►
From YouTube: KBE Insider (Ep 3): Luke Hinds
Description
We talk to Luke Hinds, Security Lead for Office of CTO, Red Hat, about his work on the Kubernetes Security Response Team (CNCF), Sigstore, and the Kubernetes Hackerone Bug Bounty program. Sigstore was the topic of a recent Wired story. Luke is involved in many other projects and hobbies. KBE Insider, hosted by CNCF Ambassador Chris Short and Developer Langdon White, lets you reach people deeply involved with Kubernetes, hear what they have to say, and interact with Kubernetes experts from across the globe.
A
A
A
B
Exactly
yeah:
well
I
try
to
keep
the
reminder
with.
I
have
my
oh,
you
don't
have
the
hat
in
the
background
today
I
was.
I
was
looking
for
matching
hats.
As
you
can
see,
I
have
a
boston
university
hat
behind
me
over
my
left.
Shoulder
yes,
but
you
often
have
the
hat
there
so
welcome
to
everybody
for
the
the
third
edition,
as
you
said,
of
the
kubernetes
by
example
insider,
although
we
we
may
be
changing
the
name
soon,
I
don't
know
it'll.
B
B
One
had
to
put
the
dig
in
so
today
we
always
like
to
start
the
show
with
a
little
bit
of
kind
of
news
from
what's
going
on
in
the
kubernetes
world
and
unfortunately,
our
normal
news
host
is
currently
on
vacation,
I
believe
or
starting
school,
and
so
we
have
gordon
here
for
us
as
a
fill-in
replacement
and
I'm
sure
he
will
do
a
lovely
job,
maybe
not
as
good
as
mina.
But
you
know,
it'll
be
close.
C
C
A
C
C
C
Right,
so
you
know
traditional
tools,
traditional
approaches,
traditional
policies,
even-
and
this
is
of
course
a
mistake
for
so
many
reasons
right.
So
the
author
then
goes
on
to
define
cloud
native
security
which
helps,
but
he
also
breaks
it
down
into
something
I
hadn't
heard
of-
maybe
you
guys
have
heard
of
it.
Maybe
I
think
he
coined
this
phrase.
Actually,
it's
called
the
four
c's.
C
So
if
you
picture
a
cake
starting
at
the
bottom
layer
with
with
the
platform
with
with
cloud
right
and
then
you
move
up
to
the
next
layer
and
it's
cluster
and
then
you
move
up
to
a
third
layer
and
it's
container
and
then
code
is
your
final.
So
this
this
four
c's
and
and
the
whole
this
whole
idea
behind
this
is
look.
Each
of
these
layers
is
different
and
you
got
to
treat
each
of
these
layers
differently
with
your
security
approach
right.
C
But
it's
in
you
know
these
guys
are
essentially
showcasing
a
recent
report
that
was
put
out
by
our
friends
at
the
nsa
and
also
at
the
cyber
security
and
infrastructure
security
agency,
say
that
five
times
fast,
but
so
nsa
and
cisa
right
and
so
the
report
yeah.
The
report
lays
out
the
primary
threats
to
kubernetes
environments
and
actions
that
we
should
all
take
to
combat
these
threats,
but
chris
langdon
luke,
even
how
about
a
quiz?
In
your
opinion,
what
are
the
threes
I'm
keeping
it
interactive
here?
C
A
C
C
B
A
C
You
know
it
always
comes
back
to
cryptocurrency.
Doesn't
it
but
there
you
have
it.
So
thank
you
nsa,
but
they
spell
out
any
number
of
ways
that
we
can
all
minimize
these
threats
right,
anything
from
scanning,
pods
and
and
clusters
for
vulnerabilities
to
running
containers
and
pods
with
the
latest
privileges
or
the
least
privileges
possible,
and
you
know
using
strong
authentication,
firewalls,
etc.
All
that
fun
stuff,
but
the
full
report,
this
full
article,
of
course,
is
art,
is
available
on
kbe
news.
C
I
again
will
post
all
these
links
here
in
a
moment.
The
third
item,
the
third
article
I
want
to
speak
to
you
guys
about
this
morning.
Interesting,
is
called
concerned
about
kubernetes
security
check
out
these
free
tools.
So
techgenix
puts
this
out.
They
they
focus
on
these
four
open
source
tools
that
will
help
us
maintain
kubernetes
security.
I'd
heard
of
one
of
them,
I'm
curious.
C
There
you
go
yeah
q
burner
is
another,
so
stress
testing
I've
heard
of
that
one
yeah
sono
buoy,
which
is
determines
overall
security
levels
of
a
kubernetes
cluster
by
running
a
set
of
plug-ins
and
then
the
fourth
one's
my
favorite
one.
Just
because
of
the
name-
and
I
haven't
heard
of
this-
maybe
you
guys
probably
have
powerful
seal
anybody
heard
of
that
it
injects.
C
A
B
B
B
B
A
C
C
Maybe
that
speaks
to
my
age,
but
anyway,
let's
talk
about
the
article
in
here
and
it's
cool
because
it's
from
wire,
but
it's
also
cool
because
it
features
somebody
near
and
dear
to
to
the
kubernetes
community
and
somebody
appearing
on
the
call
to
on
the
the
show
today,
a
new
tool
wants
to
save
open
source
from
supply
chain
attacks.
So
we've
all
been
hearing
more
and
more
about
supply
chain
attacks
in
the
news
as
of
late.
