From YouTube: Securing Critical Projects WG (February 25, 2021)
A
Yeah, the first, well, I guess it's now the second item in the agenda. I was going to see what we... we have this little tool we wanted to demo, and the engineers that built it, from Google, live in Australia.

So I was going to see if I could find one of the future meetings that was at an Australia-friendly time. So I think we have something scheduled for the 11th, so I was going to propose, for the 25th, to move this time to be an early afternoon time, so 2 p.m. or 3 p.m.

So, look out for that. I will move the meeting time, and then, I think, going forward, if there's a lot of interest in flipping the time zones, we should talk about that and maybe we can alternate. I think that's what a lot of groups do for something that's more APAC-friendly. So that is it from me, and I think today we have a demo of Tracee, if we're pronouncing it right.
B
Now, yes, hi. Yeah, so hello, everyone, my name is Itai, I'm from Aqua Security, on the open source team in Aqua Security.

Hi everyone, so yeah, Idan is superman, he is from the research team in Aqua Security. So they do quite incredible stuff, and I watched a few... This is the first time that I'm joining the meeting. I watched a few recordings on YouTube before, and I saw that you were working on the package feeds and scanning, like trying to detect malicious packages in package repositories, and it rang a bell because we were working on similar stuff.

So I said, why not jump in and show you what we were working on, and maybe we could collaborate on something.

So I think I'm going to start by, first of all, introducing you to Tracee, which is the tool that we use to drive a lot of this work, and then maybe we can talk, besides the technology, about our goals and so on.

So I didn't prepare a presentation or anything. I can do a quick demo first. I just want to say that Tracee is a runtime security and forensics tool using eBPF. This is not the usual audience that I give this demo to, so I assume that you kind of know what runtime security means, what eBPF means. Basically what we do is we trace the operating system, the Linux operating system, using the eBPF technology, and we collect a lot of events. We analyze them to detect suspicious behavioral patterns.

Tracee, by the way, is open source. It is Apache 2 licensed, so people can, and are encouraged to, use Tracee to do other stuff besides what I'm about to demonstrate to you. So Tracee, basically, is composed of two parts. The first one is tracee-ebpf, which is just a system tracing tool. It's a CLI tool that you would run.

You can configure it to specify exactly what you want to trace, and it will start collecting events from the operating system. Collected events can be stuff like system calls. Events can be stuff like internal kernel functions that we trace. It can be a lot of things, and it's also an extensible platform, but usually what most people are interested in is tracing system calls.

So once you start tracee-ebpf, the CLI tool, it will start collecting events from the operating system, and that tool by itself is quite useful for people who want to understand what's going on, to do some security research maybe, or to debug or troubleshoot applications or stuff like that. It has a very comprehensive set of filters that allow you to very precisely specify what you want to trace.

Can't you see my screen? All right, I need to give it permissions. This is the first time that I'm using Google Meet, so apologies.
D
Well, it's not a new topic, but I was going to ask him about... welcome back. Sometime when you get a chance, I'd love to chat about, you know, how in the world to use Tracee to discover things that sit around for a while.

Unfortunately, increasingly, a lot of these malicious tools will be playing nice for a while. SolarWinds, for example, it was random, but I think the average was like two weeks before it started to do its thing, which makes it obviously harder to detect, and you can play games with clocks. I don't know if you've got any experience with trying to detect malicious code that's trying to be stealthier, and any tips.

B
Yeah, I think I'm going to let Idan take that after we... No, it's a good question. I think it's being asked, so let's get the demo first out of the way and then we can talk about it.
B
Get this out of the way. All right, so you can start Tracee and tell it to trace... There's a very comprehensive filtering mechanism; you can tell it, like, I want this system call, I want this set of system calls, I want this process ID, this process ID 3, I want to trace new containers, I want to trace a particular container.

You can look actually at data that comes out of the traced system call and say: okay, when I'm tracing this system call it's going to return an argument, so I want to see if that argument is going to be equal to something; only that is interesting to me. So I'm not going to go into that.

I just want to say that there's a very comprehensive filtering mechanism that allows you to precisely express what set of events you want to extract, and I also want to mention that, besides system calls, we also trace other events. For example, we plug into internal kernel functions that allow us to get more reliable information. For example, a very common thing that people want to trace is the execve system call, which is the system call used to execute anything, but that's actually somewhat...

