A: Okay, so let me introduce you to the co-hosts for this first session. Welcome Alyssa Miller and Gab Smash.

A: Awesome, great, and the floor is yours. I'll let you run the show; I'll be here as backup if needed. Good.
F: I used to work for NCC Group, doing a lot of source code reviews, doing a lot of Kubernetes security stuff, and yeah, I'm getting into a lot more cloud lately, and now I work for Snowflake as a security architect. So that's my background.
B: Nice, nice. We can do Anders next.
G: Yeah, I'm Anders. I work as a developer advocate for Styra, which is the creator of the Open Policy Agent project, or OPA, which I'm going to refer to for the next hour or so. Yeah, I come from a background in identity primarily, so I worked for the last three years or so with OPA and access control. Before that it was all about identity: identity of workloads, identity of users and clients, and so on.

G: So a lot of OAuth, OpenID Connect. So it kind of came as a natural next step: once you've established identity, what do you use that for? And so I got into authorization, and yeah, here I am.
H: Yeah, hi, I'm also a developer relations engineer, developer advocate. I work at New Relic, and I specifically focus on security and making security more digestible for beginners and newbies, and I actually live stream here on Twitch. So if you want to follow me on Twitch, I'm @EndingWithAli, where I do a lot of learning in public, teaching myself security. Most of my practical knowledge I've actually learned live here on Twitch. So I do a lot of different lessons and education on Twitch.
I: Hello, hello. I'm Andy, I'm a founder and CEO at ControlPlane, where we do cloud native security stuff. I'm a little bit dev, a little bit of ops, a little bit of security in there as well. Very proud to say I've just finished writing a book. Shout out to Mark, some awesome review work there as well, and of course Lewis, who's over there, and James, who were both instrumental in making that thing more polished, fixing the bugs, bouncing it up, all that kind of good stuff. I'm a SANS instructor as well, SANS SEC584, again with the more than capable, yes, this is Lewis, aiding and abetting in that. And yeah, a zealous CTF maker and player and enjoyer. So yeah, super pleased to be here and really looking forward to today.
E: ...covers for books, so I'm very proud to say that the book has got a duck on it. So I think that's the highlight of my year, possibly the last 10 years, to be honest. And I'm not at KubeCon, I'm back at home in Wales, which is, well, England is the sidecar of Wales, but hey, I'll deal with that next week. Yeah, so day to day within ControlPlane I do lots of training. I used to go to lots of different places, but I pretty much give training in here now.

E: So this is my little training dungeon. No, no, it's lovely! It's been great. We've had to change our ways over the last however many months, and I just get to meet lots of people, get to help them out, and it's super awesome. And I get, I'm going to point at that one and point at that one, I get to work with these two every day and it's phenomenal. They've really helped me push my career, and they're super awesome people. Thank you for having me. Don't follow me on the internet.
J: Hi everyone, I'm a security engineer at ControlPlane with these two, and I sort of deliver security consulting-type services with these guys. I was previously a security consultant, so that's pretty much my wheelhouse when I'm not helping Andy with books or helping build these awesome CTFs.

J: Well, there's a huge team of us at ControlPlane that have all put in lots of effort, so I'd... I'm just saying. But it's been a lot of fun contributing.
C: So I'm curious how you guys got into cloud native security, right? I mean, what does it even mean to say cloud native security? I mean, I think everybody kind of has their own idea of what cloud native is, and then on top of that we put security, and then sometimes on top of that we put cloud native application security, and then there's going to be cloud application security brokers. I don't know, it keeps growing, right? But how did you guys get here? I mean, Ali, let's start with you. How?
H: Yeah, so I was thinking about the right way to say this. I'm going to reverse-age myself, I'm going to baby myself in a way, because to me it's only been cloud; there's never been on-prem. So, yeah, okay, I'm sorry, I'm a baby, I know. So to me...