C
So
in
essence,
right,
a
hacker
slips,
some
code,
bad
code
into
legitimate
software,
it
propagates
and
well
before
you
know
it.
Destruction
ensues
right.
So
we
saw
that
with
with
heck
this
russian
solarwinds
cybernet
cyber
espionage
effort,
which
we're
still
plagued
by.
I
think
we
saw
it
with
not
pecha
the
malware
attack.
Yeah.
C
B
Right
right,
I
I
think
that's
pretty
good.
I
did
want
to
make
a
quick
comment
about
the
first
article
you
mentioned,
which
was
kind
of
talking
about
the
three
or
four
c's
there.
I've
been
reading
a
lot
of
spy
novels
lately
and
one
of
the
things
that
kind
of
keeps
coming
up
is,
you
know
layered
security
right
is
that
you
know
if
you
have
multiple
layers
of
your
of
your
security
mechanism,
and
this
is
talking
about
in
the
physical
world
right.
B
That's
how
the
best
way
to
do
it,
because
you
know
you
breach
one,
and
then
you
have
to
breach
the
next
one
right,
they're
not
dependent
on
each
other,
and
I
think
I
think,
in
the
back
of
a
lot
of
technologists
kind
of
mind
right.
They
they
knew
about
this
concept
right
for
a
long
time,
but
you
know
it's
really
started
to
show
in,
I
would
say
more
recent
years.
Is
that
we're
really
starting
to
have
a
much
better?
You
know,
effort
towards
that.
B
Do
you
want
to
give
a
brief
introduction
to
yourself,
as
as
I
often
joke,
you
know
it's
very
hard
to
keep
track
of
titles
and
organizations
inside
red
hat
and
now
that
I'm
not
even
employed
there?
It's
even
worse
so
rather
than
me
guessing
and
being
wrong.
I
will
just
say:
could
you
please
introduce
yourself,
tell
us
what
you
do
for
red
hat
and
and
then
we
can
kind
of
start
talking
about
kubernetes.
D
D
So
I
have
a
team
of
engineers
that
I
lead
in
the
security
domain.
Okay
and
we
look
at
all
sorts
of
areas,
predominantly
cloud
native,
okay,
there's
a
lot
of
stuff
around
cloud
native
stuff,
so
container,
runtime
security,
but
also
things
like
trusted
execution
environments
trusted
computing.
So
it's
for
tpms
and
so
forth
and
of
course,
software
sign-in,
okay
and
software
transparency
and
supply
chain
security.
D
A
A
B
D
We've
seen
it
better
too
yeah,
I
think,
to
be
fair.
There's
been
a
lot
of
disruption.
Okay,
so
if
we
look
at
security,
so
so
landon,
you
made
the
point
area
earlier
about
layered
defense,
okay,
so
traditionally
security
has
been
a
relatively
simple
ground.
Okay,
to
think
about
you,
you
had
a
green
zone
and
a
red
zone.
Okay,
so
effectively.
D
Everything
outside
there
is
just
not
trusted.
Okay,
everything
inside
is
trusted,
and
this
is
our
citadel
and
we
protect
that.
So
I
used
to
work
on
firewalls
quite
a
long
time
ago.
You
know
you
literally
had
a
red
interface
and
a
green
interface
good
and
bad
good
and
bad
cop
sort
of
thing
cloud
came
along.
Okay
and
then
the
principles
are
elasticity:
scalability,
hybrid
infrastructure,
hybrid
cloud,
all
these
sorts
of
things
and
it
just
turned
the
whole
thing
on
its
head,
essentially
where
the
truss
boundaries
were
no
longer
easy
to
define.
D
You
know
it
was
a
very
mixed
grouping
of
security
controls
that
needed
to
be
thought
about
and
then
implemented,
and
then,
of
course,
software
has
accelerated
software's
eating
the
world
so
we're
starting
to
see
projects
utilize.
A
magnitude
of
dependencies
that
come
from
multiple
different
sources,
so
it's
in
a
lot
of
ways.
D
Security's
definitely
got
to
be
more
of
a
challenge,
but
it's
an
exciting
challenge.
I
feel,
but
I
think
in
the
olden
days
I'm
sounding
like
the
old
guy
now
yeah,
I
would
have
said
it
was
simpler.
The
attacks
could
have
been
very
complex.
You
know
right
and
the
particular
vulnerabilities
that
there
were,
but
the
whole
architecture
was
definitely
easier
to
grapple
with
really.
B
So
so
I
would
slightly
disagree
with
you
in
on
one
aspect,
which
is
that
one
of
the
things
that
I
thought
as
a
consultant
in
those
days
about
the
move
to
the
cloud
was
it
actually
made
people
start
to
think
significantly
more
about
the
kind
of
like
holes
in
their
firewall
or
whatever.
Like
you
know,
I
still
remember
working
with
a
lot
of
banks
and
you
know,
and
basically
they'd
be.
B
You
know,
like
most
banks
right,
they
run
kind
of
batch
jobs
of
processing
overnight
or
whatever,
and
they
would
have
all
of
these
holes
in
their
firewalls
from
all
these
different
organizations
they
worked
with.
But
then,
when
they
kind
of
moved
to
the
cloud,
they
did
a
bunch
of
things
right.
They
started
to
split
their
services
up
across
virtual
machines
right
they
started
to
have
to
be
conscious
of
like
what
was
routing
where
and
so.