It can be manipulated in some way, so we have an alternative, for example, to trace security_bprm_check, which is an internal kernel function that is guaranteed to provide more accurate and reliable information that is more useful in a security setting. So it's just one example; we have a number of those cases where we allow you to trace not only system calls but other events that happen in the operating system, and the reason why this is important is because we are discussing security here.

If this was, you know, just another monitoring tool, it probably would be meaningless, but because we are looking for very specific things, and we know that the other party is trying to hide from us all the time, it can be helpful to trace these as well. I'm fast-forwarding through that because I want to get to the more interesting part; we can maybe dive into other areas at the end.
B
So I mentioned that there is tracee-ebpf, which is the CLI tool, and there's also tracee-rules, which is the rule engine. Basically, you can run them individually. You can run tracee-ebpf, get the stream of events, and feed it to whatever processing tool you want, but we also have the processing tool, which is the rule engine. The rule engine lets you create what we call behavioral signatures that look for specific patterns in the stream of events that you get. We're supporting two ways to author signatures.

One is using Golang. This is an example of a signature. I don't want to get into that business logic now; I just want to show that it can be quite comprehensive and complex code that is looking for actually more than just one event. It can do things like keep state and track a complex behavior over a long time to see that something is happening. In this example, this signal... yeah.

Yeah, so one is called... let me just open this as a reference. One is called tracee-ebpf, which is collecting the events. eBPF is the technology that we use in order to instrument the operating system, and the other one is called tracee-rules, which is the rule engine.

D
Okay, okay, all right. eBPF, potentially malicious behavior; okay, those of you who are looking at the notes can see what nonsense I'm writing down, and hopefully capture it now, because it depends on eBPF. That obviously requires that the underlying kernel have eBPF, which is true for Linux, but obviously you're depending on that particular technology. Thanks.
B
So I started to say that signatures, which are the way that you can express what exactly you are looking for, can be written in Golang, and if you write a signature in Golang, it's just a Go program that you can write. We orchestrate feeding it the relevant events, and you just handle the events and see if you're interested in something there, and it can be any arbitrary code. You can also track state, which is, I think, a very powerful feature.

This particular signature, for example, looks for if someone is opening a socket and then redirecting standard output over that socket, so it's trying to, you know, exfiltrate whatever is going on, and for that to happen we need to track actually a number of system calls, but not only those system calls, the relationship between them. We need to keep state of what exactly is happening at every point in time.

So that's an example of a pretty sophisticated behavioral signature. The other way, which is also quite interesting, is you can write signatures in Rego. You might be familiar with OPA, the Open Policy Agent? This is a pretty popular CNCF project for enforcing policies, and we let you also write Tracee signatures using Rego, which is the language of OPA.

So if anyone is writing or using OPA, the Open Policy Agent, which is very, very popular in the cloud native world, they can use those skills to write signatures for Tracee. Well, this is an example of a Rego signature that looks for a ptrace with the PTRACE_TRACEME argument, which indicates an anti-debugging technique. Never mind the signature here. Just, we have these two options. Both of them are pretty unique, because it's not just a simple predicate where you can say:

okay, if the event name is that, then do something. You can really build up pretty complex behavioral patterns. All right, so this entire experience is currently packaged into a Docker container that people can just run, and it takes care of running tracee-ebpf and, you know, creating the stream of events, passing this into tracee-rules, loading all of the signatures. We have built-in signatures that we ship with Tracee, and this is actually backed by actual research that is being done by our security research team.

So we will start building this library of behavioral signatures, and again, everything that I'm showing you is open source, so you can go and check it out yourself later. If I'm running this, let's do two things. First of all, I'm going to run this... look around this container.
B
Never mind these settings here. Basically, the image name is tracee and I'm telling it to trace. "trace" will just start the tracee-ebpf component, which is just dumping a lot of information here; there's a lot of things going on on this machine. So we can see the raw data here.

It will load signatures into tracee-rules and will connect the two, and in this case I'm going to go over here and I'm going to simulate an anti-debugging technique, as it's a behavior that we sometimes associate with malicious behavior, and once I do that we can go here and see that it was picked up by Tracee. We have a detection for this signature, which is anti-debugging, and also this is currently using Falcosidekick, which is a nice tool that allows us to pass that detection on to other systems that you might use, for example, Slack.

