From YouTube: CNCF SIG-Security Meeting - 2019-07-10
A
Aaron, thanks for donating your issue, you picked up. Lakshmi actually, could you but the issue chimed in on an issue I think I wanted to raise. Everybody is what's that you yeah.
B
A
You would dig it up and yeah Lincoln I love the idea. I saw it on my phone when I was in the Muni this morning, so I didn't have a chance to chime back in, but it looks great for me, so, so at minimum we have a special guest coming at 10:30. So we may have not have time for to discuss all the open things, but I want to at least raise it for people to chime in on, to give people a heads up that I would love to have people's feedback, yeah.
A
We have anybody who somebody is volunteering and I will send the link again because you don't get to see chat history and I was, and so that is I just sent the link to everyone. So thank you Robert, now you can start your check-in and I will and ask and take notes, yay. So we have a couple of scribes, which is fabulous.
D
A
F
Yeah, we did our TOC presentation for in-toto there. Because, I think, of the time frame, there was basically no discussion of what the TOC thought about the assessment itself for the process, which was not the way I was hoping that would go. I hope there will be a broader discussion at some point and part of what they're supposed to do is, is there were some grumbling and complaints about how things were picked or who we picked or whatever else.
F
So there are a bunch of people warmed up, but we can either just pick somebody and move ahead or let them a at us later, or we can go and ask them to tell us who they think we should do, and then they can fight amongst themselves for now and then come up, come to us with an answer. I pray to the left.
E
E
A
A
How do we organize ourselves with our TOC liaisons, because we've been doing it by a, you know, Slack conversations with Liz and Joe, because they've been like in the loop, we've been checking in, but we haven't heard that like meeting of minds, and so I think that that will take some time, maybe as long as it will take to do a security on it. Yeah, so like, let's just move forward with what we've been doing, like pick something and go, and then in parallel we will formalize the process of prioritizing.
E
A
Let's put that on the agenda for next week for we'll do a discussion. I mean, feel free to like keep moving forward on the issue, but I think we want to do the discussion of the supply chain proposal, just so everybody has a chance to hear kind of about it, and I think we have some volunteers and there's nothing, yeah.
G
Yeah, so just in an effort to get started, did a quick PR for changes to the Identity and Access Management section of the landscape doc, hoping to try and address folks' concerns about differentiating between systems that support and manage those things versus like embedded libraries that are going to be in every single application. So Robert, from your update, it sounds like there's some more fundamental questions about what the targeted point of the landscaping is. So I'll probably put my head into your issue and, and pull out and see.
A
So that's something that I'm learning about, if anybody, just in my non-SIG Security world, but if anybody actually app knows stuff about security on IoT devices, that would love offline DMs, and maybe we can, I know, I haven't heard that it's a priority for the group. But if we decide that that's a cloud native thing, then we could maybe bring some of that knowledge to the group.
H
A
I
Right, so I missed the last couple of ones, trouble and other things. Trying to focus on the microsite now and I think me to make a decision at some point in time, because we keep going back and forth in terms of should we continue down that route that we initially had with, who whatever or something else, so you know, I'd like to get that stuff out at some point. I'm, you know, if it's minimum, then we can iterate. But you know, getting it out is my iceberg. Yeah.
A
I would love to have like an offline discussion about it. If you want to pick a time that we both can make it and remote colleague, whose name I've forgotten, and we could just like find a time that three of us can make it and then we could just put it out to the group if anybody else wants to join in, just so that we can have a live conversation, focus on that. I go back to these. The.
I
A
B
So that was the whole purpose and then added some simple things like, first of all, their advice to join the Slack group and introduce themselves and then join the meeting, go through the repo and keep an eye out for the Help Wanted labels and issues, and then I also added one new thing. I don't know how, how you all like it, but I just, since we were just suggesting, I just said every new member could be assigned a buddy, preferably in the same time zone.
B
A
I personally love that idea, but I think we would need a critical mass of buddies to be willing to kick it off. So I wanted to put a call out, but if anybody could its interest would be willing to be a buddy or just as interested in this new member onboarding thing, if you could chime in on the issue. If we have, you know, at least four or five buddies across a couple of time zones, then I think we could kick it off that way, as long as there aren't any big objections.