While
I
completely
agree
with
you,
it
is
way
more
complex.
B
B
A
Yeah,
well
I
mean
to
speak
to
luke's
point.
We
wouldn't
I
mean
we
have
things
like,
let's
encrypt
now,
where
more
of
the
internet
is
it
served
over?
You
know
a
secure
connection
than
not
so
I
would
say,
yeah
that's
a
win
for
security,
but
we've
also
evolved
from
the
days
of
like
worms
and
such
to
now.
It's
like
a
massive
distributed
denial
of
service
attack
right.
A
A
B
D
B
All
right
so,
let's
bring
it
back
around
to
kubernetes
and
kind
of
open
source.
So
one
of
our
kind
of
standard
questions
that
we
like
to
do
on
the
show
is
you
know,
and
this
may
be
indeed
you
know
independent
for
you,
but
it's
like.
So
what
brought
you
to
open
source
or
what
brought
you
to
kubernetes
first,
I'm
not
sure
which
one
you
were
involved
in
beforehand.
You
know,
if
you
were,
you
know
what
why
why
open
source.
D
D
Yeah
so
this
was
there
was
I
I
worked
for
a
as
a
software
developer,
okay
and
we
were
developing
a
speech
recognition
engine,
so
this
was
actually
for
mobile
devices,
so
this
is
stuff
like
palm
os
and
windows,
ce
okay
technology,
and
we
had
a
couple
of
offices,
one
in
london
and
one
sort
of
out
in
the
sticks
where
I
was
okay
and
we
needed
a
a
simple
point-to-point
office.
Vpn
connection.
D
Okay,
because,
like
we
had
an
exchange
server
and
the
sales
folks
needed
their
their
email
and
stuff
like
that
and
I'd
predominantly
windows
had
been
my
gig
really.
I
didn't
really
know
much
about
linux
at
all
and
I
started
to
play
around
I.
I
got
a
a
very
early
version
of
rail,
red
hat
linux,
okay
and
installed
it,
and
then
I
remember
sort
of
double
clicking
on
things.
Thinking
there'd
be
like
an
executable
and
nothing
was
happening,
and
I
was
quite
confused.
D
This
new
alien
world
sort
of
thing
you
know,
like
I,
had
to
total
my
whole
frame
of
perception
around
operating
the
computer
was
specific
to
windows.
I
hadn't
even
touched
a
mac,
and
so
anyhow,
I
kind
of
fell
into
that
pandora's
box
and
fell
in
love
with
it
and
so
yeah.
I
had
to
create
this
sort
of
vpn
tunnel
effectively
and
then
think
about.
D
D
Yeah
so
I
I
started
to
get
those
working
and
I
had
to
learn
how
to
compile
things,
compile
a
module
for
the
kernel
and
so
forth,
like
that,
so
I
got
involved,
helping
them
with
documentation,
trying
to
sort
of
fix
things
that
didn't
work
and
and,
interestingly
enough,
the
distribution
where
I
was
quite
as
I
was
more
prolific
with
the
work
that
I
was
doing
was
rel
eight
well.
This
was
actually
called
red
hat
eight.
D
So
so
yeah
I
kind
of
caught
the
I
I
caught
the
buzz
there.
Really
I
be,
you
know,
became
a
linux
user
effectively.
I
joined
the
linux
user
group
and
yeah
and
then
it
just
sort
of
throughout
the
years
I
sort
of
gravitated
to
that
ecosystem.
More
and
security
had
always
been
something
that
interested
me
and
you
know
I.
I
started
to
sort
of
gravitate
towards
that
area
and
that's
where
I
am
today
really
so.
D
B
That's
but
it's
part
of
like
in
some
ways:
it's
like
the
drive
for
like
fedora,
you
know,
ambassadors
or
whatever,
to
try
to
drive
adoption
right,
because
the
best
way
you
get
contributors
is
people
using
your
software
right
and
then
then
something
annoys
them,
and
then
they
want
to
fix
it,
and
so
they
come
along
and
become
a
contributor
yeah.
Going
back
to
the
red
hat
linux,
nine
I
or
eight.
Rather,
I
think
the
next
version
of
rel
will
be
the
first
version
that
actually
goes
past.
A
B
A
B
Mostly
like
some
asian
countries,
I
can't
remember
which
exactly
that
that
part
of
the
world,
so
all
right
so
so
kind
of
going
back
to
kubernetes.
Okay,
so
you
talked
about
kind
of
becoming.
You
know:
a
linux
power
user.
You
know
that
kind
of
you
know
pulled
you
into
the
fold.
So
what
attracted
you
about
kubernetes
and
what
brought
you
to
that.
You
know
that
particular
project.
D
Yeah
sure
so
I
followed
kubernetes
from
pretty
much
the
early
days.
I
think
when
it
first
started
creeping
outside
of
google
and
getting
known
by
various
getting
on
the
map
of
various
people
as
an
interesting
technology,
and
I
I'd
actually
been
an
open,
stacker,
so
another
sort
of
cloud
type
infrastructure
project.
So
I've
been
working
there
for
quite
some
time
and
I
had
a
community
position
as
a
project
team
lead
like
an
elected
lead
within
the
community
for
security,
so
in
there
we
would
manage
sort
of
help
with
embargoes
and
creating
projects.
D
We
we
sort
of
do
all
sorts
of
things
really
documentation.