H: Yeah, I know I'm making myself be a baby, but to me, whenever I'm doing anything, it's always been cloud first. So to me they are synonymous. I am now actually learning more about how it used to be done back then, as I dive more into Kubernetes and how servers were, and still are, somewhere in the world being hosted. But to me it's always been cloud first, and I've always had an interest in security.

H: I've always thought people who work in security are the smartest people in the world, and people that I've always looked up to, like Alyssa and Gabby. I follow you both on Twitter, fangirling just a little bit. But I've always thought people that work in security were such amazing people and just thought in such a different way, and so I was like, how can I learn to be like that? And to me that first step was figuring out just how everything works from a security aspect.
C: Security list, I can definitely understand that. I'll just give you a hard time. There we go, yay, cool. So, let's... I'm not gonna say it that way, that would be cruel. So Anders, I'm guessing that you, like me, probably didn't start in cloud native, but I could be wrong, so correct me.
G: Yeah, yeah, that's a good question. I think eventually that same organization, where I stayed for a couple of years, eventually understood that things had to change.

G: There was that whole gap between development and operations; it just wasn't a viable model. And so, slowly, but still, we tried to adopt DevOps practices, tried to be more agile and so on. And then eventually I ended up working more in identity systems, and of course those standards stay around for something like 20 years.

G: So once you learn something like OAuth, you can kind of work on that for the next decade or two. But yeah, and then coming into authorization, there's really no standards and there's really a lot of ideas on how to best do that. That was kind of a shock for me, coming from the identity world, where there's all these very strict boundaries on what you're allowed to do and not do.

G: So yeah, and to answer how I got involved in the cloud native space, I guess this is through OPA, which is of course one of the graduated projects in the CNCF.
F: I was a pen tester doing network penetration stuff when virtualization was just starting, so that was kind of the first revolution that I saw in the industry, and somehow I migrated to an application security background, doing Android and mobile stuff. And I swear I'm going to get to where we get to cloud native, because it doesn't make any sense how these are related yet. But I saw Android and iOS doing these sandboxed processes. They were doing isolated, kind of container, processes.

F: I was like, oh, this is awesome. And when containers started becoming adopted, Kubernetes was around, and I was like, this is the future of all servers: we're going to have containerized processes, we're going to be isolated. So I started adapting what I was doing for application security and looking more towards what Kubernetes is doing, like, let's help secure this thing. And of course that didn't really flesh out as I wanted it to. This thing, we don't have sandboxes per se, but we've got some level of isolation, it's cool. So I think I was just pushed into cloud. I had a whole bunch of customers, and the industry was just moving to the cloud, like, who's doing on-prem stuff? In fact, earlier on in my career I was flying everywhere because everything was on-prem. I'd go to data centers and I had to go to physical servers and stuff, and then it just stopped. Everyone was saying, oh no, it's all remote. We'll just give you a shell, you know, we'll just give you access to the things you need. So I had customers that were just in the cloud. You need to adapt or die, right, in the security industry. So I was doing a lot of Kubernetes stuff and I built a team at NCC Group that was just doing containers and sandboxes and Kubernetes security assessments, and we kind of built some staff around that. So, now...
I: That is a fine question. I was very privileged in that in my first job out of uni I ended up doing something that I was perhaps underqualified for at the time. So there was a small startup in Bristol, which is out on the west coast of England, close to Lewis's proximity, and it was a software as a service, back when that was actually a definition of something, business management system. I was the first employee, so I had the incredibly fortuitous position of doing operations, doing the development, doing PCI compliance, back when we still stored numbers for people, which very quickly failed to be the case. And everything was Rackspace. So everything was like, you were buying space in a colo.

