From YouTube: CNCF SIG Security 2020-01-29

A: Everybody should add yourself in the attendance in the notes, or shout out if you can't access a computer right now and would love to. I'm facilitating the meeting and would love, because I think I forgot to line up a facilitator for this week, I would love to have help with scribes, if somebody could volunteer.

A: And we'll just spend a few minutes for people to be, and then also feel free to, this is a working session. So that means, if anybody's new, what we do is we'll add ourselves to the agenda and the meeting notes, and if you have something that might be of interest to the group, add a note, and we do a sort of intros/update sort of stand-up, and also, if you are in a role in the group or leading a project.

A: Put that, add that note so that new people or people who are newer to the group know who you are, and we'll do just sort of quick intros of people with updates and people with roles, and then four: we have some folks from the Kubernetes working group, security audit, who put something on the agenda, and then I also have some KubeCon updates.

A: I have, we have, I'll give those when we have them, about the session, and you know also, this is a good time to talk about stuff that we might want to do there. I heard a bunch of ideas last KubeCon, so I'd like to kind of chat about the things that I've heard and see if people have enthusiasm to do various things.

A: And you officially, and also I'm asking people to, I think we did an edit to governance a while back that if you accept a role, you are responsible for having reviewed the governance and the details and responsibilities of being a member and being the person in your role. So Robert, I'm gonna just start with you and require you to have some assertion that you've read the stuff in the governance, because Lucy and I want to just, there is a lot of important detail in there and I just wanna.

A: Actually, I won't take the time to screen share, but in the readme, I refactored it a couple weeks ago so that it has roles in a section. So we did this basically because we were trying to, when we were sorting out the priorities for the security assessments, because they're prioritized, some because the TOC can, like, we're giving them the authority to intervene and reprioritize. Even though that doesn't happen that often, we needed to specify the different roles.

A: So basically for the working groups we have, or the different ongoing projects, we have a project lead or, you know, working group leads, and then we have a chair who's responsible. And so the chair acts as, if the TOC is ever like, hey, we want information or we're concerned about this particular subgroup or work stream, then there's a specific chair who's responsible for, like, knowing what's going on and being able to communicate, and vice versa.

A: So Robert, just, like, add yourself to the meeting notes and then assert that you've read the governance roles, and when you're reading it, if you're like, this isn't, it's totally not clear what my responsibilities are as one of the leads of a project, then that's a good time, yeah. Absolutely, you can open an issue.

A: You don't have to actually resolve the problem before we, 'cause you're already acting as lead. I mean, we're still a little bit in the bootstrapping process, so people, you know, the policy group has been going on for a really long time, but we're kind of formalizing it and writing up the, you know, like, the governance of it after the fact, so it could be a little light on the process. Great.

A: So I will just kick off our agenda with Craig, I'm talking about the Kubernetes working group. First, security audits, yeah.

E: Yeah, they handle triage of incoming, like, security vulnerability reports and things like that, and then release. Joel from our group is a member of it, and it sounds like maybe we have some other members on the team, but so they can probably explain it better. But essentially, you know, managing and triaging vulnerabilities related to Kubernetes. And so we went through the whole process of a request for proposals from vendors, evaluating those, and setting the criteria for what we wanted

E: the audit to accomplish, and then having this big audit and threat model done for Kubernetes; that was released at the end of last year. We are ramping up to start another assessment, and after KubeCon and a lot of, like, press and articles about it, there's been more interest in our working group.

E: Other than, you know, contracts and things like that with vendors, but with the additional interest in our working group and what we're doing, just looking for some guidance and advice on, you know, what you all have seen that works, how we can be more open about what we're working on, if anyone else is interested in helping out with this round of creating a new proposal, getting a new assessment going and things like that. Basically.

A: Well, thank you. We're working hard to make it so everybody is able to act autonomously and communicate, so yeah. So first, one thing that I'm not sure that you've heard about, or maybe not even everybody in this group has heard about, but we sort of switched up the process in the last, I.

A: You know, like, there are people who do security audits in their day job and they don't particularly need to be doing it as a volunteer in this group, and the real value of having the diverse experts that we have in this group is being able to kind of have an outside look at the project and understanding, like, sort of: what's it supposed to be doing anyhow, right, and what is the threat model and how does that fit in with other projects?