It
was
a
kind
of
a
multi-role
group
and
there's
quite
a
few
people
collaborating
and
things
started
to
quieten
down
there.
So
security
started
to
establish
itself
quite
well
in
openstack
and
I'd
I'd
been
following
kubernetes
for
a
while,
but
I
wasn't
prolifically
developing
to
the
project
and
somebody
that
I
I
know
was
on
the
security
used
to
be
called
the
product
security
team.
D
Okay,
so
now
we've
just
renamed
it
to
the
security
response
team,
okay
and
they
wanted
to
rotate
out
and
they'd
heard
that
I'd
had
a
fair
amount
of
experience,
managing
embargoed,
responsible
disclosure,
type
vulnerability
programs
in
open
source
projects.
So
they
you
know,
asked
if
I'd
be
interested.
I
said
I
certainly
would,
and
you
know,
and
and
from
there
I
started
to
get
involved.
You
know
so
I
I
kind
of
came
into
kubernetes
security
without
a
very
in-depth
knowledge
of
the
code
base.
B
D
The
architecture
a
bit
more
and
so
that
really
sort
of
got
me
more
involved
in
in
really
starting
to
ramp.
Up
on
what
I
understood
about
the
architecture
of
kubernetes,
you
know
what
was
a
pod:
what
was
the
host?
What
levels
of
access
did
the
container
have
to
the
host?
And
you
know
what
was
the
scheduler?
And
I
just
you
know,
because
I
was
looking
at
these
vulnerabilities
that
were
coming
in
and
would
have
to
sort
of
replicate
those
to
make
sure
that
they
were
in
fact
real
vulnerabilities.
C
B
Makes
sense
yeah
I
mean
to
to
your
point
about
them.
You
know
it's
like
there's
nothing
new
under
the
sun
kind
of
right.
I
mean
that's,
why
I
think
it's
oh
aspire.
It
has
that
nice
set
of.
I
think
it's
11,
you
know
top
vulnerabilities.
You
should
watch
where
you
know
like
there's
like.
If
you
do
a
little
bit
of
research
as
an
average
developer,
you
can
have
a
really
good
idea
of
the
traps
you're
likely
to
fall
into,
which
is
one
of
the
nicer
things
about
kind
of
doing
a
secure.
B
You
know
development,
but
it
can
be
tough
all
right
so
so
that
brought
you
to
the
security
response
team
and
then
you,
you
were
largely
involved
with
that.
I
assume
primarily
for
a
while,
but
what
kind
of
brought
the
sig
store
kind
of
concept
forward
for
you
or
what
you
know
like?
What?
What
it
were
you
trying
to
scratch.
D
A
D
B
B
D
D
Me
on
to
this
principle
of
merkel,
trees,
okay
and
at
the
same
time,
I've
been
wanting
to
find
a
some
sort
of
system
that
can
act
as
a
source
of
truth
around.
What's
happened
in
a
secure
supply
chain
because
a
lot
of
the
time
you're
you're
you're,
relying
on
auditing
systems
that
are
susceptible
to
manipulation
effectively,
you
know
if
it's
like
a
login
system
or
you
know,
syslog
or
some
sort
of
data
store,
a
hacker
could
one
breach
a
system
and
then
they
could
cover
up
their
tracks
effectively
and
just
this
there
was.
D
And-
and
so
I
was
just
thinking-
it'd
be
great
if
we
had
this
sort
of
some
sort
of
source
of
truth
that
that's,
that
has
an
immutable
structure
again.
So
merkle
tree
was
the
perfect
example
there.
So
I
started
to
to
experiment
and
and
to
prototype
around
that
technology
and
came
up
with
a
project
that
I
called
recall.
Okay
and
recall
is
greek
for
record
okay.
A
B
D
D
So
I
should
explain
for
folks
what
a
merkle
tree
is
so,
to
put
it
simply,
murkle
trees
are
actually
leveraged
in
a
few
technologies.
You'll
find
them
in
a
blockchain.
The
transactions
are
signed
with
a
merkle
tree,
a
git
actually
operates
a
form
of
merkle
tree.
Okay
and
bittorrent
is
a
quite
an
technology,
but
it's
a
technology.
That's
not
an
utilized.
D
D
And
then
the
idea
is,
if
you
change
a
single
bit
for
that
object,
it
would
change
the
entire
stream.
So
what
a
merkle
tree
does?
Is
it
takes
these
digests
and
it
has?
Let's
say
you
have
a
layer
of
eight.
It
adds
two
together
and
it
hashes
those
which
then
go
up
to
four,
and
you
go
up
the
tree
until
eventually,
you
have
a
root
hash,
which
is
a
bit
like
a
commit
hash
effectively
and
that's
kind
of
a
very
good
representation
of
the
integrity
structure
of
that
tree.
D
So
I
came
up
with
that
idea
and
had
a
prototype,
and
this
is
where
it's
a
kind
of
classic
open
source
story.
Really
I
had
this
code,
I
wasn't
quite
sure
what
to
do
next.
You
know,
so
I
thought
I
need
to
share
this
with
some
people
see
what
they
think.
Let's
see
what
I
mean
and
there's
a
an
engineer
at
google
dan
lawrence
who
I've
been
collaborating
with
around
different
projects:
techton
cd
and
the
open
ssf,
the
open,
open
source
security
foundation.
So
I
shared
it
with
dan.
