Linux kernel security module
A container is not a VM... we already know that... but what comes next? We keep "laying down the basics" :) Thanks to everyone who listens to us. We look forward to your comments.
Music from the episode: https://t.me/angry_programmer_screams
Full playlist of the "Kubernetes for DotNet developers" course: https://www.youtube.com/playlist?list=PLbxr_aGL4q3SrrmOzzdBBsdeQ0YVR3Fc7
Free open course "Rust for DotNet developers": https://www.youtube.com/playlist?list=PLbxr_aGL4q3S2iE00WFPNTzKAARURZW1Z
Shownotes:
00:00:00 Introduction
00:06:10 Networking and namespaces
00:15:10 Bridge - how it works in Docker
00:20:20 Port Mapping
00:29:50 Networking in Kubernetes
00:40:00 Linux Capabilities
00:44:50 SecComp
00:47:00 AppArmor
Links:
- https://youtu.be/rJRLZfk3a8U : Container virtualization in Linux
- https://medium.com/@alexander.murylev/run-your-own-container-without-docker-60c297faf010 : Docker by hand
Video: https://youtube.com/live/q56ELiUNLMM
Listen to all episodes: https://dotnetmore.mave.digital
YouTube: https://www.youtube.com/playlist?list=PLbxr_aGL4q3R6kfpa7Q8biS11T56cNMf5
Twitch: https://www.twitch.tv/dotnetmore
Discuss:
- Telegram: https://t.me/dotnetmore_chat
Follow the news:
- Twitter: https://twitter.com/dotnetmore
- Telegram channel: https://t.me/dotnetmore
Copyright: https://creativecommons.org/licenses/by-sa/4.0/
Most founders feel isolated after selling their company. Chris and David Sinkinson didn't—because they had each other. The brothers built and sold their startup, AppArmor, for $40 million. But unlike many founders who struggle with identity and purpose post-exit, they had a built-in support system: each other. With a 10-year age gap and complementary skills, they navigated the highs and lows of entrepreneurship as a team. And when they suddenly found themselves financially free, their brotherhood kept them from making reckless decisions—or jumping into the next venture too soon. In this episode, Chris and David share how selling their company impacted their relationship, their investments, and their sense of purpose. We dive into: Why going through a major exit alone can feel isolating—but they never did. How their brotherly dynamic kept them from making bad financial decisions. The identity crisis that followed the sale—and how they leaned on each other to navigate it. Why they're already thinking about their next venture, but with new priorities.
Innovation: Driving Better Outcomes or Reinforcing the Status Quo? In today's rapidly evolving business landscape, true innovation is more crucial than ever. But what separates genuine innovation from mere change? David Sinkinson, co-founder of AppArmor and author of "Startup Different," offers a thought-provoking perspective: "Innovation is not changes that reinforce the status quo. It's about doing something differently with better outcomes." How can leaders ensure their initiatives truly innovate rather than simply maintain the current state? Are your organization's "innovations" creating value or just shifting it?

Episode Guide:
0:00 - Intro
0:59 - What is Innovation?
4:25 - Importance of being mission-driven
8:43 - Data-driven innovation
14:18 - What isn't innovation?
19:27 - Innovation's impact on career
24:49 - Advice for innovators

Brothers David Sinkinson and Chris Sinkinson are proven SaaS entrepreneurs. Their bootstrapped startup, AppArmor, helped keep people safer with innovative mobile apps and emergency notification solutions for individuals across the globe. In February of 2022, their company was acquired by US competitor Rave Mobile Safety for tens of millions of dollars. Later in 2022, Rave and AppArmor were acquired for over $550 Million by Motorola Solutions. Now Dave and Chris have launched Startup Different - a book and podcast to help show you that there's another, better way to build your business. Startup Different debunks startup myths, tackles some of the toughest challenges and gives you the tools to build your business. These down-to-earth founders prove making a successful startup has little to do with unicorns or ten-baggers and instead focuses on a proven, different method for startup success.

More about our guest:
David Sinkinson
Podcast: Startup Different
Book: Startup Different

OUTLAST Consulting offers professional development and strategic advisory services in the areas of innovation and diversity management.
Chris Sinkinson - Entrepreneurship: A Hero's Journey

Join me and my guest Chris Sinkinson, Co-Author of Startup Different (startupdifferent.com), and former CTO and Co-Founder of AppArmor. In 2022, AppArmor was acquired by Rave Mobile Safety for $40 million, and later that year, both were acquired for over $550 Million by Motorola Solutions. In this episode we discuss the hero's journey that defines being a successful entrepreneur, focusing on the importance of empathy, company culture, and myth-busting in startups. Chris shares his experiences of starting a business with his brother, the challenges they faced, and the lessons learned along the way. He emphasizes the need for continuous improvement, the significance of intentionally building a strong company culture, and how empathy can be a powerful tool for leaders. We do a deep dive on the importance of being adaptable and willing to pivot in response to changing circumstances.

Takeaways
- Myth: If it ain't broke, don't fix it (you need to get ahead of stuff breaking or it'll break your business)
- Why being "tough" in business won't get you far: the direct correlation between empathetic leadership and improved market performance and profitability
- Starting a business involves debunking many myths and navigating unexpected challenges.
- Empathy is crucial for effective leadership and team dynamics.
- Building a strong company culture requires intentional effort and discipline.
- Hiring should be approached with caution; it's easier to hire than to fire.
- Continuous improvement is essential for long-term success.
- Pivots should be strategic and based on market needs, not just reactive.
- Company culture should reflect the values and operational style of the founders.
- Engaging with customers can provide valuable insights and motivation for the team.
- A successful startup often requires multiple attempts before finding the right idea.
- Trust and relationships with employees are vital for navigating tough times.
David Sinkinson, co-founder of AppArmor, shares his entrepreneurial journey and the lessons he learned along the way. He challenges startup myths and emphasizes the importance of finding the right co-founder. The conversation covers topics such as the need for funding, the psychology of being a founder, the evolution of AppArmor's product, the slow sales cycle in selling to colleges, and the impact of COVID-19 on the business. AppArmor was eventually sold for $40 million. The conversation explores the psychology behind valuations and acquisitions in the software business. It highlights the concept of the 'mighty middle' where businesses sell for millions of dollars, but are not the multi-billion dollar giants. The discussion also touches on the challenges and opportunities of building a SaaS company, the importance of timing in seeking funding, and the benefits and complexities of working with family members. The guest also shares insights from his book 'Startup Different' which offers a chronological account of his company's journey and busts 33 myths about entrepreneurship.

Takeaways
- Challenge startup myths and evaluate what is truly necessary for your business.
- Finding the right co-founder who complements your skills and provides support is crucial.
- The evolution of a product is inevitable, and listening to customer feedback is essential for success.
- Selling to colleges can have a slow sales cycle, but once you gain traction, customer loyalty is high.
- Adapting to market changes, such as the impact of COVID-19, requires innovation and listening to customer needs.
- Building a successful business often takes years of hard work and perseverance.
- The 'mighty middle' refers to businesses in the software industry that sell for millions of dollars, bridging the gap between small startups and multi-billion dollar companies.
- Building a SaaS company to reach a million dollars in revenue is challenging but doable, while reaching 10 million is a whole different level of difficulty.
- Timing is crucial when seeking funding, as it's important for the market to develop and understand the product before investing heavily.
- Working with family members in a business can be successful if there is trust, complementary skills, and effective communication.
- The book 'Startup Different' provides a chronological account of the author's company journey and offers insights and lessons for young entrepreneurs.

Find Startup Hustle Everywhere: https://gigb.co/l/YEh5
This episode is sponsored by Full Scale: https://fullscale.io/
Find out more about Startup Different here: https://www.startupdifferent.com/
Learn more about David Sinkinson here: https://www.linkedin.com/in/davidsinkinson/
Sign up for the Startup Hustle newsletter: https://newsletter.startuphustle.xyz/

Sound Bites
- "We wanted to make sure that entrepreneurs and founders can avoid some of the mistakes that we made."
- "Funding might actually leave your business worse off than if you hadn't pursued it."
- "Being a single founder is hard. You need someone to talk to, cheer with, and pick you back up in the low moments."
- "Most people think of software businesses as being these multi-billion dollar huge sales that happen later coming to nowhere kind of thing."
- "It's relatively easy to build a SaaS company that gets to a million dollars a year in revenue."
- "We were extremely profitable, turning a 60% profit by our final year."

Chapters
00:00 Introduction and Background
04:10 The Importance of Finding the Right Co-founder
07:05 Evolution of a Product: Listening to Customer Feedback
13:09 Navigating the Slow Sales Cycle in Selling to Colleges
15:59 Adapting to Market Changes: The Impact of COVID-19
18:20 Successful Exit: Building a Business Over Time
22:40 Valuations and Acquisitions in the Software Industry
25:17 The Importance of Timing in Seeking Funding
29:43 Taking the Money and Running
31:37 Insights from 'Startup Different' Book
In this podcast episode, Dr. Jonathan H. Westover talks with David Sinkinson about the psychology of being a startup founder. David Sinkinson is a proven SaaS entrepreneur. David was the Co-Founder and CEO of AppArmor, the bootstrapped public safety software startup he led with his brother, Chris. AppArmor was purchased by Rave Mobile Safety in February of 2022 for $40 Million. Later in 2022, both Rave Mobile Safety and AppArmor were acquired by Motorola Solutions for $560 million. Now Dave has co-authored Startup Different and launched The Startup Different Podcast to help show entrepreneurs that there's another, better way to build your business. Startup Different debunks startup myths, tackles some of the toughest challenges and gives founders the tools to build their business. This down-to-earth founder proves that making a successful startup has little to do with unicorns or ten-baggers and instead focuses on a proven, different method for startup success. Check out all of the podcasts in the HCI Podcast Network!
Segment 1 with Zac Larsen starts at 0:00.
Lately, I keep talking about retirement to my friends and family. I keep saying 2 more years because there are other things I want to do with my life. For most of us, retiring is complicated. Zachary Larson is a CFP®, ChFC®, FIC and Founding Partner & Wealth Advisor for IntentGen Financial Partners in Naperville, Illinois. He is also the author of the new book called "Retire Intentionally: Stories and Strategies to Spend, Give and Live with Confidence."

Segment 2 with David Sinkinson starts at 16:39.
There is so much misinformation about what it takes to launch a successful start up. My guest is David Sinkinson who is a proven SaaS entrepreneur. His bootstrapped startup alongside his brother Chris, AppArmor, helped keep people safer with innovative mobile apps and emergency notification solutions for individuals across the globe. In February of 2022, their company was acquired by US competitor Rave Mobile Safety for tens of millions of dollars. Later in 2022, Rave and AppArmor were acquired for over $550 Million by Motorola Solutions. He is co-host of the Startup Different podcast and co-author of the book, "Startup Different: The Myth-Busting Blueprint for Your Multi-Million Dollar Business."
John and Maximé have been talking about Ubuntu's AppArmor user namespace restrictions at the Linux Security Summit in Europe this past week, plus we cover some more details from the official announcement of permission prompting in Ubuntu 24.10, a new release of Intel TDX for Ubuntu 24.04 LTS and more.
Laurie Barkman interviews brothers and business partners, David and Chris Sinkinson, about their experience as co-founders of AppArmor, a bootstrapped SaaS business with a $40 million exit. They discuss the importance of understanding product-market fit, the role of unhappy customers in identifying issues, and the significance of recurring revenue in their app business. The conversation highlights the value of building relationships with potential buyers over time, which contributed to their successful exit. They emphasize the importance of selling at the right time to capitalize on growth potential. The brothers also share their experience of transitioning out of the company and their ongoing efforts to help other entrepreneurs in their new venture called Startup Different. Check out their podcast and new book called "Startup Different." Enjoy this episode with Chris and David Sinkinson and their succession story from idea to exit.

Links for Chris and David:
Website: https://www.startupdifferent.com/
LinkedIn: https://www.linkedin.com/company/startup-different/
Instagram: https://www.instagram.com/startupdifferent/
YouTube: https://www.youtube.com/@StartupDifferent/

Succession Stories is Sponsored by The Business Transition Sherpa®
Consider this: 100 percent of owners will leave their business one day. But few are prepared. Are you? Learn how to build business value and plan for succession, transition, or selling the business on your terms.
LinkedIn: https://www.linkedin.com/company/thebusinesstransitionsherpa/
Website: https://thebusinesstransitionsherpa.com/
Book: https://thebusinesstransitionsherpa.com/the-business-transition-handbook/
Course: https://thebusinesstransitionsherpa.com/course/
The long awaited preview of snapd-based AppArmor file prompting is finally seeing the light of day, plus we cover the recent 24.04.1 LTS release and the podcast officially moves to a fortnightly cycle.
Docker - https://www.docker.com/
Podman - https://podman.io/
Kubernetes - https://kubernetes.io/
Jitsi - https://jitsi.org/
Mumble - https://www.mumble.info/
Cockpit - https://cockpit-project.org/
Azure - https://azure.microsoft.com/en-us/free
Google Cloud - https://cloud.google.com/
AWS - https://aws.amazon.com/
K3S - https://k3s.io/
Docker Swarm - https://docs.docker.com/engine/swarm/
AppArmor - https://apparmor.net/
Python - https://www.python.org/
Banshee Video Card (3dfx) - https://www.techpowerup.com/gpu-specs/voodoo-banshee-agp-16-mb.c3561
GIS - https://www.esri.com/en-us/what-is-gis/overview
GPS - https://www.gps.gov/
Java - https://www.java.com/en/
Ruby - https://www.ruby-lang.org/en/
Groovy - https://groovy-lang.org/
Grails - https://grails.org/
Forth - https://www.forth.com/forth/
V (programming language) - https://vlang.io/
BSD - https://www.bsd.org/
ZFS - https://arstechnica.com/information-technology/2020/05/zfs-101-understanding-zfs-storage-and-performance/
Slackware - http://www.slackware.com/
Absolute Linux - https://www.absolutelinux.org/
Windows 3.11 - https://winworldpc.com/product/windows-3/311
DOS 6.22 - https://winworldpc.com/product/ms-dos/622
Storm Linux - https://distrowatch.com/table.php?distribution=storm
Alpine Linux - https://www.alpinelinux.org/
Turbo Linux - https://distrowatch.com/table.php?distribution=turbolinux
Mepis Linux - https://distrowatch.com/table.php?distribution=mepis
Sparky Linux - https://sparkylinux.org/
DistroWatch - https://distrowatch.com/
Mandrake Linux - https://static.lwn.net/2000/features/LinuxMandrake.php3
Mandriva - https://distrowatch.com/table.php?distribution=mandriva
Fedora Linux - https://fedoraproject.org/
Windows XP - https://en.wikipedia.org/wiki/Windows_XP
Oxford University - https://www.ox.ac.uk/
Cambridge University - https://www.cam.ac.uk/
HTML - https://www.w3schools.com/html/
CSS - https://www.w3schools.com/css/
Javascript - https://www.javascript.com/
Freenode IRC - https://freenode.net/
KDE - https://kde.org/
Manjaro - https://manjaro.org/
Unity - https://unityd.org/
OpenSuse - https://www.opensuse.org/
Enlightenment - https://www.enlightenment.org/
Fluxbox - http://fluxbox.org/
Mate - https://mate-desktop.org/
GTK - https://www.gtk.org/
Vanilla OS - https://vanillaos.org/
Fedora SilverBlue - https://fedoraproject.org/atomic-desktops/silverblue/
Ubuntu Core - https://ubuntu.com/core
Virtual Box - https://www.virtualbox.org/
Temple OS - https://templeos.org/
Dos Box - https://www.dosbox.com/
Thunderbird - https://www.thunderbird.net/en-US/
Gecko (browser engine) - https://en.wikipedia.org/wiki/Gecko_(software)
Graphene OS - https://grapheneos.org/
UBports - https://ubports.com/en/
Nokia "brick" phone - https://en.wikipedia.org/wiki/Nokia_3310
PineTab 2 - https://wiki.pine64.org/wiki/PineTab2
Pine Note - https://pine64.org/devices/pinenote/
Pulse Audio - https://www.freedesktop.org/wiki/Software/PulseAudio/
In Memory Of 5150 - https://linuxlugcast.com/index.php/category/5150/
HAM Radio - http://www.arrl.org/what-is-ham-radio
ICQ Chat - https://icq.com/desktop/en?#windows
Brothers David and Chris Sinkinson attended Queen's University in Ontario, Canada, when David learned of the problems maintaining the blue emergency phones on campus. He proposed a location-aware mobile safety app, so Chris built it himself, and it worked great. AppArmor grew steadily to become the most popular university mobile safety platform in Canada and the US, and over 250 universities use it. With no outside investors, they bootstrapped the company to US$5 million ARR with serious profits before selling the company to Rave Mobile Security for US$30 million. They stayed on for another year in transition before writing a book and running a podcast called Startup Different.

Quote from Dave Sinkinson, CEO and co-founder of AppArmor
"The biggest advice I give new founders is to 'ignore that startup noise.' Throughout our experience, we had lots of people who I loosely referred to as haters. People who said we're 'just a lifestyle business' or our idea is never going to work. One person literally told my cofounder brother Chris that we weren't even a startup. Just ignore those people. Don't pursue validation from your peers. Instead, pursue validation in the market. A couple of years into the business, that realization was a big change that helped me stay on track. So, my advice for SaaS founders is to ignore the haters and enjoy the journey."

Links
- David Sinkinson on LinkedIn
- Chris Sinkinson on LinkedIn
- AppArmor on LinkedIn
- AppArmor website
- Rave Mobile Security website
- Startup Different podcast and book

Sponsor
This week's podcast is sponsored by Full Scale, one of the fastest-growing software development companies in any region. Full Scale vets, employs, and supports over 300 professional developers, designers, and testers in the Philippines, who can augment and extend your core dev team. Learn more at fullscale.io.
The Practical Founders Podcast Tune into the Practical Founders Podcast for weekly in-depth interviews with founders who have built valuable software companies without big funding. Subscribe to the Practical Founders Podcast using your favorite podcast app. Get the weekly Practical Founders newsletter and podcast updates at practicalfounders.com.
In this week's Built to Sell Radio episode, John Warrillow interviews David Sinkinson, co-founder of AppArmor. David and his brother Chris created a mobile app that allows students to alert campus security by pressing a single button on their phones. Their journey from developing AppArmor to selling their company for $40 million is packed with insight. During the interview, you'll discover how answering a simple question posed by an acquirer almost cost the Sinkinson brothers $20 million. Learn how they navigated this near-disastrous moment and what steps they took to recover and close the deal successfully.
John and Georgia are at the Linux Security Summit presenting on some long awaited developments in AppArmor and we give you all the details in a sneak peek preview as well as some of the other talks to look out for, plus we cover security updates for NSS, Squid, Apache, libvirt and more and we put out a call for testing of a pending AppArmor security fix too.
AppArmor unprivileged user namespace restrictions are back on the agenda this week as we survey the latest improvements to this hardening feature in the upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC container escapes and Qualys' recent disclosure of a privilege escalation exploit for GNU libc and more.
Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries.

Show Notes
- SELinux
- AppArmor
- SSH
- ModSecurity
- Snort
- Nmap
- Nessus
- What comes after open source
We're back after unexpectedly going AWOL last week to bring you the latest in Ubuntu Security including the recently announced Downfall and GameOver(lay) vulnerabilities, plus we look at security updates for OpenSSH and GStreamer **and** we detail plans for using AppArmor to restrict the use of unprivileged user namespaces as an attack vector in future Ubuntu releases.
A few tools to build your own Way Back Machine, we check in with the "Year of Voice" and more.
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen, containerd and more.
If we could change just one mistake in our Linux journey, what would it be?
This week Ubuntu 20.04 LTS was FIPS 140-2 certified plus the AppArmor project made some point releases, and we released security updates for Docker, Perl, c-ares, GPSd and more.
In this episode our two aging heroes discuss the proper temperature to drink beer at (spoiler: it's not 20 degrees as CAMRA would make you believe) and the ins and outs of basic and enhanced security on our beloved operating system. If you ever wanted to know more about Linux Security Modules, AppArmor and SELinux and how dames of negotiable affections relate to these concepts, this show is for you.

Shownotes:
- Campaign for Real Ale: https://camra.org.uk/
- Linux Security Modules: https://en.wikipedia.org/wiki/Linux_Security_Modules
- SELinux: https://selinuxproject.org/page/Main_Page
- SELinux on Android: https://source.android.com/security/selinux
- AppArmor: https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
- RBAC with AppArmor: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorRBAC
- Plan 9: https://9p.io/plan9
- Plan 9 from Outer Space: https://www.imdb.com/title/tt0052077
- Man down: https://www.imdb.com/title/tt2461520/?ref_=fn_tt_tt_2
- The Midnight Gospel: https://www.netflix.com/de-en/title/80987903
Kamil Potrec is a Senior Security Engineer at Snyk, working on security around Kubernetes and cloud platforms. He joins the show to discuss how to think about securing your infrastructure, the different arts (and colors) of offensive and defensive security, and what not to lose sleep over.

Do you have something cool to share? Some questions? Let us know:
web: kubernetespodcast.com
mail: kubernetespodcast@google.com
twitter: @kubernetespod

Chatter of the week
- Episode 23, with Andrew Philips and Lars Wander
- A pile of mail and a bike

News of the week
- Red Hat OpenShift 4.7 is GA
- Fairwinds Insights 3.0
- Envoy zero-day patched
- Istio security bulletin
- Sysdig contributes Falco modules to the CNCF
- StorageOS raises $10m in Series B
- Platform9 raises $12.5m in Series D
- CNCF relaunches Kubernetes Community Day with KCD Africa and Bengaluru

Links from the interview
- Offensive unit in American Football
- Hand-egg
- Red and blue teams
- Unreal Tournament
- Capture the flag
- Kubernetes secrets
- Design document
- Encrypting secrets at the application layer
- Antivirus software
- Tracer-tee
- SolarWinds attack
- Reflections on Trusting Trust by Ken Thompson
- left-pad deleted from NPM
- Snyk Open Source
- The open source parts
- Snyk vulnerability database
- MITRE CVE database
- Kubernetes security at Snyk
- Deploy only trusted containers to GKE
- Application threat modeling
- Kubernetes security best practices, including security context, AppArmor, gVisor etc
- CVE-2020-8554: man-in-the-middle attack using ExternalIP services
- CVE-2020-14386: packet socket vulnerability with user namespaces enabled
- Earlier related work: CVE-2017-7308 and CVE-2016-8655
- Project Zero writeup
- Rewrite it in Rust!
- Kamil Potrec on LinkedIn
This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU, containerd, Linux kernel & more, plus we discuss the 2020 State of the Octoverse Security Report from Github, Launchpad GPG keyserver migration, a new AppArmor release & some open positions on the team.
This week we look at vulnerabilities in MoinMoin, OpenLDAP, Kerberos, Raptor (including a discussion of CVE workflows and the oss-security mailing list) and more, whilst in community news we talk about the upcoming AppArmor webinar, migration of Ubuntu CVE information to ubuntu.com and reverse engineering of malware by the Canonical Sustaining Engineering team.
This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa and more, plus we cover some AppArmor related Ubuntu Security community updates as well.
It's CVE bankruptcy! With a deluge of CVEs to cover from the last 2 weeks, we take a particular look at the ZeroLogon vulnerability in Samba this week, plus Alex covers the AppArmor 3 release and some recent / upcoming webinars hosted by the Ubuntu Security team.
Containers let us accelerate the deployment of our applications more than ever. They are now portable, ready to use, and it is possible to run hundreds, even thousands, of them on a single machine. But there is a flip side: how can we be sure that an application only runs the code it was designed for? How do we spot a malicious shell launched by a third party? The higher the density of containers on a node, the more complex this task may seem to become. Of course, tools to protect us have existed for a long time, such as SELinux, AppArmor or Seccomp. Yet they do not shield us from a badly written or overly permissive rule. So how do we make sure the rule we defined contains no flaw that allows escaping it? The answer seems obvious: by auditing our systems. And Falco is precisely a tool that lets us carry out this task easily. In this episode, my guest is Thomas Labarussias. Thomas is a Site Reliability Engineer at Qonto, but above all he is the maintainer of Falco Sidekick. With him, I discuss Falco and what it brings in terms of security to our applications, but also Sidekick, its use cases, and the reasons that led Thomas to get involved in such a project.

Episode notes
Recordings and reports from the Falco community: https://github.com/falcosecurity/community
New Slimbook models, AppArmor updates, rifles with a Raspberry Pi and much more. News brought this week by your favourite twitcher: Diogo Constantino and his faithful assistant: Tiago Carrondo!
In this episode, Kubicast brings you Hesron Hori (https://www.linkedin.com/in/hesron-hori-59b8a72b/), who is the guy to talk to about Information Security or DevSecOps, whichever you prefer! Hesron leads the Intelligence and Risk Management area at UnderProtection and, in this chat, helps us demystify some of the questions surrounding the subject which, being so feared, are often postponed until a project's unfortunate D-day! With him we cover everything from the general aspect of application security to its specific angle in Kubernetes and containers. To escape worn-out concepts, we steer well clear of security clichés and "onion" definitions of the topic. :D We discuss whether Kubernetes security can already be taken as a given by default. Also, whether we need to worry about the host once the application is isolated in the container. And whether SELinux, AppArmor and the like are still relevant in the current landscape. Hit play to discover this fantastic episode we prepared for you!

RECOMMENDATIONS from the show's participants:
Hesron Hori: Security conferences - H2HC, UseNix and FOSDEM
João Brito: Underwater (Ameaça Profunda) - https://www.imdb.com/title/tt5774060/

For the links mentioned in the podcast, go to: http://gtup.me/kubicast-46

Until the next edition, listener! If you enjoy #Kubicast, share it on your social networks!

Comments, criticism and suggestions: write to us on Twitter @GetupCloud using #Kubicast

Listen to #Kubicast on: Spotify, Overcast, iTunes or RadioPublic.
WISP.org PSA at 35m56s - 37m19s

Agenda:
- Bio/background
- Why are you here (topic discussion)
- What is the Linux Security Summit North America
- https://grsecurity.net/

Questions from the meeting invite:
- This only affects people who want to use a custom kernel, correct? This doesn't affect you if you are running bog-standard Linux (Debian, Gentoo, Ubuntu), right?
- What options do people have in cloud environments?
- Does the use of microservices make grsecurity less worthwhile?
- You mentioned ARM64 processors in your first slide as making significant security functionality strides. With Apple and Microsoft going to ARM-based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?
- https://www.youtube.com/watch?v=F_Kza6fdkSU - YouTube video
- https://grsecurity.net/10_years_of_linux_security.pdf - PDF slides
- https://lwn.net/Articles/569635/ - definition of KASLR
- LTS kernels moved from 2 years to 6 years - why? 6 years is pretty much "FOREVER" in software development. Patches get harder to backport, or worse, could introduce new vulnerabilities.
- Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html
- LTSI: https://ltsi.linuxfoundation.org/
- 4.4 XLTS is available until Feb 2022 - if fixes and all bugs haven't been backported (1,250 security fixes aren't in the latest stable 4.4 kernel)
- What are the "safe" kernels?
- Has anything changed since the presentation you gave earlier in July 2020?
- Syzkaller: let's discuss slide 27 (what are those terms?). "Is it improving code quality, or is it making people lazier and more reliant on a tool to check code?" In the slide 29 audio you mention that you use Syzkaller... why do you use it?
- Exploitation trends: attackers still don't care about whether a vulnerability has a CVE assigned or not.
- Don't many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?
- https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/ - 500K IF the kernel vuln affects major distros (CentOS, Ubuntu)
- https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities
- Why is Zerodium's payout for kernel vulns lower than for application vulns?
- Would it be fair to say that getting root/persistence is all that matters and you don't need to worry about the kernel to do so?
- Many of the new security features are protecting against bad programming practices? So by adding all these things, who are you securing systems against? Bad actors, or devs who employ poor coding measures?
- Why do you think we see lower adoption rates of security
- Problem solving: Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html
- If we have time... Threat models in a kernel: Where do they go in the development lifecycle? If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model? Is there an example somewhere that we can see? What is the format? Methodology?

Q: Do you think static code analysis of the kernel is worthwhile at all?
A: Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.
Q: OK, what about the large amount of false positives the analyzers generate? Do you get around that with your custom plugins? Also, do you use the analyzers included with Clang and GCC v.10 or 3rd-party products?
A: That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week).
Q: My understanding is the public now also has access to the Coverity reports for the kernel?
A: As far as GCC versions, yes, we test with all versions from 4.5 to 10.
Q: What do you think of the proposed XPFO patch? https://lwn.net/Articles/784839/
A: The performance profile is a big problem, and it doesn't address that the same attack can be performed in a different way that it wouldn't handle (that limitation is also mentioned in the original paper). So we haven't invested in it at all with our own work.
Q: How about git SHA-256 security measures?
A: Not my domain of expertise, but sounds like a good idea.
Q: What is the status of KASLR on non-Intel architectures? ARMv7/v8?
A: It exists there as well, and is shipped in Android. It's also recently been added for PowerPC.
Q: What dynamic analysis/testing tools do you use for the kernel?
A: We have a couple of racks of hardware, including some new AMD EPYC2 systems dedicated entirely to testing and syzkaller fuzzing. We have syzkaller in place (along with backports of functionality to improve its functionality/coverage) for all kernels we support, as well as a good mix of physical/VM systems for major distros, and automated build/boot/functionality/regression testing in a number of configs across ARM/ARM64/MIPS/PowerPC/SPARC64/i386/x86_64.
Q: Thanks! Do you write your own configs/definitions for syzkaller?
A: Yes, including some changes to the code to have it detect some of our specific kernel messages (size_overflow, refcount, RAP, etc.).
Q: What do you think about LKRG? Also, does grsec provide any similar runtime protection/detection/security?
A: I think it's a good alternative to some other commercial security products, but it's not what our goal is with grsecurity. I like the author of LKRG, but heuristic-based security is always problematic as you can't perform the checks everywhere they need to be performed, or as often as they need to be performed. When an attacker knows the checks performed (or has a general idea), then it's easy to devise an attack that would bypass it, knowing how computationally complex it would be to detect. So in grsecurity we focus on providing real defense vs just having a chance to detect something after the fact.
Q: Do you plan on implementing RAP on the PowerPC architecture?
A: We haven't seen any commercial interest in it, but RAP is technically architecture-independent. We've done some demos for non-x86 architectures, and also just recently (within the past month or so) released a version for i386.
Q: For how long is grsecurity planning to support 5.4 LTS, and LTS generally? What do you think is a good rule of thumb?
A: We've always generally supported them for 3 years, regardless of upstream's support periods. We have an independent process for performing backports that involves looking at all the upstream commits and other sources of information, regardless of any stable/Fixes tags (basically a manual version of AUTOSEL).
Q: What is your opinion of the recently proposed Function-Granular KASLR series?
A: Not a fan of *KASLR in the kernel in general. It tries to deal with a problem (poorly) that there already exists a much better solution for: CFI.
Q: Could you comment on how well (relative to your detailed x86 knowledge) ARM and PPC security fixes are backported?
A: We have many years of reverse engineering experience (15+ on my end) across multiple architectures. We were the first to develop software-based PXN/PAN for ARM, for instance. We've also developed functionality specifically for non-x86 architectures. Within the past 2 years or so, we added POWER9 support for REFCOUNT, and have the physical hardware on site (in addition to qemu-based testing) to perform the work. But yes, our backports cover all architectures we support.
Q: What is your opinion on the use of BPF for security purposes, i.e. security monitoring and newer approaches like KRSI?
A: Enabling something like BPF solely for the use of security seems like it could backfire, given how invasive it is. As long as it's not controllable by an unprivileged user, I think it's fine. Anything that avoids the hassle of having to upstream something in order to implement some new kind of security check is a good idea. They'll still be limited by the LSM interface itself, so that would be the next barrier to go. With BTF, there's a lot of possibility there.
Q: Regarding exploiting containers: isn't the issue with containers that they have very poor defaults and that people don't use the features they could? For example: mounting sysfs or procfs into a container, or not adjusting seccomp/apparmor (or better(?) selinux) policies?
A: That's a problem, but the crucial problem is the shared kernel among all containers. If you look at past exploits, they've been in things like futex, mremap, waitid, brk, etc., all syscalls that would be allowed in nearly all of the most strict seccomp policies. The granularity of current seccomp policies is really not that great, and any sufficiently complex code will necessarily have exposure to a large part of the kernel attack surface.
Q: What do you think about the CIP Project's focus on CVE tracking (especially for the kernel)?
A: It's a good initiative, but the main problem with the kernel is that most vulnerabilities in the kernel don't get a CVE in the first place. I know for certain that many of the security issues we've tweeted haven't had a CVE assigned. The ones that do are when a distro with the vuln present in their kernel spots it and requests one. Most vulnerabilities in recent kernels especially don't get CVEs requested, because distros aren't shipping them.
Q: What's your opinion on SMACK? Any other reference implementation except Tizen?
A: Haven't used it myself, so no opinion one way or another, sorry. Doesn't seem bad at least in terms of the number of security fixes backported to it compared to other access control LSMs.
Q: If you disable as many CONFIG_* options in your kernel config as possible, have you actually reduced your attack surface, or is most of the vulnerable code not in modules?
A: Yes, this is a good approach, particularly for upstream kernels. I would definitely recommend compiling your own kernel instead of using default distro configs (from a security perspective). Under grsecurity, we have a feature that makes it actually a good idea to put as much functionality in modules as possible, as they can't be auto-loaded by unprivileged users. So the functionality is there if it's needed across a fleet of systems, without the downsides.
Q: TARA analysis performed in the Linux kernel?
A: I'm not familiar with this, sorry!
Q: Is the poor state of LTS and XLTS security backports found in PPC and ARM as well as (presumably) what you report for x86?
A: It's somewhat of an across-the-board problem.
Q: Actually, I hoped that you would tell us about new cool features that appeared in grsecurity. Can you share anything about your new kernel heap hardening?
A: It's called AUTOSLAB, and it's useful both for security (particularly against AEG and UAFs), but also for debugging. Minimal performance impact: we've had one person mention their system feels faster now, and we actually had a bug in one of our routine benchmarks where the feature got enabled in the "minimal" config, yet still reported better benchmark results in all tests than an upstream kernel. So a really nice performance profile, with some additional memory wastage in the MEMCG case, but nothing terrible. Also non-invasive, as it's done through a GCC plugin.
Q: Thanks for your talk, Brad! What would make you work for upstream?
A: We offered that already years ago, and none of the companies involved seemed to be interested. So we're funded directly now by people that benefit from our work.

Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel!
In this episode, we cover the following topics:

Operating-system-level virtualization = containers
- Allows the resources of a computer to be partitioned via the kernel
- All containers share a single kernel with each other AND the host system
- Depend on their host OS to do all the communication and interaction with the physical machine
- Containers don't need a hypervisor; they run directly within the host machine's kernel
- Containers use the underlying operating system resources and drivers
- This is why you cannot run different OSes on the same host system, i.e. Windows containers can run on Windows only, and Linux containers can run on Linux only
- What we think of as different OSes (RHEL, CentOS, SUSE, Debian, Ubuntu) are not really different... They are all the same core OS (Linux); they just differ in apps/files
- Based on the virtualization, isolation, and resource management mechanisms provided by the Linux kernel: namespaces, cgroups

Container history

FreeBSD Jails (2000)
- BSD userland software that runs on top of the chroot(2) system call
- chroot is used to change the root directory of a set of processes; processes created in the chrooted environment cannot access files or resources outside of it
- Jails virtualize access to the file system, the set of users, and the networking subsystem
- A jail is characterized by four elements:
  - Directory subtree: the starting point from which a jail is entered. Once inside the jail, a process is not permitted to escape outside of this subtree
  - Hostname
  - IP address
  - Command: the path name of an executable to run inside the jail
- Configured via the jail.conf file

LXC containers (2008)
- Userspace interface for the Linux kernel features to contain processes, including:
  - Kernel namespaces (ipc, uts, mount, pid, network and user)
  - AppArmor and SELinux profiles
  - Seccomp policies
  - Chroots (using pivot_root)
  - Kernel capabilities
  - CGroups (control groups)

Docker containers (2014)
- Early versions of Docker used LXC as the container runtime
- LXC was made optional in v0.9 (March 2014), replaced by libcontainer
- libcontainer became the core of runC
- LXC was dropped in v1.10 (February 2016)

Container technology
Containers are just processes. So what makes them special?

Namespaces
- Restrict what you can SEE
- Virtualize system resources, like the file system or networking
- Make it appear to processes within the namespace that they have their own isolated instance of the resource
- Changes to the global resource are only visible to processes that are members of the namespace
- Processes inherit from their parent
- Linux provides the following namespaces:
  - IPC (interprocess communications), CLONE_NEWIPC: isolates System V IPC, POSIX message queues
  - Network, CLONE_NEWNET: isolates network devices, stacks, ports, etc.
  - Mount, CLONE_NEWNS: isolates mount points
  - PID, CLONE_NEWPID: isolates process IDs
  - User, CLONE_NEWUSER: isolates user and group IDs
  - UTS (Unix Timesharing System), CLONE_NEWUTS: isolates hostname and NIS domain name
  - Cgroup, CLONE_NEWCGROUP: isolates the cgroup root directory
- Syscall interface: a system call is the fundamental interface between an app and the Linux kernel, i.e. Linux kernel calls to create/enter namespaces for processes

Control groups (cgroups)
- Restrict what you can DO
- Limit an application (container) to a specific set of resources like CPU and memory
- Allow containers to share available hardware resources and optionally enforce limits and constraints
- Creating, modifying and using cgroups is done through the cgroup virtual filesystem
- Processes inherit from their parent; can be reassigned to different cgroups
- Resource types: Memory, CPU / CPU cores, Devices, I/O, Processes

Using cgroups
- To see mounted cgroups: mount | grep cgroup
- To create a new cgroup: mkdir /sys/fs/cgroup/cpu/chris
- To set "cpu.shares" to 512: echo 512 > /sys/fs/cgroup/cpu/chris/cpu.shares
- Now add a process to this cgroup: echo <PID> > /sys/fs/cgroup/cpu/chris/cgroup.procs

Pseudo code: Creating a container
Steps:
1. Create a root filesystem for the container: spin up busybox in a Docker container, and then export the filesystem
2. Run a "launcher" process that sets up the "child" namespace
3. The launcher process forks a new child process (now under new namespaces)
4. The child process then forks a new process for the container
5. chroot (to our root filesystem)
6. mount any other FS
7. set cgroups (e.g. apply CPU constraints)

Links
- FreeBSD Jails
- Linux Container Project - LXC, LXD, LXCFS
- namespaces - overview of Linux namespaces
- cgroups kernel documentation
- What Have Namespaces Done For You Lately? - YouTube video

End Song: Bettie Black & Sophia - Something Beautiful

For a full transcription of this episode, please visit the episode webpage. We'd love to hear from you! You can reach us at: Web: https://mobycast.fm Voicemail: 844-818-0993 Email: ask@mobycast.fm Twitter: https://twitter.com/hashtag/mobycast
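The launcher, child and cgroup steps listed above, written out as a minimal container launcher in C (an added example, not code from the Mobycast episode). It assumes a Linux host with root privileges, a cgroup v1 cpu controller mounted at /sys/fs/cgroup/cpu (the layout the show notes use), and a root filesystem directory such as the exported busybox one that contains a /proc directory; the group name chris and the 512 shares come from the notes, while the helper names ns_flags_from_list and cgroup_file are chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define FAIL(msg) do { perror(msg); return 1; } while (0)

/* The namespaces listed in the notes, each mapped to the clone(2) flag that creates it. */
static const struct { const char *name; int flag; } ns_table[] = {
    { "ipc", CLONE_NEWIPC }, { "net", CLONE_NEWNET }, { "mnt", CLONE_NEWNS },
    { "pid", CLONE_NEWPID }, { "user", CLONE_NEWUSER }, { "uts", CLONE_NEWUTS },
};

/* Turn "pid,mnt,uts" into a clone() flag mask; -1 if any name is unknown. */
int ns_flags_from_list(const char *list)
{
    char buf[128];
    int flags = 0;
    snprintf(buf, sizeof buf, "%s", list);          /* strtok needs a writable copy */
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof ns_table / sizeof ns_table[0];
        for (i = 0; i < n && strcmp(tok, ns_table[i].name) != 0; i++)
            ;
        if (i == n)
            return -1;
        flags |= ns_table[i].flag;
    }
    return flags;
}

/* Build /sys/fs/cgroup/<controller>/<group>/<file> (the cgroup v1 layout the notes use). */
int cgroup_file(char *out, size_t n, const char *ctrl, const char *group, const char *file)
{
    int len = snprintf(out, n, "/sys/fs/cgroup/%s/%s/%s", ctrl, group, file);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Equivalent of the notes' `echo <value> > <cgroup file>` for the cpu controller. */
static int write_cgroup_file(const char *group, const char *file, long value)
{
    char path[256], text[32];
    int fd, ok;
    if (cgroup_file(path, sizeof path, "cpu", group, file) < 0 || (fd = open(path, O_WRONLY)) < 0)
        return -1;
    snprintf(text, sizeof text, "%ld", value);
    ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Step "set cgroups": mkdir the cpu group, set cpu.shares, then move pid into it. */
static int apply_cpu_cgroup(const char *group, int shares, pid_t pid)
{
    char dir[256];
    if (cgroup_file(dir, sizeof dir, "cpu", group, "") < 0 || (mkdir(dir, 0755) < 0 && errno != EEXIST))
        return -1;
    if (write_cgroup_file(group, "cpu.shares", shares) < 0)
        return -1;
    return write_cgroup_file(group, "cgroup.procs", pid);
}

struct child_cfg { const char *rootfs; char *const *argv; };
static char child_stack[1024 * 1024];               /* clone() needs a stack for the child */

/* Runs as PID 1 of the new pid namespace: chroot into the rootfs, mount /proc, exec. */
static int child_main(void *arg)
{
    struct child_cfg *c = arg;
    /* Make mounts private so nothing we mount leaks back into the host's mount table. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) FAIL("mount private");
    if (chroot(c->rootfs) < 0 || chdir("/") < 0) FAIL("chroot");
    /* A fresh /proc, so ps inside the container only sees this pid namespace. */
    if (mount("proc", "/proc", "proc", 0, NULL) < 0) FAIL("mount /proc");
    execv(c->argv[0], c->argv);
    perror("execv");
    return 1;
}

/* The "launcher": clone() drops the child straight into new namespaces (so the extra
 * fork of step 4 is not needed), then the parent constrains it from the host side.
 * Caller (as root): run_container("./rootfs", 512, argv) with argv = {"/bin/sh", NULL}. */
int run_container(const char *rootfs, int cpu_shares, char *const argv[])
{
    struct child_cfg cfg = { rootfs, argv };
    int status, flags = ns_flags_from_list("pid,mnt,uts,ipc,net");
    /* The stack grows downward, so clone() gets the top of the buffer. */
    pid_t pid = clone(child_main, child_stack + sizeof child_stack, flags | SIGCHLD, &cfg);
    if (pid < 0) { perror("clone"); return -1; }
    if (apply_cpu_cgroup("chris", cpu_shares, pid) < 0)
        perror("cgroup setup (continuing without it)");
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Link a short main() that calls run_container as described in the comment; inside the container, ps shows the shell as PID 1 because the child was cloned with CLONE_NEWPID.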
Without a doubt, the release of the new Raspberry Pi 4 has managed to eclipse every other piece of news. However, on July 6, 2019, version 10 of Debian, codenamed Buster, was released, and with it came a new version of Raspbian, Raspbian Buster. That said, Raspbian Buster came out slightly ahead of Debian, that is, it was released in beta. The reason for this is that the OpenGL video driver is used by default on the new Raspberry Pi 4. This isn't a big deal either, considering that Buster had been frozen for a couple of months, during which only small changes were made.

Migrating your Raspberry to Raspbian Buster

What's new in Buster

In the words of the Raspbian maintainers themselves, there are no big differences between Debian Stretch and Debian Buster. Most of the differences are aimed at providing greater security. The rest are small differences that most of us users will not be able to notice.
- A new version of the Linux kernel, specifically 4.19
- In earlier versions of Raspbian, versions 7 and 8 of Oracle's Java were used. In this new version it is updated to version 11, but of OpenJDK.
- AppArmor is enabled by default.
- nftables replaces the traditional iptables. Although I always work at the UFW level for convenience. Maybe it's
- Support for a large number of ARM64 processors
- Python 2 support ends in January 2020, which means
- Bash 5.0
- Secure boot

One of the big changes applied to Raspbian Buster is the graphical interface. A flatter design has been sought, which is undoubtedly the current trend. Thus some changes have been introduced, such as: the curvature of the corners has been reduced; likewise the shading used to give a 3D feel has been reduced; a cleaner, more modern design has been achieved. Small changes have been made to the taskbar. So, for example, the icon for ejecting a USB drive only appears when there is a device to eject; otherwise it remains hidden. The same applies to Bluetooth, so if you don't have any device using Bluetooth, it isn't shown. Another change is the CPU activity icon: given the increased power of this processor, it was considered unnecessary to show it, although if you want it, you can display it. The move to a new version represents a big effort for the Raspbian developers, in the sense that they have to apply all the patches they applied to the previous Debian version to the new one. This has been further complicated by the appearance of new hardware, namely the Raspberry Pi 4. More information in the podcast notes on migrating your Raspberry to Raspbian Buster.
In this episode I answer a question about how to start a Swarm service container in privileged mode.
This week we look at the latest security updates for the Linux kernel, Firefox, ImageMagick, OpenStack and more, plus we have a special guest, the maintainer and lead developer of the AppArmor project, John Johansen, to talk about the project and some of the upcoming features.
The hype around a new security flaw hits new levels. Fedora has a bunch of news, and we discover what's new in the latest Plasma release. Plus we fall down the openSUSE rabbit hole when Ell updates us on her desktop challenge. Special Guests: Alan Pope, Brent Gervais, Daniel Fore, Ell Marquez, Martin Wimpress, and Neal Gompa.
In their second episode, Serge and Chris return from Thanksgiving thinking about malware in Free Software, specifically the NPM bitcoin attack found in event-stream.

Show links:
- Software Freedom Conservancy (conservancy)
- Backdoor in event-stream library dependency (hacker news)
- The event-stream bug report (github)
- Statement about the event-stream vulnerability (bitpay)
- npm's statement on the event-stream incident
- Bug Report on ESLint (github)
- Malware in Linux kernel (lwn)
- Don't Download Software from Sourceforge (howtogeek.com)
- Let's Package jQuery: A Javascript Packaging Dystopian Novella (dustycloud.org)
- Reflections on Trusting Trust - aka the "Thompson attack" mentioned in the episode, a way of embedding malicious code in a compiler that embeds it into the next compiled version of the compiler
- Zooko's Tweet (twitter)
- Linus's Law (wikipedia)
- Ka-Ping Yee's dissertation (zesty.ca)
- Securing EcmaScript, presentation to Node Security (youtube)
- Mandatory Access Control (wikipedia)
- SE Linux Project (github)
- AppArmor (ubuntu)
- Docker For Development (medium)
- The Qubes Operating System (qubes)
- Android Application Sandboxing
- Chris's talk at Northeastern on December 5th - Chris gave the wrong date in the episode, it's on Wednesday... oops!

Chris mentioned that they changed their org-mode configuration inspired by the chat from our first episode to incorporate a priorities-based workflow. Maybe you want to look at Chris's updated org-mode configuration! It looks like so:

;; (c) 2018 by Christopher Lemmer Webber
;; Under GPLv3 or later as published by the FSF

;; We want the lowest and "default" priority to be D. That way
;; when we calculate the agenda, any task that isn't specifically
;; marked with a priority or SCHEDULED/DEADLINE won't show up.
(setq org-default-priority ?D)
(setq org-lowest-priority ?D)

;; Custom agenda dispatch commands which allow you to look at
;; priorities while still being able to see when deadlines, appointments
;; are coming up. Very often you'll just be looking at the A or B tasks,
;; and when you clear off enough of those or have some time you might
;; look also at the C tasks
;;
;; Hit "C-c a" then one of the following key sequences...
;; - a for the A priority items, plus the agenda below it
;; - b for A-B priority items, plus the agenda below it
;; - c for A-C priority items, plus the agenda below it
;; - A for just the agenda
;; - t for just the A-C priority TODOs
(setq org-agenda-custom-commands
      '(("a" "Agenda plus A items"
         ((tags-todo "+PRIORITY=\"A\""
                     ((org-agenda-sorting-strategy '(priority-down))))
          (agenda "")))
        ("b" "Agenda plus A+B items"
         ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\""
                     ((org-agenda-sorting-strategy '(priority-down))))
          (agenda "")))
        ("c" "Agenda plus A+B+C items"
         ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\"|+PRIORITY=\"C\""
                     ((org-agenda-sorting-strategy '(priority-down))))
          (agenda "")))
        ("A" "Agenda" ((agenda "")))
        ("t" "Just TODO items"
         ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\"|+PRIORITY=\"C\""
                     ((org-agenda-sorting-strategy '(priority-down))))))))
Byproducts of reading OpenBSD’s netcat code, learnings from porting your own projects to FreeBSD, OpenBSD’s unveil(), NetBSD’s Virtual Machine Monitor, what 'dependency' means in Unix init systems, jailing bhyve, and more. ##Headlines ###The byproducts of reading OpenBSD netcat code When I took part in a training last year, I heard about netcat for the first time. During that class, the tutor showed some hacks and tricks of using netcat which appealed to me and motivated me to learn the guts of it. Fortunately, in the past 2 months, I was not so busy that I can spend my spare time to dive into OpenBSD‘s netcat source code, and got abundant byproducts during this process. (1) Brush up socket programming. I wrote my first network application more than 10 years ago, and always think the socket APIs are marvelous. Just ~10 functions (socket, bind, listen, accept…) with some IO multiplexing buddies (select, poll, epoll…) connect the whole world, wonderful! From that time, I developed a habit that is when touching a new programming language, network programming is an essential exercise. Even though I don’t write socket related code now, reading netcat socket code indeed refresh my knowledge and teach me new stuff. (2) Write a tutorial about netcat. I am mediocre programmer and will forget things when I don’t use it for a long time. So I just take notes of what I think is useful. IMHO, this “tutorial” doesn’t really mean teach others something, but just a journal which I can refer when I need in the future. (3) Submit patches to netcat. During reading code, I also found bugs and some enhancements. Though trivial contributions to OpenBSD, I am still happy and enjoy it. (4) Implement a C++ encapsulation of libtls. 
OpenBSD's netcat supports tls/ssl connections, but it needs you to take full care of resource management (memory, sockets, etc.); otherwise a small mistake can lead to a resource leak, which is fatal for long-lived applications (in fact, the two bugs I reported to OpenBSD are both related to resource leaks). Therefore I developed a simple C++ library which wraps libtls, and I hope it can free developers from this troublesome problem so they can put more energy into the application logic. Long story short, reading classical source code is a rewarding process, and you can consider trying it yourself.

### What I learned from porting my projects to FreeBSD

Introduction

I set up a local FreeBSD VirtualBox VM to test something, and it seems to work very well. Due to the novelty factor, I decided to get my software projects to build and pass the tests there.

The Projects

- https://github.com/shlomif/shlomif-computer-settings/ (my dotfiles).
- https://web-cpan.shlomifish.org/latemp/
- https://fc-solve.shlomifish.org/
- https://www.shlomifish.org/open-source/projects/black-hole-solitaire-solver/
- https://better-scm.shlomifish.org/source/
- http://perl-begin.org/source/
- https://www.shlomifish.org/meta/site-source/

Written using a mix of C, Perl 5, Python, Ruby, GNU Bash, XML, CMake, XSLT, XHTML5, XHTML1.1, Website META Language, JavaScript and more. They work fine on several Linux distributions and have https://en.wikipedia.org/wiki/TravisCI using Ubuntu 14.04 hosts. Some pass builds and tests on AppVeyor/Win64.

What I Learned:

- FreeBSD on VBox has become very reliable
- Some executables on FreeBSD are in /usr/local/bin instead of /usr/bin
- make on FreeBSD is not GNU make
- m4 on FreeBSD is not compatible with GNU m4
- Some CPAN Modules fail to install using local-lib there
- DocBook/XSL Does Not Live Under /usr/share/sgml
- FreeBSD's grep does not have a "-P" flag by default
- FreeBSD has no "nproc" command

Conclusion:

"It is easier to port a shell than a shell script." — Larry Wall

I ran into some cases where my scriptology was lacking and suboptimal, even for my own personal use, and fixed them.

## News Roundup

### OpenBSD's unveil()

One of the key aspects of hardening the user-space side of an operating system is to provide mechanisms for restricting which parts of the filesystem hierarchy a given process can access. Linux has a number of mechanisms of varying capability and complexity for this purpose, but other kernels have taken a different approach. Over the last few months, OpenBSD has inaugurated a new system call named unveil() for this type of hardening that differs significantly from the mechanisms found in Linux.

The value of restricting access to the filesystem, from a security point of view, is fairly obvious. A compromised process cannot exfiltrate data that it cannot read, and it cannot corrupt files that it cannot write. Preventing unwanted access is, of course, the purpose of the permissions bits attached to every file, but permissions fall short in an important way: just because a particular user has access to a given file does not necessarily imply that every program run by that user should also have access to that file. There is no reason why your PDF viewer should be able to read your SSH keys, for example. Relying on just the permission bits makes it easy for a compromised process to access files that have nothing to do with that process's actual job.

In a Linux system, there are many ways of trying to restrict that access; that is one of the purposes behind the Linux security module (LSM) architecture, for example. The SELinux LSM uses a complex matrix of labels and roles to make access-control decisions. The AppArmor LSM, instead, uses a relatively simple table of permissible pathnames associated with each application; that approach was highly controversial when AppArmor was first merged, and is still looked down upon by some security developers.
Mount namespaces can be used to create a special view of the filesystem hierarchy for a set of processes, rendering much of that hierarchy invisible and, thus, inaccessible. The seccomp mechanism can be used to make decisions on attempts by a process to access files, but that approach is complex and error-prone. Yet another approach can be seen in the Qubes OS distribution, which runs applications in virtual machines to strictly control what they can access.

Compared to many of the options found in Linux, unveil() is an exercise in simplicity. This system call, introduced in July, has this prototype:

int unveil(const char *path, const char *permissions);

A process that has never called unveil() has full access to the filesystem hierarchy, modulo the usual file permissions and any restrictions that may have been applied by calling pledge(). Calling unveil() for the first time will "drop a veil" across the entire filesystem, rendering the whole thing invisible to the process, with one exception: the file or directory hierarchy starting at path will be accessible with the given permissions. The permissions string can contain any of "r" for read access, "w" for write, "x" for execute, and "c" for the ability to create or remove the path.

Subsequent calls to unveil() will make other parts of the filesystem hierarchy accessible; the unveil() system call itself still has access to the entire hierarchy, so there is no problem with unveiling distinct subtrees that are, until the call is made, invisible to the process. If one unveil() call applies to a subtree of a hierarchy unveiled by another call, the permissions associated with the more specific call apply. Calling unveil() with both arguments as null will block any further calls, setting the current view of the filesystem in stone. Calls to unveil() can also be blocked using pledge().
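The rules just described (the first call hides everything, each call exposes one subtree with its own permission letters, the most specific match wins, and a final null/null call locks the view) are compact enough to model in a few dozen lines. The following is an added illustration written for this page; it is not OpenBSD code and does not invoke the real system call. It keeps the unveiled paths in a small in-process table and answers access queries against that table, so it shows the visibility semantics only: the real kernel additionally applies ordinary file permissions and the pledge() interactions mentioned in the text, which this model ignores. The names model_unveil and model_access, and the sample paths in main, are invented for the example.

```c
/* Model of OpenBSD's unveil() visibility rules, written for this page as an
 * illustration; it is not OpenBSD code and does not call the real syscall.
 * Names (model_unveil, model_access) and sample paths are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_VEILS 16

struct veil {
    const char *path;   /* root of an unveiled subtree */
    const char *perms;  /* any of "r", "w", "x", "c" */
};

struct veil_state {
    struct veil veils[MAX_VEILS];
    int n;
    bool active;  /* the first call drops the veil over everything else */
    bool locked;  /* unveil(NULL, NULL): no further changes accepted */
};

/* Mirrors int unveil(const char *path, const char *permissions):
 * returns 0 on success, -1 when the view is locked or the table is full. */
int model_unveil(struct veil_state *st, const char *path, const char *perms)
{
    if (st->locked)
        return -1;
    st->active = true;
    if (path == NULL && perms == NULL) {   /* set the view in stone */
        st->locked = true;
        return 0;
    }
    if (path == NULL || perms == NULL || st->n >= MAX_VEILS)
        return -1;
    st->veils[st->n].path = path;
    st->veils[st->n].perms = perms;
    st->n++;
    return 0;
}

/* True when path equals prefix or lies beneath it at a directory boundary,
 * so "/etc" covers "/etc/ssl" but not "/etcetera". */
static bool under(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0)
        return false;
    if (path[n] == '\0')
        return true;
    if (n > 0 && prefix[n - 1] == '/')  /* prefix "/" covers everything */
        return true;
    return path[n] == '/';
}

/* Is access `want` ('r', 'w', 'x' or 'c') to `path` permitted?  The most
 * specific (longest) unveiled prefix decides; a later call on the same path
 * replaces an earlier one; anything never unveiled is invisible. */
bool model_access(const struct veil_state *st, const char *path, char want)
{
    if (!st->active)            /* never called unveil(): full access */
        return true;
    const struct veil *best = NULL;
    size_t best_len = 0;
    for (int i = 0; i < st->n; i++) {
        if (!under(st->veils[i].path, path))
            continue;
        size_t len = strlen(st->veils[i].path);
        if (best == NULL || len >= best_len) {
            best = &st->veils[i];
            best_len = len;
        }
    }
    if (best == NULL)
        return false;
    return strchr(best->perms, want) != NULL;
}

int main(void)
{
    struct veil_state st = {0};
    /* Constructed scenario: a web server that needs its document root
     * read/write/create, its CGI directory read/execute only, and the
     * CA bundle read-only.  Everything else (SSH keys included) vanishes. */
    model_unveil(&st, "/etc/ssl", "r");
    model_unveil(&st, "/var/www", "rwc");
    model_unveil(&st, "/var/www/cgi-bin", "rx");
    model_unveil(&st, NULL, NULL);   /* lock: the view can no longer widen */

    const char *probes[] = { "/home/user/.ssh/id_ed25519", "/etc/ssl/cert.pem",
                             "/var/www/index.html", "/var/www/cgi-bin/app" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s r=%d w=%d x=%d\n", probes[i],
               model_access(&st, probes[i], 'r'),
               model_access(&st, probes[i], 'w'),
               model_access(&st, probes[i], 'x'));
    return 0;
}
```

The ordering in main is the point of the exercise: the application declares exactly the paths it needs, then locks, so that a later compromise cannot call model_unveil again to expose the rest of the tree.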
Either way, once the view of the filesystem has been set up appropriately, it is possible to lock it so that the process cannot expand its access in the future should it be taken over and turn hostile.

unveil() thus looks a bit like AppArmor, in that it is a path-based mechanism for restricting access to files. In either case, one must first study the program in question to gain a solid understanding of which files it needs to access before closing things down, or the program is likely to break. One significant difference (beyond the other sorts of behavior that AppArmor can control) is that AppArmor's permissions are stored in an external policy file, while unveil() calls are made by the application itself. That approach keeps the access rules tightly tied to the application and easy for the developers to modify, but it also makes it harder for system administrators to change them without having to rebuild the application from source.

One can certainly aim a number of criticisms at unveil() — all of the complaints that have been leveled at path-based access control and more. But the simplicity of unveil() brings a certain kind of utility, as can be seen in the large number of OpenBSD applications that are being modified to use it. OpenBSD is gaining a base level of protection against unintended program behavior; while it is arguably possible to protect a Linux system to a much greater extent, the complexity of the mechanisms involved keeps that from happening in a lot of real-world deployments. There is a certain kind of virtue to simplicity in security mechanisms.

### NetBSD Virtual Machine Monitor (NVMM)

The NVMM driver provides hardware-accelerated virtualization support on NetBSD. It is made of an ~MI frontend, to which MD backends can be plugged. A virtualization API is provided in libnvmm that allows one to easily create and manage virtual machines via NVMM.
Two additional components are shipped as demonstrators, toyvirt and smallkern: the former is a toy virtualizer that executes in a VM the 64-bit ELF binary given as argument; the latter is an example of such a binary.

Download

The source code of NVMM, plus the associated tools, can be downloaded here.

Technical details

NVMM can support up to 128 virtual machines, each having a maximum of 256 VCPUs and 4GB of RAM. Each virtual machine is granted access to most of the CPU registers: the GPRs (obviously), the Segment Registers, the Control Registers, the Debug Registers, the FPU (x87 and SSE), and several MSRs.

Events can be injected in the virtual machines, to emulate device interrupts. A delay mechanism is used, and allows VMM software to schedule the interrupt right when the VCPU can receive it. NMIs can be injected as well, and use a similar mechanism.

The host must always be x86_64, but the guest has no constraint on the mode, so it can be x86_32, PAE, real mode, and so on.

The TSC of each VCPU is always re-based on the host CPU it is executing on, and is therefore guaranteed to increase regardless of the host CPU. However, it may not increase monotonically, because it is not possible to fully hide the host effects on the guest during #VMEXITs.

When there are more VCPUs than the host TLB can deal with, NVMM uses a shared ASID, and flushes the shared-ASID VCPUs on each VM switch.

The different intercepts are configured in such a way that they cover everything that needs to be emulated. In particular, the LAPIC can be emulated by VMM software, by intercepting reads/writes to the LAPIC page in memory, and monitoring changes to CR8 in the exit state.
### What 'dependency' means in Unix init systems is underspecified (utoronto.ca)

I was reading Davin McCall's On the vagaries of init systems (via) when I ran across the following, about the relationship between various daemons (services, etc):

"I do not see any compelling reason for having ordering relationships without actual dependency, as both Nosh and Systemd provide for. In comparison, Dinit's dependencies also imply an ordering, which obviates the need to list a dependency twice in the service description."

Well, this may be an easy one but it depends on what an init system means by 'dependency'. Let's consider syslog and the SSH daemon. I want the syslog daemon to be started before the SSH daemon is started, so that the SSH daemon can log things to it from the beginning. However, I very much do not want the SSH daemon to not be started (or to be shut down) if the syslog daemon fails to start or later fails. If syslog fails, I still want the SSH daemon to be there so that I can perhaps SSH in to the machine and fix the problem. This is generally true of almost all daemons; I want them to start after syslog, so that they can syslog things, but I almost never want them to not be running if syslog failed. (And if for some reason syslog is not configured to start, I want enabling and starting, say, SSH, to also enable and start the syslog daemon.)

In general, there are three different relationships between services that I tend to encounter:

- a hard requirement, where service B is useless or dangerous without service A. For instance, many NFS v2 and NFS v3 daemons basically don't function without the RPC portmapper alive and active. On any number of systems, firewall rules being in place are a hard requirement to start most network services; you would rather your network services not start at all than that they start without your defenses in place.
- a want, where service B wants service A to be running before B starts up, and service A should be started even if it wouldn't otherwise be, but the failure of A still leaves B functional. Many daemons want the syslog daemon to be started before they start but will run without it, and often you want them to do so so that at least some of the system works even if there is, say, a corrupt syslog configuration file that causes the daemon to error out on start. (But some environments want to hard-fail if they can't collect security-related logging information, so they might make rsyslogd a requirement instead of a want.)
- an ordering, where if service A is going to be started, B wants to start after it (or before it), but B isn't otherwise calling for A to be started. We have some of these in our systems, where we need NFS mounts done before cron starts and runs people's @reboot jobs but neither cron nor NFS mounts exactly or explicitly want each other. (The system as a whole wants both, but that's a different thing.)

Given these different relationships and the implications for what the init system should do in different situations, talking about 'dependency' in init systems is kind of underspecified. What sort of dependency? What happens if one service doesn't start or fails later?

My impression is that generally people pick a want relationship as the default meaning for init system 'dependency'. Usually this is fine; most services aren't actively dangerous if one of their declared dependencies fails to start, and it's generally harmless on any particular system to force a want instead of an ordering relationship because you're going to be starting everything anyway. (In my example, you might as well say that cron on the systems in question wants NFS mounts. There is no difference in practice; we already always want to do NFS mounts and start cron.)
### Jailing The bhyve Hypervisor

As FreeBSD nears the final 12.0-RELEASE release engineering cycles, I'd like to take a moment to document a cool new feature coming in 12: jailed bhyve. You may notice that I use HardenedBSD instead of FreeBSD in this article. There is no functional difference in bhyve on HardenedBSD versus bhyve on FreeBSD. The only difference between HardenedBSD and FreeBSD is the additional security offered by HardenedBSD. The steps I outline here work for both FreeBSD and HardenedBSD. These are the bare minimum steps, no extra work needed for either FreeBSD or HardenedBSD.

A Gentle History Lesson

At work in my spare time, I'm helping develop a malware lab. Due to the nature of the beast, we would like to use bhyve on HardenedBSD. Starting with HardenedBSD 12, non-Cross-DSO CFI, SafeStack, Capsicum, ASLR, and strict W^X are all applied to bhyve, making it an extremely hardened hypervisor. So, the work to support jailed bhyve is sponsored by both HardenedBSD and my employer. We've also jointly worked on other bhyve hardening features, like protecting the VM's address space using guard pages (mmap(…, MAP_GUARD, …)). Further work is being done in a project called "malhyve." Only those modifications to bhyve/malhyve that make sense to upstream will be upstreamed.

Initial Setup

We will not go through the process of creating the jail's filesystem. That process is documented in the FreeBSD Handbook. For UEFI guests, you will need to install the uefi-edk2-bhyve package inside the jail. I network these jails with traditional jail networking. I have tested vnet jails with this setup, and that works fine, too. However, there is no real need to hook the jail up to any network so long as bhyve can access the tap device. In some cases, the VM might not need networking, in which case you can use a network-less VM in a network-less jail. By default, access to the kernel side of bhyve is disabled within jails.
We need to set allow.vmm in our jail.conf entry for the bhyve jail. We will use the following in our jail, so we will need to set up devfs(8) rules for them:

- A ZFS volume
- A null-modem device (nmdm(4))
- UEFI GOP (no devfs rule, but IP assigned to the jail)
- A tap device

Conclusion

The bhyve hypervisor works great within a jail. When combined with HardenedBSD, bhyve is extremely hardened:

- PaX ASLR is fully applied due to compilation as a Position-Independent Executable (HardenedBSD enhancement)
- PaX NOEXEC is fully applied (strict W^X) (HardenedBSD enhancement)
- Non-Cross-DSO CFI is fully applied (HardenedBSD enhancement)
- Full RELRO (RELRO + BINDNOW) is fully applied (HardenedBSD enhancement)
- SafeStack is applied to the application (HardenedBSD enhancement)
- Jailed (FreeBSD feature written by HardenedBSD)
- Virtual memory protected with guard pages (FreeBSD feature written by HardenedBSD)
- Capsicum is fully applied (FreeBSD feature)

Bad guys are going to have a hard time breaking out of the userland components of bhyve on HardenedBSD. :)

## Beastie Bits

- GhostBSD 18.10 has been released
- Project Trident RC3 has been released
- The OpenBSD Foundation receives the first Silver contribution from a single individual
- Monitoring pf logs gource
- NetBSD on the RISC-V is alive
- The X hole
- Announcing the pkgsrc-2018Q3 release (2018-10-05)
- NAT performance on EdgeRouter X and Lite with EdgeOS, OpenBSD, and OpenWRT
- UNIX (as we know it) might not have existed without Mrs. Thompson
- Free Pizza for your dev events
- Portland BSD Pizza Night: Nov 29th 7pm

## Feedback/Questions

- Dennis - Core developers leaving illumOS?
- Ben - Jumping from snapshot to snapshot
- Ias - Question about ZFS snapshots

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Container security
Jay Beale, @inguardians, @jaybeale

Containers
- What the heck is a container? A Linux distribution with a kernel; containers run on top of that, sharing the kernel but not the filesystem
- Namespaces: Mount, Network, Hostname, PID, IPC, Users
- Somebody said we've had containers since before Docker: containers started in 2005 with OpenVZ; Docker was 2013, Kubernetes 2014

Image Security
- CoreOS Clair for vuln scanning images
- Public repos vs private
- Don't keep the image running for so long?
- Don't run as root

More Containment stuff
- Non-privileged containers: remap the users, so root in the container isn't root outside
- Drop root capabilities
- Seccomp for kernel syscalls
- AppArmor or SELinux

All of the above is about Docker; what about Kubernetes?
- Get onto the most recent version of K8S: 1.7 and 1.8 brought big security improvements
- Network policy (egress firewalls)
- RBAC (define which users and service accounts can do what)
- Use namespaces per tenant and think hard about multi-tenancy
- Use the CIS guides for lockdown of K8S and the host; kube-bench

Difference between containers and sandboxing
- Roll your own containers
- Using public registries leaves you vulnerable; use your own private repos for deploying containers
- Reduce attack surface
- Reduce user access
- Automation will allow more security to get baked in.

Links:
- https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html
- https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide
- https://www.vagrantup.com/downloads.html
- https://www.vmware.com/products/thinapp.html
- https://www.meetup.com/SEASec-East/events/249983387/

S3 buckets / Azure Blobs
- https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
- https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

Join our #Slack Channel!
Email us at bds.podcast@gmail.com or DM us on Twitter @brakesec #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Show: 14

Show Overview: Brian and Tyler address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirements in the Container Host, Container Content, Container Registry, and Software Build Processes.

Show Notes and News:
- 10 Layers of Container Security
- Google, VMware and Pivotal announced a Hybrid Cloud partnership with Kubernetes
- Google and Cisco announced a Hybrid Cloud partnership with Kubernetes (and more)
- Docker adds support for Kubernetes to Docker EE
- Rancher makes Kubernetes the primary orchestrator
- Microsoft announces new Azure Container Service, AKS
- Oracle announced Kubernetes on Oracle Linux (and some installers)
- Heptio announces new tools

Topic 1 - Let's start at the bottom of the stack with the security needed on a container host.
- Linux namespaces - isolation
- Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls
- SELinux (or AppArmor) - mandatory access controls
- cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, are the sources of container content.
- Trusted sources (known registries vs. public registries, e.g. DockerHub)
- Scanning the content of containers
- Managing the versions and patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it: container registries.
- Making a registry highly available
- Who manages and audits the registry?
- How to scan a container within a container?
- How to cryptographically sign images?
- Identifying known registries
- Process for managing the content in a registry (tagging, versioning/naming, etc.)
- Automated policies (patch management, getting new content, etc.)

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software: the build process.
- Does a platform require containers, or can it accept code?
- Can it manage secure builds?
- How to build automated triggers for builds?
- How to audit those triggers (webhooks, etc.)?
- How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.)
- How to promote images to a platform? (automated, manual promotion, etc.)

Feedback? Email: PodCTL at gmail dot com. Twitter: @PodCTL. Web: http://podctl.com
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-023-Jay_Beale-selinux-apparmor-securing_lxc.mp3

Jay Beale works for a pentest firm called "Inguardians", and has always been a fierce friend of the show. He's running a class at both BlackHat and Defcon all about hardening various parts of the Linux OS. This week, we discuss some of the concepts he teaches in the class. Why do we disable SELinux? Is it as difficult to enable as everyone believes? What benefit do we get from using it? We also discuss other hardening applications, like ModSecurity for Apache, Suhosin for PHP, and Linux Containers (LXC). What is gained by using these, and how can we use them to our advantage? Really great discussion with Jay; please sign up for his class for a two-day in-depth discussion of all the technologies discussed on the show.

--------

Jay Beale's Class "Aikido on the command line: hardening and containment", July 22-23 & July 24-25 at BlackHat and Defcon
https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

-------

Brakesec also announces our "PowerShell for Blue Teamers and Incident Responders" with Mick Douglas (@bettersafetynet). A 6-week course starting with the basics of PowerShell, going on to discuss frameworks that use PowerShell to assist in assessing your network. It starts on 10 July and runs each Monday evening until 14 August 2017. You'll receive a certificate suitable for CPE credit, as well as the videos of the class, available to you on our YouTube channel. To sign up, go to our Patreon page (http://www.patreon.com/bds_podcast) and sign up at the $20 USD level labeled "Blue Team Powershell - Attendee". If you are looking to just get the videos and follow along in class, pick the $10 USD "Blue Team Powershell - Attendee- Videos Only". Classes will be held on Monday evenings only for 5 weeks, ending on 1 August.
Show Notes:
- AppArmor
- SELinux
- Privilege Escalation - InGuardians Murderboard
- Port Knocking (Single Packet Authorization)
- OSSEC
- ModSecurity
- Linux Containers
- Jess Frazelle - bane
- Dan Walsh - SELinux
- SELinux troubleshoot daemon
- https://en.wikipedia.org/wiki/System_call: "In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system."
- OpenBSD pledge(2): https://man.openbsd.org/pledge.2
- https://www.raspberrypi.org/products/raspberry-pi-2-model-b/
- Suhosin
- https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html
- @inguardians @jaybeale www.inguardians.com

What are you doing at Black Hat and Def Con?
- Training class at Black Hat - 2 days
- Def Con Workshop - ModSecurity and AppArmor - 4 hours
- Packet Hacking Village Workshop - Container security
- Vapor Trail at Def Con Labs (Larry and Galen)
- Dancing my butt off?
This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software. Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors. We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular the pledge(2) function in OpenBSD.

----------

HITB announcement: "Tickets for attendance and training are on sale, and entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/

---------

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-004-Sandboxing_technology.mp3
iTunes: https://itunes.apple.com/us/podcast/2017-004-sandboxes-jails-chrooting/id799131292?i=1000380833781&mt=2
YouTube: https://www.youtube.com/watch?v=LqMZ9aGzYXA

-----------

Show notes: Sandboxing tech - https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf

A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.

Various types of sandbox tech:
- Jails - FreeBSD. Much like Solaris 10's zones: a restricted operating system, also able to install OSes inside, like Debian. http://devil-detail.blogspot.com/2013/08/debian-linux-freebsd-jail-zfs.html
- pledge(2) - new to OpenBSD. The program says what it should use; if it steps outside those lines, it's killed. http://www.tedunangst.com/flak/post/going-full-pledge http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2?query=pledge http://www.openbsd.org/papers/hackfest2015-pledge/mgp00008.html
- Chroot - OpenBSD, Linux (chroot jails). "A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children." Example: "www" runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is '/'.
- Rules-based execution - AppArmor, PolicyKit, SELinux. Allows users to set what will be run, and which apps can inject DLLs or objects. "It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer." https://en.wikipedia.org/wiki/Seccomp https://en.wikipedia.org/wiki/Linux_Security_Modules
- Android VMs
- Virtual machines - sandboxes in their own right. Snapshot capability: revert once changes have occurred. CON: some malware will detect VM environments and change ways of working.
- Containers (docker, kubernetes, vagrant, etc.). Quick standup of images; blow away without loss of host functionality. Helpful to run containers as an unprivileged user. https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/
- Chrome sandbox: https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md
- Emulation vs. Virtualization: http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware (seems like a good link)
- VMware ThinApp (emulator): https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030224
- Malware lab creation (AlienVault blog): https://www.alienvault.com/blogs/security-essentials/building-a-home-lab-to-become-a-malware-hunter-a-beginners-guide
- https://www.reverse.it/

News: (assuming it goes short)
- SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/
- (whitelisting files in Apache) https://isc.sans.edu/diary/Whitelisting+File+Extensions+in+Apache/21937
- http://blog.erratasec.com/2017/01/the-command-line-for-cybersec.html
- https://github.com/robertkuhar/java_coding_guidelines
- https://www.us-cert.gov/sites/default/files/publications/South%20Korean%20Malware%20Attack_1.pdf#
- https://www.concise-courses.com/security/conferences-of-2017/
Overview Ted and Erin interview the guys in Novell IS&T to find out how and why they use open source software for running Novell’s business. Then comes News from Support, where we delve into what the upcoming change in Daylight Saving Time may mean to your organization. Time: 30:38 Size: 21.0 MB Segment Times Using […]
Novell Open Audio brings you backstage at BrainShare to talk with people who did the technology demos in the Monday keynote session. Crispin Cowan comments on his demo of Novell AppArmor. Robert Wipfel and Lars Marowsky talk about the clustering technology they demo'ed. Eric Anderson sums up the demos and how to find more about SUSE Linux Enterprise Server 10 at BrainShare.