A: And, you know, kind of trying to tease out the ecosystem from a security perspective, and so we're envisioning this thing that, you know, like, we're bootstrapping, so things have happened out of order in the past, but as we went through the audit process last year, sorry, in process last year, what we realized is that the majority of the documentation, or like half of it, I would say, is: what is this thing anyhow?

A: What's it supposed to be? And a lot of what we end up adding value in is helping a project see where its bounds are, or communicate where its bounds are, because what we find is that a project will be like, well, of course we're not doing that, but looking at it from the outside, that's not at all clear. And so anyhow.

A: I just wanted to mention that, and like, I think it would be exciting if you wanted to go through the assessment process, because now that you've done a lot of the pre-work, and it would be the first product like Kubernetes; it's a many-part project, and we may be getting a little bit of that with SPIFFE/SPIRE, because it's a spec and an implementation, right. That's sort of a mini project with different things in it, and in-toto was kind of like that, a mini project with different things in it.

A: Because it's got, you know, different sub-projects, but Kubernetes is a really big project with many things in it, and I'm, you know, I'd be curious about that, but first I want to give Justin Cappos the floor. You know, like, chime in, because Justin Cappos facilitates our security assessments and actually was doing this before we were, yeah, before we were, and brought kind of his experience as a TOC contributor doing audits slash assessments, you know, and that really is what informed our process and kind of kicked this thing off. So, Justin.

D: Sure, I'm not sure exactly where the best place to start is. I mean, I can talk about some of the history of that and some of the things you've done with, like, the SPIFFE/SPIRE assessments and the way that we set things up, and these are different. But I'd also like to kind of hear from you about what you'd like us to discuss and talk in more detail about. How can the things that I say be most useful to you? Well.

D: Mostly, it will fit. One thing that we haven't done that much in the assessments we've done so far, that we did do in the SPIFFE/SPIRE assessment, that you probably want to borrow, is dealing with basically failures or attacks or things that have multiple components inside of them and have an attacker that can sort of move.

D: You know, like, move between components because they get access to one thing. So rather than sort of thinking about, you know, individual points in a system as being separately compromisable and separately vulnerable and providing separate security guarantees, thinking about what happens when somebody gets into place A and how they can use that to then move and compromise B, C, D, E, because, obviously, in any type of distributed system like that, like, you know, Kubernetes, it's much more of that type of thing than some of the things that we've been doing.

H: I was gonna go, yeah, I caught that. With Jay and Joel on the line also, we just kind of brought everybody, apologies, chime in if they have something to say. What is, in the vernacular of this group, what is the difference between an audit and an assessment? 'Cause a lot of times we use them interchangeably, yeah.

D: Sorry, so an audit is something that's typically going to look at source code and look for very specific vulnerabilities at, like, quite a deep level. An assessment is trying to understand sort of the design of the system and the components and the way that they work together, and it looks more at sort of modeling and understanding things at a higher level.

D: So you often won't look directly at source code in an assessment. An audit will catch something like, here's a buffer overflow; an assessment will do things like point out, hey, you know, if somebody breaks into thing X that you didn't think was important, there's a big problem, or did you realize that, you know, you're going to be leaking all this sensitive information into logs, and the typical way you set it up is you put these in some public forum?

H: See, that's interesting, okay, so I think maybe we might need to back up a few steps and explain what it is we've been doing, what we intend to be doing and how we would, well, what kind of help we think we might need. So the four of us who have joined you today have backgrounds in Kubernetes and security, and we were asked to help facilitate getting a third party to come in and perform an audit on it.

H: But in our case we actually asked them to perform an audit and an assessment, in your vernacular, because we thought both were really important to the security of the project, and we did. We finished that whole ordeal, so we ran a comprehensive assessment and a comprehensive, well, that's maybe the wrong word, an in-depth assessment, an in-depth audit of Kubernetes, and got the results back, and those are publicly available, and I think that they would be an enlightening read. We've.

D: Yeah, and the assessment process would definitely spend more time thinking and reasoning about that, and would be something that is more appropriate for you folks, like folks in your community, to basically go and help to guide with, because you may also understand things about how the, you know, like, basically how the system is, you know, like, how it's deployed and ways in which people are using it and stuff like that, that might be hard for them to.

