Donations 2019

Each year I do the majority of my Charity donations in early December (just after my birthday) spread over a few days (so as not to get my credit card suspended). I’m a little late this year due to a new credit card and other stuff distracting me.

I also blog about it to hopefully inspire others. See: 2018, 2017, 2016, 2015

All amounts this year are in $US unless otherwise stated

My main donations was to Givewell (to allocate to projects as they prioritize). Once again I’m happy that Givewell make efficient use of money donated.

I donated $50 each to groups providing infrastructure and advocacy. Wikipedia only got $NZ 50 since they converted to my local currency and I didn’t notice until afterwards

Some Software Projects. Software in the Public Interest provides admin support for many Open Source projects. Mozilla does the Firefox Browser and other stuff. Syncthing is an Open Source Project that works like Dropbox

Finally I’m still listening to Corey Olsen’s Exploring the Lord of the Rings series (3 years in and about 20% of the way though) plus his other material

Share

DevOpsDays NZ 2019 – Day 2 – Session 3

Everett Toews – Is GitOps worthy of the [BuzzWord]Ops moniker?

  • Usual Git workflow
  • But it takes some action
  • Applying desired state from Git
  • Example: Infrastructure as code
    • DNS
    • Onboarding and offboarding
  • Git is now a SPOF
  • Change Management Dept is now a barrier
  • Integrate with ITSM
  • Benefits: Self-service, Compiience

Joel Wirāmu Pauling – Why Bare Metal still maters

  • Cloud Native Dev doesn’t exist as a closer system
  • IoT is all hardware
  • AI/ML is using special hardware
  • Networks is all hardware offloads
  • FPGAs and ASICS need more standard open way to access
  • You’ll always have weird stuffs on your network
  • Virtualization has abstracted away the real
  • We care able vendor lockin with cloud APIs and Aus electricity isn’t all that green

Steven Ensslen – Do you have a data quality problem?

  • What is data ops and why do we want it?
  • People think they have a data quality problem but they don’t actually measure it to see how bad.
  • Causes all sorts of problems.
  • 3 Easy steps to fix data quaility
  • 1 – Document data charactersistics and train people to know them
  • 2 – Monitor data as if it is infrastructure
    • Test data like it is code
  • 3 – Professionalize your support of data professionals
    • Bring in the spreadsheet experts
    • Support reporting and analytics people too

Mandi Buswell – What are Kubernetes Operators and Why do I care

  • Like an App Store on your kubernetes cluster
  • Like a like Kubernetes robot doing that hard work for you. Lifecycle management
  • Operators run as microservices on the kubernetes cluster
  • operatorhub.io
  • Work on any kubernetes cluster
  • You can even write your own

Laura Bell – Securing the systems of the future

  • Fear and Lothing
    • It is an old problem because “People are Jerks”
  • All organization try either Fight, Flight, Freeze
  • Trying to protect: Confidentiality, Integrity, Availbality
  • Protect, Detect, Respond
  • Monolith
    • A big wall around
    • Layered defense is better but not the final solution
    • Defensive software architecture is not just prevention
    • Castles had lots of layers of defenses. Some prevention, Some Detection, Some response
  • MIcroservices
    • Look at something in the middle of a star and erase it
    • Push malicious code into deployment pipelines
  • Avoid scar tissue, stuff put in just to avoid specific previous problems. Make you feel safe but without any real evidence.
  • Fearless security patterns and approaches
  • Technology is changing but the basics are still the same
  • Lots of techniques in computer security.
  • Prevention and Detection are interchangeable
  • Batman vs Meercat model
  • Be Aware and challenge your own bubble
  • Supply Chains are vulnerable: Integrations, dependencies, Data Sources
  • Determinate threat vs Dynamic Threat
    • Can’t predicts which steps in which order are going to get the result
    • Comprimise the data then the engine will return bad results
  • Plug for opensecurity.nz