I: You got us again, mate. Hysterically, I was saying we had availability issues and then everything froze, so there's some sort of resonant inductive, conductive coupling with silicon. I'll have to be careful what I say. And yeah, so Amazon opened eu-west-1 and, some will probably call me out, 2008 maybe, and we just jumped on it. So going from that position, where I'm just kind of de facto, this thing needs to be done, there's a cloud over there, why don't you try and unify our approach to the way we're delivering services, and it kind of steamrolled from there. And then after that role I started to be a consultant, and I just found that regulated industries had more interesting problems. Everything in engineering is a compromise, and often it's trying to fit something into a shape that doesn't really naturally fit. And yeah, certainly escalating through different organizations, and then finally cloud native turns up and everything just makes sense.

I: You can kind of take the big multi-tenant Linux system, squeeze it into a microcosm and then run or bin-pack them, and it was pretty clear from early musings with Docker that there were lots of security opportunities. And yeah, it's just all kind of steamrolled from there. So yeah, again, very fortunate to have that luxury, and I often wonder about people joining the train, or getting on the ride, at this point.
H: Yeah, there's a lot. There's so much that I feel like I'm always learning, especially as I've been digging more into Kubernetes. It's just been so much to break down and just be like, oh yeah, this is how it's done, and this is where I feel like I've been missing in my education, as I am continuously learning. So yeah.
C: You mention the regulatory environments. I think Gabby and I can both kind of identify with that, me from the financials and Gabby in her industry. Yeah.
E: I don't know what I'm allowed to say on that point. I think we're exclusive. I am just with ControlPlane now, I'm not anywhere else, it's with ControlPlane. But yeah, no, my career, it's been varied. You can look on LinkedIn and if you can figure out how I got there, congratulations, I don't have a clue.

E: Please tell me. But the main point for me was about five, six years ago now. I just hit this lull in my career, where I was a developer. I got into it, I do a lot of developing, I just love it. For me it's puzzles; everything I see is a case of how do I fix this? How do I make this? How do I solve that problem?

E: And I got into this position where I wasn't solving any problems whatsoever, and last Sunday it was World Mental Health Day, and at the time I was also suffering from depression, which I wasn't aware of because it was a biological thing, but it absolutely sucked. But then having solved my depression made me realize, it's like, I like solving problems. So I kind of jacked in my career of being a developer, and then it was like, what's interesting? And at the same time I was starting a family, and then containers, and it was like, stop, stop, containers.

E: That's going to help me, because I need to be like, I'm going to have a child and they're going to be screaming in the night, I can't work till 4 a.m. So I started that way. But then, and for me there's always conferences as well, there's events like this, you get to meet people who are like-minded.

E: Sometimes you feel like you're in a bit of a hole on your own, and no one else can really understand you. When you bump into all these amazing people at these conferences, you're like, oh no, actually, we're kind of alike, it's kind of okay, it's a nice place. And so from that I saw Andy on stage hacking containers and it was just like, hello. This is what security was. Security always scared me, because I never felt like it was a defined line that I could achieve, whereas actually then I realized this is the perfect puzzle for me, because it's something that's constantly evolving, it's always something which I can work further on. And so from that point I've worked my, something, off to get to this position where I could work within ControlPlane, and it's a pleasure that I get to work with them. So, you know, Andy, and you're going to hear more from James, but we've got some people behind the scenes as well helping us today, which I need to mention, such as Michael, Steve and Carl. And every day you just have phenomenal people who just try to make you a better person, and it isn't just career, it's about being a better person as well, and so that's just what we do. And yeah, so probably in years' time I guess I'll still be in this kind of branded top. But that's where I am.