D: I will also say from my experience, although I'm not saying that it's true of the situation you had, you seem to have a good team go through and do, like, the assessment/audit as I guess we would call it in our vernacular, but I have seen quite a few firms that are quite good at doing audits but are not very good at doing assessments, because the skill sets are not the same.

D: You know, being able to find, kind of like, buffer overflows in code does not necessarily mean you've really taken the time to understand how the software gets used in practice and whether, you know, there's some UI thing that's going to just confuse users and make them default into insecure configurations really often, or all the other weird stuff that just comes up, yeah.

H: Philosophically I think we're in a, which is why we asked them to build a threat model, that was the motivation behind it, as well as the rapid risk assessments. So maybe, I don't think I understand fully what it looks like for a project like Kubernetes to go through your assessment process, like, what do we assume, that we have to dedicate some energy into helping that happen, and then I assume there's value that occurs? I don't really know what that is.

A: It would be kind of sucky not to have Kubernetes in that list once we have more than a few, and so I think that would be high-value to have. Like, that's a big, we're anticipating that's a key value that is sort of independent of the work that the security experts do in the community here, right. And then I think there's, and so, like, that's like a, like. So then the other thing that I think we get out of SIG Security that the paid service is not in a position to do.

A: That says, here are things that you can use for this thing, that we don't do, and out of that came, you know, when we did work with in-toto, and, you know, Santiago was very clear that, like, this doesn't mean there are no vulnerabilities in your supply chain if you use in-toto; there's a place that it begins and a place that it stops, and so that led to his contributing the catalog, the list of supply chain compromises that he had collected, and we're.

A: We have a little sub-team working on categorizing that to help the community understand that, right. So in that case it was, like, a piece of documentation that came out of it, right, that was bigger in scope than in-toto, right, and so similarly there might be some edge of Kubernetes, right, where everybody inside Kubernetes is like, well, of course we don't do that, mm-hmm. Yet what I'm hearing in the community is people new to our community, our bigger community.

D: So in general, what we tried to do is just try to encourage, there's a lot of people that I think want to be involved in security and want to help out, but maybe aren't that confident, like, they feel like they've done a little bit and so on, and then there's some people that have been doing this for a long period of time and feel very comfortable.

D: The next generation of people who are going to lead the next set of security audits, and I don't know the actual numbers, but there's something like four or five people per security assessment that we're doing tends to be quite typical, of which I'd say, you know, maybe one, two of them are people that, you know, didn't necessarily view themselves as comfortable going in and being sort of an equal member, but I think rapidly kind of get up to that level, and we try to be supportive and encouraging about things.

D: Working with the project has also been really key, trying to give them good feedback, trying to have the process they go through where they provide this self-assessment. We iterate back and forth with them quite a bit to make sure that this is as clear as possible, and one of the other things we are trying to do is, because the documentation we want to provide is supposed to be useful to lots of people, really anybody who's contributing security, a level of security background.

D: You know, the documentation to be cleaner when everybody's talking about, oh, we have this agent and this and that, and it's like, well, what does your agent really mean? What does it really do? Is it, you know, like? How does, you know, what does that mean to people that haven't been steeped in your knowledge, yeah, and so that's a big part of it and, of course, maybe Sarah or others want to say more about. You know, she's been great, and others on the committee, bringing people in and making this a friendly place. So.

H: I'm gonna drop. Thank you guys so much. I'll take it with foregrip when we're done, I'll probably come back, say hello again, great.

A: You know. We have an open issue with the conflict. You know, like, I worked to write everything down and then, when we actually need to use that, or like, this doesn't make sense, this is ambiguous, right. You have to practice, you know, people using these guidelines, right, for it to actually work, but then that means that it's like people who were around or what, like, there's always a smooth path for people to step up and do something which then allows, and we kind of have.

A: We have this philosophy that, you know, there's certain things that the TOC prioritizes, right, and those of us in tuned roles like the chairs were like, okay, if the TOC asks us to do something we'll do it, they might have to prioritize things in a queue, but, you know, we serve at the pleasure of the TOC, but everybody else in the group is here for their own reasons.

