major.io - Page 3 of 146 - Words of wisdom from a Linux engineer focused on information security

RHEL 7 STIG v1 updates for openstack-ansible-security

April 5, 2017 By Major Hayden Leave a Comment

DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes. The openstack-ansible-security role has already been updated with these changes.

Quite a few duplicated STIG controls were removed and a few new ones were added. Some of the controls in the pre-release were difficult to implement, especially those that changed parameters for PKI-based authentication.

The biggest challenge overall was the renumbering. The pre-release STIG used an unusual numbering convention: RHEL-07-123456. The final version used the more standardized “V” numbers, such as V-72225. This change required a substantial patch to bring the Ansible role inline with the new STIG release.

All of the role’s documentation is now updated to reflect the new numbering scheme and STIG changes. The key thing to remember is that you’ll need to use --skip-tag with the new STIG numbers if you need to skip certain tasks.

Note: These changes won’t be backported to the stable/ocata branch, so you need to use the master branch to get these changes.

Have feedback? Found a bug? Let us know!

IRC: #openstack-ansible on Freenode IRC
Bugs: LaunchPad
E-mail: [email protected] with the subject line [openstack-ansible][security]

Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

March 21, 2017 By Major Hayden Leave a Comment

Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World“, covered a wide range of security concerns.

There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.

People, process, and technology

Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it’s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product.

The companies that sell these products have a wide variety of strategies for managing security issues. Vulnerabilities in an internet-connected teapot are not worth much since there isn’t a lot of value there. It’s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.

Certainty vs. uncertainty

The talk moved into incident response and how to be successful when the worst happens. Automation only works when there’s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic.

Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense.

He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently — by a human.

One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.

OODA loop

Bruce raised awareness around the OODA loop and its value when dealing with security incidents. Savvy readers will remember that the OODA loop was the crux of my “Be an inspiration, not an impostor” talk about impostor syndrome.

His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries’ OODA loops and thwart the attack.

[Read more…]

Five reasons why I’m excited about POWER9

March 21, 2017 By Major Hayden Leave a Comment

There’s plenty to like about the POWER8 architecture: high speed interconnections, large (and flexible) core counts, and support for lots of memory. POWER9 provides improvements in all of these areas and it has learned some entirely new tricks as well.

Here are my top five reasons for getting excited about POWER9:

NVLink 2.0

In the simplext terms, NVLink provides a very high speed interface between CPUs and GPUs with very low latency. This is quite handy for software that needs to exchange large amounts of data with GPUs. Machine learning can get a significant performance boost with NVLink.

NVLink 2.0 connects CPUs and GPUS with a 25GB/sec link (per lane). That’s not all — GPUs can communicate with each other over their own independent lanes. Drop in a few NVIDIA’s Tesla P100 GPUs and you will have an extremely powerful accelerated system. NVIDIA’s next generation GPUs, codenamed “Volta”, will take this to the next level.

CAPI 2.0

The Coherent Accelerator Processor Interface (CAPI) allows the CPU to quickly access accelerators (think ASICs and FPGAs) over a high bandwidth interface with very low latency. CAPI 2.0 gets a 4x performance bump in POWER9 since it uses PCI-Express Gen 4.

The OpenCAPI 3.0 interface is also available, but it doesn’t use PCI-Express like CAPI does. It has an open interface with 25GB/sec of bandwidth and it uses direct memory access to perform operations very quickly.

On-chip acceleration

POWER9 provides more acceleration for common tasks right on the chip itself. This includes the common functions, like cryptography, but it also accelerates compression. The chip will accelerate gzip compression, 842 compression and AES/SHA. It also has a true random number generator built in.

Another nice on-chip benefit is the virtualization acceleration. No hypervisor calls are needed (this depends on your hypervisor choice) and this allows for user mode invocation of virtualization actions.

Multiple core options

POWER9 comes in two flavors: SMT8 and SMT4. SMT8 is geared towards the PowerVM platform and provides the strongest individual threads. This makes it great for larger PowerVM partitions that need lots of cores. SMT4 is designed more for Linux workloads.

