This talk will cover the important bits:

1. A brief overview of my homeserver setup
   i. What all Hardware is involved ii. What all services are running iii. Networking and how to route traffic to your home.
2. Infrastructure Setup
   i. Terraform Configuration ii. Service Configuration iii. Running a Kubernetes Cluster iv. Security
3. Q&A

• Traditional Public key (asymmetric key) cryptography authentication(2 min)
  • Traditional SSH authentication methods
  • Password-based authentication
  • Public-key (asymmetric) based authentication
  • Generic Security Service Application Program Interface (an API to access servers)
• Centralized authentication approach & limitations (3 min)
  • How LDAP/Kerberos working (in brief)
  • Limitations of a cenralized system
• A adventures ride with SSH certificates (6 min)
  • Working of SSH certificates
  • Generate signed certificate from CA
  • Configuration on the host system
  • Configuration on the user system
• Demo (3 min)
• Features of SSH CA (3 min)
  • Role-based access
  • Host-based access
  • Certificate validity
  • Certificate identity
• Limitation & solutions (3 min)

• What is OSINT?
• What can attackers do with OSINT data?
• Where/How do attackers(or I) find this OSINT data? (Tools/Techniques)
• What can I do about OSINT data on my organisation?
• Building visualisation, monitoring and alerting solutions
  • Monitoring an organisation’s SSL/TLS certificates, domains and subdomains in near-real time
  • Visualising public datasets (scans.io) to gain insights into an organisation’s external posture
    • Answering business related security questions using visualisations
  • Building monitoring and alerting solutions around various OSINT data
• Key takeaways and Moving forward

• Introduction to client-side Data Exfiltration attacks
• Introduction to Content-Security Policy
• Content Security Policy to prevent Data Exfiltration attacks ○ What is possible ○ What are the limitations
• How to design and deploy CSP to detect/prevent Data Exfiltration attacks
• How to monitor policy violations and alerts

• Introduction - 1 minute
• Why all of these painful steps? 2 minutes
• SecureDrop client desktop tools and their dependency on other upstream projects (or think about an application structutre and standard deployment strategy)- 3 minutes
• Updating dependencies or do we read all updates? - 2 minutes
• Development environment and using pipenv + tools to create requirements.txt wtih hashes only for source - 3 minutes
• Structure of a static HTML based private package index - 4 minutes
• GPG signed list of already built wheels + syncing them locally - 2 minute
• Running python3 setup.py sdist to create the release tarball + a step before to have a requirements..txt with only binary hashes from our list of wheels. - 5 minutes
• Final Debinan packaging script (for automation) which does double verification of the wheel hashes. - 3 minutes
• Reproducible Debian package as end product - 2 minutes
• Possibility in the RPM land - 1 minute
• QA/feedback

Problem Statement: Stateful Realtime Processing of multi-million events.

1. Intro Kafka Streams and event flow (2 slides)
2. Challenges in Kafka Streams
   a. Fault Recovery b. Horizontal Scalability c. Cloud Readiness d. Restricted RocksDB e. Large Clusters
3. Lay a background on why are these a challenge.
4. How we forked the code to solve each of these over the past year.
5. Conclusion
6. Future Works

• Objectives
• Lua and Wireshark Lua
• Usage and Example
• Debugging and Linting
• Literate Programming
• Markdown Structure
• lit2lua
• Protocol Dissection Pattern
• Dissector Table
• Wireshark User Interface
• Info, Message and Heartbeat Protocol
• Hot key Report
• Testing
• Demo
• Future Work
• References

Source Code: https://github.com/aerospike/aerospike-wireshark-plugin

All the technical diversity we enjoy in our industry is the result of internal evangelism 20 yers ago. Now all three major cloud providers have been pushing their serverless solutions to lure customers into a new form of vendor lock-in. I think it is time, to remind ourselves about Open Standards.

• Setting up the scene: MySQL database flooded with connections, more than it can handle
• Vision: Achieve 10x scale without 10x cost
• An ideal solution?
• Solutions available: ProxySQL, MaxScale, Nginx, HAProxy
• Why ProxySQL?
• Benchmarking ProxySQL
• Conneting the missing dots
• Chosing an architecture for deployment and why
• Challenges and workarounds
• The end result!
• The Future

This talk will start with current state of Kubernetes security and how folks are setting up their clusters. How folks are using shortcuts to get around changing their old bad practices. The talk will explain folks what’s worst that can happen if they keep using those bad practices. Specially in the multi-tenant setup this can lead to massive breakouts.

The above topics are there to create a ground for folks to appreciate the security feature of Kubernetes Pod Security Policy.

We then come to core of the talk this is where I will explain what Pod Security Policy is and how it can help in hardening the cluster. I will explain all the supported features that PSP has and what feature stops what kind of attack vector in a multi-tenant untrusted environment.

Also I will explain the benefits of having secure & hardened clusters from the development phase itself and how it helps you understand and catch the issues that you might encounter only while deploying on production.

We are looking to bring forth the following issues:

-Challenges in integrating security in a fast paced DevOps Cycle -Current Practices being followed for DevSecOps in their Organizations -How is SAST & DAST placed in the lifeCycle -Embedding Security in the Pipeline and Automation -Whats different when dealing with containers and cloud

This talk covers how (in)secure in the routing at the global scale, covers about IRR in detail. Includes examples, tools and challenges with IRR based BGP filtering. It also gives a brief introduction to RPKI as well as latest developments in this domain (AT&T doing RPKI based filtering, Google about to do IRR based filtering etc)

Let’s see a demo application using ServiceMonitor for Prometheus, a HPA, and a custom container that will count the instances of the application and expose them to Prometheus. Finally, Grafana dashboard to view the metrics in real-time.