Share

DevOpsDays NZ 2019 – Day 2 – Session 2

Jacob Ivester – Diagnose DevOps: The work behind the work

  • Unhappy DevOps Family
    • Unsupport Software
    • Releases outside of primetime
    • etc
  • Focus on Process as a common problem
    • Manage Change that Affects Multiple teams
    • Throughputs vs Outputs
  • Repeatability
  • Extensibility
  • Visability
  • Safety

Cameron Huysmans – Designing an Enterprise Secrets Management Service using HashiCorp Vault

  • Australian based Bank
  • Transition for last 30 years for a bank to a layered based security model (all the way down to the server in the datacentre)
  • In 2017 moved to the cloud and infrastructure in the cloud
  • What makes a bank – licensed to operate
    • Must demonstrate control of the process
    • Reports problems to regulator
    • Identifyable business Processes
    • All Humans
  • If you use a pipeline there are no humans in the process. These machine process needs to conform to the same control
    • Archetecture naturally resistent to change. Change requires a complex process
    • ITIL
    • 2FA required for everything
    • Secrets everywhere
  • Disruption
    • Dynamic Systems with constant updates
    • Immutable containers
    • Changes done via code
    • Live system changes
    • Code and automation drives things
    • Dynamic CMDB – High Levels of abstraction
    • But you still have a secrets problems
  • Secrets Management
    • Not just a place to store passwords
    • But also a Chain of Trust
  • If Pipelines make the change who owns it, who audits it?
  • Vault becomes a bit of audit by saying who used something (person or process)
  • Why another tool ?
  • Created a pattered on how thing will be deployed. Got Security to okay it. Build it in a pipeline
  • Vault placed in the highest security area
    • But less-secure areas needed to talk to it.
    • Lots of zones internally. Some in Cloud, DMZ
    • Some talk via API gateway to main vault
    • Had a Vault replica that had a copy of some secrets and could be used by those zones that were not allowed to to the secrets zone
  • Learnings
    • This is hard, especially in the cloud
    • If Pipelines are doing the change, that must be kept secure. Attribution, notification and real-time analytics
    • Declarative manifests of change (code, scripts, tools) require more strict access controls
    • Avoid direct point-to-point connections

Share

DevOpsDays NZ 2019 – Day 2 – Session 1

Cath Jones – The Myth of the Senior Engineer

  • They won’t be able to hit the ground running on Day 1
    • Assume they know everything about how things work at your organisation that is organisation or industry-specific
    • If you don’t account for this you will see problems, stress, high turnover
  • Example: Trail by Fire
    • You get shown the basic stuff and then given your first ticket
  • How do you take organisation knowledge and empower people?
  • Employee Socialisation
    • Helps mitigate problems and assumptions
    • Facilitates communication and networking
    • Allows people to begin contributing sooner
  • Pre-Arrival Stage
    • Let people know what is expected
    • Let existing people kno who is thating and our expectations for them
    • Example: Automatic (wordpress)
      • Asked people in the final stages to complete some (paid) work.
      • Candiatites get better understanding of the company
  • Preparing for Transition
    • Culture-shock
    • How are you like compared to where they came from?
    • The new role compared to their previous one?
    • Come from a place where they were an expert and had lots of domain-specific knowledge to being a newbie
  • The Encounter Stage
    • Mentoring, Communication, Technical onboarding
    • Example: Cohorts of new hires
    • Mentoring: Proven way to socialise Senior engineers. Can be Labour intensive but helps when documentation lacking
    • Share Mentor-ship responsibilities: eg Technical and Organisational mentor seperate
    • Communication: Expectations that company places, how privledged and how transparent?
    • Authenticity: Can people be themselves. Reduces stress
  • Technical onboarding: Needs to take time and do it properly. Allow new people to contribute back to it and make it better.
    • Pick out easy wins or low-hanging fruit so peopel can contribute sooner
    • Have Style Guides and good docs
  • MetaMorphosis
    • Senior Engineers are fully Contributing

Katie McLaughlin – Being kind to 3am you

Share

DevOpsDays NZ 2019 – Day 1 – Session 3

Gleidson Nascimento – Packaging OpenShift Origin Kubernetes Distribution (OKD)

