Usually we launch hundreds of instances in AWS for day-to-day work. As long as they are accessible from our hosts (probably RHEL or Ubuntu, or your own Mac), we are good to go. But there are cases where you get a patch from IT for your host, and once you apply it, you realize that you can no longer reach your AWS instances. Your IT team has no clue what happened. You contact AWS support, and they say everything looks good. So how do you proceed from this scenario? Where do you start and what do you do? This talk goes through all the steps, starting with the most basic checks all the way to updating the crypto key exchange algorithms on your host.
Ara Pulido, Datadog
Container technologies, although not new, have increased their popularity in the past few years, with container orchestrators allowing companies around the world to adopt these technologies to help them ship and scale microservices with precision and velocity. Kubernetes is currently the most popular container orchestration platform, and while many organizations are migrating their workloads to it, Kubernetes is still relatively immature. New corner cases, errors, and quirks are regularly discovered as users push the boundaries of size and scale. When Datadog adopted Kubernetes we discovered some of these boundaries the hard way, and we continuously challenge and modify our infrastructure decisions in order to fit our use case. Join me in this talk for our story on what we learned while we scaled our Kubernetes clusters, the contributions to Kubernetes we made along the way, and how you can apply those learnings when growing your Kubernetes clusters from a handful to hundreds or thousands of nodes.
Nmap: not only a port scanner (Ravi Rajput, Comexpo security awareness meet)
As every coin has two sides, we similarly know only one side of Nmap, which is port scanning.
While researching I found that a lot more than port scanning and banner grabbing can be done with Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah, it won't work as efficiently as MSF.
This can replace the use of Acunetix and other paid scanners.
DOD 2016 - Kamil Szczygieł - Patching 100 OpenStack Compute Nodes with Zero-d... (PROIDEA)
YouTube: https://www.youtube.com/watch?v=OsgNn-D9KFc&index=15&list=PLnKL6-WWWE_VtIMfNLW3N3RGuCUcQkDMl
Undisclosed vulnerabilities are a very serious threat to cloud security. Once the flaw leaks to the public, the risk of attacks increases dramatically. In our talk we will go through a case study of patching 100 OpenStack compute nodes hosting 4000 virtual machines with a zero-day patch within 16 hours. We will talk about the challenges we encountered and how we faced them, and we will answer the most important question: did we make it within 16 hours?
Kube-proxy is the Kubernetes component responsible for reconciling the state of Service resources. It can be configured in four different modes: userspace, iptables, IPVS or kernel space (Windows). At large scale, the IPVS mode offers better performance, which makes it an attractive option. In this session, I'll try to explain the IPVS internals and how Kubernetes automates the management of services, through basic examples.
Jaime Piña, @variadico, Software Engineer at Apcera
Microservice issues are networking issues. Fixing code in your app is easy, but the hard part of using microservices is the networking. How do you actually know if you're sending what you think you are? Why does this request fail in my app, but not when I use curl? Is this service very slow or is it up at all?
This talk will help demystify some common problems you might experience while building out your collection of microservices. Once you can find the issue, it becomes way easier to fix.
Snaps are a new packaging format that allows unmodified binaries to run across a wide variety of distributions. Snapd is the software that manages snaps on a running system. Learn about the basics of snaps, snapd and what is needed to port snapd to OpenSUSE.
Building a network emulator with Docker and Open vSwitch (Goran Cetusic)
A short description of container namespaces, Linux virtual Ethernet interfaces and how to use them in Docker and Open vSwitch to create a self-contained network with hundreds of nodes on a single host machine.
FPV streaming server system built with Go and ffmpeg.
Receives analog video transmitted by a drone, converts it to digital video and streams it to mobile devices.
Adventures in Femtoland: 350 Yuan for Invaluable Fun (arbitrarycode)
GSM networks have been compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to a fully compromised A5/1 encryption and then even to your own base station, we have different tools and opportunities. A Motorola phone that retails for only $5 gives you the opportunity to peep into your girlfriend's calls. An RTL-SDR retails for $20 and allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, a USRP retails for $700 and can intercept almost everything that you can see in 2G.
But who cares about 2G? Those who are concerned have switched off 2G. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even the GSMA (GSM Association) admitted that security through obscurity is a bad idea (referring to COMP128, A5/*, GEA algorithms and other things). 3G and LTE networks have mandatory cryptographic integrity checks for all communications and mutual authentication between mobile devices and base stations. The opportunity to analyze all protocols and cryptographic primitives, thanks to their public availability, is important.
However, the main problem is that we do not have Calypso phones for 3G. We do not have cheap and ready-to-use devices to fuzz 3G devices over the air. Or do we? What about femtocells? Perhaps telecoms were too quick to let their guard down, relying on the security considerations embedded in 3G/4G? Users can connect to femtocells and access the Internet at high speed, make calls, etc. Why don't we abuse it?
Yes, there is already research that allows you to gain control over a femtocell. There is also research that allows sniffing calls and messages after gaining control. But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN, to a core network. You have to bypass location binding and so on. Perhaps there is an easier solution? Perhaps we can create UMTS-in-a-box from a readily available femtocell and have them available in large quantities without telecom branding? We already know.
We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069.
Video: https://www.hashicorp.com/resources/operating-consul-at-scale
With more than 35k machines and the first external contributor, Criteo is a very large Consul user. This presentation describes how we operate Consul at scale at Criteo.
Presentation at HashiTalks 2019.
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by... (CODE BLUE)
Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that, by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as merely hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.
How to Troubleshoot OpenStack Without Losing Sleep (Sadique Puthen)
The complex architecture and design, and the difficulties encountered while troubleshooting, amplify the effort of debugging a problem in an OpenStack environment. This can give administrators and support associates sleepless nights if OpenStack native and supporting components are not configured properly and tuned for optimum performance, especially in large deployments that involve high availability and load balancing.
Talk given at ClueCon 2016 that discusses FreeSWITCH and its place in a microservices architecture. Covers a specific deployment case using Docker and Adhearsion, along with certain features that make FreeSWITCH a model use-case for such a technology stack.
SNClient+ - General purpose monitoring agent (Sven Nierlein)
This talk will give a quick overview of NSClient alternatives and will introduce the new SNClient+ agent for Windows, Linux, OSX and BSD. This new agent is designed to replace NSClient without having to migrate configuration or scripts. Besides this compatibility mode, I will show what else can be done with SNClient, e.g. fetching Prometheus metrics.
- https://github.com/ConSol-Monitoring/snclient
- https://omd.consol.de/docs/snclient/
OSMC 2023 | Replacing NSClient++ for Windows Monitoring by Sven Nierlein (NETWAYS)
This talk will give a quick overview of NSClient alternatives and will introduce the new SNClient+ agent for Windows, Linux, OSX and BSD. This new agent is designed to replace NSClient without having to migrate configuration or scripts. Besides this compatibility mode, I will show what else can be done with SNClient, e.g. fetching Prometheus metrics.
A story of how we went about packaging Perl and all of the dependencies that our project has.
Where we were before, the chosen path, and the end result.
The pitfalls and a view on the pros and cons of the previous state of affairs versus the pros/cons of the end result.
Lessons Learned From Cloud Migrations: Planning is Everything (John Varghese)
“Migrating to the cloud saves money!” “Not running your own infrastructure reduces your bottom line!” “Lift and shift is a legitimate first step towards moving to the cloud!” These are all potential pitfalls if you’re not careful. Proper planning prevents piss poor performance. Using a real chaotic cloud migration as a guide, we’ll walk through the pitfalls of cloud migrations, how to avoid them, and the terrifying vendor lock-in (when it makes sense).
Leveraging AWS Cloudfront & S3 Services to Deliver Static Assets of a SPA (John Varghese)
Most new SaaS products are structured as SPAs (single page applications). In this presentation we will discuss how to reduce the load on your application servers by serving the static assets of your applications from the S3 service, leveraging the Cloudfront service.
AWS Transit Gateway - Benefits and Best Practices (John Varghese)
Managing connectivity between many Amazon Virtual Private Clouds (VPCs) and on-premises networks can be operationally complex and costly. In this tech talk, we will discuss how AWS transit gateway simplifies network architecture, reduces operational costs and improves security. We will also discuss best practices for designing and monitoring a global network using AWS transit gateway and Network Manager.
Bridging Operations and Development With Observability (John Varghese)
Monitoring and observability are often viewed as post-deployment tools focused on operations. But development done in isolation limits visibility to the system as a whole, and issues tend to manifest only in production.
In this talk I will show:
- How to leverage Infrastructure as Code (Terraform) to manage AWS ECS/EC2 and Datadog across development and production environments
- How introducing monitoring and observability earlier provides greater visibility for both developers and operations
- Strategies to segment development and production environments within ECS and Datadog
Security Observability for Cloud Based Applications (John Varghese)
You can't control what you can't see. Security observability is an intrinsic attribute of an application that provides direct observation of software vulnerabilities and attempted exploits as they happen, in order to allow rapid proactive remediation and prevention. Security observability can be achieved by taking an instrumentation-based approach that provides continuous visibility and exposure of vulnerabilities and threats, and their context, from within the software itself. This approach is particularly appropriate for cloud-based and hybrid distributed environments, because the instrumentation is agnostic to deployment methodologies and runtime environments. A demonstration will show the benefits of this approach for both custom code and open source dependencies, as well as across the software development lifecycle, covering both the rapid pinpointing of line-of-code level vulnerabilities for developers and real-time exploit prevention in production.
Building an IoT System to Protect My Lunch (John Varghese)
What do you do when your dog keeps eyeing your lunch? Build an IoT monitoring system to make sure you get a text message every time she gets close to nabbing your sandwich! In this presentation, you’ll learn the basics of connecting a Raspberry Pi device with a PIR sensor to AWS IoT. You’ll see how to:
- Secure the connection between the device and AWS IoT
- Leverage services like AWS Lambda to act on MQTT events that come from the device
- Build a web portal to keep track of past alerts
- Send yourself text notifications whenever your sandwich is at risk
After the presentation, you'll have access to all the code used and other resources on getting started with using a Raspberry Pi and AWS IoT.
Amazon S3 probably gets a lot of use at your company—the object storage service was one of the first cloud services offered by AWS way back in 2006. Its ease of use, reliability, and scalability have proven incredibly popular over the years.
But S3 security isn’t so simple—it’s easy to get wrong and think you got it right. Recent high-profile cloud-based data breaches that involved S3 cannot be chalked up to simple customer mistakes. Rather, advanced cloud misconfiguration attacks exploit S3 buckets that otherwise appear to be configured securely.
In this talk, Fugue CTO Josh Stella will dig into the complex layers of S3 security to help you think critically about security for your unique AWS use cases. You’ll understand how other AWS services such as IAM and EC2 can create S3 vulnerabilities you may not be seeing—and how malicious actors exploit them.
Reduce Amazon RDS Costs up to 50% with Proxies (John Varghese)
Amazon RDS is one of the more expensive line items in an AWS bill. In this session, we will discuss techniques to offload SQL for improved performance while reducing database costs. Features include:
- Query caching into Amazon ElastiCache
- Read/Write split
We will go over customer case studies on how they were able to drive down costs while scaling out.
John will talk about how progress happens constantly in every field and keeps pushing the boundaries of human knowledge. He will review the advances in the field of cloud computing as a microcosm where progress is always happening on every front. How does one keep up with the change? Is it just good enough to keep up with the change? John wants you to not just keep up with the changes, not just stay ahead of the curve, but to lead the change so that your work benefits everyone.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Search and Society: Reimagining Information Access for Radical Futures (Bhaskar Mitra)
The field of information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that do not adapt and embrace new ideas struggle to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and the willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Who Broke My Crypto
1. Who broke my crypto
Nikhil Prathapani
Enterprise Routing – SDWAN group
Cisco Systems Inc
2. Things you WON’T learn in this talk
• Crypto currency
• Bitcoin
• Blockchain
3. Agenda
• Chapter 0 – The Problem
• Chapter 1 – The Puzzle
• Chapter 2 – The Chase
• Chapter 3 – The Eureka
• Chapter 4 – The End
4. On a fine Monday morning:
I tried to SSH to my EC2 instance, but it kept bailing out on me.
Chapter 0 – The Problem
5. • Why am I unable to SSH to an instance that worked fine until Friday?
• I listed out the things changed from my end:
• EC2 Instance type: unchanged, not even touched since Friday
• Host machine : Same host machine - RHEL instance
Chapter 1 – The Puzzle
6. Oh, I know how to debug this.
It's simple:
• Instead of plain ssh, add -v, -vv or -vvv for increasing levels of debug output.
• ssh -v will tell you what is happening, mostly on your end
• ssh -vv will tell you the low-level details on both ends
• ssh -vvv will tell you almost everything from both ends.
Chapter 2 – The Chase
7. Contacted AWS support.
A very patient support rep helped me debug the issue further.
Step 0: SSH with the "-vvv" flag for verbosity
I did that; it didn't help. Still lost the connection.
9. Step 2: Perform TCP traceroute over different ports, such as 22 and 443
$ mtr -c 50 --no-dns --show-ips --report-wide --report --tcp --port 443 <elastic_Ip>
$ mtr -c 50 --no-dns --show-ips --report-wide --report --tcp --port 22 <elastic_Ip>
$ tcptraceroute <elastic_Ip> 22
$ traceroute -T -p 22 -n <elastic_Ip>
To install tcptraceroute:
# yum -y install --enablerepo='*' tcptraceroute telnet
# apt install tcptraceroute # On Ubuntu
10. And that didn't help either.
Okay, let's take a step back and check my email.
“IT has upgraded your VM from RHEL6 to RHEL8 over the weekend.
Please open a support case with us in case you are facing issues”.
Check the host machine:
Vm>lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: RedHatEnterprise
Description: Red Hat Enterprise Linux release 8.1 (Ootpa)
Release: 8.1
Codename: Ootpa
"ootpa" is the IRC nick of Larry Troan, a Red Hat engineer who died in 2016. The RHEL 8 "ootpa" codename was chosen as a tribute to Larry Troan.
11. Great, something has changed with respect to the host machine, but what exactly?
<Few days pass by>
How does SSH work behind the scenes?
<opens textbook>
Information Security: Principles and Practice, Mark Stamp
13. <Search google for Red Hat documentation>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/using-secure-communications-between-two-systems-with-openssh_securing-networks
• Two versions of SSH currently exist: version 1, and the newer version 2.
• The OpenSSH suite in Red Hat Enterprise Linux 8 supports only SSH version 2, which has an enhanced key-exchange algorithm not vulnerable to known exploits in version 1.
• OpenSSH depends on the OpenSSL library; specifically, OpenSSH uses the libcrypto part of OpenSSL.
Chapter 3 – The Eureka
14. man ssh_config: (on RHEL8)
The supported ciphers are:
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com
15. <deep google search for redhat issues>
• “GCM ciphers are not available in SSH on RHEL 7.4 in FIPS mode”
https://github.com/ComplianceAsCode/content/issues/1613
• GCM ciphers used to be allowed in FIPS mode, but it seems that was a bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1420910
• FIPS guide (Federal Information Processing Standards)
https://wiki.openssl.org/index.php/FIPS_mode_and_TLS
16. Go back to my host machine and look at logs:
• debug1: SSH2_MSG_KEXINIT sent
• debug1: SSH2_MSG_KEXINIT received
• debug1: kex: algorithm: ecdh-sha2-nistp256
• debug1: kex: host key algorithm: ecdsa-sha2-nistp256
• debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
• debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
• debug1: sending SSH2_MSG_KEX_ECDH_INIT
• debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
• Connection closed by <elastic-ip> port 22
https://www.cryptosys.net/pki/manpki/pki_aesgcmauthencryption.html
17. Go to my EC2 instance and take a look:
ec2:/etc/ssh# cat ssh_config
# Cipher 3des
# Port 22
# Protocol 2
# Cipher 3des
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
18. Lessons learned:
1. Issue in the EC2 instance code, which defaults to GCM ciphers.
Real bug: filed and fixed
2. Genuine Red Hat bug which accidentally blocks GCM ciphers, which kept me hanging (still not fixed yet)
3. Simple workaround:
1. Look for any cipher common to the host and the EC2 instance:
For example: "aes256-ctr" is present in both lists
2. Use it to SSH to the instance:
Example usage: ssh -c aes256-ctr user@<elastic_ip_ec2_instance>
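An added example (not from the deck or from Cisco/Red Hat) that automates the -vv check from Chapter 2 and the common-cipher workaround above: it parses the cipher lists from both KEXINIT proposals that `ssh -vv` prints, reproduces the client-preference negotiation rule from RFC 4253 section 7.1, and, when the host is in FIPS mode where GCM ciphers are unavailable, picks the first common non-GCM cipher to pass to `ssh -c`. The `ssh -vv` text below is constructed sample output, not a capture from the talk's hosts; the server list mirrors the EC2 ssh_config shown on slide 17.

```python
import re

# Constructed sample of `ssh -vv` output (not captured from the talk's hosts).
# At -vv OpenSSH prints the local client proposal and the peer server proposal.
SAMPLE_SSH_VV = """\
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes256-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes256-cbc
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
"""


def parse_cipher_proposals(text):
    """Return (client_ctos, server_ctos): client->server cipher lists
    offered by each side, in each side's own preference order."""
    side, proposals = None, {"client": None, "server": None}
    for line in text.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        m = re.match(r"debug2: ciphers ctos: (\S+)", line)
        if m and side:
            proposals[side] = m.group(1).split(",")
    return proposals["client"], proposals["server"]


def negotiate(client, server):
    """RFC 4253 7.1: the first client-preferred cipher the server also lists."""
    return next((c for c in client if c in server), None)


def is_gcm(cipher):
    return cipher.endswith("-gcm@openssh.com")


def workaround(client, server, fips=True):
    """Return (cipher ssh would negotiate, first common cipher still usable).
    With fips=True the GCM ciphers are excluded, modelling the Red Hat FIPS
    bug the deck cites; the usable one is what to pass to `ssh -c`."""
    chosen = negotiate(client, server)
    usable = [c for c in client if c in server and not (fips and is_gcm(c))]
    return chosen, (usable[0] if usable else None)


if __name__ == "__main__":
    cl, sv = parse_cipher_proposals(SAMPLE_SSH_VV)
    chosen, fallback = workaround(cl, sv)
    print(f"negotiated: {chosen}  usable under FIPS: {fallback}")
    print(f"ssh -c {fallback} user@<elastic_ip_ec2_instance>")
```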
Chapter 4 – The End