E: The main thing I just say to people is, whatever position you're in, especially with the CTF, that's a puzzle that we've made for you. It might feel tough at times, but don't worry, because it's supposed to be really tough and we're here to help. But at least by the end of the day you're going to learn another way as to how to break something, which is always fun.
J: Hello. So yeah, as I mentioned earlier, I sort of started my career off as a security consultant. So I guess I was quite fortunate, I think, to have that as my first grad job, because I don't think I appreciated it when I applied for it at the time, but it exposed me to a huge variety of orgs and environments and ways to do things. Some places do things badly, some places do things well, and early in my career it was invaluable really, because it exposed me to all those different things that perhaps would have taken me many more years to witness and learn from had it been a normal job cycling scenario. I sort of started off in, I guess, what you might call a more traditional security kind of penetration testing thing, looking at Windows and Linux boxes and maybe a bit of mobile, and you're expected to know... As the years went on in that role, this newfangled thing called cloud, or probably not so newfangled by the time I was looking at it, but more and more places were using it, and I guess it appealed to me, I think partly due to the elegance. But yeah, I became part of the team that looked after a lot of the cloud and especially the containerization element of those bits and pieces, and just the exposure of looking at how different orgs built things in different ways and how they screwed things up in different ways, I think, really is how I learned. And then fast forward a little bit to today, at ControlPlane, where I still, to a degree, look at various orgs and how they screw things up, but also give back that advice and contribute to their security postures.
B: Awesome, those are some insightful answers. I think it's really interesting how everyone's kind of got a different, a really wildly different, career path, but we all end up in the same industry. So a few of you mentioned that you really enjoy working on the CTFs and also solving CTFs.
F: Krew, right, the plugins for kubectl. Krew has a bunch of scripts baked in that, to me, is kind of like the Metasploit of Kubernetes. It's just got a bunch of scripts that aren't necessarily new things you've got to compile and build; they're just these dependencies you can yank onto your box really quickly and start attacking different stuff.
F: Well, I think Andy's right, or is it that everyone's saying Bash because you don't know the environment you're going to get? Are you going to get remote code execution? What kind of shell? What kind of environment are you in? What if it's Windows? Then everything's out the window, you don't know what to do. So I think the core Unix tools: running netstat, lsof, you know, Bash.
C: So is that a statement on the types of issues that people typically have in their cloud native environments? Or, I mean, what are your thoughts? Is that because, I feel like, okay, if I'm going to go hack a web app, you know, probably Burp Suite or something like that is going to be the universal tool everybody says they want, right? But when it comes to things like a k8s cluster, we don't really have that.
H: ...that allows for that extrapolation and easier interpretation of the data and information you get. But with how new cloud native is, and even a tool like Kubernetes, you don't have that time period to be able to create an extrapolation, because things are moving so fast that you just have to keep pushing forward. You don't have that break point where you can just be like, oh yeah, I can actually build something around this. You just have to keep going and figure out what's wrong, and you're going to do it on the one thing you know, as we all said: Bash, terminal, command line.
I: Yeah, I suppose, yes, it actually goes to print today, so it doesn't exist for another month or so. But yeah, I think, yeah, I mean, it's a really strong point. We're not searching for vulnerabilities in the code base itself generally; there are huge fuzzing projects going on against Kubernetes, which kind of deal with that for us.

I: Obviously, because it's a purely declarative system, there's best practices that are easy to statically analyze, and we've got a lot of tooling, and this makes the whole pipeline story, the defensive DevOps build-out, really effective. But then, as a kind of emergent property of that, there's so much complexity in the number of permutations that we can have set up that, even though we can statically analyze for a known-good baseline on various different parts of the system, it becomes misconfiguration, as Mark says, and just the interplay between two things that are not correctly configured. Maybe that's on a kind of per-namespace basis. Maybe that's the way that the cluster sits in the wider topology of the cloud accounts, because there's something in the Kubernetes docs which is the four C's of cloud native security: you've got the code, the container, the cluster and the cloud. I think that's right. And we model the application as already compromised, because we say the application's compromised: what about the topology and the network policy around it? What about the node isolation? What about the services and the workload identity that it can hit in the cloud? All those things kind of inform how the architecture's built. So the question there becomes: not only do we have misconfigurations in the file system, can we escalate to root really easily within the pod? And then all the container breakouts generally require root or CAP_SYS_ADMIN capabilities.