  • Centos SIG
  • Based on latest upstream

Joshua King – Don’t Reinvent the Wheel, Just Realign It

  • Project: Let notifications work for powershell users
  • Then he found the UWP community toolkit
  • Which had notifications built-in
  • These days looks around first, asks for APIs rather than scraping
  • Look around for open-source tools and give back
  • Sometimes your implimentation might be fun or even better than the original

Srdan Dukic – Implicit trust agreement in Learning Organizations

  • Sysadmin shell -> ansible -> APIs -> automate everything
  • Programmers coded themselves out of a job
  • Followup instructions or achieve results?
  • A bit of both – tension between the two
  • Money today or Money tomorrow?
  • Employee – Expected to make things better
  • Employer – Support things getting better, not fire people when they automate themselves out of a job

Julie Gunderson – You Can’t Buy DevOps

  • Lots of companies talking about DevOps are trying to sell you a solution
  • What doesn’t makes you a devops company
    • Be in the Cloud
    • Have a DevOps team
    • Get rid of the Ops Team
    • A checklist you can tick off
    • Easy
  • Westrum 3 Cultures Model
  • We want the generative model
  • Keeping information flowing between teams is prerequisite for high performance teams
  • Psychological Safety to make decisions. Lets employees focus on problems and getting work done rather than politics
  • Practices
    • Configuration management
    • CICD Pipelines
    • Work in small batches
    • Test every commit and everything else (look at Chaos engineering)
  • Tools
    • Let the teams who are using the tools decide on what tools they will use
    • XebiaLabs Periodic table of DevOps tools
  • Getting there
    • Start with one team and a POC
Share

DevOpsDays NZ 2019 – Day 1 – Session 2

Allen Geer, Michael Harrod – Kiwi Ingenuity – Kiwi’s can Overcome Tough Problems In DevOps

  • Contrast – US vs NZ
    • In the US companies are bigger, lots more people, lots more money to throw at problems.
    • Contrast with Arial Topdressing pioneered in NZ using surplus WW2 aircraft
    • Since the problems are up to 100x bigger in the US the tools are designed for that scale. ROI might not not be there for smaller companies.
    • Dealing with Scale
      • Avoid “Shinny new thing” syndrom, plan for keeping things for at least 5 years.
      • Ramp up slowly with the tool, push it into other areas.
      • Avoid Single Person Silo.
      • Bring up some Kiwi Inginuity (Look at Open source, Use the Free Tiers or Cheap Tiers).
      • Out-Innovate the US companies rather than trying to out-scale
    • Infrastructure: Monetization of Toil
      • Spending time and money on stuff you can automate
      • Lots of manual creating of infrastructure, servers, firewalls.
      • Lack of incentive for providers who charge for changes to automate stuff
      • Other Providers will automate (especially overseas ones that will come into NZ)
      • People take risks (eg no DR) in order to save money.
      • Innovator’s Dilemma
    • Solutions
      • More vocal customers
      • Providers should provider a platform, lots more self-service. Ahnd-holding for the hard stuff not the day-to-day
      • Charge for outcomes not person-hours
      • Begin Small
      • It’s an experiment – Freedom to Fail
    • Inattentive Customer Service
      • Overseas companies have a lot more forums, helpdesks, quick responses.
      • “Kiwis reluctant to make a fuss” , Companies not used to people making a fuss
      • Apply “American Ingenuity” – Striving focus to increase customer satisfaction.
      • Build a healthy community (eg online forums) around your service.
      • Gather insights from customers
      • Bezos – “When a customer contacts us, we see this as a defect” . Focus on the source of problems
    • Evolving Kiwi Workforce
      • NZ has older and aging workforce. 2nd oldest in the OECD
      • Slightly Fewer peoples with degrees
      • 11% of workforce 65+ by 2038
    • Learning in the workplace
      • Leverage senior Knowledge
      • Telco – Older customers didn’t want to approach young workers in mall. Brought in retired engineers to work in stores.
      • Mentoring and reverse-mentoring. Mentor learns insights from mentoree too (eg about younger people’s habits)
    • Introducing people to DevOps
      • Kiwi DevOps models

Craig Box – Teaching Old Servers New Tricks: extending the service mesh outside the cluster

