InfoSec Industry in the dawn of a new Era
FUD-Free insider stories live from the Unicorn pile of Poo — BB 0.1
“Throughout human history, as our species has faced the frightening, terrorizing fact that we do not know who we are, or where we are going in this ocean of chaos, it has been the authorities — the political, the religious, the educational authorities — who attempted to comfort us by giving us order, rules, regulations, informing — forming in our minds — their view of reality. To think for yourself you must question authority and learn how to put yourself in a state of vulnerable open-mindedness, chaotic, confused vulnerability to inform yourself. Think for Yourself. Question Authority.” — Timothy Leary
Author’s note: This paper is an attempt to put words on personal thoughts, and thus do not represent any work done for previous or actual employers. Obviously, it is not sponsored by any of the below cited companies, and [insert additional lawyer disclaimer] — Excuse my French, Kudos for challenging. After all, it’s full of open-source ideas shared in CC BY-NC 3.0 FR
See one, Do one, Teach one
I have this unique opportunity, besides my day job as pentester, to be a lecturer in a one-year (Licence Professionnelle) experimental “Full Stack web dev” diploma at Cergy-Pontoise University. “See one, Do one, Teach one” is the main leitmotiv of this team of hackers, makers and builders, aiming for one goal: sharing their childish passions to this little crowd we call a classroom. The creative energy of these “free and available minds” is leveraged by crash courses and collaborative projects format, with IoT hands-on workshops in the Faclab, Cergy Pontoise University’s Fab Lab.
Looking back at these years of ongoing experimentation, it is not only a great opportunity to nourish this egoistic urge to share, or to catch this little glimmer of understanding in the students' eyes, or to have my finger in the pulse on Dev and IoT innovations, but mainly as a great IRL sandbox to experiment some pieces of idea that pops out in my daily OSINT as a “white-hat” hacker.
Le cartésien désabusé — a part of me that can be worded as “I think, therefore I am, but I don’t care anymore”, and built upon InfoSec and Data Analysis’ professional experiences with a hell lot of IRL facepalms — discovered and learned from Vagrant, Docker and other digital unicorns, through the eyes of these Github-raised young generation of script kiddies that are building the future.
Docker Inc, a “Dev Revolution”
Docker’s vision can be considered as a hack of the Dev ecosystem: By building bridges between the Software delivery and Freight transport, Solomon Hykes disrupted the former in the same way intermodal containers revolutionized the latter. This stepping stone gave birth to a Cloud environment driven by the community and endorsed by the industry, as it allows a collaborative, and thus standardizable communication through open and extensible API.
Docker Inc figures, technical roadmaps and relentless energy re-injected in the open source community speaks for themselves: Software standardization is on the way, and faster than we can imagine. We can only but admire the work done so far, and the guts they have to keep it going with the valley's big whales. Chapeau bas.
In the other hand, a global consensus around this vision seems to be held back by one key barrier: Security.
Did the InfoSec community got a glimpse of Docker’s potential to help companies go beyond this barrier and ease interaction? Nope. We’re too busy keeping the FUD roulette spinning from one side, or eventually trying to stop it from the other. We need a third way to bypass or even hack this whole mess.
I had, for instance, the opportunity to attend BlackHat Europe conference last December, and I was excited to see what InfoSec researchers has thought about Docker. The level of excitement dropped six feet under when one of the talks ends on comparing Docker Hub and early days of the Android Market.
I may have misunderstood the overall message of this talk, but the TL;DR off the top of my head is “Docker is vulnerable because more than 90% images seems to be vulnerable, Docker should do like Google and perform auto analysis because it’s their responsibility”. Yes, sure, they are working on it, but Docker is not Google and not alone neither: Upstream providers, that are also part of Docker’s community, have to keep the moral responsibility of maintaining their own “official” image. I’m sure that we, as in the Hacker community, will be delighted to help heal those "sick" containers.
