    • C ?
    • Y2K – Maybe the real Cobol is the maintenance we incurred along the way
    • Maybe you should support software before it bites you back

Closing Stuff

  • 652 people attended
  • 2.4TB transferred over the SSID
  • 3113 Coffee vouchers

Lots of sponsors and suppliers and staff thanked 2020 is in …. Gold Coast

  • 21st birthday!
  • Gold Coast convention and Exhibition centre
  • 13 – 17th January 2020

Share 2019 – Friday – Session 2

OpenLI: Lawful Intercept Without the Massive Price Tag
– Shane Alcock

Shane Alcock
  • Police get Warrent to ISP
  • ISP Obligations
    • Can’t tip off person being intercepted
    • Both current and past intercepts must be private
    • Can’t accept other people’s communications
    • Must accept all communications
  • NZ Lawful Intercept
    • All Providers with more than 4000 customers must be LI capable
    • Must be streamed live
    • TCP/IP over tunnel
    • Higher level agencies have extra requirements
    • 2 seperate handovers – IRI metadata for calls, IP sessions. CC= data packets
  • Open LI
    • $10,000s – $100,000s costs to impliment and license from vendors
    • WAND had some experise in packet collection
    • Known my NZ Network Operator community
    • Voluntary contributions from NZ Network Operators
    • $10k+ each
    • Buys 50% of my time to work on it for a year.
    • Avoiding Free Rider problem
      • Early access for supporters
      • Dev assistence with deployment
      • Priority support for bugs and features
  • Building Blocks
    • Developed and tested on Debian
    • Should work on other Linux flavours
    • Written in C – fast and likes writing C
    • Use libtrace from WAND
    • Data Plane Develop Kit
  • Provisioner
    • Interface for operators
    • Not very busy
  • Collector
    • Comms from Provisioner
    • Intercept instructions
    • Recommended run on bare-metal
    • 1RU Server with 10G interface with DPDK support
    • Supports multiple collectors
  • Mediator
    • Gets data from Collector
    • Forwards to Agency based on instructions from Provisioner
  • Target Identification
    • Nothing on the packets linked to target user
    • People get dynamic IPs, can change
    • For VOIP calls need to know RDP port
    • SIP for VIP , Radius to IP to ID the user’s IPs/Ports
    • Deriving caller identities from SIP packets can be tricky. Other headers can be used, depends on various factors
  • Performance Matters
    • 1Gb/s plans are available to residential customers
    • ISP may have multiple customers being intercepted. Collector must not drop packets
    • Aim to support multiple Gb/s of data
    • libtrace lets use spread load across multiple interfaces, cpus etc
    • But packets now be in multiple threads
    • Lots of threads to keep things all in sync
  • Status
  • Future
    • Build user-driver community around the software
  • Questions
    • Can it handle a hotel? – maybe
    • ISPs or police contributing? – Not yet
    • What have people been doing so far? – They have been gettign away with saying they will use this
    • What about bad guys using? – This probably doesn’t give them any more functionality
    • Larger Operators? – Gone with Vendor Solutions
    • Overseas Interest? – One from Khazakstan , but targetted at small operators
    • Why not Rust, worry about parsing data – Didn’t have time to learn Rust

But Mummy I don’t want to use CUDA – Open source GPU compute
Dave Airlie

Dave Airlie
  • Use Cases
    • AI/ML – Tensorflow
    • HPC – On big supercomputers
    • Scientific – Big datasets, maybe not on big clusters
  • What APIs Exist
    • CUDA
      • NVIDIA defined
      • Closed Source
      • C++ Based single source
      • Lots of support libraries ( BLAS, CiDNN ) from NVIDIA
    • API – HIP
      • AMD Defined
      • Sourcecode released on github
      • C++ based single source
    • OPenCL
      • Khronos Standard
      • Open and Closed implimentations
      • 1.2 v 2.0
      • OpenCL C/C++ Not single source (GPU and CPU code separate)
      • Online vs offline compilation (Online means final compilation at run time)
      • SPIR-V kernel
    • SYCL
      • Khronos Standard
      • C++ Single source
      • CPU Launch via OpenMP
      • GPU launch via OpenCL
      • Closed (codeplay) vs Open(triSYS)
      • Opening of implementation in Progress (from Intel – Jan 2019)
    • Others
      • C++AMP – MS
      • OPenMP – Gettign better for GPUs
      • OpenACC
      • Vulkan Compute
        • Low level submission API
        • Maybe
    • Future
      • C++ standard
      • C++ ISO standards body, ongoing input from everybody
      • Implementations must be tested
      • Still needs execution environment
  • Components of GPU stack
    • Source -> Compiler
    • Output of GPU and CPU code
  • IR
    • Intermediate representation
    • Between source and final binary
    • NVIDIA PTX – liek assemble
  • OpenCL Stacks
    • Vendor Specific
    • LLVM Forks
  • Open Source
    • Development vs Release Model
    • Vendors don’t want to support ports to competitors hardware
    • Distro challenges
      • No idea on future directions
      • Large bodies of code
      • Very little common code
      • Forked llvm/clang everywhere in code
  • Proposed Stack
    • Needs reference implementation
    • vendor neutral, runs on multiple vendors
    • Shared Code based (eg one copy of clang, llvm)
    • Standards based
    • Common API for runtime
    • Common IR as much as possible
    • Common Tooling – eg single debugger
    • SPIR-V in executable -> NIR -> HW Finaliser
    • Maybe Intel’s implementation will do this
  • Questions
    • Vulkan on top of Metal/Molten ? – Don’t know
    • Lots of other questions I didn’t understand enough to write