I: So that's kind of the first line of defense: is the security context hard enough? Then again, assuming that that's broken out of, what identities can be integrated within the cloud based upon what the service account has? To some extent, again, you can statically analyze those kinds of things, but then of course, if somebody can just exploit a metadata API insecurity, where you can hit your cloud provider's metadata API, pull back the instance role with an old-school token service and then just escalate to the cloud account, well, you can just go and image all the disks and it doesn't really matter about your configuration of the cluster itself. So having everything declarative is super useful, but then the way that we kind of work our way out and around those, it is just a standard set of tools that we want. The difficulty is doing it contextually and understanding the developer's intent and trying to figure out where the holes would be, rather than just spraying scans across the whole thing. But yes, a meandering way of saying I agree.
B: Awesome, yes. So as someone who's never done a Kubernetes CTF, I'm super curious: how would you go about solving this CTF challenge? So without giving too much away, where would you start and what would you look for first?
I: That's an excellent question. It kind of depends. Speaking generically, old-school enumeration and discovery techniques are still completely relevant. Cloud native doesn't throw away the baby with the bath water kind of thing; it just brings in some other abstractions and allows us a more fine-grained model to hang policy around processes, basically. So I love nmap. Actually, I suppose that's another tool with a decent scripting engine to it as well. So yeah, starting off with an nmap enumeration is often a useful thing to do against a cluster. In this case, the first thing we're going into there is there's some application-level injection that we've got to play with. Again, as Ali says, it's been around since the dawn of time. This is the way that stuff gets pwned: remote code execution first in the door, and then what's my privilege, can I escalate? Can I enumerate? Can I attack the visible horizon? All that good stuff. So I haven't really said anything, I hope.
J: I'm just prepping.

E: So, whilst you prep that, just for today's CTF, if you are looking for a cluster, if you could DM the Taskmaster. Taskmaster has a load of clusters ready to go; they're on the other side of that door over there, and we'll send them across your way. If you need any help, reach out to Goose. Other than that, just make some noise on the channel. Someone will find you soon enough and we'll definitely be there to help you out.
H: And Lewis, if someone who's watching now wants to get started, where should they go?
E: So you need to sign up for the security days, and then you should have had an email with credentials, so for today that's where they need to go. We will promote this at the end: there's an open source version of Simulator, where we've already got scenarios out there. And then, if you are interested in this, well, we're always running game days anyway, and for us it's always just about letting people in and just playing about.

E: So if you are interested, just reach out to us. Again, I put myself down as "don't follow me on the internet" there, but you can find me on the internet. I've got a double-barrelled surname, there's only one of me, which is a terrible, terrible thing for me, but you can find me. Just message me and I'm always more than happy to help out.
I: Sorry, Andy, I was going to say we've got a theme permeating the CTF today. KubeCon is in L.A., and so we have a Hollywood theme going through, and the first film from which we have taken inspiration is Inside Out. And yes, more will become apparent. Over to you, James.
J: Thank you, Andy. So we can see in front of us we have the Memory CI/CD build system, which is the entry point to our first challenge today. I'm hoping you can all see my screen and it's blown up enough, but just shout if you can't and I'll top that up a little bit more.
J: So we've got two sort of web pages that are exposed here, and the reason we started through a web application is we wanted to simulate things a little bit more realistically.

J: So if we explore the web pages available, we can see we have a status page, which just tells us some information about the system. I'm sorry, it's just tests, nothing too interesting at the moment. Then we can also see we have a utilities diagnostic page. Of interest initially, we can see this ping box which, if any of you have any kind of Hack The Box or traditional CTF experience, you might recognize as a potential command injection issue.
J: Looks like it resets every time I refresh. That's a lot of money.

J: Does anyone from the room want to hazard a bit of a guess at what's happening here?