J
A
I would love to hear more about that if you are, when you're ready to cue that to up for a discussion, presentation, whatever format makes sense to you, just you know, DM me or add it to a future meeting. I think of that something that you know likes. It has come up many times in conversation. It would be, yeah.
K
I missed a couple of meetings last meeting, so maybe out of sync a little bit. I was looking at some of the edge security thing. I think I mentioned a few weeks back how that plays wrong to this CNCF based security as well. So don't have much to report on that one, but seems like it's quite relevant, no matter how you look at it, whether CNCF does it or there is a separate group, College Enix foundation.
K
Yeah, that would be great because I think it's, it's not wise to completely ignore that, because edge is playing a big role, big and bigger role. I think in the upcoming days, we'll be seeing a lot more. So much of the computing is kind of shifting different directions, as it happens usually in any of the evolving technologies, so I think somewhere we need to have a
E
L
Here, so we are supposed to be having a walk sure the unconference shortly. We've got, we're kind of at a decision point and I updated the ticket, which was in last week's meeting notes, regarding where we stand with the SIG Security day. It's the issue 209 and the follow-up comment. So after we get the discussion about unconference going, if anybody has a preference one way or another, formal or informal, please go ahead and comment in the ticket. It will at least give us a better idea of what the community is looking to have.
A
A
A
We will have her talk about open space, have questions from the group and then anybody's welcome to stay, but not obliged to. From 11 to 11:30 we'll have the subgroup working on security day kind of figure out, like talk more about that format, will come up with something, so understand that not everybody had to allocate at that time, but feel free to stay on if you want or drop off it, I love it.
A
So, so in the next ten minutes, I love to, if Christian, you're willing to do this without visuals, I can bring up this issue and I think it's a, we can have a relatively short discussion, but this has been kind of in the queue for a while and would love to, for you to just kick it off and talk a little bit about this concept. Yeah.
I
M
We, that we talked about in, in the persona that we have so far, and these are administrators of a particular type of policy, but what these personal implementers really have to do is they need to have a kind of holistic view of the existing policies and think about how to combine that. So, typically, you need to have some notion of there needs to be a networking boundary that needs to be established.
M
You need to, you want to somehow make sure that people don't expose services they implement accidentally to the internet without going through some form of a firewall rights or service that get exposed to the Internet, and it will need to be reviewed. Typically, there is a notion of making sure that if you have access policies that you don't accidentally put, somebody proposed a key of your organization into the access policy.
M
So what are the controls for that and various things like that, and I think when I spoke about this a couple of weeks ago, there was somebody else that said that they, yes, they are basically a platform implemented. I believe we probably have on our platform, implement us on the call. Someone is old enough for discussions of what are the expectations of the platform implementers. Is that something that is worthwhile to look at?
I
G
M
M
Organization are more constrained than what the, the cloud provider offers and I suspect that their business logic then gets reviewed by a security review review, all right. So the security review are worse in collaboration with these platform implementers to make sure that you cannot violate the security policies of an organization.
M
G
The, there's sort of two or three versions of this and I guess to speak to, to speak to not, not Google, but right. If what we're looking for is something like what AWS put out in terms of the security adoption framework where they say: here's the core things you need to know about logging, here are the core things you need to know about network configuration. So that's like one approach. Another thought would be to structure it by the most common
G
There's a couple of those, like what would tend to happen is the security team would say like, here are the top things we're worried about, and then platform and sort of have to figure out how to implement them, but then security needed a checklist to verify against. So, so those are the, you kind of need, it kind of ends up being used by both players.
A
best.
G
A
So I'll just speak as a participant here, like I've been involved in like SaaS for like be creating tools that are designed as a SaaS API, right, and then sometimes you end up with situations where, if it's on top of a platform, a public cloud platform, then sometimes you don't have the controls. You can implement anything you want, but you can't give those controls to your customer. So that's the thing that I see sometimes, the, you know, like if you're using somebody else's APIs, right.
