People are still rolling in from breakfast, so I'll start slowly and we'll see how that goes. Let's see. Some appear and then disappear. All right. Well, we're working on that.

I'm here today with Rob Clark from HP. My name is Brian Payne and I'm from Nebula, and what we're talking to you about today really started at the last summit. I had given a talk on measuring attack surface areas for the cloud, and Rob came up afterwards and we started chatting about all the security work that needs to happen. Over the course of the past six months we sort of figured out that perhaps what's needed is this notion of an OpenStack Security Group, and so we're back here today to talk about it, to give you a sense of how we're thinking about it, and hopefully to kick off an effort. So, you know, my not-so-subtle goal here is to try to get people excited about it, try to get people involved, and see if we can get more people contributing to security aspects of OpenStack.

To get there, I'm going to start on a little bit of a tangent, and then I promise to come back to the OpenStack Security Group at some point before you guys leave the room, you know, by noon. So, okay.

I used to live in a neighborhood that was in an up-and-coming part of town, right? It was a nice neighborhood, but the area around it was still up and coming. And of course, everyone thinks of their home and their neighborhood as something like a fortress on a hill, right? Nothing can ever go wrong. Nothing bad can ever happen to me. Unfortunately, shortly after I moved into the neighborhood we started to see lots of this. So the neighborhood wasn't filled out yet.
There weren't a lot of people around. People would run into the neighborhood, do a smash and grab at our clubhouse and take a TV, and of course we'd just put another TV in there, hoping that it would never happen again, and they would say, oh, a great new TV, I'm gonna take that one too. And so this process would repeat, and what starts to happen is we start to go through this process mentally in the neighborhood, and everyone's kind of starting to get panicky and paranoid and think, what can I do to protect my house? I don't want my house to be broken into. And so what do you do? Well, of course you go into Google and you start searching for how do I protect my house? What do I do?

Well, certainly you need to install an alarm system, right? So lots of people in the neighborhood went out and got an alarm system. But then there were those that had spent a little more time on Google and said, well, all these little switches that you put in your house for the alarm system by your windows and by your doors, apparently you can just put a magnet next to the switch, open the door, and the alarm doesn't go off. Well, that's troubling. So maybe an alarm system is good, but maybe it's not perfect. Maybe I need something else.

So you start researching more and you say, ah, put bars on my windows. Except they're not terribly pretty, and you know, people have mixed opinions about them. And then there's always the question about how do you do bars if you need to escape in a fire? And so the more you research these, you say, well, this may not be too ideal either. And it turned out in our neighborhood we had these beautiful, like, 16-foot windows in our houses, and no one wanted to put bars on their big windows. So what else do you do? Well, you know, a lot of us had dogs, and I love dogs. This is actually my dog. Dogs are great, and dogs can be a good security mechanism, right?
Of course, if it's my dog, you just throw some food at her and you're in, so it's not really a big deal. I suspect other dogs are like that, too. So you say, okay, well, let's go high-tech, right? We're a technical crowd. Let's put a security camera up. And I actually read a story online where someone had put security cameras in their house, and they would monitor them online while they were at work, and at one point they actually caught someone breaking into their house, called the police, the police came over, caught the guys, took them to jail. They didn't lose any other stuff. It sounds ideal. Of course, you have to be watching the security camera all the time, and it's kind of expensive. And then you start to realize, well, the security cameras often produce images like this. They're kind of blurry. And of course the bad guys are gonna wear masks. And if you're not watching the footage, all you see is a nice recording of your house getting broken into and probably nothing more to go on.

Okay, so that's exciting. That's high-tech. You could even maybe run your video streams through OpenStack, but maybe it's not exactly what you want. So, well, I guess you could just move, right? So you could use some technology to figure out where to move to, and this is a heat map, actually, of the area that we're in in San Diego, showing the crime rates overlaid on top of the areas. And so you could look at a map like this and say, well, I'm right in the middle of that red zone. Maybe I want to move down to the green zone. But that's not perfect, right? Because maybe you want to live in the red zone for a reason. Maybe you like to be able to walk to work. You know, there's more to life than having your house broken into. So all of a sudden you're looking at all this stuff and you step back and realize, well, this is actually kind of hard. How do I prevent someone from breaking into my house?
Right. And so you go out and you talk to the neighbors, you beat your head against the wall, and you just realize that maybe you moved to this neighborhood for a reason, and maybe you need to sort of find some sort of risk acceptance level, right? Figure out what can I live with, how to make things a little bit better, but realize that it's never gonna be perfect, from a "you can't prevent someone from breaking into your house" perspective. So you start to get a little philosophical and you start to wonder how to proceed. And the point here is that it's kind of similar in the world of software, right?

So in the world of software, I just went on and pulled some headlines from the past year, and it's kind of both sad and remarkable, all the things that we've seen happening. RSA, for example. I don't know how many of you carry these RSA hardware security tokens on you. See a few hands. So RSA was broken into back in 2011, and some information was stolen that would allow people to basically impersonate these hardware tokens. And then there was another story I flashed up there that people basically turned around and used that information to break into Lockheed Martin. So, you know, I mean, these are relatively sophisticated attacks, and how do we protect ourselves against this, right? These are other companies that you're relying on to get your job done.

Just recently the White House had a military network, an unclassified military network, that was hacked into. It made big news splashes because the organization that the network belonged to also happened to be responsible for sending things like nuclear weapons codes around. But don't be too worried, because the network that was broken into, of course, was not that network. It just happened to be the same organization's network. Suffice it to say, computer security incidents are happening everywhere.

Here we are at the OpenStack Summit, and we're all involved in creating this framework for cloud that is getting adopted very, very rapidly, right?
I mean, it's still a relatively immature product. I was just talking with someone before about how it's sort of a curse and a blessing. So it's been adopted so fast that we've got APIs, for example, that are getting hard to change, right? Because you have so many people that are using an API. So if there's a problem with it, changing it now isn't a matter of, you know, a dev going in and just flipping a bit and saying, oh, now it's better. We have to think about all the users that are now using this, and how do we migrate them from A to B and get them to be more secure? So the longer we wait to get into these problems and really address them, the harder it's going to be. So there we are. Okay.

Finally, there's this question of, well, okay, what is this guy talking about? OpenStack? No one's going to actually want to break into OpenStack, right? And hopefully this is kind of like a funny slide. But in the event, I've actually spoken with a fair number of people this week that have asked me questions like, well, you know, does security really matter? Like, what sort of workloads, I mean, people are running in private clouds. It's behind a firewall. Maybe we don't care. And you know, my answer to this is I think it does matter, deeply, right? So we have all sorts of people that are running workloads on OpenStack, and as soon as those workloads become anything important, then it matters, right? Is a bank going to deploy OpenStack? Is an institution working with medical data, doing maybe biomedical research, going to deploy OpenStack? Is a government going to deploy OpenStack? Are you going to deploy it and put your personal data on it, right? I think the answer to all of these questions is yes, and to differing degrees security matters, and it matters differently for each of these groups.

And so one of the challenges in creating something like OpenStack is to figure out how do we create the security knobs and dials so that people that want to deploy, like, high-performance computing workloads on it and have zero latency and just, you know, completely scream, can do what they want to do, but the people that want rock-solid security and are willing to give up some performance can also do what they want to do. And so these are real challenges, and these are down-the-road challenges, because today the question is how do we get a baseline of security in here that really, I would argue, everyone needs or should need. So generally when people ask this question, I love this picture. I just, you know, I try not to bang my head against the wall, but sometimes I have to. Okay.

So I know several of you came into this room wanting to hear about the OpenStack Security Group, and now you're probably thinking, okay, too much motivation, let's move on with it. So for those of you, I am finally, finally there and we're gonna move on. But I appreciate you waiting, and hopefully by having a little bit of an intro I was able to sort of bring everyone a little bit onto the same page. And if you still don't agree with me that security is useful or that security is hard, I'm happy to bang my head against the wall with you somewhere after the session.

All right, so what do we know? What do we know about security? Well, I sort of listed some things, sort of better and worse, as far as how you would go about approaching security here. In an ideal world you design security in from the start, right? And we've all done this. Anyone that's worked for a commercial company, the very first thing you do when you start designing a product, you think about how it's going to be secure, right? That's how it always works. No, unfortunately not. But that's okay.
That doesn't mean it can't be done, but I think the longer you wait, the harder it gets, right? So we're starting to hit an inflection here with OpenStack where I think if we don't start acting a little more quickly, we might run into some really big challenges.

Okay, understanding your threats. So these next two things I talk about, understand your threats and understand your goals, go towards what exactly you do in security. So a common problem that I run into, as you talk to folks, is they say, oh my god, I need security. I should encrypt this, I should authenticate that, I should, you know, change the file permissions here. These might all be good things to do, but have you stepped back and have you thought about what you are trying to protect against? What is this hypothetical attacker that's going to come into your system? How are they going to hit your system, and how are the changes that you're proposing going to actually prevent this attacker from getting in? And a common mistake is to be so worried about the really high-end security stuff and completely overlook the obvious: that, you know, maybe there's a vulnerability where anyone can connect without authorizing, and you're sitting here worried about, you know, encrypting your back-end data stores. So you have to balance it. You have to understand who you're protecting against, and you have to be a little smart about how you apply your resources to the problem. You can't just pour on security, right?

And finally, the one thing that I've seen as well is I think you need a certain level of a security culture to achieve traction with this stuff. And so what we're here talking about today is the idea of starting up an OpenStack Security Group. But I don't want to give the impression that my feeling is that we can somehow magically have a group of five, ten, twenty security folk, and then everyone else dealing with OpenStack can just forget about it because we'll have it under control. I don't think that's how it works, and I think there's plenty of evidence to that point if you look back at different organizations.

The one that I always like to draw from is if you look at Microsoft back in around 2002. There was this huge mandate at Microsoft. And do we have any Microsoft employees in the room? I'll let you tell us the rest. Okay, good, so I can just make this up. So back in around 2002, Microsoft was really getting beat up from a security standpoint, and I would argue that to this day there is still sort of a doubt in a lot of people's minds. You know, you see here, Microsoft, he's saying, I don't know how to feel about their security. But the fact of the matter is, they came down from the very top level in their organization at that time and said security matters, and we're gonna change how we do things, right? We're not gonna release a product unless the security guys say it's okay. We're gonna change all of our development practices. And they spent a ton of time and effort working on this, to the point where if you actually look at some of their products that are coming out now and over the past several years, they are way, way better. They've done a really good job, and it started because they changed the culture, right?

And so that's, I think, even harder to do when you're looking at something like OpenStack, because we don't have the OpenStack CEO that can come down and say security matters, thou shalt do it, right? We have a community of disparate interests and people, and so, you know, we just can't do that. But hopefully we can find enough of a critical mass, right? There's been social science research that says that if you take an idea and you get 10% of a community really behind a certain idea, then that's enough. If they are really, really excited about this idea, from a 10% threshold you can then spread that to the rest of the community pretty easily. So we don't have to necessarily just take over OpenStack by storm, but you know, there's 1400 people at the conference. I don't think we have 140 people in this room. So I'm gonna need some help here to get the word out, right? Okay.

So where are we today? What have I seen? And I'll readily admit, so, you know, this is a little bit of an outsider coming in. I've been involved with OpenStack for about half a year now. But this is what I've seen, and I've spent a lot of time talking with folks, and I think it's not an inaccurate view.

So we have a vulnerability management team, and I think they're doing a good job. So they're responsible for handling reported vulnerabilities that come in. So if someone finds a security problem in any of the OpenStack products, they manage it from the perspective of, you don't want the whole world to know about it right away, right? You sort of have to understand the problem, release the patch, and do all this stuff in a nice fashion. So they've been doing, I think, a decent job. Of course, I have my comic here on the right that security patching is hard, right? So you often want to do a small change to fix a security problem, and often it has cascading effects that you don't realize and stuff. And so at the end of the day you really want to make sure that your system is built for security from the ground up, and you're not just putting out fires every time someone brings it to your attention.

But the other thing that I find very promising, that I've really started to see at this summit, is there's a lot of people walking around talking about, maybe we need to do something about security. I dropped in on all the sessions that I had time for this week where there was something related to security in the title, right? So things like encrypting Swift back-ends, or things like, you know, getting better authentication for RPC packets. And it's really nice to see that people are starting to realize that security is something that we need to think about. On the downside, I think a lot of the people that are thinking about security would benefit from talking with folks who have done more security work, right? So security is really hard, and it goes back to my slide of hitting your head against the wall. It's so easy to get things wrong, and Rob's going to talk a little bit about this later, too. But you can get really brilliant people, put them in a room, they can come up with an idea that just makes perfect sense on that whiteboard, and then you go implement it and deploy it, and then six months later someone finds the little weakness in it, right? And that's why there's this whole history of, like, best practices in the world of security, where certain technologies, certain ideas in the world of security are sort of tested and thought to be a little more bulletproof, and there's certain axioms, like you don't invent your own cryptography, right? You use known good stuff. And so I think understanding this and having security experts be able to help guide the thinking as we get down this path would be very, very useful.

Okay, I think I've hit on a lot of these, but one thing that I think is worth mentioning is this notion of security as silos. So there's a lot of different projects within OpenStack. You know, we have Swift and Nova and Glance and Quantum and all these different projects, and I would argue that it's not sufficient to have each of those projects thinking about security all by themselves without talking to others, because what's gonna happen is they might go down different paths. They might be incompatible with each other. You might create a user experience that just isn't acceptable, right? What if the type of tool for encryption you need to connect to Quantum is totally different than the type of tool you need for connecting to Nova? All of a sudden the user is just having this collection of tools, and they can't keep them up to date. There's just problems. So there's all these issues where you really need to look at security deep inside each project. We also need to be able to look across the whole spectrum and think about how it works and how it gets installed, how it gets deployed.

Okay, so the OpenStack Security Group. Rob and I have been viewing this as sort of a dual-pronged thing. The goal here is to see if we can create a group of people that can serve as a security expert resource within the OpenStack community. And to really have this happen, we need people that are good at security to step up and be able to help. All right. So if you are one of those people, you know those people, if you have people like that working for you, and you want to help OpenStack be better, you know, let's come together, and I'll have some contact information at the end about how we can move forward on this. But the other side is equally important, and that's building a security culture.
So this is gonna happen by people doing code reviews and commenting on security problems, right, and making suggestions for improvements. It's gonna happen by people proposing architectural changes that will improve security. It's gonna happen by people actually implementing those architectural changes and really making that positive change themselves. It's gonna happen by better documentation, right? Ways that we can make it easier for people to deploy OpenStack securely from the start, even if they're a novice. So all these things need to happen, and that's part of the community culture, right?

And so I had this slide that was full of words, and I don't like words on slides when I can avoid it, so I created this graphic, and in the end it's almost obnoxiously high-level, but that's okay. So the idea here is that we would lead through doing all these different things, right? So it provides security leadership by helping to redesign where it needs to be redesigned, and that could be long-term things if it's architectural or API changes, etc. Writing documentation, writing code, implementing code, all these things become very important, and really just providing that resource, right? So if you're extending a protocol and you're gonna add security bits to it, and you're not sure if you're doing it the right way, you should be able to ping some security folk and say, well, does this look good? Can you review this for me? Hopefully before it even gets implemented, right? Okay.

I'll just go through this somewhat quickly, but I wanted to have at least some slightly more concrete details. The notion that we've been thinking of is that we'd like to have at least one, hopefully more, security people that are really assigned to each project, right?
So you'd have, like, a Nova security expert who could live deep in that project, understand the guts of the project, contribute code to that project, and be sort of the go-to security guy for deep Nova issues. And the same thing for each of the other projects. But you'd also have people that are sort of higher-level people who see across all the projects. And the idea is then to have these deep-dive people and the higher-level people all in communication, so you can be aware of the various security issues that are happening. And I mentioned documentation up here as well. Maybe you'd have someone assigned to a documentation team. Maybe you'd have this higher-level person do this. I don't know the best way to approach that. If there's any documentation folks in here, I'd love to get a sense of how that's working right now in OpenStack and how best to plug in there.

And we already have a mailing list. It's up. So there's a mailing list on Launchpad for the group. We currently have it as a closed list, and that is really just so that we have the ability to help the vulnerability management team talk about things that might still be, you know, locked down. But we can certainly have more open security discussions on all the normal channels, the dev lists and all that kind of stuff, and the idea is that we'd be monitoring that as well.

Yeah. Yeah, so on one hand, it's hard.
You know, I can't, like, pen test something in the middle of CI, but there are things that you can do. You can look for, you know, problems in the code base that you know might be bad. You can look for people setting file permissions wrong. You can look for sort of basic things. If there's a move, so there was, for example, a talk at the OpenStack common session the other day about taking some of the rootwrap functionality and moving it into common, and then making sure that all the individual projects didn't have their own sort of forked version of it. Once people make that migration, you could then check and just make sure that people always use that one and not the old one or something. So just little things, even just to sort of make sure that things stay clean and crisp.

Okay, so I'm going to transition a little bit here and try to further motivate why cross-project is useful and why even we need some security help today. And I'm going to give just one case study real quick here, and then I'm going to ask Rob to come up, and he's got some thoughts from this week at the summit, so it'll be more recent information.

So I drew this picture here. This is the current state of affairs. If you are deploying an OpenStack cloud and you want to make sure that you're talking to the cloud via HTTPS, you might deploy something that looks a little like this. And again, I've gone high-level just to make it easy. But you might have some sort of HTTPS endpoint that all the clients connect to, and then it's backed by all your various OpenStack services. So let's imagine you wanted to do that today. And why would you want to do that? Of course, there's security UUIDs and other things flying across the network that if someone grabs on to, you know, it's going to mess up your security. So I would hope that everyone would be thinking about this.

The problem is that while your web browser will do a really great job with SSL these days, because of course that's sort of bread and butter on the internet, when you start to go down through the OpenStack command-line clients, you quickly realize that they have some fundamental problems with regards to support for this. What I didn't even mention on here is that most of these clients don't support TLS. So if your endpoint is TLS and greater, which is really sort of best practice today, I would argue, then you're going to just not be able to work with the clients. So the first thing you have to do is downgrade your endpoint to, like, SSL v2 or SSL v3. And then you've got these clients, and the clients have problems where you can't give them your own certificate chains, for example. So let's say you're a corporation who maintains your own PKI, because you don't necessarily trust, you know, VeriSign or any of the outside chains, or just because this is sort of how you've decided to do things. You then need to provide your own company's root CA chain to these tools to verify that everything is correct. Well, currently the tools don't allow you to do that. And that's, you know, that's troubling.

Similarly, one of them, oh yeah, the Swift client today, it's not even checking the server CA certificate. So basically it will connect, and it will see that there's an SSL connection there, and then it will just proceed. It won't do any certificate checking, which means it'd be really easy to do sort of an active man-in-the-middle attack on that connection. You're sort of encrypting to who knows who.
It's perhaps better than not encrypting, but it's not ideal. So, suffice it to say, this is sort of a pretty straightforward cross-project problem. And to address this problem, to really get past this, we're gonna have to step into each one of these tools and fix them one by one. And it's not until they're all fixed that we'll be able to actually turn on that HTTPS endpoint to, you know, TLS v1 with, you know, strong certificates, and expect it to work and work nicely. So that's just one example of going cross-project. I'm gonna hand it off to Rob here for a few more thoughts.

So thanks to Brian, who will be back up to close out this talk. My name is Rob Clark. I'm a cloud security architect at HP. We have a pretty big public cloud, and because of that we're really concerned about security in OpenStack. How many people here have a security responsibility in some form within OpenStack? Okay, that's good. So that's about a third of people. So everybody else is either interested in security or in the wrong room, right?

Every talk I've been to this week has ended up in a discussion about crypto, about authentication, about authorization, all the different parts within OpenStack, especially internally, that are really lacking or deficient in at least one of these parts. And we really, really need to fix that, because one of the things we've noticed is, as a public cloud, we're worried about everything. We're very paranoid. We think things are gonna break. We expect bad people in the data center from time to time. Things get compromised. That's life. You need to plan around it. And for a long time OpenStack's been kind of blinkered to this, I feel, when you look at some of the design work. But what's really been noticeable at this summit is how many people who are involved in private deployments and in small-scale deployments are coming to us and saying, we have these same problems, we can see that in a year or two.
We're gonna do this. We've got more and more customers standing up private clouds to support internet-facing functions. There's a lot of people that are starting to see the problems that we see coming, and there's more on that in another session later today. But I just wanted to point out it's really good to see everybody coming together on the security stuff.

Unfortunately, what's happening is everybody's coming together and talking about how they need security, how really important it is, and almost always they go straight to crypto. Now, I like to think I understand crypto to a certain extent. Does anyone know what that is, what sort of function this is? No? Okay. It's a hash function. Understanding a hash function is a good way of not screwing things up. Understanding what a hash function actually does is important. Very, very few people understand what a hash function actually does. I'm not a mathematician. I find the stuff incredibly hard to learn, and the strap line at the bottom there is important.

Okay, what we don't want to do is be in a position where everybody rushes to deploy a bunch of security. They take a look at Wikipedia, they see what a hash function does, right? You take a big lump of data, you put it together, you apply a function to it, and you can prove that the data you've been presented with matches the hash which came out of the data; otherwise it could have been tampered with in line. You can marry those two up and mathematically assert that they match, that it's right. Unless your data that goes into the hash function is formed in a way that it gets parsed beforehand or something like that, and people screw this up. People screw this up really badly. Really, really smart people screw it up. So OAuth version one had a couple of guys from Twitter and a couple of other places. They wanted to implement some really cool sort of 2.0-type functionality.
These guys are incredibly smart and can write code way, way better than I could ever write. Okay, and they screwed up pretty badly. Like, the session fixation attacks in OAuth are really bad, and it was a while before people noticed them, and basically it meant that all the security foundation that you wanted from that went away. And then you end up moving to OAuth 2.0, where you actually end up leveraging SSL itself for most of that stuff, and it turned out, you know, a cool idea for doing things ended up being quite painful.

Amazon Web Services, one of their early versions of their message signing stuff was vulnerable, because again, it comes back to not understanding the crypto as it's being applied. And this goes for any security mechanism, but these are two examples that were easy to pull up that affect cloud-type services, and two examples where it was easy to demonstrate with crypto. So, Amazon Web Services. When you send certain messages, what happened is the message was parsed and split up in a certain way, then all concatenated together and hashed and sent. Now, that sounds perfectly sensible, and if you write that down on a piece of paper and show it to a developer, they'll say, yeah, it's great, I'll go do it. They may even go and check which hashing function to use and decide, actually, I probably won't use MD5, as I heard about something bad with that, and I'll go and use SHA or whatever. But there was a vulnerability in there whereby any malicious attacker could pretty much put anything they wanted into the message, because of the way collision attacks happen in hashing. Now again, I'm not a mathematician.
I can't sit there and write you a new algorithm to do collision attacks. But I work in this space. When you show me data that's being parsed and put back together before it's being sent, I can tell you that's not a great idea, and I can point to the reasons why, and so can the other guys that we've got in the security group at the moment.

Now, the OpenStack Security Group at the moment is quite small. As Brian says, it's a closed group, so we have a closed mailing list at the moment, because we do some interaction with the VMT, and they might come to us and say, well, we've seen a vulnerability of type X, it's been reported from the community, and we need to understand how bad it is. And this group that we have, you know, we've got Brian coming from Nebula, and if someone knows what Nebula does, it's great, but he understands how it affects them in the way they work in the private cloud, and I understand how it will work for me in the public cloud, because we have entirely different sets of threat actors. So we can then provide well-reasoned feedback to the VMT on how to work on this stuff.

But what we want to do is be in a position where, when we've brought in enough sort of core talent, people who have demonstrated their ability to work in this space and to make good decisions and work well with others, then we can open this up, and it can become a resource whereby those of you here that, you know, are interested in this talk, you're not necessarily directly responsible for security stuff, but you're here, you want to learn about security, you can start subscribing to the security group. You can start getting involved in interactions, and you can challenge the things we're saying and say, well, why doesn't this work, or what about this other way? Because security is a constant space of innovation. So I just wanted to quickly touch on these two.
I didn't really want to beat these guys up, because plenty of people in this room will have made mistakes similar to the ones they have. Brian made a very good point about not reinventing stuff. There are really good mechanisms out there, so we just want to help people use the right one.

All right, so thanks, Rob. I've just got, I think, one more slide. Let's see. Yeah, so, next steps. We're "hiring." I put hiring in quotes because I don't think we're really paying, but, you know, it's open source. But the key point here is this is not going to happen with a few select people. We need community involvement. We need more than HP and Nebula. We need lots of people that care coming together, working on this problem at different levels. So even if you're not quite ready to do a full-on commitment to joining the group or coding stuff up or whatever it is that suits your fancy, we need your help. We need you at least to be raising your hand in meetings and saying, "What about the security of that?" And please feel free to come to us and talk to us more, express your interest, and we'll see how we can link you in best, okay? But what would be really great is if you fall into these categories, like a security engineer, tech writer, or even someone who has operational experience deploying OpenStack. People with security hats in any of these domains is really, really useful to sort of infuse this knowledge throughout the community. So that would be fantastic. With that, I'm just going to leave some information up here about how to contact Rob and myself and how to find out more information on the group, and I'm happy to open the floor for discussion and questions.
So thank you, and Rob, you can come back up, because I'm going to defer all the questions to him.

Yeah, I agree. No, I think that makes sense. The suggestion came, right, so the suggestion came from within the group a while back as well that probably most of our chatter should just happen on the dev list, right where all the rest of the chatter happens, and I think that's a very reasonable suggestion. We're not going to get rid of the closed list, because there are times when that's going to be a useful mechanism for us, but I don't suspect that that's going to be where we go for a hundred percent of our communication.

That's right, and this would only reinforce that. That's why we're not going to have a separate open security list. You know, for all the open stuff we can just use the normal OpenStack list. That's right.

So I'm actually a co-lead of one of the working groups for the Cloud Security Alliance on big data and attack surface analysis. I think the work that they do is largely complementary to what we're proposing here today. CSA does a lot of sort of white papers and sort of pushing the field to think about what research needs to happen in the space, perhaps a little more forward-thinking, whereas I think something like OSSG is going to be a little more rubber-meets-the-road: let's make OpenStack, you know, secure as we deploy it. So I think they both play an important role, but it's just a different place.

Any other questions? Yes. Yeah, we have a large public cloud based off of OpenStack.
Yeah, right now, for some of them we have to say you'll need to come back in a little while; it's stuff we're working on. We have a whole bunch of tactical security stuff in place at different points in our infrastructure to compensate for some of the problems we see in OpenStack, and I have a talk a little while later on how we move from that to actually pushing some of this innovation out and working with the community to raise the bar, and the OSSG will be a big part. But yeah, we have a public cloud, and the public cloud based on OpenStack does have certain problems, and we're working hard to try and solve them.

I'm not in it personally. I think some of our strategists probably are. I know we definitely have representation on the CSA, for example. It's certainly something I can look into if you want. Drop me a card and we'll talk about it. Let's go over here.

Yeah, so I think the answer is, unfortunately, no. No, you're right, and one thing: there's all sorts of discussions about how to best do this, right? There's this middle ground between bug and vulnerability report, right, where you see something that's sort of a weakness but it's not exploitable today. So do you file a bug, do you file... and there's some process questions I think we need to resolve. There's a lot of, what's the word, just sort of community knowledge, where if you go around talking with people, a lot of people say, "Oh yeah, I saw this thing in OpenStack and it's really terrible, you should watch out," and we need to get that down. Yeah, well, I'd like to get that into the bug system, but you're right, it would be nice to have some initial things too.

One more thought, real quick, on that: there's a talk idea that came up the other day. Apparently you can tag certain code reviews and stuff today with, let's say, "this affects documentation," and there's an interest in adding a security tag as well, which I think would be helpful. That makes sense.
That's quite common in a lot of big open source projects. You know, you need to be able to tag this stuff. It would be great to have this list, but whenever you have this discussion, developers are, "We need this list, we need to work on it," and then you need to consider: well, I'm worried about bad guys, often in Eastern Europe or wherever, who will spend time working out how they can trampoline between these four things that individual developers in disparate groups have told me aren't a problem right now, to work out how to break into our system. So there's always a balance to be found with this stuff. I'm all for having security out in the open, I really am, but in the same way that the VMT works, you know, they get a vulnerability and they work with project leads to get it patched up, and then they disclose it. So I absolutely think we should have as much in the open as we can to support developers and people who are interested in this stuff, but like with anything in security, there's always a responsible disclosure element to it.

So we're at... I see there's a few more questions, but we're at the end of our time, and so to respect the next session, I'm going to close this out, and I'm happy to take other things offline right up front here. So thank you very much.
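The signing weakness Rob describes earlier in the talk (request fields parsed, concatenated and hashed, so an attacker can shift what the signature covers), shown as an added example that is not code from the talk, from Amazon, or from the OSSG. The parameter names, the demo key and the `naive_canonical` layout are constructed assumptions that model the class of flaw, not AWS's actual implementation; the hardened form beside it encodes each field unambiguously before a keyed MAC is computed.

```python
import hmac
import hashlib
from urllib.parse import quote

# Constructed demo key; a real deployment would use a per-customer secret.
SECRET_KEY = b"constructed-demo-secret"


def naive_canonical(params: dict) -> str:
    """Weak canonicalization (assumed model of the flaw): sorted key/value
    pairs concatenated with no delimiters, so field boundaries are lost."""
    return "".join(k + v for k, v in sorted(params.items()))


def safe_canonical(params: dict) -> str:
    """Unambiguous canonicalization: every key and value percent-encoded
    (so '=' and '&' cannot occur inside them), joined as k=v pairs by '&'."""
    return "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )


def sign(canonical: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the canonical string: a keyed MAC, not a bare hash."""
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(canonical: str, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    return hmac.compare_digest(sign(canonical, key), signature)


# Constructed request pair: B moves the field boundary while keeping
# exactly the same characters in the same order as A.
REQUEST_A = {"Action": "ListUsers", "MaxItems": "1"}
REQUEST_B = {"ActionListUsers": "MaxItems1"}


def signatures_collide(canon) -> bool:
    """True when the two different requests sign identically under canon."""
    return sign(canon(REQUEST_A)) == sign(canon(REQUEST_B))


if __name__ == "__main__":
    print("naive:", naive_canonical(REQUEST_A), "|", naive_canonical(REQUEST_B))
    print("naive collides:", signatures_collide(naive_canonical))  # True
    print("safe collides: ", signatures_collide(safe_canonical))   # False
```

The point a reviewer should carry away is the one Rob makes: whenever structured data is flattened before it is signed, check that the flattening is injective, and prefer a keyed MAC over a plain hash.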