The chip can handle 64 instructions per cycle on the SMT4 and 128 instructions on the SMT8. There are also some compiler benefits that can improve performance for modern codebases.

OpenPOWER Zaius

I’d be remiss if I didn’t mention Rackspace’s contributions to the Zaius P9 server! Zaius is a spec for an Open Compute POWER9 server. Google, Rackspace, IBM and Ingrasys have been working together to build this server for the masses.

IBM Interconnect 2017 first day keynote recap

March 20, 2017 By Major Hayden Leave a Comment

The “Welcome to Interconnect” keynote kicked off the first day of IBM Interconnect 2017. The Mandalay Bay Event Center was quite full (which was evident as we began to file out!) and the speakers were engaging.

Some of the most memorable talks came from Indiegogo, Delos, and of course, Will Smith.

Indiegogo

Indiegogo is probably a familiar name for most people who know about crowdfunding. Over $1.1B has been raised by over 8 million backers since Indiegogo got started. They showcased three crowdfunded projects during the keynote and allowed audience members to vote for each one! The talk moved quickly, but it sounds like IBM committed to contribute one dollar per vote given to a project!

One of the most interesting one was Waterbot. It detects subtle changes in water quality and can alert people to the nature of the change.

Another project was SmartPlate. It detects the quantity of food on the plate and what type of food is on the plate. It can make estimates on the contents of the food (calories, fat, etc) and could potentially warn someone if they’re about to eat something on their list of allergies.

Delos

Delos is in the business of making buildings work better for the people who work in them. They dig deep into everything from lighting to temperature to window placement and understand the best combination of environmental factors that enable people to do great work. It’s challenging work because changing buildings is costly and different types of industries may do better in different environments.

Will Smith

The “one more thing” moment of the morning was an interview with Will Smith. It may seem odd in the context of a technical conference, but he provided lots of good advice for people who are trying to transform themselves and their companies. He shared a lot about the early days of his career and how he transformed himself from a “clean rapper” to a TV and movie star.

There were several quotable (and often hilarious) moments:

Will Smith's advice for startups: remember to pay the IRS. :) #ibminterconnect

— Major Hayden (@majorhayden) March 20, 2017

"If somebody asks you to do something, say yeah, and then go figure out how to do it." — Will Smith #ibminterconnect

— Major Hayden (@majorhayden) March 20, 2017

"I'm like an African American Watson!" — Will Smith #ibminterconnect

— Major Hayden (@majorhayden) March 20, 2017

Two things stuck with me the most: what it was like to portray a hero in film (like Muhammad Ali) and how important it is to always have a simple mission statement:

"It's powerful when you get to compare yourself to these heroes." — Will Smith #ibminterconnect

— Major Hayden (@majorhayden) March 20, 2017

"I've always had a very simple mission statement: improve lives." — Will Smith #ibminterconnect

— Major Hayden (@majorhayden) March 20, 2017

He talked about how he approached new challenges and forks in the road. Each time he approached one, he asked himself: “Will this improve people’s lives?” If the answer was yes, he signed on and put his maximum effort behind it. It’s a simple question, but he talked about how it helped him get through some highly complex decisions.

Reflecting on 10 years of (mostly) technical blogging

March 10, 2017 By Major Hayden 7 Comments

It all started shortly after I joined Rackspace in December of 2006. I needed a place to dump the huge amounts of information I was learning as an entry-level Linux support technician and I wanted to store everything in a place where it could be easily shared. The blog was born!

The blog now has over 700 posts on topics ranging from Linux system administration to job interview preparation. I’ll get an email or a tweet once every few weeks from someone saying: “I ran into a problem, Googled for it, and found your blog!” Comments like that keep me going and allow me to push through the deepest writer’s block moments.

The post titled “Why technical people should blog (but don’t)” is one of my favorites and I get a lot of feedback about it. Many people still feel like there’s no audience out there for the things they write. Just remember that someone, somewhere, can learn something from you and from your experiences. Write from the heart about what interests you and the readers will gradually appear. It’s a Field of Dreams moment.

Thanks to everyone who has given me support over the years to keep the writing going!