D
I
said
dan
I've
got
this
thing,
I'm
not
quite
sure
what
to
do
next.
No,
are
you
interested-
and
he
said,
yeah
I'd
like
to
contribute
to
this.
So
then
there
was
two
of
us.
If
you
see
what
I
mean
and
then
another
guy
red
hat
bob
callaway,
he
got
involved
and
started
to
refactor
the
code
and
improve
things
and
it
just
sort
of
expanded
from
there.
D
Really
it
just
sort
of
blew
up
essentially
and
and
this
the
problem
was,
we
originally
called
recall,
but
then
we
found
out
there's
a
company
operating
under
the
name
of
recall,
oh
so
right.
Well,
okay,
we
have
to
do
a
name
change.
We
had
to
do
one
quite
quickly
because
we
were
speaking
to
the
linux
foundation.
D
Okay,
we
want
those
events
to
be
signed,
cryptographically
signed
so
that
we
have
non-repudiation
around
who
made
those
signatures
who
signed
that
artifact
okay,
but
we
then
realized
that
the
signing
tools
that
are
around
kind
of
suck
a
bit
really
people
aren't
using
them,
and
then
we
realized
well,
we've
got
a
big
problem
there.
Do
you
see
what
we've
got
this
wonderful
transparency
log
thing
now?
But
how
are
we
going
to
get
people
to
use
it
because
they
don't
like
signing
things
so
that.
D
Really-
and
that
was
where
dan
had
this
really
great
idea
about
leveraging
open
identity,
connect
and
stuff
like
that,
okay,
so
that
we
could
then
handle
the
key
management
challenge
and
yeah
and
that
just
sort
of
kind
of
grew
and
grew
and
grew
until
we
started
to
look
at
signing
more
and
more
artifact
types.
So
we
started
with
containers
and
then
somebody
will
come
along
and
say
I
want
to
sign
a
jar
file.
D
D
D
Say
there's
this
analogy
and
I've
always
stuck
with
it,
which
is
in
software.
You
can
have
painkillers
or
supplements
okay,
so
a
supplement
is
something
that
people
will
say:
yeah,
that's
pretty
cool
yeah!
You
know.
That's
that's
interesting!
I'll,
follow
what
you're
doing
okay
but
you're.
Not
you
know
what
you
have
is
a
supplement.
If
people
forget
to
take
their
vitamins
in
the
morning,
they
don't
start
losing
their
mind
and
turning
the
car
around
going
back
right.
You
see
what
I
mean
yeah.
A
D
B
Yeah
yeah
totally
so
so
you
know
I
kind
of
I'm
curious.
So
do
you
see
kind
of
six
store
expanding
beyond
the
kind
of
kubernetes
realm
like?
Is
there
you
know?
Is
it?
Is
it
a
more
generic
solution
because
it
kind
of
sounds
like
it
is?
But
I
don't
know
you
know
not
knowing
the
inner
workings.
I
don't
know
how
like
how
dependent
it
is
on
that
on
that
tool
chain
in
a
sense.
D
Yeah
very
much
yeah,
so
so
with
sigstor,
we
have
the
kind
of
the
infrastructure
services
which
is
two
of
our
sort
of
core
projects.
So
one
is
recall
that
I
described,
which
is
the
transparency
log
and
the
other
one's
called
forcio,
which
is
the
the
pki.
The
ca
software
signing
solution
again
and
those
can
sort
of
on
their
own
stand
without
the
other
services
and
still
have
use
okay.
B
D
Recall
has
been
one:
that's
attracted
a
lot
of
people
that
have
these
non
sort
of
clout,
native
cube
type
usage
scenarios,
so
there's
many
of
them
around
recall.
One.
That's
quite
interesting
recently
is
arch
linux
and
looking
at
doing
binary,
transparency
and
and
their
security
team
is
starting
to
implement
that
and
we've
had
people
looking
at
sort
of
firmware,
blobs
or
sort
of
drivers
and
stuff
like
that,
where
those
can
be
recorded
in
the
transparency,
log
and
other
people
interested
in
signing
documents
using
this
as
well.
You
know
so
so.
A
D
It's
it
it's.
Luckily,
a
very
customizable
system,
recall
you,
you
get
to
choose
what
data
sets
you
want
to
go
in.
You
can
design
your
own
manifest.
Essentially,
so
we
call
it
manifest
agility,
so
we
always
try
to
make
it
so
that
we
could
support
any
type
of
schema
that
comes
along
that
people
want
to
use.
D
So
a
lot
of
this
was
preemptive
around
the
work
that
is
happening
around
secure
bill
of
materials,
s-bombs
and
so
forth,
so
that
we
know
we
have
the
agility
to
to
be
able
to
work
with
different
data
types
and
different,
manifest
types
and
so
forth.
So
yeah
there's
a
there's,
a
lot
of
interest
in
people
that
are
coming
forward
that
are
finding
they
could
utilize
the
technology
to
solve
a
particular
problem
that
they
have
within
their
particular
vertical.
B
B
Wherever
you
did
your
undergrad
and
prove
you
know
your,
you
know
what
you
did
and
one
of
the
challenges
making
sure
that
that
is,
you
know
if
you
want
to
do
it,
digitally
right
is
making
that
cryptographically
secure
and
it
sounds
like
this
might
actually
be
a
really
good
solution
for
that
kind
of
problem
as
well.
Yeah.
