security – Page 2 – Made by Mikal

Learning from the mistakes that even big projects make

Post author:mikal
Post published:August 24, 2018
Post category:Conference OpenStack Presentations Python Security

The following is a blog post version of a talk presented at pyconau 2018. Slides for the presentation can be found here (as Microsoft powerpoint, or as PDF), and a video of the talk (thanks NextDayVideo!) is below:

OpenStack is an orchestration system for setting up virtual machines and associated other virtual resources such as networks and storage on clusters of computers. At a high level, OpenStack is just configuring existing facilities of the host operating system — there isn’t really a lot of difference between OpenStack and a room full of system admins frantically resolving tickets requesting virtual machines be setup. The only real difference is scale and predictability.

To do its job, OpenStack needs to be able to manipulate parts of the operating system which are normally reserved for administrative users. This talk is the story of how OpenStack has done that thing over time, what we learnt along the way, and what I’d do differently if I had my time again. Lots of systems need to do these things, so even if you never use OpenStack hopefully there are things to be learnt here.

(more…)

Adding oslo privsep to a new project, a worked example

Post author:mikal
Post published:May 8, 2018
Post category:OpenStack

You’ve decided that using sudo to run command lines as root is lame and that it is time to step up and do things properly. How do you do that? Well, here’s a simple guide to adding oslo privsep to your project!

(more…)

How to make a privileged call with oslo privsep

Post author:mikal
Post published:May 4, 2018
Post category:OpenStack

Once you’ve added oslo privsep to your project, how do you make a privileged call? Its actually really easy to do. In this post I will assume you already have privsep running for your project, which at the time of writing limits you to OpenStack Nova in the OpenStack universe.

(more…)

What US address should I give?

Post author:mikal
Post published:April 26, 2006
Post category:Travel

Many of the US forms you will have to fill out when you move will ask for an address. Use your work address until you have a permanent place. A good example is opening your first bank account. The only possible problem with using your work address for your bank account is that some people will compare the shipping address of your online order with the billing address and complain, but you can always change the address you have recorded with the bank once you have a more permanent address. Opening a bank account without an SSN can be exciting too (it seems to be the primary key for a lot of tables over here, you can't get paid without one, get health insurance without one, get some cell phone accounts without one, and so forth). Bank of America did the right thing and let me open an account though, and don't suck too much. Citibank is ok as well, although they seem to suck more for general banking than Bank of America. More on Citibank in a future post about getting money back to Australia.

Collisions in MD5 sums

Post author:mikal
Post published:June 11, 2005
Post category:Crypto

This is kind of a big deal. Cryptographic has functions are used in a lot of computer science circles to take a large document and turn it into a relatively small description of the document. The transformation has a couple of interesting properties: It's one way -- which means that I can know that I have your document, without checking the contents. There are secure file systems out there that when you give it a file give you back the ID for the file, and that's how you access it in the future. Don't know the ID? You can't possibly have seen the file. They're meant to be unique -- you can't possibly have no overlap between bazillions of documents and the comparatively few IDs available, but it's meant to be very hard to get two documents with the same ID. This is commonly used for CD downloads for instance where people want to be sure that you got the file intended completely, or to make sure that you're not storing information twice. EMC for instance has an email storage system which only saves an email if the MD5 ID is new, otherwise it must be a duplicate. It turns…