Share 2019 – Friday – Session 1

Preventing the IoT Dystopia with Copyleft- Bradley M. Kuhn

Bradley M. Kuhn
  • The S in IoT stands for Security
  • Many stories of people hacking into baby monitors and home cameras
  • IoT Devices often phone home to manufactorers website in order that you can access then remotely. “I suppose there are Chinese hackers watching my Dogs all day, I hope they will call me if they need water etc”
  • Open source people have historically worked to get around problems like this.
  • 1992 – If you wanted Linux, you downloaded the software onto floppies and installed it yourself. And Often had to work hard to make it work.
  • Today only a small percentage of laptops sold have Linux on it.
  • But Linux is commonly installed on IoT devices – 90% odd
  • But
    • No [easy] way to reinstall it yourself
    • Much worse than laptops
    • GPL includes “The scripts used to control the compilation and install of the executable”
    • “Freedom to Study” is not enough
  • Linksys Wifi router
    • OpenWRT Project
    • Release forced from Linksys and Cisco
    • “Source as received from Linksys from GPL enforcement”
    • Is OpenWRT a Unicorn
      • Few projects with serious alternative firmware project
    • Still sold new after 20 years
  • BusyBox Lawsuits
    • Before IoT was even a term
    • At least one model of Samsung TV ->
    • “Baffles me as to why do the manufactorers want us to buy more hardware”
  • Linux focuses to much on big corp users and ignores hobbyist users
    • Kernel peopel only care about the .c files. Don’t care about the install scripts etc.
    • People at top of Linux now got their start hacking on the devices in front of them.
    • The next generation of developers will be those hackers not from IBM and other big companies
    • You didn’t need anything but a computer and an internet connection to become and upstream developer in those days. This is becoming less true.
    • If the only thing you can install Linux on is a rackmount server, a cloud server or maybe a laptop and none of the IoT devices around you then things don’t look good….
  • Linux was successful because users could install it on their own devices
  • Linux won’t remain the most important GPL program if users can’t install their modifications. Tinkering is what makes Free software great.
  • Upstream matters of course, but downstream matters more.
    • There may be 1000s of Linux developers
    • Put 2 billion people have Linux on their phone – Which is locked down and they can’t reinstall
  • We don’t need a revolution to liberate IoT devices
    • because the words are already there in the GPL
    • We just have to take up our rights
  • What you can do.
    • Request Linux sources on every device you own – Companies have figured out people almost never ask
    • Try to build and install them. If you can’t ask a friend or ask Conservancy for help
    • If it doesn’t build/install it is a GPL violation, report it Conservancy
    • Step up as a leader of a project devices that matter to you.
  • Why this will work
    • The problem seems insurmountable now, only because we have been led astray
    • First and absolutely necessary step towards privacy and scurity on those devices
    • When the user controls the OS again, the balance of power can be restored
  • Questions
    • Best way to ask for source code? Try email, the manual should say.
    • How to get the new code on the device? Needs some push onto industry
    • What if writing requires expensive equipment? Fairly rare, many devices allow over-the-air upgrades, we should be able to go the same way.
    • Is there a list of compliant devices? – Proposed in past. Want to go softly at first in many cases
    • Am I exposed to liability if I modify and distribute code I receive? – Almost certainly note, contact Conservatory if you are threatened.