  • Service Mesh
    • Managing a service is hard
    • metrics, monitoring, logging, traceing
    • AAA encryption, certs
    • load balancing, routing, network policy
    • quota
    • Failure handling, fault inject
  • Microservices
    • Not just for hipsters
    • Works best at scale. Lots of devs
  • Now introduce a network in between everything. Lots of hard dtuff, distributed systems are hard
  • Leaky abstractions
    • Have to build stuff into microservice to deal with problems of the network
    • In multiple libraries and languages
    • Can we fix it?
  • Sidecar Pattern
    • The sidecar does all the hard stuff instead of making the microservice itself do it.
    • Talks TCP. Able to work with all languages
  • Proxies as sidecars
    • SPOF
    • Sidecar is attached to each MS
  • Flexability and Power
    • Single place where we can do everything
    • Traffic going in: TLS termination, metrics, quota
    • Traffic out of workloads: Authentication, TLS connections
  • Istio
    • Open platform
    • Not always microservices
    • Uniform observability
    • Operational Agility
    • Policy driven Security
  • How istio works
    • Proxies + control plane
    • Pilot in control plane pushes config to proxies, keeps track of them, looks up stuff in k8s cluster
    • Mixer – policy check and telemetry
    • Citidel – cert authority to proxies
    • Control plane has to run on k8s
    • Proxies run using envoy
    • Zipkin built in
    • All done automatically for kubernetes environments ( admission controller adds sidecar )
  • Adding a VM to a service mesh
    • Enable the mesh expansion, connect the networks
    • Add the gateway IP to the VM
    • Get a cert and copy to the VM
    • Install proxy and node agent
    • Traffic from cluster -> VM .
      • Add the service to DNS in the cluster,
      • Create a ServiceEntry on the cluster
    • Traffic from VM -> Cluster service
      • Add Service and IP to /etc/host on the VM
  • Sample Application – Hipster Shop
    • productcatalogservice is outside of kubernetes
    • headless service in kubernetes
    • manually created service entry in k8s
    • Experimental istio commands to simplify process to single command

Share

DevOpsDays NZ 2019 – Day 1 – Session 1

Brooke Treadgold – Back to Basics

  • Transformation Lead ANZ Bank
  • Not originally from a Tech background
  • Tech has a lot of buzzwords and acronyms that make it an exclusive club. Improvements relay on people from other parts of the business that aren’t in that club
  • These people have to care about it and understand it.
  • Had to use terms that everybody in the business understood and related to.
  • Case for change – What top orgs do:
    • 208 times more frequent deployments
    • 2604 times faster to recover from incidents
    • 7 times lower change failure rate
  • What you need
    • High Priority -> Access to people to do the work
    • Needed tangible goal (weekly releases) to get people to focus (and pay)
  • Making change a reality
    • Risk Management
      • You can just stop doing the reports
      • You need to gain their trust in order to get influence
      • Have to take them along the way with the changes
    • Empathy
    • Influence
  • History at ANZ
    • First pipeline replace just one document
      • Explained to change managment team how the pipeline could replace the traditional plan
    • Rethink of Change Plan and Outcome Reports
      • Other teams needed these for confidence in the change
      • Found out what people actually cared about, found better ways to provide that information (confidence) it an automated way
    • Security Assessment
      • Traditionally required a big document filled in and signed off
      • Found that this was only required for “Significant” changes
      • Got a definition of what significant means so didn’t need to do this.
    • High Risk Change Records
      • Lots of paperwork for High Risk changes
      • Decided that these are not high risk changes so lots less work
      • Templated them so a lot easier to do