D
To
share
yeah-
and
I
know
other
people
were
looking
at
utilizing
transparency
logs
as
a
way
to
combat
fake
news,
okay,
so
effectively.
What
somebody
does
is
they
write?
Something
about?
I
don't
know.
Xyz
politician
had
an
affair
with
a
an
alien,
okay
and
then
possible
that
will
kind
of
blow
up
on
social
media,
and
then
somebody
will
call
them
out
the
experts
will
round
up
on
them
and.
D
B
Yeah
yeah,
no,
it's!
It
is
definitely
an
interesting
problem.
I
mean
I
know
from
even
like
you
know,
there's
even
something
in
http
right.
That
tells
you
when
something
was
actually
printed.
You
know,
but
everybody
just
manufactures
that
header
you
know
based
on
whenever
they
generate
you
know,
sometimes
they
just
generate
it
or
auto
generated
yeah
right
and
what
I
want
to
know.
A
lot
of
the
time
is:
when
did
this
actually
come
out
right
or
when
was
it
updated
or
whatever?
D
It's
an
interesting
area
because
I
obviously
work
in
the
software
right
and
I
I
do
I
I'm
very
heavily
focused
on
what
can
we
do
to
improve
software
security?
Okay
and
then
I
look
down
and
I
go.
Oh
god
you
know
it's
just
I
don't.
You
know,
there's
that
whole
base
layer
of
of
in
the
hardware,
these
firmware
blobs,
where.
B
D
B
B
B
D
D
D
It's
safer
for
the
users
and
traditionally
people
would
report
for
an
email
address
that
sends
us
an
email,
okay
and
then
we
would
then
have
our
embargo
program,
which
we
would
kick
off
and
handle
things
from
there,
and
this
was
you
know
there
was
a
good
volume
of
issues
coming
in,
but
we
realized
that
in
a
lot
of
ways,
people
should
really
be
rewarded
for
doing
the
right
thing,
so
that
was
one
of
the
main
drivers.
Okay
and.
D
More
eyes
on
the
code
as
well.
Okay,
so
you
know
there's
this
security
idiom
that
we
have
of
the
more
eyes
on
the
code,
the
better,
the
more
secure
the
more
people
looking
at
the
code.
So
so
yeah
we
launched
a
hacker
one
bug
bounty
program,
okay,
and
so
how
this
operates
is
that
hacker
one
have
a
portal
where,
if
somebody
discovers
an
issue
involve
a
security
issue
in
kubernetes,
they
can
raise
it
with
haka
one
and
hacker.
One
then
have
a
team
that
will
do
an
initial
triage
of
the
issue.
D
D
B
Yeah
totally
yeah,
I
think
the
kind
of
bounty
programs
in
general
that
you
know
they
kind
of
been.
You
know,
they're
slow
to
start
right
there,
but
maybe
they're
starting
to
actually
kind
of
take.
But
that's
a
it's
a
really
great
way.
You
know
to
kind
of
you
know,
support
open
source,
you
know
or
support.
You
know,
kind
of
change
or
whatever
you
know,
because
you
know
some
people
have
more
money
than
they
have
time.
You
know,
and
you
know
especially
you
know
if
you
have
kids
for
example.
B
I
definitely
you
know
often
have
more
money
than
I
have
time
and
I'd
like
to
see
some
changes,
but
can't
do
it
myself,
but
kind
of
in
the
reverse,
the
you
know
getting
the
credit
for
discovering
these
things.
You
know
and
you
it's
it's
not
just
like
money
right.
It's
also,
you
know
the
the
you
know
hutzpah
right
or
the
you
know,
publicity
or
whatever
around
having
discovered
some
of
these
things,
but
you
need
you
need
some
backing
to
kind
of
say.
Oh
yes,
you
really
did
discover
a
real
vulnerability.
B
You
know
it's
not
just
me
claiming
on
the
internet
that
something
happened
and
then,
as
you
say,
right
embargoes
are
really
important.
So
one
of
the
things
that
I
thought
was,
I
think,
a
lot
of
people
who
don't
work
in
software
companies
in
particular,
especially
even
ones
that
are
kind
of
infrastructure
layer.
Software
companies,
like
you,
don't
realize
how
important
those
kind
of
security
embargoes
are.
We've
talked
about
it.
B
You
know,
on
the
you
know,
channel
a
few
times,
but
basically
it's
like
it
was
common
for
me
to
be
in
a
meeting
or
something
like
that
or
whatever
and
they'd
be
like.
Oh,
you
know
we.
We
need
to
do
this
other
release
and
somebody
would
say,
obviously
why
do
we
have
to
do
this?
Other
release
and
they'd
be
like?
Oh,
I
can't
tell
you
and,
and
it's
just
par
for
the
course
like
it's
just
you
expect
that
to
happen
on
occasion.
B
B
D
B
D
B
D
D
You
know
that's
scary,
stuff,
where
people
can
destroy
pods
or
perhaps
you
know
even
more-
and
I
would
say
those
are
the
two
ones
really
and
yeah
it's
interesting
with
security
vulnerabilities.
You
have
the
the
magnitude
of
the
the
criticality
of
the
vulnerability.
That's
one
thing:
okay
and
then
there's
the
the
marketing
spin,
the
kind
of
the
the
fud.
If
you
like
you
get
around
that
vulnerability,
you
know
and
they
don't
always
marry
up.