A: You know, it's not, you know, like, and then so. If somebody feels that something is important and they have the time and we have the bandwidth to, like, coordinate it, then that gets prioritized, right. It's not that anything gets prioritized just because somebody wants to do it, because we want to have peer review, in a certain group bandwidth, and so I think that, like, the fact that people see things happening, that they raise their hand, they want to make something happen. And then, you know, after a while, we queue it up and it happens.

C: Did you want to, sorry, I keep unmuting on my phone, but not on the screen? That's just, I keep trying to talk and, but I'm put my own muting. So my own muting is stopping me from saying anything, yeah. So for me, Joel and I are the other two working group leads on the Kubernetes third party security audit group, and I think the biggest takeaway for me here is, wow, I've got a lot to read. I don't think, I can't wait to read. I can't wait to read.

C: You know, more like, I started to read the SPIFFE/SPIRE self-assessment doc during this call, like, as Sarah, it's just been really awesome for you to paste all these links in, and so yeah, I just want to read and understand more about what the CNCF SIG Security, you know, security assessment is, you know, kind of like, and understand the gaps, like, where are places where our threat model did more than you do, where?

C: Where are the many places, potentially, where our threat model did a lot less than what you do, and can we, you know, and that'll give us a, part of the reason for that gap analysis is, if we know the places where the threat model, you know, may have fallen short of the assessment model you guys do, then we can take all the volunteers.

C: You know, and take all the signal, all the working group members we got at KubeCon, and ask them to help us fill in, you know, and ask us to fill in, you know, the last year's worth of effort, to at least have it so that our first, you know, our first go-around, we're doing this, you know, we're doing this cyclically, is, you know, more complete then, because that sounds, it sounds great.

C: Would there be one that you guys think, like, if we were to read SPIFFE/SPIRE? So it's like, if we were to take, like, a kind of reading list, it seems like SPIFFE/SPIRE's on the list. The, you know, the overarching, you know, this is what, you know, this is what we're doing, as well. You know, this is what we call each of these things, but is there, is there a second?

D: Obviously, but it's not going to be identical, whereas the SPIFFE/SPIRE one was sort of, they'd done some extra work in some areas, and maybe there were a few things they didn't quite need to do. For this, like, only later did we add some of the discussion about how is your software actually built and who reviews things and stuff like that?

D: Where that wasn't part of the examination, you know, I didn't look at how they built SPIFFE/SPIRE, like, to, you know, the spy report they were using as part of it, that initial pre-assessment thing, but that sort of got the, SPIFFE/SPIRE is, I think, the most exhaustive one that we've had due to the fact that they've had sort of both these processes happen, but something like the in-toto assessment, which I can post a link to in a minute, would be, I think, more representative.

A: So I want to leave a little time to talk about KubeCon, and I just wanted to, maybe we can have a point person who would be interested in following up. I think that there was a Kubernetes threat model that was presented last week from the financial user security group, and we had sort of, like, well, that's not really particular about finance, and we were thinking about, you know, like, should we move it? We should at least refer to it from our repo and maybe move it, and then, like.

A: If there is, if you have volunteers who are enthusiastic and either knowledgeable about Kubernetes or wanting to learn about it, there are some ideas about, you know, like, presenting it in different ways, you know, maybe experimenting with different parts of the tree. So if you have interest, maybe I can follow up offline with one of you.

A: They did a, like, attack tree, and all right, it's very, it's really nice and it's nicely presented, and I think the format is cool, like a Bruce Schneier paper, and we had some discussion, like, alternate ways to present, you know, in terms of, you know, what's a link and what's a node, that Justin Cappos brought up, and I've been meaning to, like, write up an issue for, like, hey, maybe somebody, you know, wants to do that, and so, if I wrote up an issue, like, if you know, like, maybe you wanted.

A: So now, thank you very much for coming in and talking, and if anybody from the group has, I wanted to give time for other people to chime in; please mention things in chat, and then we all circle back async if needed, and, you know, work together, and you'll hear more about this. But I wanted to just, for a few minutes, chat about KubeCon. We normally, at KubeCon, the SIG has an intro and a deep dive session. The EU venue is more space constrained, and KubeCon.