What Docker simply offers is the ability to build a bridge between Dev and Ops teams: It is a means to an end, not an end in itself.
The high number of vulnerabilities found in Docker Hub is symptomatic of a simple fact: the InfoSec archetype of the “PEBCAK dev that don’t know how to write secure code” is now writing not only application code, but also system code. Dan Walsh, aka Mr SELinux, summed it all, in his infamous "Do containers actually contain?", with one question:
“Do you trust developers to fix security issues in their images?” — Mr SELinux @ RedHat
No. Because it is not about trust. It is simply not their job, it’s our job as “security researchers” to help securing images, and ease Devs work, to in fine ease ours.
By building this bridge between Hackers and Devs, le téléphone arabe will be smoother, thus leveraging it to finally do something about this Security Awareness that we have been advocating for years.
Dev Make — Hacker Heal
Hashicorp, an “Ops Revolution”
Hashicorp is home of the notorious Vagrant, a higher-level wrapper around virtualization adventure that started 5 years ago. Armed with this heavy experience, Mitchell Hashimoto and his team are doing a relentless work on automating all the “heavy lifting”, as Portal cranes working on loading/unloading containers and moving it around. Ops have now the ability to push pre-build images to cloud providers, define network segregation and execute post deployment system instructions, in a human readable configuration file.
This new level of abstraction can be comparable to the C++ paradigm change: “compiled and ready to roll” machine images can be viewed as objects, thus allowing Ops to collaborate, to improve and to deploy Docker containers, VMs and AMI in a quick and easy fashion, and most importantly, wherever they want in the planet.
The “moving it around” part is interesting in today’s cloud based Internet, especially when taken into consideration the geo-political chess board. The ongoing Balkanisation d’Internet is giving endless headaches to law makers and EFF, but will soon be a hell to manage in Ops POV: How can you manage legal liability, for instance, if your company's servers are shared between New York, Nice, Madrid and Erding? Is the Patriot Act aka NSA root access applicable to all of your servers? Will it be risk assessed following SOX, ISO 2700X and ANSSI PSSI at the same time? And, most importantly, can you keep an up-to-date compliancy considering the mad pace of InfoSec environment? Should you declare your entire clients' personal data to the CNIL or only your French customers?
Having in hand this elasticity, scalability and this new high-level abstraction, Ops will be able, in a near future, to move an entire “virtual datacenter” from a country to another within minutes, allowing thus companies to be reactive in case of law enforcement requests of compliancy, Or at least give them the choice to move entire infrastructure and it’s underlying data to a safe haven for data privacy or for eco-green friendly neighborhoods.
These are exciting times from Ops perspective, as we may be in the verge of a new decentralized “all inclusive” network. Experiments like Docker ❤ Tor were conducted, and results looks already promising. What will be your experiment?
I may not need to emphasize this, but Ops and Hackers are cut from the same cloth: A Hacker need to build things to know how to break it, and the other around is true for Ops.
Let’s talk about perspective again, or maybe a picture will be enough…
Or maybe by leveraging Docker Inc and Hashicorp potentials, Red Team and Blue Team can finally speak to each others in a more collaborative and efficient way. It will be better than a 100 pages pentest report that the client will never read, eventually it will end up in the bin, along with any motivation left if we continue down this FUD/1984 road that InfoSec Industry is taking us to.
Op Build — Hacker Heal
InfoSec Industry Reaction? French do it better
Full disclosure: Even if I spent more than 10 years in France, I’m not, technically speaking, French.
Born in Morocco, I had this chance to be raised in multi-cultural environment, where Brel wisdom meets Oum Kalthoum’s poetry, where you can equally be amazed and build connections between “Le Siècle des Lumières” era and how North Africa, since the 11th century, constructed this tradition of openness, sharing and mutual enrichment, with Al Andalus as climax, and Morocco as a backup ‘safe haven’.
When I got here, I was happy to find the same tradition of sharing in the French and International Hacker community through my spokesman experience for HackerzVoice, one of the oldest French non-profit hacker association and organizers of La Nuit du Hack.
