The man who broke the music business, the major downsides to the container culture & yes, they really are trying to sell you Security Snake Oil.
Plus your great questions, our answers & much, much more!
— Show Notes: —
The man who broke the music business
- A story from inside one of the original warez and mp3 distribution groups on the Internet
- The guy worked at a CD pressing plant, and smuggled out the latest music up to a month before it hit stores
- He traded these mp3s for access to the “top sites”
- The top sites were the top of the warez scene hierarchy, and contained all of the latest movies and other pirated content
- He built some burning towers and sold the movie discs for $5
- He avoided selling music, to keep suspicion off himself, because the CD pressing plant had started cracking down
- It also covers how the FBI broke up the ring and prosecuted the members
- An interesting story especially if you were around at the time
The sad state of sysadmins in the age of containers
- “System administration is in a sad state. It is in a mess. I’m not complaining about old-school sysadmins. They know how to keep systems running, manage update and upgrade paths.”
- “This rant is about containers, prebuilt VMs, and the incredible mess they cause because their concept lacks notions of “trust” and “upgrades”.”
- “Consider for example Hadoop. Nobody seems to know how to build Hadoop from scratch. It’s an incredible mess of dependencies, version requirements and build tools.”
- “None of these “fancy” tools still builds by a traditional make command. Every tool has to come up with their own, incompatible, and non-portable “method of the day” of building. And since nobody is still able to compile things from scratch, everybody just downloads precompiled binaries from random websites. Often without any authentication or signature.”
- “The Hadoop Wiki Page of Debian is a typical example. Essentially, people have given up in 2010 to be able to build Hadoop from source for Debian and offer nice packages.”
- “To build Apache Bigtop, you apparently first have to install puppet3. Let it download magic data from the internet. Then it tries to run sudo puppet to enable the NSA backdoors (for example, it will download and install an outdated precompiled JDK, because it considers you too stupid to install Java.) And then hope the gradle build doesn’t throw a 200 line useless backtrace. I am not joking. It will try to execute commands such as e.g.:
- /bin/bash -c "wget https://www.scala-lang.org/files/archive/scala-2.10.3.deb ; dpkg -x ./scala-2.10.3.deb /"
- “Note that it doesn’t even install the package properly, but extracts it to your root directory. The download does not check any signature, not even SSL certificates.”
- “Instead of writing clean, modular architecture, everything these days morphs into a huge mess of interlocked dependencies. Last I checked, the Hadoop classpath was already over 100 jars. I bet it is now 150, without even using any of the HBaseGiraphFlumeCrunchPigHiveMahoutSolrSparkElasticsearch (or any other of the Apache chaos) mess yet.”
- “Stack is the new term for “I have no idea what I’m actually using”. Maven, ivy and sbt are the go-to tools for having your system download unsigned binary data from the internet and run it on your computer.”
- “And with containers, this mess gets even worse. Ever tried to security update a container?”
- “Feels like downloading Windows shareware in the 90s to me.”
- “When will the first docker image appear which contains the Ask toolbar? The first internet worm spreading via flawed docker images?”
- “Update: it was pointed out that this started way before Docker: »Docker is the new ‘curl | sudo bash’«. That’s right, but it’s now pretty much mainstream to download and run untrusted software in your “datacenter”. That is bad, really bad. Before, admins would try hard to prevent security holes, now they call themselves “devops” and happily introduce them to the network themselves!”
- I, for one, am now less excited about the idea of building something Docker-like for FreeBSD jails
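An added example, not code from the show or the article it quotes: a shell replacement for the unchecked download above that pins a SHA-256, fetches over verified HTTPS only, and installs with dpkg -i instead of extracting into /. The URL and digest a caller passes in are assumed placeholders, not real release values.

```shell
#!/bin/sh
# Added example (not from the show or the quoted rant). The Bigtop command
# fetches a .deb with no checksum or signature check and unpacks it into /
# with "dpkg -x", which also keeps it out of the package database, so there
# is no upgrade path. Minimal hardening: pin an expected SHA-256, fetch over
# HTTPS only with certificate verification, refuse on mismatch, use dpkg -i.
set -u

# Print the SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 otherwise. A mismatching
# file is deleted so nothing downstream can install it by accident.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    rm -f "$1"
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST: --proto '=https' rejects plain-http
# URLs, and curl verifies the server certificate by default (no -k).
fetch_verified() {
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
        --output "$3" "$1" || return 1
    verify_sha256 "$3" "$2"
}

# install_deb_verified URL EXPECTED_HEX: replacement for
# 'wget pkg.deb ; dpkg -x pkg.deb /'. dpkg -i records the package, so
# dpkg -l, apt-get upgrade and dpkg -r all know about it afterwards.
install_deb_verified() {
    tmp=$(mktemp) || return 1
    fetch_verified "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    dpkg -i "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

Pinning the digest only helps if it came from somewhere other than the download site itself (a signed release note, a vendored checksum file); a hash fetched from the same untrusted URL proves nothing.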
Security Vendor Snake Oil
- “As security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue.”
- “we are alarmed at the kind of subversive untruths that vendor “spin doctors” are using to draw well-intentioned customers to their doors.”
- “What would do more good for most organizations than increased Internet security spending, is a tough love school out in the mountains where the leadership team learns what actual threats feel like and what kind of team work and planning it takes to build a secure environment. Security does not come from locks or weapons or cameras — rather, it comes from attitude and awareness and positioning.”
- “In the Cloud, everything is crystal clear, look here, we instantly see where attacks are coming from.” Except that we don’t! Most of the time we have absolutely no clue as to where an attack is really originating from.
- “In the Cloud, we can neatly distinguish benign user behavior from attack behavior.” Except, we can’t! This is actually one of the really hard problems of information security.
- “In the Cloud, we have instant knowledge and visibility when an attack occurs.” Except, we don’t! We really don’t! The latest statistics say it usually takes around 200 days to discover an espionage intrusion.
- “Just as “data” is being sold as “intelligence”, a lot of security technologies are being sold as “security solutions” rather than what they for the most part are, namely very narrowly focused appliances that at best can be part of your broader security effort.”
- “Too many of these appliances do unfortunately not easily integrate with other appliances or with the rest of your security portfolio, or with your policies and procedures”
- What is needed is a platform where we can plug in various modules, do scoring, and make intelligent decisions
- “The buyers of magical security boxes they don’t understand based on the promise of permanent safety are probably not applying vendor patches to their infrastructure, and that infrastructure is likely to be made up of other magical boxes that nobody quite understands.”
- “The weaknesses exploited by bad guys may appear to be on the perimeter of a victim’s network, or in the components of a victim’s infrastructure, but in fact the weaknesses we mostly see are in the culture of organizations and in the psychology of the staff and especially of the leadership, and no “security solution” wrapped in a black box can fix that.”
- “There are no silver bullets in Internet security — no way to kill the monster in a way that it stays dead. We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what’s coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month.”
- “There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we.”
- Speaking of how Attack Maps are all flash and no substance
- Threat Butt Attack Map
Feedback:
Round Up:
- Evil Wi-Fi kills iPhones, iPods in range – ‘No iOS Zone’ SSL bug revealed
- Net Nanny found using the same MitM fake root CA technique as Superfish and others
- It wasn’t easy, but Netflix will soon use HTTPS to secure video streams
- Behind the scenes of an eSports event, what it takes to make it happen
- New Android Exploit — Touch Jacking
- Facebook hacking tool
- FBI and TSA warn Airlines to watch for WiFi hackers
- Why a developer quit Apple
- Live streaming coding sessions improves quality of output?
- Virtuous Circle of DevOpsSec
- Top 10 API Security Considerations