Charles Korn – Dockerised local build and testing environments made easy

  • Go Script – Single script that a consistence place in all you repos that does the basic function. install, help, run, deploy
  • batect – tool he wrote
    • dockerized dev environment plus a Go Script
  • Dev environment
    • Build env: code to an artifact
    • Testing Environments. Fake stuff, lots of different levels
  • Build Environment
    • Container with the build tools. Mount our code directory into this
    • Isolation brings consistency and repeatability. No more “works on my machine”
    • Clean container every single time we run a build
    • CI agents just need docker since teams will provide the container
    • Ease of Onboarding. Just get git and docker installed
    • Ease of change. Environment and tasks defined in yaml and versioned like everything else. New version downloaded. Kept in sync with actual code
  • Test Environments
    • You can run local tests
    • Consistently runs test on CI
    • Have to launch multiple containers for more complex tests, using built in docker definitions and health checks and networking
  • Path to Production
    • If deploying docker then can use same image
    • But works with stuff that isn’t deployed as docker too
  • What about docker compose?
    • Better performance
    • Model – tasks are a first class citizen – Doesn’t feel like you are fighting the too.
    • Better UI and developer experience. Updates managed automatically
    • Cleans up better after each run
    • It just works. Works with proxies better. Works with file permissions better.
  • How to get started?
    • start small, work incrementally
    • Start with the build enviroment
    • With the Test env work though one piece at a time.
    • Reuse components
    • Take advantage for other people’s images. Lots of mocks for cloud services.
    • Docker has library of health check scripts
    • Bunch of sample scripts for batect
  • github.com/charleskorn/batect

Share

Linux.conf.au 2019 – Friday – Lightning talks and Conference Close

Closing Stuff

  • Special Badge given out
  • Projects from Junior Group from Club Penguin
  • Rusty Wrench award to Joshua Hesketh

Lightning Talks

  • 3 minutes each
  • Martin Kraft
    • Digital trust and trust in the real world
    • In real world it is wired into our brains
    • Aunt’s Laptop. Has Trusted CAs, Debian.
    • Doesn’t know what lock on browser means
    • Imaging that trust is a competition that happens in real time, that takes interactions, mood, random stuff.
    • Maybe when you visit a good vs bad website the browser looks visably different
    • Machine Learning
  • Brimly Collings-Stone
    • Maori language not available on AAC outputs
    • Need a device that speaks Maori and represents Maori grammar accurately
  • Mathew Sherborn
    • RSI
    • Got it in the past, tried various keyboards
    • Type-Matrix but it broke
    • ErgoDox – open source keyboard
    • Mascot.com – Keyboard in batch orders
    • Like the ErgoDox-E – $500 but good – web app to program
    • Change the Dvorak keyboard with special keyboard
  • Emma Springkmeier
    • What do I do when it all goes wrong
    • Potentially stressful situations – phone calls, meetings.
    • eg last year’s lightning talk
    • What I do to cope
    • Talk to friends, explain how I feel to others, listening to calming music, breathing techniques ( 4s in, 4s hold, 4 out, 4 holding, repeat )
  • Karl Kitcher
    • Secretary of the NZ Open Source Society
    • Charity since 2008
    • Reducing in interest in the recent years
    • Open source is not so prevalent, people not really caring, trying to maintain the momentium
    • Open vs Fauxpem
    • nzoss.nz – signup to the mailing list
    • Various services to projects
  • Leon Wright
    • About Leon’s badge
    • Twitter bot hooked to hug detector in his badge
    • 2017 badge detects hugs
    • 2018 version 2 . So good twitter shadow banned his account
    • 2019 – Docker containers and other crazy stuff
  • Talia White
    • At LCA since 2018 – Was only 8. Now 12
    • Ordered a robot kit for ardiano
    • Made various projects
    • Don’t give up, struggled to start with coding, got better
  • Brenda Wallace
    • Works for the NZ Govt
    • Sometimes abigious
    • Going to publish for some legislation as python rules
    • rules.nz
    • eg Social welfare rules,
    • Unit tests
  • Paul Gunn Stephen
    • GDP per km of coastline
    • %coastline length for area
    • Means hard to get Tsunami warning systems
    • Cheaper
    • ETC Lali system approach
    • Every Village has a local warning system
    • Redundant system
  • E Dunham
    • You should speak at conferences
    • 54th talk in 5 years
    • Promotes your company
    • Intersection: What you know, what conference needs and what the attendees needs
    • Find conference want to attend
    • Write abstract
    • Submit a lot, get rejected a lot
    • Each reject is how you dodged a bullet
  • Charell
    • CVE-2019-3462
    • Bug in apt that allows injection of bad content
    • Why https
    • Attestation
    • apt-transport-https – enable
  • Jen Zajac
    • Project scaffolding eg Cookiecutter, yoeman
    • Lots of generating options
    • Creates templates for a project
  • Hugh Blemmings
    • Ardionu and Beagleboard
    • Cool but not high performance
    • A True open and HP computer
    • Open Hardware, Open software stack, no bin blobs, No unexpected software, No cost/perf penality
    • openpowerfoundation.org
  • Benno Rice
    • Cobol
    • Over 50 years old
    • Not used much
    • What Language is the new Cobol?
    • PHP is the new COBOL
    • Perl is the new COBOL
    • Python2 ?
    • Javascript ?
    • C ?
    • Y2K – Maybe the real Cobol is the maintenance we incurred along the way
    • Maybe you should support software before it bites you back