Why am I speaking about this? Because I've seen France drastically changing since the establishment of the State of Emergency. People are "afraid", not only because of the terrorist attacks that shook the world, but also about the Patriot Act like road that French government is heading toward.
InfoSec Industry, and not only in France for instance, seems to follow the same path of FUD "repression". A perfect and in-situ example is what happened just before the 8th edition of the Forum International de la CyberSécurité, where European Industry leaders draw future European CyberSecurity policies. A young security startup (FR) notified that the live website is vulnerable to an attack that could compromise their web databases, and responsibly disclosed details to the team in charge. The only response they got are cops the day after, ceasing their personal laptops, phones and even a Playstation.
I'm not interested in who is right and who is wrong in this story, I'm just astonished by the signal sent by FIC's organization toward the French Hacking community. What is is even sicker is that an additional amendment (FR) has been added to the Numeric Law to "protect" whistle blowers (FR), and has even been supported by the National Agency for Computer Security (ANSSI) just days before this "incident". Have you ever been afraid to do your job? Now, you can! #FrenchDoItBetter
Une autre? French "elites" are pushing digital sovereignty through a "made in France" OS. Yes, you read it right. Operating System. This "technological non-sense" - those are ANSSI's Head exact words pronounced during FIC (sic)- is not even new, as it is a running gag being served throughout the years. Should we really pinpoint how this "elite" is completely disconnected with (technical) reality? Nah, vaut mieux en rire.
Docker community choose "cracking" jokes about it in the issue #19396 thread, and decided to "translate" docker commands in Ubuesque French. You really need to lay an eye on it and have a laugh.
France has a long tradition of absurd, grotesque and self-mockery humor. Let's take the example of Omar & Fred's comedy show, Le SAV des émissions, when Fred says:
"62% des Français ont peur de leurs futurs? Bah ils ont qu'à vivre dans le passé! Elle est bonne celle là hein?" Fred Testot — SAV des émissions
Which can be roughly translated to “62% of French are afraid of their future? They just need to live in the past! That’s a good joke, right?!”. This is not as absurd as it seems if you think about it, as it seems that "elites" are building bridges with some of France's dark ages.
Maybe this is not the good Era to be inspired of for France's future,
Maybe InfoSec Industry is meant to stay the Ouroboros that we know today, constantly re-creating itself through FUD,
But I'm sure that Hackers, giving their talent of thinking "outside the box", will find an alternative way to change and transform drastically where we are going in this ocean of chaos.
Stay tuned for the next episode.
Cyber Peace Out,
H.A.T
“Personne ne sait ce qu’il se passe aujourd’hui parce que personne ne veut qu’il se passe quelque chose.
En réalité on ne sait jamais ce qui se passe, on sait simplement ce qu’on veut qu’il se passe. C’est comme ça que les choses arrivent. En 17, Lénine et ses camarades ne disaient pas “nous allons faire la révolution parce que nous voulons la révolution”. Ils disaient “toutes les conditions de la révolution sont réunies, la révolution est inéluctable”. Pour faire une révolution qui n’aurait jamais eu lieu s’ils ne l’avaient pas faite et qu’ils n’auraient pas faite s’ils n’avaient pas pensé qu’elle était inéluctable uniquement parce qu’ils la voulaient.
Chaque fois que quelque chose a bougé dans ce monde ça a toujours été pour le pire. Voilà pourquoi personne ne bouge ; personne n’ose provoquer l’avenir. Faudrait être fou pour provoquer l’avenir. Faudrait être fou pour risquer provoquer un nouveau 19, un nouveau 14, un nouveau 37…
- Alors il ne se passe jamais plus rien ?
- Si, parce qu’il y aura toujours des fous et des cons pour les suivre et des sages pour ne rien faire." — Jean-Pierre Léaud dans "La naissance de l'Amour"
Edit 07 Aug : Switched titles