Audience will learn about Openscap. Tools used by openscap along with profiles and components of openscap. I will also through some light on how we all can have our own set of policies and how we can develop certain profiles and policies that will be custom of yourself and also useful for upstream. This talk will also involve how to deploy openscap, how to use different tools of openscap and warping up with the analysis of the reports generated by the scap policies. At the end you get a clear picture of openscap also with managing all the tools and reports by them.

How’s the choice usually made? What’re the several factors involved?

Do you really have a problem the tool is solving or the tool is making us think you’ve a problem.. how to find out if you’ve the problem or going to face it later.

The cost breakup of all elements:
Benefits of the tool >> Time to decide + cost (Engineering) + Cost (Operations/maintenance) + Cost (Infrastructure) + Cost (cultural drift)+etc.
How much percentage of cost is acceptable for the benefit.

Idenfifying elements unique to your company, that contribute to overall decision.

In the wake of one data breach after another, and in this age of surveillance, security has become serious business. The trust on the big giants like Facebook, Google, etc has diminished over the years. Security has been a huge concern in the recent times for many of us, and a lot of them have grown a valid paranoia around security and privacy. The term “valid” signfies just not be a paranoid but to be methodical in your action.

As we grow dependent more and more on internet-based services, the more vunerable are we becoming to exploits, and you can easily notice how in the recent times the exploits has affected a large number of people.

And, there could be no better place to start than your OS itself. There has been a growing list of OS targeted towards security. There are bunch of options these days, like TailOS, QubeOS, Silverblue, Whonix etc each behaving a bit differently but trying to acheive the same goal, Security & Privacy

We gather to discuss our ideas and concerns on this topic, discuss our methods, how we compartmentalize applications to fight vulnerabilties.

We at Simpl manage a microservices polyglot platform with about 40 services. We handle 10 - 30 million requests per day and can handle 100x or more. We’ve managed >99.99% of availability. Containerized, auto-scalable and completely automated DevOps platform.

All these were handled by the seven backend developers and no dedicated DevOps person.

This is possible because of the unique approach we’ve taken towards DevOps. Instead of using tools like Chef/Ansible, we’ve taken a unique approach that simple and hence naturally scales.

I’ve spoken about this in couple of meetups and people found this useful. Would love to share the journey with a larger audience.

This talk would have four parts.

• Introducing the problem (tech stack, constraints, complexity etc)
• Why not config management tools like Chef, Puppet, Ansible
• The approach we’ve taken. Demo, details and of course code.
• Learning that would be useful in your org.

• Vitess history
• Vitess architecture
• Vitess resharding and demo
• VReplication explained
• VReplication demo

1. Why functions?
2. How are functions relevant to package management?
3. How are functions relevant to operating systems?
4. Development shells
5. Docker without Dockerfiles

• Referencing the 13 yr old article of willy tarreau ( 2006 )

• 5 categories of LB

• Evaluation params of LBs

• DNS Load Balancing Detail

• Layer 3/4 Loadbalancing

• Haproxy example and monitoring params

• Layer 7 Loadbalancing

• Hardware and Software Routing ( setups and cases of each )

• LVS: history and implementation

  • NAtting
  • Direct Routing
  • Tunnel Based routing

• RP Filter

• What to monitor
• Interrupts handling and CPU affinity

• HA with Keepalived and consul

• References

Business Requirements/Use Cases
- Log analysis platform (Application, Web-Server, Database logs) - Data Ingestion rate: ~300GB/day - Frequently accessed data: last 8 days - Infrequently accessed data: 82 days (90 - 8 days) - Uptime: 99.9 - Hot Retention period: 90 days - Cold Retention period: 90 days (with potential to increase) - Cost effective solution

Areas of optimization
- Application - Infrastructure

Cost Optimization
- Replica counts and its impacts - How to run ELK on Spot instances correctly. - EBS Costs can be high, how to set up Hot / Cold data storage - Auto Scaling - On-demand ELK Cluster

Infinite Data Retention
- How to setup S3 as a hot backup - Recover on Demand

Numbers/Tradeoffs
- Cost/GB data ingested - Trade-offs made - DR mechanisms

Conclusion
- Building a log analytics is not rocket science. But it can be painfully iterative if you are not aware of the options. Be aware of the trade-offs you are OK making and you can roll out a solution specifically optimized for that.

Consider a sample application:
A number that user sends an SMS text to of the form “Remind <date format> about <y>.” When it’s due, a service calls you back. User is charged for each SMS and reminders that they answer.

Where all do you think this can start failing?

Static Failures:

• Disks
• Network
• CPU
• Memory

Behaviour Failures:

• Degradation
• Latency
• Freshness
• Correctness
• DDos

What are the right tools and strategies to measure and monitor these failure points?
What is the cost of measuring or leaving it un-measured?

There are Queues in the system. How do you monitor synchronous and asynchronous architectures?

The load has started to increase, but before we discuss strategies Let’s discuss CAP quickly.
How do we decide if we need sharding, better CPU or Clustering?

How do we add backups? Should they be asynchronous or synchronous?
Criteria to consider before picking up a strategy.

So far, we have been reactive about failures. How do we move to a proactive model?
And Meanwhile, could you trace that request from that particular user for me?

At what stage and how do we start injecting reliability as a part of the Software development process?

Lastly, while all of this is said to improve and fix things, how do we prove that it does? How do you validate that MySQL replicas come back when the master dies. The only way to know is by simulating. How do we set up Simulations? A decade ago it used to be called FMEA; now it’s called Chaos Engineering.

And oh, we should also discuss Site vs Software Reliability.