Closing Stuff

  • 652 people attended
  • 2.4TB transferred over the SSID
  • 3113 Coffee vouchers

Lots of sponsors and suppliers and staff thanked

Linux.conf.au 2020 is in …. Gold Coast

  • Linux.conf.au 21st birthday!
  • Gold Coast convention and Exhibition centre
  • 13 – 17th January 2020

Share

Linux.conf.au 2019 – Friday – Session 2

OpenLI: Lawful Intercept Without the Massive Price Tag
– Shane Alcock

Shane Alcock
  • Police get Warrent to ISP
  • ISP Obligations
    • Can’t tip off person being intercepted
    • Both current and past intercepts must be private
    • Can’t accept other people’s communications
    • Must accept all communications
  • NZ Lawful Intercept
    • All Providers with more than 4000 customers must be LI capable
    • Must be streamed live
    • TCP/IP over tunnel
    • Higher level agencies have extra requirements
    • 2 seperate handovers – IRI metadata for calls, IP sessions. CC= data packets
  • Open LI
    • $10,000s – $100,000s costs to impliment and license from vendors
    • WAND had some experise in packet collection
    • Known my NZ Network Operator community
    • Voluntary contributions from NZ Network Operators
    • $10k+ each
    • Buys 50% of my time to work on it for a year.
    • Avoiding Free Rider problem
      • Early access for supporters
      • Dev assistence with deployment
      • Priority support for bugs and features
  • Building Blocks
    • Developed and tested on Debian
    • Should work on other Linux flavours
    • Written in C – fast and likes writing C
    • Use libtrace from WAND
    • Data Plane Develop Kit
  • Provisioner
    • Interface for operators
    • Not very busy
  • Collector
    • Comms from Provisioner
    • Intercept instructions
    • Recommended run on bare-metal
    • 1RU Server with 10G interface with DPDK support
    • Supports multiple collectors
  • Mediator
    • Gets data from Collector
    • Forwards to Agency based on instructions from Provisioner
  • Target Identification
    • Nothing on the packets linked to target user
    • People get dynamic IPs, can change
    • For VOIP calls need to know RDP port
    • SIP for VIP , Radius to IP to ID the user’s IPs/Ports
    • Deriving caller identities from SIP packets can be tricky. Other headers can be used, depends on various factors
  • Performance Matters
    • 1Gb/s plans are available to residential customers
    • ISP may have multiple customers being intercepted. Collector must not drop packets
    • Aim to support multiple Gb/s of data
    • libtrace lets use spread load across multiple interfaces, cpus etc
    • But packets now be in multiple threads
    • Lots of threads to keep things all in sync
  • Status
  • Future
    • Build user-driver community around the software
  • Questions
    • Can it handle a hotel? – maybe
    • ISPs or police contributing? – Not yet
    • What have people been doing so far? – They have been gettign away with saying they will use this
    • What about bad guys using? – This probably doesn’t give them any more functionality
    • Larger Operators? – Gone with Vendor Solutions
    • Overseas Interest? – One from Khazakstan , but targetted at small operators
    • Why not Rust, worry about parsing data – Didn’t have time to learn Rust

