The Kubernetes Book (2024 edition)

  • Post category: Book

This is yet another accidental purchase of a self-published book, although I think this one makes a lot of sense as a self-published work. Writing a technical reference book isn't a particularly lucrative pastime for most authors, and self-publishing likely makes it more worthwhile than the traditional publisher route, especially if you can rustle up a good set of technical editors and reviewers yourself. That said, I think one of the risks with self-published technical books like this is that they are overly credulous, and I think this book falls into that trap early by describing Kubernetes as the "cloud operating system". Like I get it, you're excited about Kubernetes, but making claims that all of the cloud runs on Kubernetes just undermines your work before you've even really started. I can't find any public data, either academic or anecdotal, which supports the assertion that Kubernetes is even the most popular way to run workloads in clouds. I'm sure that AWS has more VMs not running Kubernetes, for example, than they have running it. That said, it is clear at this point that Kubernetes is the dominant player for container clustering. So why not just say…


The Cuckoo’s Egg

  • Post category: Book

In 1986, Clifford Stoll and his coworkers were frustrated by what they thought was a billing error of 75 cents in their monthly accounting. Suspecting a software bug, the new guy (Clifford) was put on to working out the error as a starter problem while he got familiar with the systems he was to manage... I've been home sick this week with a chest infection, and what with having a limited oxygen supply I didn't feel like I was braining super well. So what better way to pass the time between naps than another old book I've read before? This is another book I must have read before I started blogging such things, but discussions of old computing systems made me a bit nostalgic for a good old-fashioned tale of computer hackery. The story has some historical significance too, as shown by this quote from Wikipedia: "This was one of the first — if not the first — documented cases of a computer break-in, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities." There are a few things which strike me about this story -- Stoll was lucky. He arguably committed…


Do you want the apocalypse, because this is how you get it

  • Post category: Security

So I read this paper over the weekend. Naively, it's a reasonably interesting piece of research around using a generative AI to use descriptions of CVEs from their responsible disclosures to exploit unpatched systems autonomously. Now read that sentence again -- these people prompted ChatGPT-4 with CVEs which didn't have fixes yet, and had it hacking unpatched systems with an 85% success rate. We're doomed.


Cult of the Dead Cow

  • Post category: Book

A very readable history of the early US hacking scene, including the roots of the DEF CON and Black Hat security conferences. The book is filled with a cast of characters many of whose names and exploits I recognize -- although I've only met one or two in person. The book is definitely US-centric in its coverage, but an interesting way to spend a summer evening or two. Menn (the author) spends a lot of time working through the moral reasoning that led a group formed out of an interest in how things worked and a sense of community among the socially awkward, to a group that made a profound difference to how we think about responsible disclosure of security vulnerabilities and our obligations as technologists, while at the same time trying to be funny (the hackers, not the author). The description of how cDc dragged Microsoft kicking and screaming into taking security for their software seriously is both funny and interesting, as is the discussion of early attempts at responsible disclosure at a time when software vendors would sue instead of fixing their products. I find the descriptions of the various players "going straight" and acquiring actual jobs in order…


Malware Analyst’s Cookbook and DVD

  • Post category: Book

Another technical book, this time because my employer lets me buy random technical books as long as I pinky swear to read them, and this one sounded interesting and got good reviews. First off, the book is a bit dated given it's from 2011 -- there are lots of references to Ubuntu 10.10 for example, and they say to avoid Python 3, which has its historical charm. This is unfortunate given the first section of the book talks about setting up honeypots to collect malware to examine, but Dionaea for example had its last commit in 2021. I am left wondering if there are more modern honeypot systems that people use these days. Secondly, the book is definitely a cookbook, and that's on me for not noticing this about the book before buying it -- it's a series of recipes / scripts that do interesting things with malware. That said, it isn't really teaching a cohesive set of skills; it's more of a series of stepping stones along the path you might follow. I think that's an unintended piece of important learning -- books with "cookbook" or "recipes" in their title probably aren't very good as an overview of…


The BeyondCorp papers

Google’s BeyondCorp effort would probably be what we would now call Zero Trust, although I am surprised by how little name recognition BeyondCorp has when I talk to security people about Zero Trust. Perhaps there are subtle differences between the two, but if there are they aren’t obvious to me. I find myself reading the relevant Usenix papers for BeyondCorp, so I figure I’ll post a summary of what I got from each paper here.

The earliest of these papers are quite old now (2014), especially for something the rest of the industry is only starting to talk a lot about at the moment. I wonder if there is a viable business model in watching what papers megacorps like Google publish, and then implementing them as commercialized products before the rest of the market catches on?

Either way, here’s a summary of the various papers from the perspective of an interested bystander…


Cisco CyberOps Associate: Official Cert Guide

I don't think I've really reviewed a technical book here before, but I read the thing so I guess I should. This book is the certification guide for a "Cisco CyberOps Associate" certification, which is what they now call the CCNA Security qualification. It's a relatively junior certification, qualifying you to be a level one operator in a Security Operations Centre (SOC). I read this book because I took a Cisco NetAcad course for the associated certification in the second half of 2022 (although it has continued to be a thing I plug away at in 2023). That was mainly motivated by a desire to learn more about a field that is clearly important, but hasn't been core to my personal career. This book is reasonably well written and readable -- I'd read a chapter in the evening after work and it wasn't a huge chore to churn through. I certainly learned things along the way, even if the certification seems to suffer from a desire to have everyone rote learn a lot of acronyms, which seems like a common ailment in the industry (AWS Certified Cloud Practitioner, I'm looking at you). My main criticism is of the qualification itself, which…


Learning from the mistakes that even big projects make

The following is a blog post version of a talk presented at PyCon AU 2018. Slides for the presentation can be found here (as Microsoft PowerPoint, or as PDF), and a video of the talk (thanks NextDayVideo!) is below:

OpenStack is an orchestration system for setting up virtual machines and associated other virtual resources such as networks and storage on clusters of computers. At a high level, OpenStack is just configuring existing facilities of the host operating system — there isn’t really a lot of difference between OpenStack and a room full of system admins frantically resolving tickets requesting virtual machines be setup. The only real difference is scale and predictability.

To do its job, OpenStack needs to be able to manipulate parts of the operating system which are normally reserved for administrative users. This talk is the story of how OpenStack has done that thing over time, what we learnt along the way, and what I’d do differently if I had my time again. Lots of systems need to do these things, so even if you never use OpenStack hopefully there are things to be learnt here.
