Hello. My name is Sean. I actually work in our North America government practice, where I lead all of our security efforts, making our products government-ready. So can it handle healthcare data? Can it handle tax records? So one of the things we came to discuss was really how do we start taking open source, whether it's community or whether it's downstream enterprise, and begin making it ready for government. And the second half of that is to start sharing stories. A lot of the time, when we think of government, it's this nebulous thing; nobody knows what they use it for, or maybe they associate it only with military use. So we wanted to start telling some stories about where things like Fedora, JBoss, OKD, even downstream OpenShift are being used, and how to start preparing community as well as enterprise for those use cases.

So as part of that, we wanted to start talking about healthcare first. And with that theme, there's something called the Broad Institute. What they end up trying to do is, through collecting genomic data, they try to cure childhood cancers as well as childhood birth defects. So they're one of the largest institutes in America, and all of this data is donated to them by patients around the world. So whether it's a child with leukemia, whether it's a child with birth defects, all of a sudden we're getting the personal healthcare information, their blood type, their name, their medical situation, and we're storing that. So what Broad ended up doing a couple of years ago is implementing an OpenStack cluster. And what made them so interesting is they started with OpenStack.org. They were trying to build their cluster off of trunk, and eventually they moved into what is now the community bits. And by doing so, by creating an open environment... about 12 years ago we started this initiative. And at that time, it took us roughly 12 years and 3 billion US dollars to sequence a single genome.
When we implemented the OpenStack-based environment on community bits, we took that to roughly four days and $1,000. And we have now opened up scientific computing to being able to find cures, quite literally, for cancer. And as a result, one of the things that came out of this: there are four primary types of breast cancer. Without getting into them, there's four known. Because of this research, three of them now have treatments that lead to cures, and it all runs on OpenStack. And it's all happened in the past couple of years. So are these the kind of stories that you find interesting? Just out of head nods. Yeah? Okay.

So when we have this patient data, there's a couple of things we have to start preparing community as well as downstream derivatives for. Within America and most governments, there are actual regulated laws that say, here's how we have to handle citizen information, healthcare information. And for us, in the US, it's called electronic protected health information. And when we have this healthcare information, social security numbers, unique identifiers, medical situations, we have to encrypt it. And whether that's encryption at rest or encryption during network transmission, we have a federal standard about how encryption should be used. And it's actually a law, which means if we have community software like RDO or OKD or Fedora that doesn't use the cryptography correctly, we can't use it in government, which means all of the open source innovation that's happening, it's illegal to use. So we wanted to start dispelling rumors about whether community bits and downstream bits can implement this crypto without having to be overly military or overly government. Is it actually community-ready instead of some barrier to entry? And to that point, if we don't use, for example, the evaluated crypto, not only is it against the law, it's considered plain text.
Which means if we want to do data sharing, or when Harvard and MIT opened the OpenStack environment to share with European researchers, the healthcare information was considered plain text. So Europeans couldn't use it, South Americans couldn't use it, and neither could APAC, the Asia Pacific region. So with that, then, I'll transfer it over to Gabe to talk a little bit more about what FIPS is.

All right, so typically what happens is, when it comes to FIPS and FIPS validation and certification, vendors will take the FIPS modules and go through a process to validate that, yes, these are the FIPS ciphers that the standard has set and has approved for use. But this typically incurs a cost, and it is an extensive cost, right, because you're paying people in the labs to go through and validate. So for open source projects, well, what do you need to do? So up here I have a list of some of the top modules that go through FIPS validation and certification. The most common one is actually OpenSSL. So if your project uses crypto, my recommendation, and what a lot of open source products do, is use OpenSSL. And you can actually go and check out this very easy and handy URL. So you can actually go and check out products and modules that have been certified with FIPS. All right, so just some examples. If your project might have software, obviously at the top I have an example of a FIPS target that enables OpenSSL. And like I said before, since it's the most commonly FIPS-validated and certified module, I recommend using OpenSSL. Now, you and your project or application might want to create the ability for administrators or users, or even your own development team, to be able to specify ciphers, because maybe you have customers and maybe you don't want to do the ciphers overall in your project upstream.
Typically what's popular and recommended is, in your application's configuration file, to create an ability for you or your users or administrators to go in and specify the cipher list. This way they can go through and say, hey, I want to specify the cipher, and that takes the onus off of you and your project to kind of manage the FIPS cipher list. Also, there was a presentation, I think yesterday, kind of talking about not rolling your own crypto. So in one of the videos I posted, I didn't recommend doing that. This is just to kind of reiterate and drive home what I'm talking about: just read in the ciphers from a configuration file. But ultimately, going the distance, Fedora and Enterprise Linux now handle the ability to do crypto policies, and it's really nice as an administrator because I just have a single command line, and I just go type it, and any software configuration file covered by crypto policies will then be set to use those ciphers. This is an example at the top of an OpenSSH config from the FIPS crypto policy in Fedora. And as you can see at the top, it's setting ciphers to FIPS. And then below, you'll also see in the SSH config that it now includes, there's an include line, right? So you're not reading that thing, the system-wide crypto policy. Below is the link to the Red Hat crypto-policies project. So if you, in your project, want to start on ciphers and different ciphers, such as a complex fix, you can upstream that and it will be supported in Fedora. And that's handy, right? Because once again, an administrator goes in to set up FIPS. They use the same command line, and once again, you don't have to worry about that in your project.

And so on the FIPS note, one of the things is, and Gabe alluded to this, within Fedora and RHEL, Red Hat will take the onus to upstream all of the current crypto ciphers and algorithms that are FIPS-validated. So it's no longer a burden that you have to track, like the OpenSSH, NGINX, Apache, OKD projects.
As long as you do some QE, or your CI/CD build runs with, like, the FIPS crypto policy and you run your unit tests, assuming they pass, you're using all of the crypto correctly. So if you take the view from a couple of years ago, all of a sudden projects would have to go to the government, check the cipher suite of whatever the latest validation was, and it was just too encumbered.

But one of the other stories is actually from the American Aviation Administration. They're the people who run air traffic control and keep the planes in the air. So right now, I didn't check the time, there's about 8,000 to 9,000 different planes in the air heading to or from America, about 2 million people. And one of the things they ended up doing is migrating workstations from a PowerPC-based platform to x86, and some of the workstations are Fedora and some of them are RHEL. So by doing that migration, all of a sudden the system cost went from 25 to 3,000 US dollars. And by using a combination of upstream open source, a lot of their developers are using Fedora libraries. Some of their apps are built on GNOME. They wanted to test on the latest KDE. And then when you actually have the air traffic control tower, like at the airport, they're running on the enterprise bits for the support and all the normal enterprise reasons. But what makes them, I think, kind of interesting is that they started to measure the government bureaucracy. We have this certification and accreditation problem where even if they want to use different technologies, all of a sudden they have to go through this government certification plan. Meaning there's a catalog of certification controls. Like, does it do password lengths of 13-character passwords with two uppers and two lowers? Is it doing memory management a certain way? And roughly there are 1,500 technical controls. So one of them could be something like "audit privileged users." Well, what does that mean? Like, what audit events do I have to capture?
Maybe we do user login and logout, but what else? So by the time you expand it to user login, user logout, add a user, remove a user, next thing you know you're at about 7,000 compliance items that every open source project has to document. And I don't know many who are. So as a result, on average we found that it takes between 8 and 12 months just to create the documentation to use something like OKD or OpenShift or JBoss, because they have to do this. And unfortunately that documentation is entirely in government spreadsheets with small fonts, about like 8,000 rows, and it's insane. So what ends up happening is the first couple of columns are like a requirement number. Like requirement number one, requirement number two, number two.a.one, and so forth. So that spreadsheet has about 7,000 rows. They're color coded about what's red, meaning, hey, this is super important. Are you using FIPS crypto? Put an X in the red column if you're not. And this ends up taking almost a year. So imagine what happens now when the open source projects, like this week it was announced, the next version of RHEL is going to a six-month cadence. We have Fedora, which cuts releases much faster than that. CoreOS upstream is basically every eight weeks or less. So if it takes me a year to make the paperwork, but releases are, let's say, three months, six months, I'm already a year to a year and a half behind before I fill out my spreadsheet. So what we tried to do, to increase the adoption rate, is begin building open source configuration guides. And for that project, Gabe?

Yeah, so security configuration guides document how to secure your application in any and every way possible. And this is just high level, like, for example, you can set a password to a minimum of 10 characters, or you can require that users, I don't know, use special characters or uppercase, lowercase. And it's really just a way to document how I can harden your application.
Me as a user, or the government, or as a policy writer, how can I come in and tweak the nerd knobs, if you will, to say, this is how I can harden your application code to make it more secure. And from there, typically what happens, and this is the bonus, is you can create some security automation content out of that. And there's actually a project called ComplianceAsCode, which did a demo earlier this week. So if you can check that out when it's posted, that'd be awesome. So that can help you create SCAP content for your project. So this is an example of what I'm talking about. As you can see, it's talking about how do I configure the password policy in pwquality.conf; you can say minimum length, minimum class. And this is nothing that's related to a policy like GDPR, for example, right? Or Common Criteria. But from there, as you can see, you can get a red-light/green-light result from SCAP content, which is derived from the ComplianceAsCode project. So now we have a way to take your security documentation and create a validation engine and tool that goes in and validates that, per policy, your application is now hardened to meet those compliance requirements.

And kind of what we do through that ComplianceAsCode project, we're some of the developers on it, and when a project decides to partner with us, like EAP or OKD, which led to the OpenShift baseline, we actually translate all of those 7,000 government controls to human speak. Like, "audit privileged users" means the following 10 things. So we need to have the following 10 audit events. And that leads to creating a configuration guide, like a specific setting, this name-value pair or the YAML value for OpenShift. And we do some of that with you guys. So it's kind of a call for collaboration. So one of the things we often forget, maybe by kind of head nods or show of hands, anybody know anybody who works on Gluster or Ceph? JBoss? Fedora or RHEL? SELinux? IdM?
All of that's running on the International Space Station. So that mission there, last year, I'm going to get the month wrong, so I'm going to call it fall of 2017. We worked with HP, the computer manufacturer, to build a chassis, a teraflop of computing power, that got launched by SpaceX to the International Space Station in roughly August of last year. So what we're doing now is that consolidated all of the compute power of our International Space Station module into that rack-mount system. I want to say it was like 8U. So what's crazy is, by using Linux and Gluster and Ceph, IdM, there was like a JBoss component, upstream JBoss, interestingly, we're actually able now to build supercomputers on the space station to do things like navigation control. Is there a solar flare and we need to shut down the electronics? Is there an air leak, which you may have seen in the press lately? This was the system that detected the air leak. Outside of that, there's the Curiosity rover. So what we're doing in that case is actually all of the images that are being streamed from the Curiosity rover go to a GlusterFS, the .org side of the Gluster environment, and they're joined with technologies from Nginx Railroad, which is a content management system. So whenever the public goes to view the Curiosity or any of the Mars imagery, it's actually using AMQ to send the message from space to a ground station that goes to a GlusterFS-backed file store, and then it uses Nginx as well as a content management system to send it out to whoever's looking at the web page. So a lot of people don't realize, by late last year, there was this big RFE to add SELinux policy to GlusterFS, and at the time we couldn't tell anybody why. We couldn't announce that the government was about to land on Mars, for whatever reasons.
But it was actually Lukas Vrabec, who I think I saw in the room, who added the SELinux policies to GlusterFS, and now all citizens of any country in the world can see the Mars imagery. So that's some of the back story. But with it, kind of the primary takeaways: does your technology work in FIPS mode? Is it part of your QE process? So oftentimes people will take, like, Fedora latest, RHEL 7 latest, and run their CI/CD on it, but it doesn't actually have FIPS enabled; it's a kernel option. So what we've started to do is publish baselines that meet the minimum viable government security standards, where they're not overly militarized for one country or another, they're not over-the-top MLS or something; they have some audit events, some SELinux enabled, FIPS ciphers implemented. And by using those images as part of your QE process, we stop running into issues where technologies go GA downstream, like Satellite, which broke when FIPS was enabled. So all of a sudden when Satellite 6 came out, nobody in the government could use it. When JBoss EAP 7.0 came out, nobody could use it because it didn't integrate with Bouncy Castle. So that's part of it.

And then outside of that, there's a couple of other concerns. Questions, I mean. How many of you have a baby cat? How many of you have been hacked? Right? Hopefully... None, really? So the reality is today, and this is the more personal matter, you, myself, everyone in the world is now vulnerable because hackers have now become a hot thing. And nation states and everyone else who wants to get your data, get your money, are kind of going after those vulnerable systems. And if they had complied or created security policies, if they had done things like FIPS validation and certification and enabled systems with FIPS, those attack vectors would have been reduced, right? So now more than ever, this becomes personal. Versus just, oh, the government wants this and the government wants you to comply with it.
Now it's more like, can we, as the open source community, as the developers, the coordinate developers, come together and start to say, my projects, my code, my applications, I want them to be secure. I want them to follow policy, and I want them to do all the same, so that in the end, myself, my friends, my family are no longer affected by these events.

We're seeing that institutionalized. So what was once for the American government, the tax collectors, the airplane controllers, all of a sudden now, to get things like cyber insurance, at least in the United States, you have to follow the federal standards. If you're a regulated industry, like banking, transportation, telecommunications, federally regulated, you have to follow the federal standards. So it's no longer just a couple of government agencies. It's people like Verizon, Ericsson, Bank of America, Merrill Lynch, Visa; they all have to follow this now. So as we want our technologies to integrate into those spaces, these are some things we have to do. But with that, any questions?
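The two practices the speakers recommend for a project, reading the cipher list from an operator-editable configuration file rather than hard-coding it, and checking that CI actually runs with the kernel FIPS flag set, can be demonstrated in a few functions. The following is an added example written for this page; it is not code from the talk, from crypto-policies, or from any of the projects named above. The INI layout, the `[tls]` section, the sample cipher string and the CI report shape are all assumptions made for illustration; the only real interfaces used are Python's `ssl` module and the Linux `/proc/sys/crypto/fips_enabled` flag.

```python
"""Added example (not code from the talk or the projects it names).

Shows two practices the speakers recommend for an open source project:
  1. let operators specify the cipher list in a configuration file instead
     of hard-coding it, and fail loudly if none of the requested ciphers
     are available in the linked OpenSSL, and
  2. check the kernel FIPS flag so a CI job knows whether its tests ran
     under the mode the government deployments will use.
The config format below and the sample values are assumptions for
illustration only.
"""
import configparser
import ssl

# Linux kernel flag; contains "1" when the kernel was booted with fips=1.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"

# Constructed sample of the hypothetical config format an operator would edit.
SAMPLE_CONFIG = """
[tls]
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
min_version = TLSv1.2
"""


def parse_fips_flag(text):
    """Interpret the contents of the fips_enabled flag file ("1" means on)."""
    return text.strip() == "1"


def fips_enabled(path=FIPS_FLAG_PATH):
    """True only if the kernel reports FIPS mode; a missing file means not FIPS."""
    try:
        with open(path) as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return False


def load_cipher_config(text):
    """Read the operator's cipher string and minimum TLS version from INI text.

    Returns (cipher_string, min_version). Missing keys fall back to OpenSSL's
    DEFAULT list and TLS 1.2 rather than to anything weaker.
    """
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    ciphers = cp.get("tls", "ciphers", fallback="DEFAULT")
    min_version = cp.get("tls", "min_version", fallback="TLSv1.2")
    return ciphers, min_version


def build_context(ciphers, min_version="TLSv1.2"):
    """Build a client TLS context that offers exactly the operator's ciphers.

    ssl.SSLError is raised when none of the requested suites exist in the
    linked OpenSSL (for example because FIPS mode removed them), so a
    misconfiguration surfaces at startup instead of silently falling back.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # ssl.TLSVersion uses names like TLSv1_2; the config uses the dotted form.
    ctx.minimum_version = getattr(ssl.TLSVersion, min_version.replace(".", "_"))
    ctx.set_ciphers(ciphers)
    return ctx


def offered_ciphers(ctx):
    """Names of the cipher suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_string_is_valid(ciphers):
    """Pre-flight check for CI: does this cipher string select anything?"""
    try:
        build_context(ciphers)
    except ssl.SSLError:
        return False
    return True


def ci_report(config_text=SAMPLE_CONFIG, flag_path=FIPS_FLAG_PATH):
    """Summary a CI job can assert on: FIPS state plus the suites offered."""
    ciphers, min_version = load_cipher_config(config_text)
    ctx = build_context(ciphers, min_version)
    return {
        "fips": fips_enabled(flag_path),
        "min_version": min_version,
        "ciphers": offered_ciphers(ctx),
    }


if __name__ == "__main__":
    report = ci_report()
    print("FIPS mode:", report["fips"])
    print("Offered ciphers:", ", ".join(report["ciphers"]))
```

A CI job for the FIPS baseline the speakers describe would call `ci_report()` and fail the build if `report["fips"]` is false, which catches the case they mention where tests run on a stock image that never had the kernel option enabled. Because `build_context` lets `ssl.SSLError` propagate, a cipher string that the FIPS-mode OpenSSL cannot satisfy fails at startup rather than at the first connection.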