Web Security 2019 – James Bromberger

James Bromberger
  • History of browser
    • No images
    • Images
    • Netscape with crappy ‘International Security”
    • https takeup is growing
    • Chrome is hitting 60-70%
    • 82% of browser are “modern”, crossover of chrome users to new version is about 3 months.
  • PCI
    • Remove early TLS in mid 2018
    • TLS 1.1 and higher allowed
  • The legacy browser has gone in the real world
    • Some envs still behind, but moving ahead
  • What can we do with as little changes as possible?
  • 0. Don’t use http, use https
    • Use letsencrypt
    • Stds reducing max length of certs from 5 years
  • 1. TLS protocols
    • 7 versions out there (old ones SSL).
    • Most over 10+ years old
    • Only 6 in the wild
    • 3 not-known to be comprimised ( 1.1 1.2 1.3 )
    • Very few clients only support 1.1 and not 1.2 (small gap in 2006-2008 ). IE supports 1.2. So maybe disable 1.1
    • Log the protocol being used so you have data on your users
    • OTOH not much supports 1.3 yet
    • Use 1.2 and 1.3
    • Turn off on the Browsers to
    • Looks at which libraries you are using in code that makes https connections
  • 2. Cypher Suite Optimisation
    • New EC certs for key exchange
    • New certs getting changed to ECDSA
    • AES is standard for bulk encryption. GCM mode is best although windows 9 can’t do (Upgrade to 10!)
    • MAC/Cehecksum – remove MD5, SHA1, remove SHA2-256+ , New ones coming
  • Security Header
    • Content-Security-Policy
    • Referer-Policy – Usually locked down
    • Feature-Policy – lots of stuff
    • ” X-Content-Type-Options: no-sniff ” – don’t guess content type
  • 4. CAA
    • Around 200 Cert Authorities
    • Authorized record type (CAA record) lists what CAs are allowed to issue certs for you.
    • DNS Sec is useful – But during US Govt shutdown DNS keys are expring
  • 5. Sub Resource Integrity
    • Scripts included by html
    • Can include checksums in html calling to varify
  • 6. Cookies
    • Secure – httpsonly
    • “SameSite=Strict” – Reduces cross site request forgery
  • 7. Http2
    • Binary wire protocol
    • Apache 2.4 on debian
    • Forces better protocols
  • 8. Lots more
    • New compression algorithms
    • Network error logs
Share 2019 – Friday – Keynote: A Story – Rusty Russell

Rusty Russell
  • Bitcoin Billionare
  • 1992
    • The days of SunOS
    • Read the GNU Manafesto
  • 1995
    • Using GPP compiler at work
    • First patch accepted on November 1995
  • 1997
    • USENIX Conference in california
    • UseLinux – Had a track for Linux
    • Hung around a bunch of top guys in Linux talked about added SMP to Linux
    • Talk on porting Linux to Sparc by David Miller & Miguel de Icaza. Going into improvements and showing how Linux port to sparc bet Solaris in the Lmbench benchmarks on same hardware.
    • Relaized lived in a world where students could create and port OS that bet the original OS from the vendor
  • 1997 – 1998
    • Wrote (with another guy) and got ipchains added to Linux
    • “I woke up one morning and I was kernel firewall maintainer”
    • Got job people paid to work on Linux firewall code
  • 1998
    • Decided needed an Australian Linux conference
    • Oct-Nov visited a bunch of LUGS to invite people and find person to collect money.
    • People not sure what they wanted to go to a Linux conference ( $380 bucks)
    • Invited John Maddog Hall
    • Created and ran a slashdot ad
    • Created card got into $14k negative
    • Last session of the 3rd day, reran the 3 best talks
  • Three stories from 1998
    • Tutorial Books for each of the tutorials- Couldn’t get photocopies from commercial facility, so had to make 400 copies of books via 4 coin operated photocopiers
    • Tridge bought up a triple-CD burner. People ran it in relays
    • Somebody said. “I can’t believe you don’t have conference tshirts”. He bought white tshirts, got them screen printed and sold them.
  • End of conference Tridge organised a gift from the Speakers to Rusty. Pewter Beer mug
  • after 1999
    • 2001 scheduled 3 talks from Rusty. At the same time
    • Met Tridge at LCA – Moved to Canberra they did AusLabs
  • How Great Projects
    • Smart and Capable enough to complete them
    • They are Dumb enough to try
    • When somebody tells you about a project?
      • That sounds Great, Tell me more
      • What can I do to help
    • Enable people’s enthusiasms
    • Collaboration is a super Power
    • Get along with people is a skill
    • “Constructive absenteeism”
  • Headwinds to collaboration
    • Signs are welcoming to some people
    • Other people get signs that they are not so welcoming
    • Good are seeing them when they are aimed at them, not so good are even seeing they exist when they are not aimed at them.