But Mummy I don’t want to use CUDA – Open source GPU compute
Dave Airlie

Dave Airlie
  • Use Cases
    • AI/ML – Tensorflow
    • HPC – On big supercomputers
    • Scientific – Big datasets, maybe not on big clusters
  • What APIs Exist
    • CUDA
      • NVIDIA defined
      • Closed Source
      • C++ Based single source
      • Lots of support libraries ( BLAS, CiDNN ) from NVIDIA
    • API – HIP
      • AMD Defined
      • Sourcecode released on github
      • C++ based single source
    • OPenCL
      • Khronos Standard
      • Open and Closed implimentations
      • 1.2 v 2.0
      • OpenCL C/C++ Not single source (GPU and CPU code separate)
      • Online vs offline compilation (Online means final compilation at run time)
      • SPIR-V kernel
    • SYCL
      • Khronos Standard
      • C++ Single source
      • CPU Launch via OpenMP
      • GPU launch via OpenCL
      • Closed (codeplay) vs Open(triSYS)
      • Opening of implementation in Progress (from Intel – Jan 2019)
    • Others
      • C++AMP – MS
      • OPenMP – Gettign better for GPUs
      • OpenACC
      • Vulkan Compute
        • Low level submission API
        • Maybe
    • Future
      • C++ standard
      • C++ ISO standards body, ongoing input from everybody
      • Implementations must be tested
      • Still needs execution environment
  • Components of GPU stack
    • Source -> Compiler
    • Output of GPU and CPU code
  • IR
    • Intermediate representation
    • Between source and final binary
    • NVIDIA PTX – liek assemble
  • OpenCL Stacks
    • Vendor Specific
    • LLVM Forks
  • Open Source
    • Development vs Release Model
    • Vendors don’t want to support ports to competitors hardware
    • Distro challenges
      • No idea on future directions
      • Large bodies of code
      • Very little common code
      • Forked llvm/clang everywhere in code
  • Proposed Stack
    • Needs reference implementation
    • vendor neutral, runs on multiple vendors
    • Shared Code based (eg one copy of clang, llvm)
    • Standards based
    • Common API for runtime
    • Common IR as much as possible
    • Common Tooling – eg single debugger
    • SPIR-V in executable -> NIR -> HW Finaliser
    • Maybe Intel’s implementation will do this
  • Questions
    • Vulkan on top of Metal/Molten ? – Don’t know
    • Lots of other questions I didn’t understand enough to write