J: What I'm going to do next is copy. So in my network tab I can see this is the most recent POST request. Apologies if it's a bit small, I can blow this bit up. I'm just gonna copy the request out as curl.
J: So if we try that again, but we edit it, say, get rid of that, and maybe try replacing it with id, we'll see that we can specify the whole command here, which is great news for us. So we have a command injection, command execution flaw in this website, and we can see that we're running as the nginx user, so that kind of tracks, given that we potentially might be using nginx to serve our website over on the left here.

J: For example, without doing a little bit of further enumeration we don't know that we might not have the netcat binary installed in the container, but for the sake of argument we'll assume we know that. So...
E: Cool. Whilst you're doing that, James, I'll just mention as well that if you've done our CTF challenges before, we usually just jump straight into a shell, and so this time around we wanted you to have to do it this way, to say, well, we haven't given you credentials to start with. In the next couple of scenarios you've got credentials, but we're just trying to show you this is how it can start. So if you're always wondering, well, as an attacker, does someone send me credentials? It isn't the case.
J: So I'm now going to start enumerating around the cluster to see what kind of container this is, see what's available to us. So...
E: Being British, I'd wipe my feet first and take my shoes off before I go into someone else's pod. So one of our favorites is amicontained by Jessie Frazelle. If you can get that running, it shows you a lot of what you can do from that point. So big shout out to Jessie, as ever. I'm pretty much just saying what Andy would say anyway.

F: Sorry, so what that is, is it's going...
E: I was just going to save the searching on IMDb quickly. I was just going to mention the other characters that were potentially missing, unless there are any big Inside Out fans on this, but we've got Sadness and Joy missing from these emotions.
H: Someone in chat says find or add kubectl, see if there's a service account token, and run secrets.

J: Well, we can always come back to the old emotional status at another point.

J: Okay, well, I suggest we maybe follow what Joe was saying and have a look at kubectl.

J: Oh, I need the redirects there.
J: See, we can't get secrets. So we could, if we had a little more time, maybe download something like rakkess, which is a krew plugin, but it was just a standalone binary beforehand, which would allow us to enumerate through the API calls that we were allowed to run and which ones we weren't.

K: It looks familiar.

J: As mentioned, there's another couple of character emotions in the movie. Remind me what those are, please.

E: I don't know. And you need to see the movie; it's a great movie. Sadness.

J: Cool, so what I'm going to do is...
So
I
believe
it'll
kill
our
connection
for
us,
but,
as
is
the
as
the
demo
gods
appear
to
be
against
us,
perhaps
we
will
have
to
force
it.
F
J
J
Which
so
we're
waiting
on
waiting
on
kubernetes,
scheduler
and
controller?
At
this
stage.
I: It's all good, Eureka is best, yeah. Blog fool has pointed out that they reverse engineered the status.php page to identify what these things were, which is a great shout out. And there's a question: do pods have a concept of hostname or bash history? Well, yes, if they're baked in, if somebody's gone and done something dynamic at build time, but once the pod restarts, then no, that's ephemeral and it's lost.
J: Yes, so the Docker CLI is installed. Equally, you could curl it from somewhere, given this pod has internet access.

F: Just a reference, for anybody who's interested: BOtB, the static Go binary tool, can interface with the Docker socket too and do a bunch of these breakouts. So if you didn't want a full Docker binary to interface with it, you could use BOtB. Okay.
C: So, unfortunately, I've got bad news, because this has been awesome and I know all our viewers are really enjoying it too, but we do have to wrap up. So lots more to be learned, obviously. James, thank you for running through this.

C: And thank you, everybody, for all the great suggestions, the ideas. And it's cool too, to see, you know, in the CTF how maybe there's different ways to go about finding some of the same information, same as when you're pen testing something like this, or trying to find those volumes in your own environment. So, but yeah, unfortunately we gotta wrap up. So thank you, everybody: Mark, Lewis, Anders, Ali, James, Andy, Gabby.