Share 2019 – Thursday – Session 3

Open Source Tools for Publishing and Processing Earth Observation Imagery – Paul Haesler

Paul Haesler
  • Golden age of satelite imagery
  • Geostationary – One area – Good for weather
  • Circum-polar orbits – all over earth every 10-16 days
  • Data processing Chain
    • Level 0 – Raw
    • Level 1 – Geo rectify – Measure surface radience
    • Level 2 – Curroect for sun, sat angle, atmostphere – ARD – Records surface reflectance
  • Landsat-8 (25-30m , 8-16 day cycle, data since 1982 ) Sentinel-2 ( better, 5 day cycle, 10m resolution)
  • Digital Earth Australia
  • The Problem
    • Open Data Cube
    • Python, based on xarry
    • Postgres for metadata
    • Actual satellite sata from local or network repo (transparently)
    • GUI maintained by CEOS
    • Aims to publish all Aus OpenData that can be mapped
    • Based on TerriaJS
    • Some DEA data was already being publish but need for additional stuff
  • COGs – Cloud Optimised GeoTIFFs
  • DataCube_ows
    • Lightweight web application server
    • Developed by Datda61 for GA
    • WMS
      • OGC Web Map service
      • Good for general-usage web apps
      • Returns standard images (eg png)
      • Support 1.3 well, works with most clients
      • Styles for band-mapping
      • on-the-fly solar angle correction
    • WCS
      • Version 1 supported
      • Works well with TerriaJS , works okay with QGIS or ArcGIS
  • Next Steps
    • WPS for on-the-fly processing is regularly discussed
    • Better ingegration with datacube-core
    • More recent WCS versions inc WCS-2EO
    • Sparse Data problems

The Tragedy of systemd – Benno Rice

  • References to Contempt Culture
  • Ancestry of Systemd
    • Unix: Happy accident, place, time, reaction to the previous thing
    • housekeeping functions – “mounting filesystems and starting daemons”
    • inetd – Super Daemon for all sockets – “worked well until The Internet Happened”
  • Then the Internet happened
    • forking a process per connection doesn’t scale
    • Lots of persistent state for things like databases
    • Service
      • Might be a bunch of processors
      • Init starts but doesn’t manage
      • initab can restart things in SystemV
  • System Config vs Service bootstrap
    • Mixed in togeather
    • Service management needs more
  • Windows NT
    • Service model there from beginning
  • MacOs
    • Application Model means lot richer interaction with the host
    • Application delegate
    • launchd
  • The Idea of Systemd
    • launchd
      • Service handling in MacOS
      • Took over init, inetd, cron
      • Can listen on ports. Start stuff. doesn’t need to start on boot, boot gets faster, power reduced, security improved
      • Move system services to daemons, then start daemons as needed
    • From Launchd to systemd
      • upstart
        • event driven
        • shell based
      • Rethinking PID 1 – Lennart
      • “Start less” , “Start more in parallel” , “listen to hardware and software changes”
      • cites launchd
  • System management
    • Everything is a lot more dynamic
    • Hotplug , DHCP , etc
    • Don’t install 15 different packages that all behave differently
    • But systemd will have to do things in a different way to those 15 other things
  • The reality of systemd
    • Widely adopted ( 2011 – 2015 )
    • Arguments
      • Violates the unix philosphy – actually systemd actually is many binaries
      • It is bloated and monolithic – Well it does do a lot of thing
      • It is buggy – So is all software, actually a good failure mode
      • I can’t stand Lennart Poettering – He’s delivered. “I won’t defend his community interaction”
      • It is not portable – UNIX is dead – Posix isn’t really a thing anymore, there are not a bunch of crazy Linux variations. “These days you have Linux and some rounding errors”
    • cgroups
    • User-Level units
  • Change – System is a lot of disruptive change
  • The Tragedy of Change
    • Nerds love change as long as we are the ones doing it
    • System boot ups using shell script interaction is like the old blanky we should of got rid of 20 years ago
    • The Knee-jerk – Abuse is not Cool
  • The Next Generation
    • They See a lot more APIs
    • Thinking in Containers is different from thinking in not-containers
  • What does Systemd have that FreeBSD (or even future Linux) could use, or could do better
    • Message Transport
    • RPC Framework
    • Kernel and Use-space services should look similarly to the services above them
    • Service Lifescycle
    • Automation via API – Easier for vendors to write appliances
    • Containers
    • The System Layer
      • Doesn’t have to be the only implementation of theis
    • Consistent Device Naming
    • Better Log/Event/Audit Handling
    • A new model of an application ( a bunch of things managed as a Unit, See the MacOS model)
  • Questions
    • Launchd option – Too MacOS specific
    • Dynamic Libraries = DLL Hell – Containers avoid, different problems
    • Is reaction to systemd scaring other big changes off – Possible, hard to write, very hard to handle the social issues to push though
    • Where is FreeBSD at? – A long way away, no consensus this sort of change needed
    • Should everything have been swallowed up – Thought experiment, If systemd had instead defined an API for separate projects instead of writing them itself, would that have worked? And now we do know what is needed could we switch to a separate model with APIs?
    • Enbeded Devices need systemd – Anything Dynamic needs it
    • What Push back from FreeBSD – Something like that but not systemd. Some like launchd
    • What needs to change in community and systemd team to make things better – See Adam Harvey’s talk on language changes. Hard since everythign is asking for different stuff, systemd people.
    • What should systemd go further into – Messageing and RPC stuff more pervasive and more thought about. Something into the kernel.