D
That's
that's
the
thing
you
see
so
for
me.
I
think
it
would
be
like
both
of
those
on
rocket
fuel
really
a
particularly
nasty
vulnerability.
That
gets
a
lot
of
coverage
as
well.
Perhaps
you
know
some
high
profile,
people
or
users
of
kubernetes
undergo
some
sort
of
significant
nasty
data
leakage.
As
a
result
of
that,
you
see
what
I
mean
so
yeah.
I
guess
it
would
be
an
orchestration
of
things,
a
very
nasty
high,
critical
vulnerability,
that's
found
in
the
world
and
utilized
in
the
world
and
and
then
it
creates
a
media
frenzy.
D
D
B
So
so
yeah
I
I
mean,
I
think
I
I
I
like
that
one,
but
I
also
think
that
what
six
store
is
trying
to
do
is
one
that
particularly
concerns
me,
which
is
the
the
kind
of
the
solarwinds
problem
a
little
bit.
You
know,
which
is
that
an
attack
has
been
delivered
and
been
successful
and
no
one
knows
and
that
in
some
ways
for
me
I
think
it's
the
scariest
thing.
B
You
know
where
you
know
it's
like
the
quote-unquote
sleeper
agent
right,
where
you
know
something
something
can
happen
eventually,
but
that
the
you
know
the
infrastructure
has
already
been.
You
know
suborned
or
whatever,
to
take
it
over,
and
I
think
things
like
I
said,
like
sig
store
or
whatever
are
or
how
you
solve,
for
that
is
that
you
know
you
know.
I've
known
I've
known
a
few
people
who've
done
some
of
this
kind
of
work
in
the
past
right
and
you
know
it
is.
B
It
is
part
of
an
ex
a
successful
attack
to
clean
up
after
yourself
right
and
you
know,
and
and
if
you
can
modify
those
logs
or
whatever,
to
show
that
you
weren't
there.
Then
there
wasn't.
You
know
was
it
you
know,
does:
does
anybody
hear
a
tree
falling
in
the
woods
right?
So
I
think
that
you
know
models
where
you
know
audit
logging
or
logging
or
whatever,
where
you're
trying
to
keep
track
of
or
have
a
way
of
knowing
for
sure
whether
anything
has
been
modified.
B
D
Yeah
yeah
very
much
yeah
and
that's
where
the
transparency
component
of
sig
stories
is
so
appealing,
because
we
will
run
a
public
transparency
log
okay.
So
that
means
that
anybody
can
order
to
monitor
that
log.
So
they
can
check
the
integrity
of
that
log
to
make
sure
we're
doing
the
right
thing.
Okay
and
they
can
check
the
integrity
of
any
particular
entry
in
that
log.
Okay.
So
then
they
can
start
to
look
for
suspicious
patterns
things
that.
A
D
Happening
out
of
the
normal,
if
you
see
for
and
so
one
of
our
our
hopes
and
one
of
the
the
one
thing
that
we're
really
trying
to
encourage
with
sigstor,
is
people
to
come
along
and
innovate
on
top
of
our
platform.
So
we
have
this
transparency,
log,
okay,
so
we're
talking
to
people
about
running
these
things
called
monitors
which
will
monitor
the
log,
okay
and
we'll
start
to
look
for
certain
patterns
and
so
forth.
D
So
that's
where
the
recall,
the
transparency
log
part
is,
is
very
appealing
because,
as
you
rightly
say,
when
there
is
an
attack,
okay,
if
we're
talking
a
key
compromise
which
is
a
particularly
very
nasty
attack,
you
want
to
know
the
blast
radius.
Okay,
so
you
want
to
know
what
else
has
been
signed
with
this
private
key.
Okay
and
with
sigstor
recall,
you
can
answer
that
you
can.
D
You
can
perform
an
inclusion
proof
using
the
public
key
to
find
out
is
exactly
what
artifacts
have
been
signed
and
when
time
stamps
with
that
particular
signature
set
so
yeah
it's
it's.
It's
really
sort
of
a
nice
application
of
that
technology,
but
in
a
lot
of
ways
it's
not
new.
It's
sort
of
this
is
something
that
we
borrowed
from
certificate:
transparency
right.
A
D
D
Doing
the
right
thing:
okay
and
then
what
happened
was
a
couple
of
very
high
profile
domains.
I
think
google
and
facebook
were
somebody
went
to
a
ca.
He
said
I
need
a
certificate
for
facebook.com
and
they
got
given
one
okay
and
then
you
can
imagine
the
amount
of
damage
you
can
do.
If
you
are
suddenly
able
to
stand
up,
a
server
browser
says
is
okie
dokie.
This
is
great
facebook.com.
If
you
see
what
I
mean
so
this
kind
of
concerned
and
slightly
scared
a
lot
of
people.
D
So
they
came
up
this
idea
of
certificate
transparency,
which
is
a
similar
thing,
the
certificate
chain
from
the
root
ca
and
the
certificate.
The
sign
for
the
particular
domain
is
recorded
into
a
transparency
log
and
then
what
that
allows
you
to
do
is,
for
example,
redhat.com
can
then
monitor
the
log
that's
being
signed
for
the
domain
redhat.com.
D
A
D
D
To
do
is
sign
an
artifact
using
an
open
identity
provider-
okay,
so,
for
example,
google,
microsoft,
github,
there's
various
people
that
provide
these
open
identity
provider
solutions.
