FreeBSD and the absurdities of security compliance

Reddit Comments

The root account thing is pretty wild. It would drive me up the wall to have to deal with this.

u/VM_Unix, Jul 06 2020 (3 points)

Worked in banking for about five years. Can confirm internal auditing works much in the same way.

Honest professional employees, given liveable wages, creating well designed and auditable digital and physical systems, and who are not driven by the size of their next bonus, are any society's foremost guard against fraud and corruption in the sector.

Laws and regulations, auditing and banking authorities are in distant second, third and fourth place.

u/throwaway997918, Jul 29 2020 (2 points)
Captions
All right, settling down. So the good news is that you only have to listen to me for a few more seconds. [Applause] So please welcome Eric, and he'll be talking about the blame game, or the strangeness around security compliance. [Applause]

Like this, yeah? Hey. Slightly scary, this. So yeah, welcome. The talk was supposed to be "The Absurdities of Compliance", FreeBSD and the secrecy... "The Absurdities of Security Compliance". This is shorter, it fit on the slide. Does this even work? Of course not. Yeah, found it. Also it needs to be in range or something. Whoa, hey, sort of. This is very weird. Okay, it's infrared, right? Okay, cool. Okay, yeah, yeah, away with you.

So, what I want to cover. The power button, there we go. So I want to say something about the business we're in, just a little bit about the security standards that we have been exposed to throughout the years, and what auditors said, that's looking back a bit, a little bit about how it looks nowadays, and what auditors are still saying, so I might say something about that. Our approach and the tools we use: I'm not going to spend too much time on that, because I have no idea what I could possibly be telling you guys, but we'll find out. And then some ideas, some advice for the future if you end up in this situation.

I'm here because I've been using FreeBSD since the early 2000s, privately mostly, ever since I remote-upgraded my Slackware to FreeBSD. That was all sorts of fun; I was bored at work. I absolutely love open source, especially our variety of it. The type of help I'm getting from the community in my daily work is incredible. I absolutely love it. I landed in the payment industry in 2003. I had no idea where I was going to; it was pure coincidence. Incredibly steep learning curve when it comes to the security requirements. It was truly Wild West from my perspective in the beginning, and I'd like to try and show how it's become a little bit Westworld. I'm not sure I'm succeeding. The idea being, someone thinks they're in control now, but when they lose it, it's gonna blow up bad. But that's for another time. And I've been speaking about this for years, mostly over beers to people who probably didn't care, so let's see how this works out.

Modern, my company, has been doing in-house developed software and hosting it on FreeBSD since around '03, all my fault. When you're shopping online and you're asked to authenticate in some way or other, here in Norway you'd typically be using BankID, these national ID schemes, you will have similar things in other countries, or simple boring stuff like a password or an OTP sent to you via SMS, something like that. That typically hits us or one of our competitors, because what we do is we help the banks authenticate you as cardholders during the payment process. We make software for everyone involved in a payment process: the banks on one side, then you have the merchants and processors like Amazon and PayPal on the other side of the pond, and then you have the card companies in the middle trying to keep control of everything. This particular protocol that allows this to happen is called 3-D Secure. Some of you might have heard of it; it's also known as Verified by Visa, MasterCard SecureCode, back in the day. They all changed names now, sorry. Yeah.

So the whole idea is to let the banks intercept the payment process so that they can make sure that you're allowed to use whichever card you're currently trying to use when you pay. The banks will sell it to you guys, as cardholders, as security, for your security. It really has nothing to do with that. This is all about shifting blame elsewhere. Someone did something absolutely brilliant back in the day. Sorry, I went too fast here. When this protocol was implemented they gave all the web shops, all the merchants out there, a huge carrot: if they even tried to make use of this protocol they would automatically lose 90% of the risk with online transactions, which meant that all this risk that had traditionally been on the merchants was shifted to the banks. So the banks had to, you know, scramble to implement some sort of authentication, and not all of them are able to do that, but they can choose freely how to do this, which is why we have some really crazy authentication schemes out there. "Loading, please wait, an operator from the bank is going to call you," and then you have to wait until you get that phone call, and then they will ask you, okay, what are you up to, and then they might allow your transaction or not. That's quite common in the US, at least it used to be. And now we have this beautiful new PSD2, Payment Services Directive 2, in Europe, which means that they have to implement strong authentication. Not going to spend time on that, but it's a good thing, finally. And they're nowadays trying to use risk, look at your payment history and all that stuff, to figure out if the CVC is even necessary. But too much about that. This is what we do. I have spent too much time comparing myself to, you know, doctors who save lives and that sort of thing, but that's what we do, so sorry about that.

In the online payments world that I'm exposed to, you have these three players. You have the guys who decide how we are supposed to do things. Then you have pretty much everyone trying to cover their asses in some way or other, usually by pointing fingers. And then it's us, and we're like at the bottom of the food chain. When all the blame has been shifted somewhere, it finds its way to us somehow. I said in my abstract that we prefer to be there. That's probably because we haven't been hit really hard yet; I might change my mind about that. But so far at least it means we can own our own mistakes, so that is the one nice thing about it.

We have a whole bunch of security requirements that apply to us. The most important one, that some of you or many of you might have heard of, is the PCI DSS, Payment Card Industry Data Security Standard. It is supposed to cover all the payment industry, including this hotel and us and any merchant online, anyone handling card numbers. There are so many exceptions to that that it's not even funny, but we're subject to that one, and it has a sort of a sibling called the 3DS, as in the 3-D Secure specific requirements. Then we have the different payment schemes, Visa, Mastercard and the others; they have their own idea of how things should be done. Then we have legal requirements. That's always been there, but it's only recently been enforced in any meaningful way, so we're actually somewhat grateful for that; it helps a bit. And then every customer, again, they need to cover their asses, so they might have to make it look like they're inventing some sort of requirements that we have to follow, so that we have done something wrong when it hits the fan.

So yeah, the Wild West. That's a while ago. So no relevant security requirements that were being enforced, maybe except in the US, but not even really there. It was just, everyone did whatever they wanted. There were so many cases of fraud and fallout of various kinds. It's like violence and theft and stuff back in the day: you didn't hear about it because, you know, no Twitter back then. You had all this stuff, but it didn't usually make it to the news, because online shopping was still kind of tiny. I don't have the numbers, but I'm pretty sure that a larger percentage of transactions were fraudulent back then than they are now, by a huge margin. Server under the desk: the industry was literally scared about that, and there were so many of them. I mean, I've been in a company where we had servers under people's desks; it doubled as a developer workstation. So yeah. And then you have, you know, all the receipts stacked in shops, in hotels, you know, you have these receipts stuck on a pin with full card data, or even they ask you to write down your card number, expiry date and this code on the back, the so-called password that they came up with. It's absolutely crazy. And crypto, really, who has time for that? As in CPU time, really.

So we got some requirements. PCI DSS was an attempt to have a coherent approach to all this, but it stank. It was, again, lots of copy-paste, and basically none of the auditors had really any idea about this, but they were well paid, so they were ticking boxes for you. So-called qualified auditors were popping up everywhere; some of them were, you know, in the business for three or four months, so they were auditing a few companies, giving you prefilled pieces of paper, taking a bunch of money, and then they disappeared again. Absolutely terrible. Then you had the Visa 3-D Secure requirements. They were actually kind of interesting, because they were based on the physical card world, which has been there for a long time, so these requirements were more mature, more thought through. A bit overkill, given that, you know, this was not producing cards and shipping them by mail and that sort of thing, but at least they were strung together. We had some interesting audits anyway, not entirely terrible. But it got so bad, because suddenly the card companies had to start fighting for attention. You had the PCI taking over and you had all sorts of other requirements taking over, and the card companies themselves started being less and less relevant in the security requirements, and they didn't like that at all. So, I mean, I like this picture. Yes, it's by the book.

So some of the things we've experienced. This is the first part of the absurdities thing. We've been asked to look for data that cannot possibly exist. Again, requirements come from a different world, the world of physical cards, where you have the magnetic stripe on the back. So even though we're doing only online stuff, we've been forced to use various approaches to looking for stripe data on our servers. We do look for card numbers stored in log files and all that sort of thing, that's easy, but the stripe data, now that's hard. We had people come and take pictures with their phones. I mean, back in 2005-ish, 2006, phones and cameras, interesting combination. They came into the data center and took pictures of my password files, because that should prove that the passwords are encrypted. And then at some point we were asking for an auditor that knew Unix, and I said I will use grep to look for card numbers. "Yeah, man, you have to document that grep can do regular expressions." Believe it or not, one of the big card companies published a set of official regular expressions to look for card data, and they suggested we got this tool, I don't remember what it was called, Spider or something. Some alpha build for FreeBSD existed, binary blob; they wanted us to run this. I suggested using grep. Yeah, we did use grep, because we don't run untrusted binaries, usually. But yeah, yes, that's the binary blob.

We were two guys, we had an office about a third of this stage, but yes, we had to have a visitor badge system for our office, because otherwise we couldn't be sure that whoever was in the office was actually employed in our company or not.

Oh, this is my absolute favorite. An auditor was connected here to the big, you know, projector, like this, like I am now, and he was bringing up our documentation on his laptop. He was typing in a URL in his browser, and he thought he had focus on his screen. Too bad, focus was over there, in the browser window he had there, so he got his browser history. So this was the first PCI audit we ever had, and the auditor took the pictures, he took all the screenshots from our wiki, all the scanned documents, and stuck them in a folder on the desktop of his Windows XP laptop, next to a folder for 1, 2, 3, 10, 15, 20 of our competitors, customers, other banks, etc., etc. And then he brought up his browser history on the same level. I absolutely loved that. When they asked, yes, top level, level 1. Yeah. So after the audit I called the boss of this guy and told him about this story; he just said, "I think you will not be receiving a quote from us for next year."

So the low point of my career was after a lot of back and forth with these requirements. They were developing, and it was getting difficult, and especially the ones from Visa. They have essentially three large regions in the world, and they each have their own auditing authorities. It's the same document but different authorities with different interpretations, which meant that our competitors, who were usually in the US or Asia or somewhere, had reasonable auditors that would go in and say, okay, this is the security problem you have to solve, how did you do it? While the guys from Visa Europe did not. So we went there to talk to them and explain this, since, hey, you're making our lives really difficult because we have to do things that are absolutely absurd. This was the response I got: "We are not in the business of level playing fields." They didn't care and they had no interest in caring. The same guys also told us, "But we don't audit you for the money." We're only taking fifteen thousand euros off you for the privilege of being audited, plus the time and material of the auditor, plus a hundred thousand euros protection money every year. So, you know, not in it for the money at all. Love that.

So as time goes by and the requirements develop, some of them grow up. The PCI DSS is getting better. It is currently a decent security standard. Our audits tend to be useful to us: we find stuff, we fix it, we get help and everything. And they are not as locked down to a Windows group policy as they used to be, more problem-focused and solution-focused, as in they don't tell you how to do things as much as they used to, but what the problem is and the type of approach you should have, and you can actually do stuff on other platforms than Windows. But they still have a password policy in there that sucks, and that you simply cannot do on FreeBSD, which I'm getting back to. The other set of requirements, from Visa, they are so absurd at this point that you cannot even read them. They have copy-pasted stuff from their own documents, the indenting doesn't make sense, grammatically it doesn't make sense. It's like making pigs fly; you cannot conform, there is no way, logically impossible. And they actively reduce security, and this is my favorite kind of requirement. Of course, as a colleague of mine said, what they asked us to do was that we have to have a strong password on the root account. We cannot disable the root account entirely, because the requirement says you need a password, and that password needs to be split in two halves and given to two different people. So it's like telling us, sorry, telling us to take a solid brick wall and put in a door with a strong lock on it. My preference would still be the brick wall, but you know. This is probably the one time I've outright lied to an auditor and said yes, we did this. We've never had passwords for root, really. These guys go for naming, not numbering, I get it.

Another nice absurdity was when they told us, so I mentioned before OTPs via SMS, one-time passwords, when you're shopping or something. These guys didn't understand that this is fundamentally different from a static password, when you use the same password all the time. So they told us, you have to secure this OTP the same way you would secure a password, which means you have to use an HSM to encrypt them. Now, for those who don't know, an HSM is one of these crypto units that someone else spoke about earlier. They cost a lot of money. They're either a PCI card with some physical security on them, or it's a network-mounted unit. We use the network-mounted, rack-mounted variety. They cost eighty thousand euros apiece, and they suck. They're slow, and the only thing they're good at is keeping our keys secret, and that's because they have explosives inside, so if you try to take it out of the rack, stuff will blow up inside it. That's kind of cool. So how do we encrypt an OTP and send it to someone? Do we ship an HSM to everyone? I mean, you have like 15 kilos of 2U in your pocket that we pull out every time. You know, that doesn't work, obviously. Oh, we've done that, we've done that. There was a time the supplier would not under any circumstances ship these HSMs to Tallinn, Estonia. This is a part of the EU, but they were so afraid of this because it sounded Eastern Bloc and all that, so they refused to ship them. So they shipped to Norway, we put them in our check-in luggage and we flew over. Yes, I've been carrying HSMs.

Oh, and of course auditors not understanding how TLS works: that you have a server and a client, and the server decides on the crypto, but if we're sending stuff to someone, they decide on the crypto, then we can't make sure we're using an HSM. So the auditor told us, yeah, but how about you be the server and they be the client? How do you even compute that? Yeah, exactly.

So is there some sort of sanity coming? They're gone; the requirements from all the card brands' own requirements are basically gone, because the PCI has grown up and taken over all this stuff. They all agreed that, okay, we use the PCI standards, all of them, sort of, to achieve much the same, and the PCI has gotten this new extension covering what we do, what Visa used to ask for, and the others. And then we got regulation that is almost sane. GDPR is awesome for the consumer, for people in general. PSD2 tears down some of these walls that all the banks and others in the business have been building up to keep business in their own hands. So it's funny, I'm getting mails from my bank now telling me I can use one online bank to check my accounts in another bank, because they had to open up APIs and everything to talk between the banks. This is awesome. I mean, it's a tiny island of awesome, but it's still awesome. I like it. And it helps guide all these requirements and temper them. So all the requirements that come out of the US, they are tempered by European regulation, which means there are some things that, even though they're required of us, we simply cannot do, like having a camera behind my back in my office, that sort of thing.

But you still have auditors from hell that really do not understand what they're talking about. They have no idea, which means they either have a checklist that you're asked to fill out, or you have to take them to school through every single requirement, and this is so tiresome. And then, even though they've sort of given up control, the card companies, they haven't really, so they're inventing all sorts of other ways to keep control. This is the Westworld: they think they're in control, they're not really, so they don't even know when things start slipping. And then you still have all the people who are trying to cover their own asses. They haven't understood that all they need is a certification that we passed a certain set of requirements, so they invent their own, and that's usually copied and pasted, just stuff in a different order, but it's still mostly based on some ancient PCI, so it might not even be compatible anymore. So we've literally been asked to specify the kind of lighting we have outside our premises, and in this case our office, actually, which is completely irrelevant, and we still don't know, sorry, why they asked this. We have no idea, but we have to try and find out somehow. How often does police patrol outside our offices? How should I know? This is not the US, where you can pay the local sheriff to check by a couple of times a day. Do you have a priority phone number for the emergency services in your area? I was so pissed off when I got this one in my lap, because there's a hotel across the road: please go there first, if there's a fire, go to the hotel, don't care about us, people don't die.

And when you have a guy coming into your office, and he and his bosses have already decided that your business is worth, sorry, the data you process for them is worth 400 million US dollars. That is a very big number; anyone would be interested when they see such a number. So he has this on a piece of paper. It says Modern MD Pay and our address, phone numbers, everything on top, and then it says the name of the bank, you know, huge US bank, everyone's heard of it, and the four hundred million USD is also in big fat letters, so you can see this from 100 meters away. And this is in his briefcase, and he's carrying this through the airport, and his next stop is St. Petersburg. This is the single biggest liability that our company has ever been exposed to. I'm sorry, I'm trying to find that, oh, never mind. Because imagine someone seeing that document. It's about a company in Holland and it's four hundred million dollars. If you can get your hands on one percent of that data, and we can get one percent of the value of that data, you can still pay a lot of hackers and hookers and whatever else you need in order to get to us.

So, war stories and all that. How have we gone about doing this? And as I said before, I don't think I can teach a lot of you a lot about FreeBSD, so I won't even go there, but feel free to ask. So it's about thinking about security first and then compliance. It's not free, but it's easier, mostly. That one: if you can show that you don't even trust yourself, that goes a long way towards convincing your auditor that at least you don't trust anyone else you shouldn't be trusting. And this one has got me out of so much trouble: we might choose solutions that don't necessarily follow people's expectations, but being able to explain why we've done certain things, that's a big deal, because it helps show that you have understood the underlying challenge and you've solved that. It doesn't matter exactly how. And you have to be able to show that your choice is deliberate; you have to be able to show that this is the end of a thought process, not a thought process that started when the auditor raised the question. If you can think quick enough to come up with something at that point, then you're really good, I would like to hire you.

And this is something that always brings a lot of discussion, and this depends very much on what industry you're in and what kind of data you have and what kind of attack vectors and everything, but generally it kind of sucks to find out three years down the line that you had three, four or five audits, everyone said it was all hunky-dory, and then someone's been in your systems all the time. Because as soon as you have an audit and you pass, you think everything is fine, because whatever was there, you must have found it by now, right? So people spend a lot of time trying to prevent a break-in, but if you find an open hole in your wall it's not enough to plug it; you have to go check if anyone actually got in, and surprisingly many don't get this. So detect before you spend too much time trying to prevent. Because, yeah, you should of course try to do both.

But we have our servers in a data center. We have a rack in the data center with our stuff, and at some point I just have to say, yeah, whatever the data center is doing, it's okay. If someone managed to get to my rack and get to our equipment, they're probably there with a forklift anyway. What can I do? So no amount of, you know, kernel auditing is going to help you then. And dual control, physical dual control, goes a long way to convincing an auditor that what you're doing is okay, because especially in a small company, when you have to share hats, you wear a lot of hats. If you have dual control, meaning that you need to be two different people from the company to access your server rack, for example, it means you can show with a very high degree of certainty that no one has been playing around there on their own. And then make sure that whatever you really want dual control for, you can't do remotely. So this is one of the nice things with the network-mounted, rack-mounted HSM: there are certain things you simply cannot do. You cannot remotely insert a smart card in it to do an administrative operation. You can't remotely turn physical keys. This is very visual, but it's also very nice to just close off entire categories of requirements.

So, the tools we use. I didn't say so before, but we have been putting a lot of effort into just staying open source all the way, so a lot of these auditing requirements will assume that you're using some sort of commercial tools for various parts of your compliance work. We didn't do that. So lately we even have our routers on BSD, which is really nice. I really like that. The only closed-source software we have is the stuff we develop ourselves, and you may boo. I think it sucks, but then again, I've seen the source, it's okay. So probably the most important underpinning of being able to comply is about providing forensics data when it hits the fan, and that's where the kernel audit logs come in. I'm going to complain about them in a couple of slides, but they're really, really important. It's easy to turn them on; it's very hard to do anything useful with them. Then we use freebsd-update and pkg. I remember spending a couple of weeks trying to implement Tripwire at a point. This is a very long time ago, before we had these tools, but those actually do almost everything you need them to do. They can check the integrity of what you have installed, as long as you don't build your own kernel and world and everything. It's actually quite okay. pkg does its job. You need to know a little bit of what you've done yourself and keep track of this, but they can do it. PCI requires a web application firewall. I think the concept is weird, but ModSecurity, you can actually do that with nginx now on stock FreeBSD, and it works surprisingly well. We have some interesting cases where nginx will blow up to twelve gigabytes memory usage per worker or something, but it looks good now. One of my colleagues is maintaining the libmodsecurity port. MySQL for data: Oracle actually told us at a point that we have the second-largest MySQL installation in the world. I don't think that's true any longer, but it's pretty big. I think we're handling like 5 times 15 terabytes online storage at any given time. And MySQL can actually log access, but good luck finding that documented anywhere. You can actually do it: you can log to syslog, and it gives you everything a PCI auditor will ask for, surprisingly. pfSense, Suricata, tools that most of you will know on some level or other. Puppet for config management. ZFS: whenever Puppet runs in one of our jails, it will tell the host to snapshot the jail before it proceeds, and if that fails it will just bomb out. That is very nice when you have to show rollback capability. [Unclear] and audit trail and all that, it's nothing really out of the ordinary.

The kernel auditing is the only thing that we're kind of struggling with, and that a lot of people probably don't use. Check the man page. It will give you lots of data, but you can tell it to only, you know, save away some of it, so be careful with that. Don't try to do a lot with the data on the server where you're collecting it; get it out of there and process it elsewhere. One exception being bsmtrace, which is seriously undervalued. It can look at the events from the audit pipe and tell you when a certain chain of events happens. So for example, if the www user just forks a process, that is bad; that means someone owned my Tomcat. And that is a beautiful way of showing that, hey, I will pick it up if someone gets in that way. You can do similar things with the, you know, nginx users or whatever, and that is pretty simple, or brute-force login attempts, that sort of thing. So check it out, it's cute. But I'll get to that.

So you have different philosophies in the industry. I'm sorry, I'm going a bit faster; someone showed me a sign here. So probably the biggest one here is, again, they need you to store away the last ten passwords used for a user on the system. I don't know how to do that on FreeBSD; 15 years later I still don't. Everyone expects a large organization. We started out as two people, now we're eight in our hosting business doing the work, and it's still small compared to what a lot of the auditors expect. It's not very open-source friendly, because you cannot equate Linux with open source, because Linux comes with corporate stuff, so although the software is technically open source, they don't like the open-source community. Also because all these HSMs, they require drivers and that sort of stuff, unless you use the network units; that kind of sucks. And just because you're compliant doesn't mean you're secure, and vice versa, so you have to keep an eye on both. Interpretation: everyone will interpret the standard differently. Even two auditors from the same company, shall we not mention names, will have wildly different interpretations of the same requirements, so make sure you know, before they do, what the requirement actually says.

And choose your auditor wisely. For PCI you can actually choose your auditor, which is nice, which means you can make sure they're technical, make sure they understand technical things, because this is technical. Anyone who tells you differently is wrong. Yes, there's a lot of business processes and all that stuff, but at the end of the day it's technical. How will your auditor handle alternative solutions? If you haven't done something by the book, what have you done? Are they able to interpret and understand what you have done, and will they help you find a solution? Sometimes the auditor will say, I can't, but my colleague over here can, and that is perfectly fine. Does the auditor trust their own judgment? This is probably the hardest one, because they, again, are part of the blame game. So if we're broken, our auditor will burn. So does the auditor trust their own judgment well enough to actually give you a pass even if you haven't followed the letter but actually solved the problem? And if someone warns you about a particular auditor, you should listen to them, because that usually means there is something you need to look out for. But if someone recommends you an auditor, and that doesn't come often, then you really should listen. And you are the client, you're paying their bills, so even though you can't demand compliance, you can demand qualified people. I'm not sure what else I really can do about that.

But then you have the situations where you cannot choose your auditor, which means you will get some random guy. Chemistry is everything. It can go down the drain the moment you shake the guy's hand, but don't ask me. So explain what you've done early, and your key concepts, I mean your decisions, your design choices, etc., and be prepared to use generic terminology. If they call your platform Linux, don't get too upset; it's going to happen. They're gonna think it's a Linux. And don't talk about jails if they clearly don't understand what you're talking about, but everyone understands virtual machines and thinks that's a good thing, so play them like that, dammit. Almost every requirement stems from the PCI DSS, so do your homework: read their requirements and find out where they come from, so you can show that, yeah, this has already been asked and we did it like this, because it's already covered. They all come from the same place, but they might be different generations of requirements, so it can be interesting anyway. They will typically recognize your PCI certificate, but not necessarily; it depends if they know someone on the board, in which case they might not. It is a somewhat small industry and people have spoken to each other.

So I have a couple of complaints about the current state of affairs. The kernel auditing stuff is awesome, but it's not done. There's not a lot of good documentation or examples. I mean, if you look at the TrustedBSD website, for example, it's so old it's not even funny. I'm not sure a lot of people are using this. Who's using the auditing framework in any capacity? Excellent, one to a few, not a lot. And come on, I don't know, wait, what, 20 years in and we still don't log the jail ID of something that's happening. This is just not okay. But I've been yelling about that for 15 years now and nothing's happening, so I am yelling in the wrong direction, I guess. Package base: I know there was a talk about that here just before I came on. I was panicking over there, so I didn't get it; someone summarized it for me. But I really look forward to that. And then there's the whole jail orchestration thing. There's a lot of interesting work going on there. I have a colleague, he's working very hard on getting things to work. I can't wait for that, but that's something that we should have had a while ago. The train sort of, it's out there somewhere, we really need to catch up. But we have the basic technology in place, and it's beautiful.

So thank you, everybody, everyone who's been contributing awesome work, organizers of this event, thank you very much, it's been very exciting, everyone else pitching in in some way or other, my esteemed colleagues, who have been surprisingly quiet through this, [unclear], who has been helping me with the slides as I panicked the worst here, that was awesome. So thanks for all the beer. [Applause]

Do we have time for questions? Cool. Anyone?

[Audience] Do you have any suggestions for making the audit process, the compliance part of it, better, and making, you know, auditors better? Can you refer three people?

I'm not sure I got it.

[Audience] Do you have any suggestions on how to make the process of auditing, or, you know, making the standards and the auditors more well informed on how...

Oh, I see, yeah. So how we can improve the auditing process, essentially. I don't know. That's an uphill battle, because again, we're at the bottom of this, we're where all the blame is being shifted. We can't really do a lot. Until very recently we haven't had anywhere where we could complain if we thought our auditor was doing a bad job or was plain old wrong. We could not complain to anyone. It's like, if you have a problem, then just find a different table. So honestly, I don't know.

[Audience] Is there a set of problems relating to FreeBSD which came up repeatedly during the audits, something like, if we had this workaround, or if we could teach the auditors about this, it would simplify your life? How FreeBSD has been, if at all, a repeated sort of challenge during the audits?

It's not a Linux. That keeps coming up: this is a Linux, right? Well, yeah. So jails, what's it actually called? It's like VMware, right? No, not really. The big one, though, is this whole password history problem. That is one, but we've solved that by saying, okay, on the application level we have different password implementations, obviously; on system level we don't use passwords, we use, you know, hardware SSH keys, so no password policy required. But I have to admit that sometimes it would have been nice to have a more flexible password policy in the PCI era, where you can say that, okay, nowadays people don't change their passwords every month because they use password managers, for example, or storing the 10 last passwords, that's actually a potential liability in itself. But then you have the other side of the fence, where these requirements come from, who say that this is the only way to make sure that you actually have new passwords every time. I'm not sure I don't like that thought. Just storing the hash, sure, but if you attack it using a pattern, you know, you assume people just add a number or something, that is very easy to verify. This I came up with, very creative ways to explain things. Yeah, so we just don't. Password change time, yes. So again, Kerberos or LDAP, that sort of thing, could use it. We have chosen not to, because it's simply more complexity than I think it's worth. So we just don't use passwords on the system level, and when we do have passwords on the system level, they can only be used physically on site under dual control, which removes the whole problem. Then you just argue the password doesn't actually matter, because you still need two people and two keys.

[Audience] When I was at the University of Oslo, what we did with the password changes was that we stored the hashes for, I think, the last three or five hashes, and then when the user tried to set a new password we would use the new password as the basis for a dictionary attack on the old salted...

Yeah, beautiful. Beautiful.

[Audience] So we would, for instance, just adding a number or incrementing a number at the end of the password would
have been that would be rejected because the dictionary attack would would succeed yes the old passwords I see again we've had a lot of ugly implementations to try and comply throughout but removing the whole class of problems by not using passwords has turned out for us to be the simplest solution anyone what does the standard say and what did you do was respective passwords that services used to authenticate to each other do you use SSH keys or TLS or anything to authenticate to my sequel and we use so I mentioned I use puppet Everywhere puppet has the nice side effect of also being an internal CA so if you're careful about how you use it you can actually use that to authenticate all your hosts to each other because every node in the network has a certificate issued under this CA so you do have neutral TLS level authentication it depends on your environment whether this is good enough or not but in our case that has gone above and beyond what has been required more if nothing else then thank you very much for your attention [Applause] you
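The password-history check described in the Oslo question above (keep the last few salted hashes, and on a change use the new password as the seed of a dictionary attack against those old hashes, so that "add a number" or "increment the number" is rejected without ever storing the old plaintexts) can be made concrete. The following is an added Python example written for this page; it is not code from the talk, from the University of Oslo, or from FreeBSD. The variant rules, the PBKDF2 parameters, the history depth and the sample passwords are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Set, Tuple

# Assumptions (not from the talk): PBKDF2-HMAC-SHA256 with a per-password
# salt; 10_000 iterations is kept low so the demo runs quickly, a real
# deployment would use a higher cost and the system's own hash format.
ITERATIONS = 10_000
HISTORY_DEPTH = 5  # the questioner said "the last three or five"

HashEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2 hash; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def candidate_variants(new_password: str) -> Set[str]:
    """The 'dictionary' derived from the new password: the trivially related
    strings a user may have used last time (same stem with a neighbouring
    trailing number, digits dropped, different capitalisation).
    This rule set is a constructed illustration, not a complete policy."""
    variants = {new_password}
    m = re.fullmatch(r"(.*?)(\d+)", new_password)
    if m:
        stem, digits = m.group(1), m.group(2)
        width, n = len(digits), int(digits)
        variants.add(stem)  # trailing digits removed entirely
        # neighbouring counters: Winter2021 -> Winter2016 .. Winter2026
        for delta in range(-5, 6):
            if n + delta >= 0:
                variants.add(f"{stem}{n + delta:0{width}d}")
    # case variants of everything collected so far
    for v in list(variants):
        variants.update({v.lower(), v.upper(), v.capitalize(), v.swapcase()})
    return variants


def reuses_old_password(new_password: str, history: List[HashEntry]) -> bool:
    """True if any variant of the new password hashes, under the stored salt,
    to one of the stored old digests. Only hashes are ever kept."""
    candidates = candidate_variants(new_password)
    for salt, old_digest in history:
        for cand in candidates:
            _, digest = hash_password(cand, salt)
            if hmac.compare_digest(digest, old_digest):
                return True
    return False


def set_password(new_password: str, history: List[HashEntry]) -> List[HashEntry]:
    """Enforce the history check, then rotate the new hash into the history,
    keeping only the most recent HISTORY_DEPTH entries."""
    if reuses_old_password(new_password, history):
        raise ValueError("new password is too close to a previous one")
    history = history + [hash_password(new_password)]
    return history[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample history, as it would look before the policy existed.
    hist = [hash_password(p) for p in ("Winter2018", "Winter2019", "Winter2020")]
    for attempt in ("Winter2021", "winter2019", "correct horse battery"):
        verdict = "rejected" if reuses_old_password(attempt, hist) else "accepted"
        print(f"{attempt!r}: {verdict}")
```

The cost of the check is (number of variants) x (history depth) hash computations at the configured work factor, which is why the demo keeps the iteration count low; in practice the check runs once per password change, so a production work factor is affordable, and the variant list should be bounded rather than grown into a full cracking rule set.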
Info
Channel: EuroBSDcon
Views: 9,522
Rating: 4.8620691 out of 5
Id: I2rhwnY6Bg4
Length: 47min 19sec (2839 seconds)
Published: Sun Oct 27 2019