A: Where do we meet, and we're like, we'll meet by the puppies, and it's like async via Slack, but not everybody's on Slack, so I was thinking of having, like, figuring out, like, I'm sure we can get someplace with a sign that we know ahead of time, that at least has, like, some places to sit down, or a table, so that we could.

A: You know, at minimum, have us chairs, you know, there, but, like, maybe we could, like, basically have, like, office hours for security, or a place just for us to meet each other, and I wanted to just see if people had thoughts, ideas, like, this is the time that if you want something from SIG Security at KubeCon, they were very influenceable, and then the other thing about that.

I: No, I've requested that, so I'll try Minh here. I want to be able to give everybody everything they want, but it has been noted, EU is really, really space constrained. What I think we can probably do is definitely get, like, a meeting place sign set up. I am not sure if we've got the space to be able to have the SIGs also included in being able to have the app and in the project pavilion, yeah.

A: So I'm not saying that it has to be any space that isn't already planned. It's just that we pick one of the many meeting areas to put a sign, ideally that we would know ahead of time, so that it can be, because not everybody is, like. Oh, it's hard sometimes to communicate to new people, you know, so that's, it's really just, like, picking a spot and a sign, and making a sign and having a sign. Amy.

A: I know, like, I think that the actual venue is flexible, but what I wanted to get feedback from the group, and thanks to Amy for chiming in, because I'd heard that, but I think everybody needs to hear where we know we are in the process of preparing for KubeCon. So, appreciate that. But one, hear from the group, like, you know, whether people would be interested in, like, participating in office hours, or you just think it's a good idea, I wish it had been there when you were new, or you don't care.

I: Okay, that wasn't nearly as bad as I thought it was going to be, as I look at a draft of the schedule. I will review to be able to see if there's, like, obvious conflicts like that.

B: Yeah, I think, I mean, I think it's a good idea to have somewhere that we happen at. I mean, there's enough, because enough people involved in security, I think it's actually, I don't know again. I just know we didn't ask for a booth or anything fiduciary, just because there's not enough people to be able to.

A: Great, so yeah, we'll see if we can set that up, and we'll, you know, loop in as we figure stuff out. I don't have Dan still here, I didn't introduce.

A: So there was one more thing about KubeCon that I have now spaced, so I think that, oh, I was going to mention the TOC. So those of you who don't know, the TOC is having elections right now. We have a board of folks who are being nominated for the open positions on the TOC, and the TOC is kind of paused in its voting while it's onboarding new members. We have identified some folks who have agreed to be nominated as tech leads, who have been very active in this group.

A: So we nominated Justin, Emily Fox and Brandon Lum, and I have, like, little, I wanted to get a "yes, I agree to be nominated" from each one of those before I communicate it to the group, so yeah. So we're sort of figuring out the process as we go, and I have some PRs out on the TOC repo to try to clarify this thing.

A: So I just wanted to mention that that's going on too, and then so we're going to nominate them and then they'll be voted on by the new TOC when it's appointed, and that will probably all happen async, so, and then we're anticipating that that will, over time, have a larger group of tech leads, but we want to start with.

A: Experts who could do, like, a deep dive on a project and are, like, kind of, you know, sort of deep in the, I mean, topic matter. I mean, of course the chairs would be knowledgeable about it, and so we wrote in our governance that as soon as we had two tech leads, then the chairs can, you know, sort of act as more like, step back into that facilitation role. So I still have to, like, sort of, I caught some things where our governance isn't aligned.

A: But now we are out of our bootstrapping mode, or we will be as soon as we actually appoint tech leads, and then we'll be sort of disambiguating the chair from the tech lead role, and in the future you could have a chair that is a tech lead, so that in June, Dan Shaw's term expires, so that we can have staggered terms, and then we could have somebody who is.

A: You know, like, maybe more familiar with the security landscape from a business perspective, who wouldn't be somebody who could also be a security reviewer or something like that, right. It just sort of expands the set of people that we could potentially have as a chair, and it aligns with what the TOC decided to do with the SIG roles. So I kind of wanted to make everybody aware that that's going on in slow motion, and open the floor, if you have quick, Amy knows more about the TOC process.