J
This comes down to implementing secure defaults into the platform, any services that's doing before and in fact with sending that out group. So it's not so much coding. It's just mutilating the same API we get from Amazon, you just implementing base level of security for application developers to use.
M
Yes, security force is certainly one aspect of it, but it's also sometimes that you need to make sure, I guess securely files addresses that mostly, so I don't think you need to make sure that multiple policies don't interact in a, not in a surprising way, but sometimes you may have the expectation that something is secure, but there's some other policy and it's not set up correctly. But you know, security force would address as well.
A
Right, or like something like, I mean, there's always workarounds. You can always write code that does this, but I think, like you know, the platform will have the, like, generate an access key that you have to do in the UI or on the commit some way that you have to do with your superpowers, right, and it's then, if you want to provide a key to your customer, you have to be like, oh now I have to build a whole subsystem.
A
That is exactly what the underlying platform has, except that I can't build a multi-tenant API on top of their thing. So that's what you can say, it's like, you know, it's, it's, it's a need, right, but of course you can serve your only, it's just computing storage under the hood after all, right, but those are some of those things where like, well, you know, it's sort of like, well, you can do anything as long as every customer gets its own instance of Kubernetes, like maybe you don't want to do that.
M
And so what are the aspect of the underlying system? Not, not even the cloud provider, obviously we don't have control over that, but in the CNCF we could, we could help make that easier, right. So there are some not missing to allow you to expose something so that you maybe have to reinvent the wheel that it's already, you know, perfectly working in the context.
B
The, I have built APIs doctrine and cover design and Google Florida gentle, and usually, when I been a build an API and give it out to users who consume it, the only thing I give them is a service account to access to eiope I have a permissions, so I was wondering if there are any minimum, minimal things, minimal permissions people would need to consume those APIs or services.
A
M
A
I
A
Probably is addressing this kind of a need and I think like up level a bit and be like, as cloud native security, what are the things that are the, like, what's the use case that is implemented by some of these things, or maybe is missing, and everybody's, you know, a lot of the things in the security space where we're finding a lot of the projects are replacing something that everybody is just writing custom coding scripts to do, right, and so that's kind of this exciting, emerging cloud native security.
A
Yeah, actually, if we can add a, a going to ask on what we usually do, is put a thing in the notes, so that, if anybody's on the call you can chime in in the notes of the chat, and so people can know each other, which we have at least a few people, then usually we put up an issue and somebody volunteers to create a meeting space and anybody else going on. I
A
A
A
Just heard from Julia that she's on her way, I will give a little bit of an introduction to this. I'm here, you're here, yeah, I will give them a part of the introduction. You can get the rest of the introduction, so I know Kalia, because I attended this conference called she that she's doing ages ago, because they were, they were apparently fewer of us.
N
So here is like that's great of a typical conference, right, like we pre-planned everything. We know where it's all going to happen, and you end up with this dynamic, where you have like the boring panel and the hallway refugees thing like we're on here, and then you have the cocktail party, and so we end up with this
N
like sort of in these two extremes, and I'd like to talk about unconference methods as being more, more less organized than talk heads on a panel and more organized than a cocktail party, so it's a whole range of methods for supporting interactions between people that fits in between these two extremes and therefore has some benefits to a sort of richness and aliveness that events can use. So the method I use most, and I will walk through, is open space technology, but there's many, there's other things as well.
N
So with open space technology, you have an open and a closing circle. This is a circle from the Internet Identity Workshop that I need, and in the middle you have agenda creation tools, and these are blank pieces of paper and markers. And what folks do is they coming into the middle and they're invited to name topics that they would like to share a presentation about, a burning topic that they want to discuss with peers, a problem that they're trying to solve.
N
The other thing is this looseness. Not, it's not so much looseness on time, like there is a time and space orientation, but you also want to help people go with the flow in terms of not, not it's different, and this is other. The law of two feet, motion and responsibility. If you're not learning or contributing, it's your responsibility to respectfully get up and find somewhere that you will, so this is also what I was talking about.
