All right, settling down. So the good news is that you only have to listen to me for a few more seconds. [applause] So please welcome Eirik, and he'll be talking about the blame game, or the strangeness around security compliance, something like that.

Yes, okay. Slightly scary, this. So, yeah, welcome. The talk was supposed to be "The absurdities of compliance: FreeBSD in the SecOps", the absurdities of security compliance. This is shorter; it fit on the slide. Does this even work? Of course not. Yeah, I found it, also it needs to be in range or something. Why? Sort of... this is very weird, okay? It's infrared, right? Okay, cool. Yeah, yeah. Away with you. So what I want to cover... the power button. There we go.

So I want to say something about the business we're in, just a little bit about the security standards that we have been exposed to throughout the years, shit auditors said, that's looking back a bit, a little bit about how it looks nowadays, and then auditors are still saying shit, so I might say something about that. Our approach and the tools we use: I'm not going to spend too much time on that, because I have no idea what I could possibly be telling you guys, but we'll find out. And then some ideas, some advice for the future if you end up in this situation.

I'm here because I've been using FreeBSD since the early 2000s, privately mostly, ever since I remote-upgraded my Slackware to FreeBSD. That was all sorts of fun; I was bored at work. I absolutely love open source, especially our variety of it. The type of help I'm getting from the community in my daily work is incredible. I absolutely love it. I landed in the payment industry in 2003. I had no idea where I was going; it was pure coincidence. Incredibly steep learning curve. When it comes to the security requirements, it was truly Wild West from my perspective in the beginning, and I'd like to try and show how it's become a little bit Westworld.
I'm not sure I'm succeeding. The idea being: someone thinks they're in control now, but when they lose it, it's gonna blow up bad. But that's for another time. And I've been speaking about this for years, mostly over beers, to people who probably didn't care. So let's see how this works out.

Modirum, my company, has been doing in-house developed software and hosted it on FreeBSD since around 2003. All my fault. When you're shopping online and you're asked to authenticate in some way or other, here in Norway it would typically be using BankID, there's national ID schemes, you will have similar things in other countries, or simple boring stuff like a password or an OTP sent to you by SMS, something like that. That typically hits us or one of our competitors, because what we do is we help the banks authenticate you as card holders during the payment process. We make software for everyone involved in a payment process: the banks on one side, then you have the merchants and processors like Amazon and PayPal on the other side of the pond, and then you have the card companies in the middle trying to keep control of everything. This particular protocol that allows this to happen is called 3-D Secure; some of you might have heard of it. It's also known as Verified by Visa, MasterCard SecureCode back in the day; they all changed names now. And, sorry, yeah, so the whole idea is to let the banks intercept the payment process so that they can make sure that you're allowed to use whichever card you're currently trying to use when you pay. The banks will sell it to you guys as card holders as secure, for your security. It really has nothing to do with that. This is all about shifting blame elsewhere. Someone did something absolutely brilliant back in the day. Sorry.
I went too fast here. When this protocol was implemented, they gave all the web shops, all the merchants out there, a huge carrot: if they even tried to make use of this protocol, they would automatically lose 90% of the risk with online transactions, which meant that all these risks that had traditionally been on the merchants were shifted to the banks. So the banks had to, you know, scramble to implement some sort of authentication, and not all of them were able to do that. But they can choose freely how to do this, which is why we have some really crazy authentication schemes out there, including "please wait, an operator from the bank is going to call you", and then you have to wait until you get that phone call, and then they will ask you, okay, what are you up to, and then they might allow your transaction or not. That's quite common in the US, at least it used to be. And now we have this beautiful new PSD2, Payment Services Directive 2, in Europe, which means that they have to implement strong authentication. Not going to spend time on that, but it's a good thing, finally. And they're nowadays trying to use risk, look at your payment history and all that stuff, to figure out if this is even necessary. But too much about that.

This is what we do. I have spent too much time comparing myself to, you know, doctors who save lives and that sort of thing, but that's what we do. So sorry about that. In the online payments world that I'm exposed to, you have these three players: you have the guys who decide how we are supposed to do things, then you have pretty much everyone trying to cover their asses in some way or other, usually by pointing fingers, and then it's us. You know, we're like at the bottom of the food chain; when all the blame has been shifted somewhere, it finds its way to us somehow. I said in my abstract that we prefer to be there. That's probably because we haven't been hit really hard yet.
I might change my mind about that, but so far at least it means we can own our own mistakes. So that is the one nice thing about it.

We have a whole bunch of security requirements that apply to us. The most important one, that some of you or many of you might have heard of, is the PCI DSS, Payment Card Industry Data Security Standard. It is supposed to cover all the payment industries, including this hotel and us and any merchant online, anyone handling card numbers. There are so many exceptions to that that it's not even funny, but we're subject to that one, and it has sort of a sibling called the 3DS, as in the 3-D Secure specific requirements. Then we have the different payment schemes, Visa, MasterCard and the others; they have their own idea of how things should be done. Then we have legal requirements. That's always been there, but it's only recently been enforced in any meaningful way, so we're actually somewhat grateful for that; it helps a bit. And then every customer, again, they need to cover their asses, so they might have to make it look like they're inventing some sort of requirements that we have to follow, so that we have done something wrong when shit hits the fan.

So yeah, the Wild West. That's a while ago, so no relevant security requirements that were being enforced, maybe except in the US, but not even really there. It was just everyone did whatever they wanted. There were so many cases of fraud and fallout of various kinds.
It's like violence and theft and stuff back in the day. You didn't hear about it because, you know, no Twitter. Back then you had all this stuff, but it didn't usually make it to the news, because online shopping was still kind of tiny. I don't have the numbers, but I'm pretty sure that a larger percentage of transactions were fraudulent back then than they are now, by a huge margin.

Server on the desk. The industry was literally shit scared about that, and there were so many of them. I mean, I've been in a company where we had servers under people's desks; it doubled as a developer workstation. So yeah, and then you have, you know, all the receipt stacks in shops, in hotels. You know, you have this receipt stuck on a pin with full card data, or even they ask you to write down your card number, expiry date and this code on the back, the so-called password that they came up with. It's absolutely crazy. And crypto, really, who has time for that? As in CPU time, really.

So we got some requirements. PCI DSS was an attempt to have a coherent approach to all this, but it stank.
It was, again, lots of copy-paste, and basically none of the auditors had really any idea about this, but they were well paid, so they were ticking boxes for you. So-called qualified auditors, they were popping up everywhere. Some of them were, you know, in the business for three or four months, so they were auditing a few companies, giving you pre-filled pieces of paper, taking a bunch of money, and then they disappeared again. Absolutely terrible. Then you had the Visa 3-D Secure requirements. They were actually kind of interesting, because they were based on the physical card world, which has been there for a long time, so these requirements were more mature, more thought through, a bit overkill given that, you know, this was not producing cards and shipping them by mail and that sort of thing. But at least they were strung together. We had some interesting audits anyway, not entirely terrible. But it got so bad because suddenly the card companies had to start fighting for attention, because you had the PCI taking over and you had all sorts of other requirements taking over, and the card companies themselves started being less and less relevant in the security requirements, and they didn't like that at all. So, I mean, I like this picture. Yes, it's by the book.

So some of the things we've experienced. This is the first part of the absurdities thing. We've been asked to look for data that cannot possibly exist. Again, requirements come from a different world, the world of physical cards, where you have the magnetic stripe on the back. So even though we're doing only online stuff, we've been forced to use various approaches to looking for stripe data on our servers. We do look for card numbers stored in log files and all that sort of thing; that's easy. But the stripe data, now that's hard. We had people come and take pictures with their phones.
I mean, back in 2005-ish, 2006-ish, phones and cameras, interesting combination. They came into the data center, wanted pictures of my password files, because that should prove that the passwords were encrypted. And then at some point we were asking for an auditor that knew Unix, and I said I will use grep to look for card numbers. "Yeah, but you have to document that grep can do regular expressions." Believe it or not, one of the big card companies published a set of official regular expressions to look for card data, and they suggested we got this tool, I don't remember what it was called, Spider or something; some alpha build for FreeBSD existed, binary blob. They wanted us to run this. I suggested using grep. Yeah, we did use grep, because we don't run untrusted binaries, usually. But yeah. Yes, that's the binary blob.

We were two guys. We had an office about a third of this stage. But yes, we had to have a visitor badge system for our office, because otherwise we couldn't be sure that whoever was in the office was actually employed in our company or not.

Oh, this is my absolute favorite. An auditor was connected to the big, you know, projector like this, like I am now, and he was bringing up our documentation on his laptop. He was typing in a URL in his browser, and he thought he had focus on his screen. Too bad, focus was over there in the browser window we had there. So we got his browser history. Yeah. So this was the first PCI audit we ever had, and the auditor took the pictures, he took all the screenshots from our wiki, all the scanned documents, and stuck them in a folder on the desktop of his Windows XP laptop, next to a folder for one, two, three, ten, fifteen, twenty of our competitors, customers, other banks, etc., etc. And then he brought up his browser history on the same laptop. Oh, I absolutely love that. When they asked, yes, top-level, level one.
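The grep-for-card-numbers exchange above is the kind of check a PCI audit actually expects you to run against your own log files. The following is an added example, not code from the talk or from the speaker's company, showing what that scan looks like with a little more care than a bare regular expression: digit runs of 13 to 19 (with optional spaces or dashes) are extracted, validated with the Luhn checksum to drop most false positives such as session IDs, and reported masked so the scan output does not re-leak the number. The log lines are constructed for the example; the card numbers in them are the standard public test PANs, and the regex is this example's own, not the card brands' published one.

```python
import re

# Constructed sample log lines (not from the talk). Lines 1 and 3 leak a full
# PAN; line 2 is already masked; line 4 is a 19-digit session id that fails
# Luhn; line 5 is a PAN-shaped number with a wrong check digit.
SAMPLE_LOG = """\
2018-09-21T10:15:01 INFO order=4711 pan=4111111111111111 status=ok
2018-09-21T10:15:02 INFO order=4712 masked=411111******1111 status=ok
2018-09-21T10:15:03 DEBUG raw request: {"card":"5555 5555 5555 4444","exp":"12/22"}
2018-09-21T10:15:04 INFO session=1234567890123456789 tx=ok
2018-09-21T10:15:05 INFO ref=4111-1111-1111-1112 status=declined
"""

# Candidate: 13 to 19 digits, each optionally followed by a space or dash,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits):
    """Standard Luhn mod-10 check used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six (BIN) and last four, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(line_number, masked_pan)] for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {masked}")
```

Running it reports lines 1 and 3 only; the masked value, the session id and the bad-check-digit number are dropped. In a real sweep you would feed it `zcat` output from rotated logs and treat every hit as an incident to trace back to the code path that wrote it, since finding the number is the easy half of the requirement.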
Yeah, so after the audit I called the boss of this guy and told him about this story. He just said, "I think you will not be receiving a quote from us for next year."

So the low point of my career was after a lot of back and forth with these requirements. They were developing, and it was getting difficult, and especially the ones from Visa. They have essentially three large regions in the world, and they each have their own auditing authorities. It's the same document, but different authorities with different interpretations, which meant that our competitors, who were usually in the US or Asia or somewhere, they had reasonable auditors that would go in and say, okay, this is the security problem you have to solve, how did you do it? While the guys from Visa Europe did not. So we went there to talk to them and explain this and say, hey, you're making our lives really difficult, because we have to do things that are absolutely absurd. This was the response I got: "We are not in the business of level playing fields." They didn't care, and they had no interest in caring. The same guys also told us, "But we don't audit you for the money. We're only taking 15,000 euros off you for the privilege of being audited, plus the time and material of the auditor, plus a hundred thousand euros protection money every year." So, you know, not in it for the money at all. Love that.

So as time goes by and the requirements develop, some of them grow up. The PCI DSS is getting better.
It is currently a decent security standard. Our audits tend to be useful to us. We find stuff, we fix it, we get help and everything, and they are not as locked down to a Windows group policy as they used to be. More problem focused and solution focused, as in they don't tell you how to do things as much as they used to, but what the problem is and the type of approach you should have. You can actually do stuff on other platforms than Windows. But they still have a password policy in there that sucks and that you simply cannot do on FreeBSD, which I'm getting back to.

The other set of requirements, from Visa, they are so absurd at this point that you cannot even read them. They have copy-pasted stuff from their own documents. Indenting doesn't make sense, grammatically it doesn't make sense. It's like making pigs fly. You cannot conform. There is no way; logically impossible. And they actively reduce security, and this is my favorite kind of requirement, of course. A colleague of mine said what they asked us to do was that we have to have a strong password on the root account. We cannot disable the root account entirely, because the requirement says you need a password, and that password needs to be split in two halves and given to two different people. So it's like telling us, sorry, telling us to take a solid brick wall, put in a door with a strong lock on it. My preference would still be the brick wall, but you know. This is probably the one time I've outright lied to an auditor and said yes, we did this. We've never had passwords for root, really. These guys go for naming, not numbering.
I get it. Another nice absurdity was when they told us, so I mentioned before OTPs via SMS, one-time passwords when you're shopping or something. These guys didn't understand that this is fundamentally different from a static password, where you use the same password all the time. So they told us you have to secure this OTP the same way you would secure a password, which means you have to use an HSM to encrypt them. Now, for those who don't know, an HSM is one of these crypto units that someone else spoke about earlier. They cost a lot of money. They're either a PCI card with some physical security on them, or it's a network-mounted unit. We use the network-mounted, the rack-mounted variety. They cost 80,000 euros a piece, and they suck. They're slow, and the only thing they're good at is keeping our keys secret. And that's because they have explosives inside, so if you try to take it out of the rack, stuff will blow up inside it. That's kind of cool. So how do we encrypt an OTP and send it to someone? Do we ship an HSM to everyone? I mean, you have like the 15 kilos of HSM in your pocket that you pull out every time. You know that doesn't work, obviously. Oh, we've done that, we've done that. There was a time the supplier would not under any circumstance ship these HSMs to Tallinn, Estonia. This is a part of the EU, but they were so afraid of this because it sounded Eastern Bloc and all that, so they refused to ship them. So they shipped to Norway, we put them in our check-in luggage, and we flew over. Yes, we see when carrying HSMs. Oh, and of course, auditors not understanding how TLS works: that you have a server and a client, the server decides on the crypto, but if we're sending stuff to someone, they decide on the crypto, then we can't make sure they're using an HSM. So the auditor told us, yeah, but how about you be the server and they be the client? How do you even compute that?
Yeah, exactly. So is there some sort of sanity coming? They're gone: the requirements from all the card brands are basically gone, because the PCI has grown up and taken over all this stuff. They all agreed that, okay, we use the PCI standards, all of them, sort of, to achieve much the same. And the PCI has gotten these new extensions covering what we do, what Visa used to ask for, and the others. And then we got regulation that is almost sane. GDPR is awesome for the consumer, for people in general. PSD2 tears down some of these walls that all the banks and others in the business have been building up to keep business in their own hands. So it's funny, I'm getting mails from my bank now telling me I can use one online bank to check my accounts in another bank, because they had to open up APIs and everything to talk between the banks. This is awesome. I mean, it's a tiny island of awesome, but it's still awesome. I like it, and it helps guide all these requirements and temper them, so all the requirements that come out of the US, they are tempered by European regulation, which means there are some things that, even though it's required of us, we simply cannot do, like having a camera behind my back in my office. That's a thing.

But you still have auditors from hell, that really do not understand what they're talking about.
They have no idea, which means they either have a checklist that you're asked to fill out, or you have to take them to school through every single requirement, and this is so tiresome. And then, even though they've sort of given up control, the card companies haven't really, so they're inventing all sorts of other ways to keep control. This is the Westworld: they think they're in control, they're not really, so they don't even know when things start slipping. And then you still have all the people who are trying to cover their own asses, as they haven't understood that all they need is a certification that we passed a certain set of requirements. So they invent their own, and that's usually copied and pasted, just stuff in a different order, but it's still mostly based on some ancient PCI, so it might not even be compatible anymore. So we've literally been asked to specify the kind of lighting we have outside our premises, and in this case our office, actually, which is completely relevant. We still don't know, sorry, why they asked this; we have no idea, but we had to try and find out somehow. How often does police patrol outside your offices? How should I know? This is not the US, where you can pay the local sheriff to check by a couple of times a day. Do you have a priority phone number for the emergency services in your area? I was so pissed off when I got this one in my lap, because there's a hotel across the road. Please go there first. If there's a fire, go to the hotel. Don't care about us.
I don't care, people don't die. And when you have a guy coming into your office, and he and his bosses have already decided that your business is worth, sorry, the data you process for them is worth 400 million US dollars. That is a very big number; anyone would be interested when they see such a number. So he has this on a piece of paper. It says Modirum MDpay and our address, phone numbers, everything on top, and then it says the name of the bank, you know, huge US bank, everyone's heard of it, and the 400 million USD is also in big fat letters, so you can see this from 100 meters away. And this is in his briefcase, and he's carrying this through the airport, and his next stop is St. Petersburg. This is the single biggest liability that our company has ever been exposed to. I'm sorry, I'm trying to find that. Never mind. Because imagine someone seeing that document. It's about a company in Tallinn, and it's 400 million dollars. If you can get your hands on 1% of that data and you can get 1% of the value of that data, you can still pay a lot of hackers and hookers and whatever else you need in order to get to us. So, war stories and all that.

How have we gone about doing this? As I said before, I don't think I can teach a lot of you a lot about FreeBSD, so I won't even go there, but feel free to ask. So it's about thinking about security first and then compliance. It's not free, but it's easier, mostly. That one: if you can show that you don't even trust yourself, that goes a long way towards convincing your auditor that at least you don't trust anyone else you shouldn't be trusting. And this one has got me out of so much trouble: that we might choose solutions that don't necessarily follow people's expectations, but being able to explain why we've done certain things.
That's a big deal, because it helps show that you have understood the underlying challenge and you've solved that. It doesn't matter exactly how, and you have to be able to show that your choice is deliberate. You have to be able to show that this is the end of a thought process, not that the thought process started when the auditor raised the question. If you can think quick enough to come up with something at that point, then you're really good; I would like to hire you.

And this is something that always brings a lot of discussion, and this depends very much on what industry you're in and what kind of data you have and what kind of attack vectors and everything, but generally, it kind of sucks to find out three years down the lane that you had three, four or five audits, everyone said it all was hunky dory, and then someone's been in your systems all the time. Because as soon as you have an audit and you pass, you think everything is fine, because whatever was there, you must have found it by now, right? So people spend a lot of time trying to prevent a break-in, but if you find an open hole in your wall, it's not enough to plug it. You have to go check if anyone actually got in, and surprisingly many don't get this. So detect before you spend too much time trying to prevent. Yeah, you should of course try to do both, but...

We have our servers in a data center. We have a rack in the data center with our stuff, and at some point I just said, yeah, whatever the data center is doing, it's okay. If someone managed to get to my rack and get to our equipment, they're probably there with a forklift anyway. What can I do?
So no amount of, you know, kernel auditing is gonna help you then. And dual control, physical dual control, goes a long way to convincing an auditor that what you're doing is okay, because especially in a small company, when you have to share hats, you wear a lot of hats. If you have dual control, meaning that you need to be two different people from the company to access your server rack, for example, it means you can show with a very high degree of certainty that no one has been playing around there on their own. And then make sure that whatever you really want dual control for, you can't do remotely. So this is one of the nice things with a network-mounted, the rack-mounted HSM: there are certain things you simply cannot do. You cannot remotely insert a smart card in it to do administrative operations. You can't remotely turn physical keys. This is very visual, but it's also very nice to just close off entire categories of requirements.

So, the tools we use. I didn't say so before, but we have been putting a lot of effort into just staying open source all the way, so a lot of these auditing requirements will assume that you're using some sort of commercial tools for various parts of your compliance work. We didn't do that, so lately we even have our routers on BSD, which is really nice; I really like that. The only closed source software we have is the stuff we develop ourselves, and you may boo. I think it sucks, but then again, I've seen the source; it's okay.

So probably the most important underpinning of being able to comply is about providing forensics data when shit hits the fan, and that's where the kernel audit logs come in. I'm gonna complain about them in a couple of slides, but they're really, really important. And it's easy to turn on; it's very hard to do anything useful with them. Then we use freebsd-update and pkg.
I remember spending a couple of weeks trying to implement Tripwire at one point. This is a very long time ago, before we had these tools, but those actually do almost everything you need them to do. They can check the integrity of what you have installed, as long as you don't build your own kernel and world and everything. It's actually quite okay; pkg does its job. You need to know a little bit of what you've done yourself and keep track of this, but they can do it. PCI requires a web application firewall. I think the concept is weird, but ModSecurity, you can actually do that with nginx now, on stock FreeBSD, and it works surprisingly well. We had some interesting cases where nginx would blow up to like 12 gigabytes of memory usage per worker or something, but it looks good now. One of my colleagues is maintaining the libmodsecurity port. MySQL for data. Oracle actually told us at one point that we have the second largest MySQL installation in the world. I don't think that's true any longer, but it's pretty big. I think we're handling like five times 15 terabytes online storage at any given time. And MySQL can actually log access, but good luck finding that documented anywhere. You can actually do it; it can log to syslog, and it gives you everything a PCI auditor will ask for, surprisingly. pfSense, Suricata, tools that most of you will know on some level or other. Puppet for config management. ZFS: whenever Puppet runs in one of our jails, it will tell the host to snapshot the jail before it proceeds, and if that fails, it would just bomb out.
That is very nice when you have to show rollback capability. Love put here and Bonchelle and all that; it's nothing really out of the ordinary. The kernel auditing is the only thing that we're kind of struggling with, and that a lot of people probably don't use. Check the man page. It will give you lots of data, but you can tell it to only, you know, save away some of it, so be careful with that. Don't try to do a lot with the data on the server where you're collecting it; get it out of there and process it elsewhere. One exception being bsmtrace, which is seriously undervalued. It can look at the events from the audit pipe and tell you when a certain chain of events happens. So for example, if the www user just forks a process, that is bad. That means someone's on my Tomcat. And that is a beautiful way of showing that, hey, I will pick it up if someone gets in that way. You can do similar things with the, you know, nginx users or whatever, and that is pretty simple, or brute-force login attempts, that sort of thing. So check it out. It's cute, but I'll get to that.

So you have different philosophies in the industry. I'm sorry, I'm going a bit faster; someone showed me a sign here. So probably the biggest one here is, again, they need you to store away the last 10 passwords used for a user on the system. I don't know how to do that on FreeBSD; 15 years later, I still wonder. Everyone expects a large organization. We started out as two people; now we're eight in our hosting business doing the work, and it's still small compared to what a lot of the auditors expect. It's not very open source friendly, because you cannot equate Linux with open source, because Linux comes with corporate stuff, so although the software is technically open source...
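The two detections the speaker describes for bsmtrace, a web-server service account forking a process, and a run of failed logins, plus the "go check whether anyone actually got in" point from earlier, are simple enough to show end to end. The following is an added example, not the speaker's bsmtrace configuration and not real praudit output: it runs three rules over constructed, simplified audit records (one JSON object per line with the fields a defender would pull out of a BSM record, namely timestamp, event type, subject user, source and success flag). The rule set, the `www` service account and the thresholds are this example's assumptions.

```python
import json
from collections import defaultdict, deque

# Constructed, simplified audit records (not praudit output, not from the talk).
SAMPLE_AUDIT = """\
{"ts": 1000, "event": "execve", "user": "root",  "src": "console",  "ok": true}
{"ts": 1001, "event": "fork",   "user": "www",   "src": "-",        "ok": true}
{"ts": 1002, "event": "execve", "user": "www",   "src": "-",        "ok": true}
{"ts": 1010, "event": "login",  "user": "alice", "src": "10.0.0.5", "ok": false}
{"ts": 1012, "event": "login",  "user": "alice", "src": "10.0.0.5", "ok": false}
{"ts": 1015, "event": "login",  "user": "bob",   "src": "10.0.0.5", "ok": false}
{"ts": 1020, "event": "login",  "user": "alice", "src": "10.0.0.5", "ok": false}
{"ts": 1030, "event": "login",  "user": "alice", "src": "10.0.0.5", "ok": false}
{"ts": 1031, "event": "login",  "user": "alice", "src": "10.0.0.5", "ok": true}
{"ts": 1200, "event": "login",  "user": "carol", "src": "10.0.0.9", "ok": false}
{"ts": 1500, "event": "fork",   "user": "alice", "src": "-",        "ok": true}
"""

NO_SPAWN_USERS = {"www"}   # service accounts that must never fork or exec (assumption)
FAIL_THRESHOLD = 5         # failed logins ...
FAIL_WINDOW = 60           # ... within this many seconds from one source


def detect(audit_text):
    """Return a list of alert tuples; the first element names the rule."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    flagged = {}                    # src -> ts when a brute-force alert fired
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, kind, user, src = ev["ts"], ev["event"], ev["user"], ev["src"]

        # Rule 1: a web-server worker account spawning a process means
        # something other than the application is running as that user.
        if user in NO_SPAWN_USERS and kind in ("fork", "execve"):
            alerts.append(("service-account-spawn", ts, user, kind))

        if kind != "login":
            continue
        if not ev["ok"]:
            # Rule 2: sliding window of failed logins per source.
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("brute-force", ts, src, len(q)))
                flagged[src] = ts
                q.clear()           # one burst yields one alert
        elif src in flagged and ts - flagged[src] <= FAIL_WINDOW:
            # Rule 3: a success right after a burst is the record that tells
            # you whether the hole was merely found or actually used.
            alerts.append(("success-after-brute-force", ts, src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print(alert)
```

On the sample it fires twice for the `www` spawn, once for the five failures from 10.0.0.5, and once for the successful login a second later; Alice's own fork at the end is not an alert. The third rule is the one that answers the "did anyone get in" question, which is why the detection and the audit trail it runs on belong off the box being watched, as the talk says.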
They don't like the open source community. Also, because all these HSMs require drivers and that sort of stuff unless you use the network units, that kind of sucks. And just because you're compliant doesn't mean you're secure, and vice versa, so you have to keep an eye on both.

Interpretation. Everyone will interpret the standard differently; even two auditors from the same company, shall not be mentioning names, will have wildly different interpretations of the same requirements. So make sure you know what the requirement actually says before they do. And choose your auditor wisely. For PCI you can actually choose your auditor, which is nice, which means you can make sure they're technical. Make sure they understand technical things, because this is technical. Anyone who tells you differently is wrong. Yes, there's a lot of business processes and all that stuff, but at the end of the day it's technical. How will your auditor handle alternative solutions? If you haven't done something by the book, what have you done? Are they able to interpret and understand what you have done? And will they help you find a solution? Sometimes the auditor will say, I can't, but my colleague over here can, and that is perfectly fine. Does the auditor trust their own judgment? This is probably the hardest one, because they again are part of the blame game. So if we're broken, our auditor will burn. So does the auditor trust their own judgment well enough to actually give you a pass?
Even if you haven't followed the letter, but actually solved the problem. And if someone warns you about a particular auditor, you should listen to them, because that usually means there's something you need to look out for. But if someone recommends you an auditor, that doesn't come often, then you really should listen. And you are the client; you're paying their bills. So even though you can't demand compliance, you can demand qualified people. I'm not sure what else I really can do about that.

But then you have the situations where you cannot choose your auditor, which means you will get some random guy. Chemistry is everything; it can go down the drain the moment you shake the guy's hand. But don't assume. So explain what you've done early, and your key concepts, I mean your decisions, your design choices, etc. And be prepared to use generic terminology. If they call your platform Linux, don't get too upset. It's going to happen; they're gonna think it's a Linux. And don't talk about jails if they clearly don't understand what you're talking about, but everyone understands virtual machines and thinks that's a good thing. So play them like that, damn it. Almost every requirement stems from the PCI DSS, so do your homework. Read their requirements and find out where they come from, so you can show that, yeah, this has already been asked and we did it like this, because it's already covered. They all come from the same place, but they might be different generations of requirements, so it can be interesting anyway. They will typically recognize your PCI certificate, but not necessarily; it depends, if they know someone on the board, in which case they might not. It is a somewhat small industry, and people have spoken to each other.

So I have a couple of complaints about the current state of affairs. The kernel auditing stuff is awesome, but it's not done. There's not a lot of good documentation or examples.
I mean, if you look at the TrustedBSD website, for example, it's so old it's not even funny. I'm not sure a lot of people are using this. Who's using the auditing framework in any capacity? Excellent, one, two, a few. Not a lot. And come on, I don't know, we're what, 20 years in, and we still don't log the jail ID of something that's happening. This is just not okay, but I've been yelling about that for 15 years now and nothing's happening, so I haven't yelled in the right direction, I guess. Package base: I know there was a talk about that here just before I came on. I was panicking over there, so I didn't get it; someone summarized it for me. But I really look forward to that. And then it's the whole jail orchestration thing. There's a lot of interesting work going on there. I have a colleague who is working very hard on getting things to work. I can't wait for that, but that's something that we should have had a while ago. The train sort of... it's out there somewhere. We really need to catch up, but we have the basic technology in place, and it's beautiful.

So thank you, everybody, everyone who's been contributing awesome work, organizers of this event, thank you very much, it's been very exciting, everyone else pitching in in some way or other, my esteemed colleagues who have been surprisingly quiet through this, Tommy from Nixu who has been helping me with the slides as I panicked the worst here, that was awesome. So thanks for all the beer. And do we have time for questions? Cool. Anyone?

Do you have any suggestions for making the audit process, and the compliance part of it, better, and making, you know, audits better?

Can you repeat? I'm not sure I got it.

Do you have any suggestions on how to make the process of auditing, or, you know, making the standards and the auditors more well informed on how...

Oh, I see. Yeah. So how we can improve the auditing process, essentially. I don't know; that's an uphill battle, because we're, again, at the bottom of this.
We're where all the blame is being shifted. We can't really do a lot. Until very recently we haven't had anywhere we could complain if we thought our auditor was doing a shit job or was plain old wrong. We could not complain to anyone. It's like, if you have a problem, then just find a different job. So honestly, I don't know.

Is there a set of problems relating to FreeBSD which came up repeatedly during the audits? Something like, if FreeBSD had this workaround, or if they could teach the auditors about this, it would simplify your life. How has FreeBSD been, if at all, a repeated sort of challenge during the audits?

It's not a Linux. That's what keeps coming up. "This is a Linux, right?" "Well, yeah, so, jails." "What's it actually called? It's like VMware, right?" "No, not really." The big one is this whole password history problem. But we've solved that by saying, okay, on the application level we have different password implementations, obviously. On the system level we don't use passwords; we use, you know, hardware SSH keys. So no password policy required. But I have to admit that sometimes it would have been nice to have a more flexible password policy in the PCI, where you can say that, okay, nowadays people don't change their passwords every month because they use password managers, for example. Or storing the 10 last passwords, that's actually a potential liability in itself. But then you have the other side of the fence, where these requirements come from, who say that this is the only way to make sure that you actually have new passwords every time. I'm not sure. I don't like that.

Have you thought about just storing the hash? Like, that's bad, but it's not...

Yeah, sure. But if you attack it using a pattern, you know, you assume people just add a number or something, then it's very easy to verify this.

Oh yeah, I was so... PCI level one for years, and I came up with very creative ways to explain things.
Yeah, so we just don't.

What about Kerberos? Do they still require... I used Kerberos because I could enforce the password change time and then propagate it.

Yes. So again, Kerberos or LDAP, that sort of thing, we could use it. We have chosen not to because it's simply more complexity than I think it's worth. So we just don't use passwords on the system level, and when we do have passwords on the system level, they can only be used physically on site under dual control, which just removes the whole problem. Then you just argue the password doesn't actually matter, because you still need two people and two keys.

When I was at the University of Oslo, what we did with the password changes was that we stored the hashes for, I think, the last three or five hashes, and then when the user tried to set a new password, we would use the new password as the basis for a dictionary attack on the old salted hashes.

Beautiful.

And so we would have, for instance, just adding a number or incrementing a number at the end of the password would be rejected, because the dictionary attack would succeed against the old passwords.

I see. Again, we've had a lot of ugly implementations to try and comply throughout, but removing the whole class of problems by not using passwords has turned out, for us, to be the simplest solution. Anyone?

What does the standard say, and what did you do, with respect to passwords that services use to authenticate to each other?
Do you use SSH keys or TLS or anything to authenticate to MySQL?

And we use... So I mentioned I use Puppet everywhere. Puppet has the nice side effect of also being an internal CA. So if you're careful about how you use it, you can actually use that to authenticate all your hosts to each other, because every node in the network has a certificate issued under this CA. So you do have mutual TLS-level authentication. It depends on your environment whether this is good enough or not, but in our case that has gone above and beyond what has been required.

More? If nothing else, then thank you very much for your attention.
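The password-history check described in the Q&A above (keep only the salted hashes of the last few passwords, and when a user sets a new one, run a small dictionary derived from the new password against those old hashes) as an added example. This is not code from the talk, from the speaker's company, or from the University of Oslo system mentioned; the variant rules, the PBKDF2 parameters, the history depth of five and the sample passwords are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

# Assumed parameters. Iterations are kept low so the demo runs quickly; a
# deployment would use a tuned, preferably memory-hard KDF (scrypt/Argon2).
PBKDF2_ITERATIONS = 20_000
HISTORY_DEPTH = 5  # how many previous password hashes to retain (assumed)

HistoryEntry = Tuple[bytes, bytes]  # (salt, derived key); plaintext is never stored


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_history_entry(password: str) -> HistoryEntry:
    """Fresh random salt per stored password, so equal passwords hash differently."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidate_variants(password: str) -> List[str]:
    """Build the 'dictionary' from the new password: the trivial edits people
    make to recycle an old one. The rule set is an assumption; extend as policy dictates."""
    variants = {password}
    m = re.match(r"^(.*?)(\d+)$", password)
    if m:  # trailing number: try it removed and nudged up/down by one or two
        stem, digits = m.group(1), m.group(2)
        variants.add(stem)  # new "Winter7" would be caught if old was "Winter"
        n = int(digits)
        for delta in (-2, -1, 1, 2):
            if n + delta >= 0:
                variants.add(f"{stem}{n + delta:0{len(digits)}d}")  # "Winter6", "Winter8"
    if password and not password[-1].isalnum():
        variants.add(password[:-1])  # new "Winter7!" would be caught if old was "Winter7"
    variants.add(password.lower())  # simple case changes
    variants.add(password.capitalize())
    return sorted(variants)


def reuses_old_password(new_password: str, history: List[HistoryEntry]) -> bool:
    """True if the new password, or a trivial variant of it, hashes to any stored entry."""
    variants = candidate_variants(new_password)
    for salt, old_key in history:
        for v in variants:
            if hmac.compare_digest(hash_password(v, salt), old_key):
                return True
    return False


def set_password(new_password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Reject recycled passwords; otherwise append the new hash and trim the history."""
    if reuses_old_password(new_password, history):
        raise ValueError("new password matches a recent password or a trivial variant of it")
    return (history + [new_history_entry(new_password)])[-HISTORY_DEPTH:]


def demo() -> dict:
    """Constructed sample: three previous passwords, then several change attempts."""
    history: List[HistoryEntry] = []
    for old in ("correct horse", "Winter6", "Winter7!"):
        history = set_password(old, history)
    attempts = ("Winter7", "Winter8", "winter6", "Winter7!", "completely-new-phrase")
    return {attempt: reuses_old_password(attempt, history) for attempt in attempts}


if __name__ == "__main__":
    for attempt, rejected in demo().items():
        print(f"{attempt!r}: {'rejected' if rejected else 'accepted'}")
```

Only hashes and per-entry salts are retained, which is what makes this less of a liability than keeping the last ten passwords in the clear, as the speaker worried about. The cost of the check is the number of variants times the number of history entries, one KDF call each, so the variant rules should stay small and targeted; the comparison uses `hmac.compare_digest` so the check itself does not leak timing about which entry matched.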