Wednesday, 2015-03-11

[09:48] <openstackgerrit> Merged stackforge/bandit: Fix a leftover tuple unpacking in reporting code  https://review.openstack.org/163169
[12:26] <openstackgerrit> Merged stackforge/anchor: Adding more tests against X509 certificate code  https://review.openstack.org/158521
[13:15] <openstackgerrit> Travis McPeak proposed openstack/security-doc: Add OSSN-0045 for FREAK attack on TLS connections  https://review.openstack.org/163041
[13:34] <openstackgerrit> Travis McPeak proposed stackforge/bandit: Fixing uncaught 'InvalidModulePath' exception  https://review.openstack.org/163431
[13:52] <openstackgerrit> Travis McPeak proposed stackforge/bandit: Fixing uncaught 'InvalidModulePath' exception  https://review.openstack.org/163431
[15:06] <openstackgerrit> Merged stackforge/bandit: Fixing uncaught 'InvalidModulePath' exception  https://review.openstack.org/163431
[15:18] <tmcpeak> nkinder, bknudson: if you get a chance could you have a look at https://review.openstack.org/163041
[15:19] <nkinder> tmcpeak: I have it up and have been reviewing it
[15:19] <bknudson> is getting sick of these SSL attacks.
[15:19] <tmcpeak> lol
[15:19] <tmcpeak> nkinder: cool, sounds good, thanks nkinder
[15:19] <bknudson> stop using it since it doesn't do anything anyways.
[15:19] <bknudson> luckily we don't use java.
[15:20] <tmcpeak> I think what we have is a behavior problem, not a tech problem.  If we could all just agree not to MITM each other's traffic the world would be a much better place
[15:20] <bknudson> direct connections.
[15:20] <bknudson> line of sight
[15:25] <bknudson> tmcpeak: do the configurations in http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html disable export ciphers?
[15:25] <bknudson> SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM has !EXP
[15:25] <tmcpeak> yeah, I assume that's what this line does
[15:25] <tmcpeak> yep, that's the one I was going to paste :)
[15:26] <tmcpeak> !EXP
[15:26] <tmcpeak> Disallows export encryption algorithms, which by design tend to be weak, typically using 40 and 56 bit keys.
[15:26] <tmcpeak> US Export restrictions on cryptography systems have been lifted and no longer need to be supported.
[15:26] <openstack> tmcpeak: Error: "EXP" is not a valid command.
[15:26] <bknudson> just make it the default for crying out loud.
[15:26] <bknudson> no wonder everyone messes this up.
[15:28] <bknudson> tmcpeak: read through https://review.openstack.org/#/c/163041/ and looks good to me.
[15:28] <tmcpeak> lol, yeah.  Insecure defaults suck
[15:28] <tmcpeak> bknudson: cool, thank you sir
[15:50] <sicarie> OpenStack Operators meetup in Philly just happened - here's the security etherpad: #link https://etherpad.openstack.org/p/PHL-ops-security
[15:56] <bknudson> sicarie: neat, thanks
[15:56] <bknudson> sicarie: nkinder was working on some docs for policy.json
[15:57] <bknudson> I was also working on some docs for keystone.
[15:57] <nkinder> bknudson: some of those were merged (on the oslo side)
[15:57] <bknudson> https://review.openstack.org/#/c/155919/ -- documents keystone policy.json
[15:58] <tmcpeak> sicarie: cool stuff
[15:58] <bknudson> damn, should have gone to the ops meetup.
[15:59] <sicarie> The general page: #link http://superuser.openstack.org/articles/openstack-mid-cycle-meetup-day-one-roundup
[16:27] <tmcpeak> cool, so nkinder, hyakuhei, bdpayne: could use final thumbs up here: https://review.openstack.org/163041
[16:27] * bdpayne looks
[16:33] <bdpayne> tmcpeak lgtm
[16:33] <tmcpeak> bdpayne: thanks!
[16:34] <hyakuhei> The only concern I have is the services section
[16:34] <hyakuhei> The layout is very different to how we normally do it
[16:34] <tmcpeak> copied that from bdpayne's poodle note
[16:34] <hyakuhei> and if we ever get around to pushing these all through some parser it’ll break
[16:34] <hyakuhei> nkinder: not around?
[16:34] <bdpayne> layout?
[16:35] <hyakuhei> It’s kind of ok if it breaks the parser because it can be manually fixed up if we only have that issue with one or two notes and at least this is nice and readable.
[16:35] <bdpayne> pretty sure the Poodle note started with the official template
[16:35] <bdpayne> so if there's an issue, perhaps the template needs fixing?
[16:35] <hyakuhei> No, if that’s how the poodle note does it, it’s technically wrong too
[16:36] <nkinder> hyakuhei: I'm around, but in a meeting
[16:36] <hyakuhei> Services are normally just comma separated https://wiki.openstack.org/wiki/OSSN/OSSN-0042
[16:36] <tmcpeak> hyakuhei is talking about the list of services and versions
[16:36] <tmcpeak> although that isn't really applicable to general TLS problems
[16:36] <hyakuhei> Yeah, just the Affected Services / Software section
[16:36] <hyakuhei> tmcpeak: that’s true
[16:37] <hyakuhei> However, you probably want each of the openstack services listed in there and move the (very good) list of TLS stuff into some other section
[16:37] <bdpayne> not sure I agree with that, tbh
[16:37] <tmcpeak> hyakuhei: so every version and every service?