Share

Linux.conf.au 2019 – Friday – Session 1

Preventing the IoT Dystopia with Copyleft- Bradley M. Kuhn

Bradley M. Kuhn
  • The S in IoT stands for Security
  • Many stories of people hacking into baby monitors and home cameras
  • IoT Devices often phone home to manufactorers website in order that you can access then remotely. “I suppose there are Chinese hackers watching my Dogs all day, I hope they will call me if they need water etc”
  • Open source people have historically worked to get around problems like this.
  • 1992 – If you wanted Linux, you downloaded the software onto floppies and installed it yourself. And Often had to work hard to make it work.
  • Today only a small percentage of laptops sold have Linux on it.
  • But Linux is commonly installed on IoT devices – 90% odd
  • But
    • No [easy] way to reinstall it yourself
    • Much worse than laptops
    • GPL includes “The scripts used to control the compilation and install of the executable”
    • “Freedom to Study” is not enough
  • Linksys Wifi router
    • OpenWRT Project
    • Release forced from Linksys and Cisco
    • “Source as received from Linksys from GPL enforcement”
    • Is OpenWRT a Unicorn
      • Few projects with serious alternative firmware project
    • Still sold new after 20 years
  • BusyBox Lawsuits
    • Before IoT was even a term
    • At least one model of Samsung TV -> samygo.tv
    • “Baffles me as to why do the manufactorers want us to buy more hardware”
  • Linux focuses to much on big corp users and ignores hobbyist users
    • Kernel peopel only care about the .c files. Don’t care about the install scripts etc.
    • People at top of Linux now got their start hacking on the devices in front of them.
    • The next generation of developers will be those hackers not from IBM and other big companies
    • You didn’t need anything but a computer and an internet connection to become and upstream developer in those days. This is becoming less true.
    • If the only thing you can install Linux on is a rackmount server, a cloud server or maybe a laptop and none of the IoT devices around you then things don’t look good….
  • Linux was successful because users could install it on their own devices
  • Linux won’t remain the most important GPL program if users can’t install their modifications. Tinkering is what makes Free software great.
  • Upstream matters of course, but downstream matters more.
    • There may be 1000s of Linux developers
    • Put 2 billion people have Linux on their phone – Which is locked down and they can’t reinstall
  • We don’t need a revolution to liberate IoT devices
    • because the words are already there in the GPL
    • We just have to take up our rights
  • What you can do.
    • Request Linux sources on every device you own – Companies have figured out people almost never ask
    • Try to build and install them. If you can’t ask a friend or ask Conservancy for help
    • If it doesn’t build/install it is a GPL violation, report it Conservancy
    • Step up as a leader of a project devices that matter to you.
  • Why this will work
    • The problem seems insurmountable now, only because we have been led astray
    • First and absolutely necessary step towards privacy and scurity on those devices
    • When the user controls the OS again, the balance of power can be restored
  • Questions
    • Best way to ask for source code? Try email, the manual should say.
    • How to get the new code on the device? Needs some push onto industry
    • What if writing requires expensive equipment? Fairly rare, many devices allow over-the-air upgrades, we should be able to go the same way.
    • Is there a list of compliant devices? – Proposed in past. Want to go softly at first in many cases
    • Am I exposed to liability if I modify and distribute code I receive? – Almost certainly note, contact Conservatory if you are threatened.

Web Security 2019 – James Bromberger

James Bromberger
  • History of browser
    • No images
    • Images
    • Netscape with crappy ‘International Security”
    • https takeup is growing
    • Chrome is hitting 60-70%
    • 82% of browser are “modern”, crossover of chrome users to new version is about 3 months.
  • PCI
    • Remove early TLS in mid 2018
    • TLS 1.1 and higher allowed
  • The legacy browser has gone in the real world
    • Some envs still behind, but moving ahead
  • What can we do with as little changes as possible?
  • 0. Don’t use http, use https
    • Use letsencrypt
    • Stds reducing max length of certs from 5 years
  • 1. TLS protocols
    • 7 versions out there (old ones SSL).
    • Most over 10+ years old
    • Only 6 in the wild
    • 3 not-known to be comprimised ( 1.1 1.2 1.3 )
    • Very few clients only support 1.1 and not 1.2 (small gap in 2006-2008 ). IE supports 1.2. So maybe disable 1.1
    • Log the protocol being used so you have data on your users
    • OTOH not much supports 1.3 yet
    • Use 1.2 and 1.3
    • Turn off on the Browsers to
    • Looks at which libraries you are using in code that makes https connections
  • 2. Cypher Suite Optimisation
    • New EC certs for key exchange
    • New certs getting changed to ECDSA
    • AES is standard for bulk encryption. GCM mode is best although windows 9 can’t do (Upgrade to 10!)
    • MAC/Cehecksum – remove MD5, SHA1, remove SHA2-256+ , New ones coming
  • Security Header
    • Content-Security-Policy
    • Referer-Policy – Usually locked down
    • Feature-Policy – lots of stuff
    • ” X-Content-Type-Options: no-sniff ” – don’t guess content type
  • 4. CAA
    • Around 200 Cert Authorities
    • Authorized record type (CAA record) lists what CAs are allowed to issue certs for you.
    • DNS Sec is useful – But during US Govt shutdown DNS keys are expring
  • 5. Sub Resource Integrity
    • Scripts included by html
    • Can include checksums in html calling to varify
  • 6. Cookies
    • Secure – httpsonly
    • “SameSite=Strict” – Reduces cross site request forgery
  • 7. Http2
    • Binary wire protocol
    • Apache 2.4 on debian
    • Forces better protocols
  • 8. Lots more
    • New compression algorithms
    • Network error logs
Share