N
The energy thing about people not getting stuck, and the butterfly and the bumblebee represents people moving between sessions and I'm, not feeling like they have to go to session. So this is when I lead open space. I have everybody announce their set proposed topic in the circle, while they're still sitting down, so that all the men need to listen to each other instead of running at the wall to get it on the wall. Once everybody's announced their sessions, they get placed on the wall in a time and space, this user manage access
N
one is in space I from twelve to one and that room has a projector. This is what the wall looks like as people are kind of creating it, and then this is without people in front of it, and the thing that is here, so then breakout sessions happen. So each one of those sessions is in a time in a place and people go off and do their thing. These are happy whiteboards from the session, so another key thing about open space technology is the support documentation.
N
So what happens in outcomes? Problems get explored, relationships are built. Problems can be explored to the depth they need. So one of the things that can happen is you can part one and two on the wall and keep going if you need to, because there is this flexibility of time and space, it's not over until it's over, right. Unlikely convergences occur, our creativity is unleashed and the community is made, so here's some other methods that I often work used with clients. This is the spectrogram where you're inviting people to
N
array themselves on a spectrum, and you interview them like Oprah about why they have their opinions about certain things. There's a fishbowl, sometimes I call that an unknown. A key feature of the Internet Identity Workshop and the events that I like to design is that people eat together. It really is a fundamental human thing and it's good to support community max or something that I often and before, when I work with clients support them, making, here's one that I got my Internet Identity Workshop to make
N
in an hour, it's got 400 post-its on it from 250 organizations that they participate in, and then speed geeking is another format that allows, it's really great in technical communities, for like demos, they're sort of like five-minute demos done and distributed tables around a room repeated over an hour, so that people go to different stations to see the demos that they want. Eating together again, here's the closing circle from cheeky, like Sarah, mentioned another one for my aw.
N
N
N
This is just a little bit more, not quite theoretical. It's how I think about the facilitation practice. So if we, if it's the shape of the, shape of the energy of the people that we're gathering together and the event is a torus, that typical, when you have a speaker at the front of the room or you have one facilitator
N
you're, you're holding the space for the energy in the center and everything's going through the person in the middle holding that space on that. For an unconference, what you're doing is you're holding the space for the what's gonna happen at the edge so that it's supporting more self-organizing, like there's these, there's the wall and there's the opening and the closing. But within it people are more creative. Everything isn't having to go through that, like central
N
bottleneck of control, so and then these are two cards from the group work stack, which is this pattern language for meetings that are gatherings that are really alive, and sort of at the core of these methods are hosting and on holding space. So those are my, so, so that's sort of like open space, but some other unconference methods, and, and when I work with clients, I, typically I work with them to support them
N
you know, they know who they are as an organization and they know what they want to do. But what are the goals that they have for the day, and then I typically work with them to support like a good design for the day and, and potentially facilitate the deadlines for the day, because open space is really easy.
A
So we have ten more minutes left for the bigger group and then we'll have a half an hour per small event organizing group, so I want to kind of open this opportunist like, especially for people who have not experienced this, like there are no dumb questions. If you have a question, probably somebody else is like, I don't want to ask this thing, like just ask some questions about like how does this work.
N
K
N
The term arose because people were organizing these events that were face to face, but didn't have pre-programmed, pre-programmed sessions, like pre-program like who's talking about where, what, in what room. So these break out of that mold, because they're less organized than that, they're supporting participant-driven, attendee-driven content created live the day that it happens.
N
So the other thing that we do for the Internet Identity Workshop is when people register to attend, we ask them what they think, what they want to present about, what they want to learn about and what questions that they had, and we put those up when we say these are what people answered when they registered, they may or may not happen, but at least you're seeing what people say they want to talk about.
N
N
You can use this for anyways, I've thought about how you could have mini unconferences inside 2000 person conferences and then you're sort of like being like, hey, all the people want to talk about X, show up in this room at this time and we'll do this unconference thing for three hours, but that's different and I, I definitely would not have like rooms that have themes. I mean, one of the things that's important about open space is that you have as much room. There is no voting things off the island either.