Okay-
and
the
great
thing
about
that
is,
you
can
then
monitor
the
log
for
people
signing
things
with
your
identity.
You're
a
bit
like
you
know,
have
I
been
phoned.
D
Yeah
yeah
yeah
yeah
and
the
great
thing
about
an
email,
some
people
will
say
yeah,
but
an
email,
it's
not
as
secure
as
a
you
know:
five
thousand
pound
hsm
right
well,
yeah
sure.
If
you
want
to
use
that
you
can
use
that
with
sigstor,
but
a
majority
of
the
open
source
projects,
your
mum-and-pop
small
projects,
they
can't
afford
specialist
hardware
and
they
don't
like
managing
the
keys.
So
this
gives
them
a
system
where
they
can
sign
something
using
their
identity
and
they
have
protection
of
the
crowd.
Monitoring
as
well.
Okay
and.
D
Thing
as
well
is
these
systems
these
these
providers;
rather
they
they
give
you
extra
little
security
trinkets
on
top
like
two-factor
authentication,
you
know
that
you
can
use
to
protect
your
account.
You
get
that
thing.
If,
if
you
log
in
on
a
new
computer,
then
it
will
tell
one
of
your
trusted
systems.
Hey.
D
Did
you
just
log
in
from
this
country,
with
this
ip
address,
so
there's
lots
of
nice
secure,
existing
security
controls
that
we
can
leverage
there,
and
so
that's
why
we
look
to
use
this
open
identity,
connect
and
the
email
address,
and
then
we've
got
that
same
thing
as
certificate
transparency.
We
can
monitor,
who
is
using
our
identity
to
sign
effectively.
B
A
B
Is
I
think,
still
around,
but
the
idea
of
it
was
kind
of
you
would
have
it
was.
It
was
like
sso
for
the
internet
right
right
and
without
all
the
problems
of
using
facebook,
login
right
or
using
google
login
or
even
to
these
days,
microsoft
login,
because
it
was
a
kind
of
a
you
know,
an
independent
service,
even
if
it
was
owned
by
microsoft
it
was.
There
was
no
way
to
get
to
your
the
rest
of
you
right.
So
I
really
want
to
see
you
know.
B
This
is
one
of
the
things
that
I
think
has
been
missing
from
the
internet
for
a
long
time.
Right
is
that
I
have
an
identity
on
the
internet
right
that
is,
that
is
protected
by
something
that
then
I
can
use
to
manage
with
my
twitter
profile
or
my
facebook
account
or
my
you
know,
or
my
work
account
right.
You
know
one
of
the
things
when
I
left
red
hat
right.
One
of
the
challenges
I
had
was
like.
Oh
wait.
D
A
D
D
A
D
I
just
assume
this
is
langdon.
Okay
looks
and
smells
like
him.
I
accept
that
key.
I
bring
it
into
my
key
ring,
okay
or
like
we
do
with
an
ssh
server.
Okay,
you
click
yes
to
the
fingerprint
just
added
to
your.
Allow
hosts
okay,
but
that's
kind
of
that
has
its
problems.
Evidently,
okay
and
then
the
the
only
other
system
is
there's
like
a
weber
trust,
so
us
guys
meet
up.
You
know
we
look
at
each
other's
passports,
we
sign
each
other's
keys
and
that
doesn't
really
scale.
D
D
D
You
know
people
are
coming
up
with
biometrics
and
all
sorts
of
systems
to
try
and
disrupt
the
password,
but
nothing
can
quite
cut
it.
Do
you
see
what
I
mean
right?
So
identity
is
a
really
tricky
or
not.
You
know
I
would
love
to
see
some
sort
of
open
decentralized
identity
system,
but
identity
and
decentralize
the
strange
bedfellows
exactly
to
connect.
Do
you
see
what
I
mean
right?
That's
the
problem
that
the
blockchain
folks
have
a
lot
really
is
when
they
try
to
establish
an
end,
an
identity.
D
B
Well,
and
to
your
earlier
point
of
you
know,
kind
of
hitting
the
right
place
at
the
right
time
and
being
consumable.
It's
like
we've
had
a
number
of
attempts
right
where
you
know
like
we
had
some
technology
or
we
had
some,
you
know
thing
or
whatever
and
it
almost
made
it
or
whatever,
but
it
didn't.
Quite
it
wasn't
quite
consumable
enough.
It
wasn't
quite
at
the
right
time
or
whatever
so
so
I
do.
D
D
D
D
The
same
with
software
signing
as
well
project
signing
software,
so
I
think
with
sigstor.
We've
come
up
with
this
good
balance
between
usability,
accessibility
and
good
levels
of
security
protections
as
well,
where
we
have
that
transparency
and-
and
that's
that's
the
sort
of
I
think,
that's
the
the
thing
that
is
really
going
to
help.
D
B
B
A
D
A
B
So
I
think
with
that
and
we
are
already
over
time,
but
we
should
probably
kind
of
wrap
up
there.
Is
there
any
kind
of
closing
anything
you
wanted
to
kind
of
add
on
I
mean,
or
you
know
I
think
I
I
will
definitely
say:
go
check
out
sigstor,
you
know,
and
you
know,
if
you,
if
you
want
to
help,
contribute
that'd,
be
awesome,
but
you
know
at
least
start
using
it
right.
We
need
to
drive
the
adoption
for
things
to
get
better.