[16:37] <bdpayne> it will make the note harder to parse
[16:37] <tmcpeak> what about other components which might be using TLS
[16:37] <hyakuhei> That way if we ever have some tool that allows you to, for example, view all OSSNs that potentially affect Keystone it’ll come up in the search
[16:37] <bdpayne> parse... by humans in this case
[16:38] <hyakuhei> bdpayne: That’s the standard, we can talk about changing the standard but that’s an entirely separate conversation
[16:38] <hyakuhei> one I want nkinder to be around for.
[16:40] <tmcpeak> well, in this case I just chose to match what we already had for POODLE.  IMO listing all services and versions will be horrible to look at, but yeah, makes it machine parseable. We really aren't using that currently though, so we'd need to do work in any case
[16:42] <hyakuhei> So I’m ok with it going through but it will break the tooling we want to put around OSSNs later.
[16:42] <tmcpeak> yeah, agree
[16:42] <hyakuhei> Incidentally I think this is a very good OSSN, my comments are only a reflection on the standard schema we currently use
[16:42] <tmcpeak> hyakuhei: thank you
[16:43] <hyakuhei> and that we should adhere to in most cases until we fix the schema…
[16:55] <nkinder> tmcpeak: ok, out of my meeting...
[16:56] <nkinder> tmcpeak: so the list of affected services is a bit odd, but these generic crypto vulnerability notes don't really fit the mold of real bugs/issues in OpenStack itself
[16:57] <nkinder> I don't want to list every possible service, and this affects more than OpenStack services (messaging brokers, SSL terminators, etc.)
[16:57] <tmcpeak> nkinder: yeah, I agree
[16:58] <sicarie> nkinder: I think one of my comments led to this - I was trying to get a concrete method for determining exposure there
[16:58] <tmcpeak> hyakuhei agrees also
[16:59] <tmcpeak> it doesn't fit our traditional method of listing services and versions
[16:59] <nkinder> well, I would love to have an automatic parsing tool
[16:59] <nkinder> ...but we don't have one here today
[16:59] <tmcpeak> so a smart parser could recognize when something doesn't parse and leave a smart comment instead
[17:00] <nkinder> I think if we wanted a real format that could be parsed, it wouldn't be what we have today
[17:00] <openstackgerrit> Merged openstack/security-doc: Add OSSN-0045 for FREAK attack on TLS connections  https://review.openstack.org/163041
[17:01] <nkinder> There is a standard there I was looking at some time back
[17:43] <nkinder> tmcpeak: fyi - your line-wrap width was too wide for the OSSN
[17:43] <nkinder> tmcpeak: not a big deal (I'll reformat for the e-mail)
[17:43] <tmcpeak> nkinder: crap, was it? thought I had it set for 80
[17:43] <nkinder> tmcpeak: just an FYI that the width is shorter than what we use for PEP8
[17:44] <nkinder> tmcpeak: it's 72
[17:45] <tmcpeak> ahhhh
[17:45] <tmcpeak> forgot all about that :)
[17:45] <nkinder> tmcpeak: I'm fixing it
[17:45] <tmcpeak> nkinder: cool, thank you!
[17:56] <openstackgerrit> Nathan Kinder proposed openstack/security-doc: Correct line-wrapping width for OSSN-0045  https://review.openstack.org/163547
[17:56] <nkinder> tmcpeak: ^^
[17:56] <nkinder> tmcpeak: ...might as well correct it in tree
[17:57] <tmcpeak> I gave my +1 fwiw
[17:57] <tmcpeak> :)
[17:57] <nkinder> tmcpeak: you're fast
[17:58] <nkinder> bdpayne: ^^ Given it's just white-space, I'm thinking we should just +A it without the standard "2 core" rule.
[17:58] <nkinder> bdpayne: care to do the honors?
[17:58] <bdpayne> sure
[17:58] <bdpayne> done
[17:58] * bdpayne will approve anything ;-)
[18:00] <nkinder> bdpayne: thanks!
[18:00] <nkinder> tmcpeak: I'll publish as soon as I see the merge come through
[18:01] <tmcpeak> I need to start gaming my "positive response on reviews" in stackalytics
[18:01] <tmcpeak> I have like 25% positive
[18:01] <tmcpeak> nkinder: awesome, thank you
[18:01] <tmcpeak> I'll throw up the wiki page
[18:01] <nkinder> tmcpeak: that's good actually
[18:01] <nkinder> if you had 90% positive, there's likely a problem with not being thorough enough :)
[18:02] <tmcpeak> nkinder: not for my "not being perceived as an a-hole" goal
[18:19] <tmcpeak> nkinder: you beat me to it on the wiki? :)
[18:20] <nkinder> tmcpeak: yep, I have it ready to pull the trigger :)
[18:20] <tmcpeak> sweet! pull away
[18:49] <openstackgerrit> Robert Clark proposed stackforge/anchor: Added tests to bring coverage up to 100% of validators  https://review.openstack.org/163561
[18:51] <openstackgerrit> Robert Clark proposed stackforge/anchor: Added tests to bring coverage up to 100% of validators  https://review.openstack.org/163561
[20:04] <openstackgerrit> Merged openstack/security-doc: Correct line-wrapping width for OSSN-0045  https://review.openstack.org/163547
[20:10] <openstackgerrit> bruce-benjamin proposed openstack/security-doc: Added input about volume encryption feature  https://review.openstack.org/161012
[21:15] <openstackgerrit> bruce-benjamin proposed openstack/security-doc: Added input about volume encryption feature  https://review.openstack.org/161012
[21:25] <openstackgerrit> Merged openstack/security-doc: MySQL TLS transport config example  https://review.openstack.org/159668

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!