N
So when people name a thing, let them have a meeting, there isn't like, oh, only two people want that, so you can't hover. Hey, you make rooms that aren't exactly rooms, so you name spaces in hallways and you, you take your lunch room and you make tables spaces. So you work on having really expansive space, not just, just the three formal rooms, right. It's like the three formal rooms, and a lunch room and, like those little nooks over there, they're all potential meeting spaces and you the, the whoever comes are the right
N
people, is like those three people who want to talk about X are going to have the most amazing conversation that they could have that day and that's great, cuz that they may be so early that they're like two years later, that's like taking up everybody's time, but they saw it first and they had the space to connect, and you know, do their thing. So I hope that answers the question about well.
N
A
E
I'm just one side: I do like the open spaces for my Anna and I'm come first format and I think it given the KubeCon sometimes feels like a very structured thing in terms of the talks and I think, I think I would be in favor of having that kind of thing for a free event, but I think it would give it a more sort of my name
E
easier for people to get involved with format in a way that, that KubeCon feels quite an exclusive, sometimes, in terms of people not being able to get talks accepted, and things like that and, and it being quite hard to find ways to talk to people sometimes. And if you don't know them, and things are that.
M
I just wanted to say, my first unconference I was a little bit apprehensive. I had to organize a large conference and bike organizers suggested you should do an unconference and I was super nervous that it wouldn't work out right, but it was surprisingly well. It worked so well that, because we are all into conference, we're really the most important thing that we went to was the hallway track, right, and this is basically a whole session that is a well-organized hallway track and it is.
A
All right, so we will break the bigger SIG Security meeting and thanks everybody for participating in your questions, feel free to add questions in the notes if you have after questions and weekend or on Slack, and we can be, we're going to have kind of a discussion today about what's the unconference format and what would it be if we did that, and then we're going to circle round and be like, what are we actually going to do as a follow-on, so there'll be a little time for people to chime in.
A
O
A
A
L
P
P
A
Who is also experienced with organizing events from sistex, so we have like, we have like Emily, me, JJ, or actually like Emily, JJ, Michael, who are more technologists worrying about like what ways, the content that we want to have happen, right, and then we have some, a wealth of awesome experts who are going to help like make the thing happen with the logistics and all of those important things. Well, so Emily, I'm gonna pass it to you to like think about, well actually where's our issue, I'm
A
L
So the whole point of the day is to get everybody together and allow them the opportunity to have conversations that are vendor-agnostic, platform-agnostic and very much the open source and cloud native space, because right now there's a lot of vendor security days and they usually end up being tutorials about a vendor product about how to secure cloud native compute, and that's, there's more to security in the cloud like native landscape than just vendor products. There's other problems. There's data management problems.
L
There's a user identity problems, it's pretty extensive, so we had talked originally about doing a more formal forum for that. But we're not sure, I, Michael and I have had success individually in the past engaging in hallway tracks or other open-space-like conversations with people about security. That's how Netflix got feedback to do the bug bounty program for container isolation in containers.
L
It was actually from a hallway track, an open space opportunity that they engaged, and then we want to allow that kind of innovation and those conversations to occur, so where we're at right now is, if we do formal, the whole thing should kind of be formal and we're running out of time to do call for proposals. If we do informal, whole thing should be informal.
N
A
N
So I think that, so I, I'm not, so when I'm, this is great to have, okay, the goals for the day. Can you scroll up a little bit? No, I'm the GitHub one, yeah, there, right, so this is, you've already got, like this is really fantastic. Right, like this is the goal you have is to bring together as a community, like these are all, and you think, you've got potential topics, right, and you have even like impact.
N
This is fantastic, so I would say that you, that it would be good to move towards using open space technology to support those conversations. So I often, like when I, like I also will put different things at the beginning or the end or the middle, depending on what the goals and needs are, right, and I think that this were, this is where we're at with this conversation. I feel like I don't quite understand enough, but
N
N
One way that you can provide anchoring for people is to, to, to sell who's signed up to go already, right. So this is, this is the, it's, it's, it's mapping into the who's gonna speak question that people have, and you go, these people are participating, they're coming and they're probably gonna say interesting thing, because you know
N
you're gonna find out when and where they're going to say anything at Oak circles. So you better be there, right, like that's how you, you should take that kind of thing that the signaling people are looking for. You signal in a similar way, but you know, but, but the agenda gets created live. So that's where you, that's how this is different.
N
A
I think they, the challenge is, right, that there's definitely a no large number of people in this big security thing who have been to unconferences, or at least the hallway track at DockerCon, who are like, oh my god, I'm so excited about that thing, right, and then KubeCon, which I don't think you've been to, is very high production value, orchestrated, it's giant, right, like you don't even, it's hard to even find somebody else, like I've been like, oh, you are cute god.
A
How would you prime the people who are coming expecting for this highly orchestrated thing, right? They, they know that that's what they're going to get on Tuesday through Thursday, right, yes, and they either have a need for internet security, right, for gap, or they're like, or they're like a security expert, right, and they're like, hey, this is for me, I'd like to do this thing on Monday, but they never experience an unconference, right.
A
N
You don't call it, I mean you can call it whatever you want. I think the description you have already works. I have a bunch of language on my site that I work with clients, like often I get clients to write up what, how they think they should describe open space to their audience and then I make sure that they don't say inaccurate things.
A
Well, I guess they, the, the thing that I, like thinking of some of the people who ask me questions offline, yeah, this, they might be like, well, I'm not sure what I have to discuss so I'm not sure I will come, right. I'd like to have them realize that it's okay to just show up even in dark.
N
Right, so part of my, what I call them on, I have a blog on conference on that, and you know, one of the issues that we have had is that the folks who made BarCamp copied it from Foo Camp, who copied it from open space technology and then left out critical design elements and then forgot to attribute it, what they did, back to the source. So people could do to find the source and decide whether they've made a good copy of it.
N
So we had a been a telephone happen in the community, so I think one of the things is to emphasize the opening. Well, I mean it's hard because it's a Monday, so you want to emphasize the opening, but not to the extent that people whose flights arrive at 10:00 a.m. feel they can't go, like yes, show up. You can still stick.
N
This is already a great list of topics and I mean the IIW list is so long, but it's a learning to like, this question of what do you want to learn is put forward, so I think, I think you frame it as like creative and interactive and, like one of your people before said, is the structured hallway, like it's a really well-organized hallway track. That's like really good because they are not lost because people have these signalling mechanisms in with the wall of saying what they want to talk about and when and where.
N
L
So, basically, definitely like one of the successes that we had, but the DockerCon hallway tracks is that they had two to three coordinators actively working to organize where people meet at a specific time. Like that everybody what it like, let's say, 1:00 o'clock, all showed up at 1:00 meeting point, the coordinator said this space is free, go here, and like had that written down, like this discussion is happening over at this space, and made that available for anybody else that wanted to show up and have that conversation.
N
Like me, eat what I, like I was saying, like you're holding the space at the edge, so people go do what they need to in the middle and they're the ones who are empowered to, like with open space you can add a new session to the wall, right, and, and they're, also, hopefully, you can be in a space where there's like space flexibility, you can, according it out.
N
A
N
A
To 100 is our guess, right, so we're gonna, like I think, so, so we were gonna, we were thinking of like picking a hundred limit. Basically based on that, like probably the number of people who come to these meetings is around 50 and then we usually have like lots of people who, like might just come, right, who are part of our regular, right, calls and stuff. So.
A
N
N
So another I'm reading these notes and this prison a kick off versus not. I think that there's trade-offs in that I think if you have a charismatic person speak at the beginning, it also ends up like skewing everything and then people re-enter the speaker and not necessarily to what they want and I think with what you're talking about with this type of community.
A
Yeah I've also seen like spectrographs work well for that, like you know, and I was a presidential innovation fellow, we got together with all the agency people and we like they would ask a provocative question right then everybody would be like you know, like I mean everything from silly like you know, iPhone or Android to like serious ones like do you think technology can even help the government, it's like fascinating, cuz, really and then you'd ask people on the ends to kind of talk about why they gave those answers right and today that's.
N
A
A
P
A
N
N
Yeah I mean I would push for the biggest room you can get and the other thing is to you know, don't put tables in it, but just have chairs. So you put the number of people you have in the circle and then you would have like breakout spaces in my corner is kind of, and then you would have like sort of you would label the breakout spaces around the edge of the room.
N
I
P
N
A
N
A
L
I think the other questions that I have is some of the stuff that we talked about in the group was potentially having moderator and some of the larger conversations, because there there are topics that get a lot of attention and we're like. If, for whatever reason, I don't know, somebody polls decides to do a discussion or get an engagement on insiders, insider threat and organizations with access to your full cloud project. For instance, if you're in a juror and you've gotta system admin.
L
What are you doing to make sure that your system admin or your developer, that can commit code to your production environment whatever? How do you make sure that they have the least blast radius? So that's one of the topics that are proposed and there's a ton of people that are interested in it and it's a popular topic.
L
We had potentially tossed around the idea of having a moderator to ensure that the conversations one aren't overtaken by a vendor that they're staying on track and having that conversation and potentially taking notes for like things that were discussed, other items that were potentially brought up because the security group would like to be able to provide some of that content back out to the community in a cognitive fashioned link. They're coming to us.
L
N
Like if, if documentation is really important, you need to stop really, you know robust process. For that, you need to remind session. You need to have like basically a notes coordinator. You need to have you know pick, you know, define a method that will work well, publicize it well, push people during the event to do it, and then that and like bundled it all up into like a PDF.
N
A
N
That's that's one piece of it and that's like a whole sort of like little system within the event that you need to create. The other piece about moderator is that this, so if you knew that you wanted to host a section and you didn't want to be the moderator, then you could invite one of your friends or someone else to do it. The thing is that that open space is really self-regulating, who, in the sense that.
N
Like okay, so the people might name a conversation topic like in decider threats and you might have three or four different versions or two or three divisions of that on the wall. You don't go. There is no convergent process like I've seen this happen at some family design on conferences where they're like no. These things are the same.
N
Let's jam them together and then you know, like a super big session with too many people and like people are frustrated, because the topic that they put forward was slightly different than this other topic right and that you're, so that I would it's like you have a documentation process. You supported happening. If you really feel like there's people who want to call topics but don't want to be their facilitators, you maybe look you know like Sarah.
N
You little group of people always like if you want a facilitator person, I'll help you write like mine, but your community's pretty I mean my sense, that's sort of like you could do that, but I wouldn't worry about that. I think it's like the person who's calling the conversation is the cider of what they meant by the thing on the wall and the session can go the direction it's going and if people don't like it and they want to have their own version of the conversation, they put it on the wall and they do it.
L
So last question that I kind of have on it and I know we're running at a time was I had brought up previously about in a different call that some sessions that I've been to have operated under Chatham House rule. Is that something that should always happen at an unconference or is that something that, like it's recommended or is there a different way of doing it? It's.
N
A
Think that we wanted to there was some interest in creating a space of like I'm going to tell you about this hack that I experienced at my company right, where you don't necessarily want that documented, like people would have to that, have that pre-approved, you're like I'm gonna share how my company was attacked right so.
N
Like I'm gonna tell you about what happens sessions the person convening at those I'm only sharing this with you we're writing two sentences in the notes and or worse I'm checking 100% before the notes go somewhere public that strips out my identity and any identifying information. Companies like these are all things to think through and they're totally doable, because it's a really flexible format. But you can think about what you need to do to support people safely, sharing the things they want to share I.
A
L
A
I think I don't know what happened to JJ. He must have been called out because I know he was then to come for the second half, but I think he's had experience at these kinds of conferences before so so then we're gonna is gonna schedule the next meeting, where we're gonna be like actually and then, and then we can let you know if we have other questions or if we can, we decide who it's gonna be any conference thing. As we're kind of you know, it seems like we're leaning towards whether.
I
A
C
N
N
Like Sarah or you can hire me or you could find an open space, I am leaning, I don't know, I'm a I'm a special person, because I came from facilitator land and into technology like I can bridge the two, whereas some facilitator people facilitate people and they did too many rainbows and flowers. Nerdy guys get frustrated so anyways anyway. You'll do very alright thanks, bye. Thank you.