Let me see how I am sharing that... all right, never mind. I think I'm not going to mess with Google Meet today. Trust me, it's on my Slack window on my other monitor. Yeah, so that was a very quick demo. There's like a ton to show here; I just want to give you a general sense of what's going on, what it does, and I want to, besides the technical stuff... we are already scanning a lot of things. For example, we are scanning Docker Hub and looking for malicious behavior there, and we actually have a lot of success in that. If you go to the Aqua blog, for example, you can see a lot of breakdowns and analysis of what we found there, and we do the same for packages.

So I think that this is where the presentation becomes more of a discussion on, like, if you find this interesting. First of all, I think that you have been doing conceptually similar things with the Package Feeds project and the package malware project, I think it's called, and we would love to see if Tracee can fit in there. We can also help not only with the engineering part of it, but also with some, you know, thinking about what to look for and how to look for it and so on. Yeah, and I'd like to hear what you think about it, first of all.
F
Yeah, this looks awesome. We're just trying to find all the different ways to look for malware. We can experiment and play around with it a little bit. Anything that helps us, you know, find more things and then filter out noise to get better lists of things we can look through manually to try to detect this stuff is useful.

D
Yeah, Dan, I don't know any particular reason that we even have to pick the one true way. You know, use multiple tools, and there are obviously advantages to working on rules. This is almost kind of a side note, but I noticed you're looking at the anti-debugging.

C
Yeah, I have something to add to that. Actually, one of the cool things about the eBPF technology is that we're doing all the tracing straight from the kernel. So there is nothing in user space, which means that most anti-debugging techniques that are based on using the ptrace call won't be triggered. So we actually have the ability to trace everything that happens in the container in a manner that the malware can't detect, that it is being detected, unless it has root, and then it has the ability to query.

B
Similar technologies... are you already... I mean, I see that you already have some kind of framework in place, and I want to ask, what does it look like today, and how, if you think that we can leverage Tracee inside of this framework, where can it be and how?
F
What the real goal is... so we've decoupled things a bit, so there's one project which is just Package Feeds. I'm not sure if Jordan's here, but the idea there is just to get a uniform way to watch all the package registries, for a uniform API to subscribe to, so you can see all new packages and new versions coming across as many languages as we can. They all have RSS feeds or databases.

You can query their APIs or things like that, but you've got to figure out each one, so there's no easy way to just watch them all. Then, from that, we've set up just a couple different experiments on things we can do with that data. One of them is the malware analysis pipeline that I set up so far with the Falco rules.

The idea is to do as many different ones as we can there and make them pluggable, and what I really want to do is just set up a way where people with ideas, or, you know, researchers and stuff, can come with different analyses. They can do, like, typosquatting or things like that, and we can give, you know, a real production place to put those rules and, you know, pay for the infrastructure and keep them running long term.

Yeah, two repos now, okay, did a bunch of that work.

B
Okay, and it sounds like we could use the Package Feeds one on its own, because we also, like, scan package repositories, so that could be really, really cool for us. And okay, so you mentioned you're using Falco rules today. So is this using rules that you have written yourselves? Yeah.

F
Yeah, I don't really know anything about Falco rules. I just kind of hacked something together right now. It's just logging, I think, every file name that gets opened when you do a pip install or an npm install of a specific version. So it's logging that, and then we can go through and look for suspicious stuff later. All of that data now just gets published into a whole bunch of JSON files that we can look through whenever we decide what to look for.
B
So you log every file that is being touched, and then how do you know which one is suspicious, or...

F
Yeah, we don't yet. I've been looking through manually, and I've been able to find some stuff just by kind of scrolling through. We found a bunch of spam that was getting uploaded to PyPI, all these, like, all-capitals "click here to get free Discord credits", that kind of stuff, people doing SEO-style attacks. Just manually, but nothing automated yet. We're trying to figure out the right formats and also make that data available, so other people that have ideas can run queries later without having to set this stuff up.

B
So was that a question for me or for them? Yeah.

Yeah, I'm pretty sure that we can reach a similar point where, you know, we give the list of files that were touched. That would be quite easy to do. Actually, there's a lot of other capabilities of Tracee that I didn't show, around forensics.

So, for example, if you were talking about which files were accessed, we have some way for the operator to say, I want Tracee to capture everything that was executed during the trace, or I want Tracee to capture every file that was written, or every... We have some very specific things, like, for example, if we identify a memory unpacking behavior, we can grab that memory region from memory and dump it to disk. So we have a lot of capabilities around that.

So, in addition to generating a list of files, which should be quite easy to do with Tracee, we can also, like, give the files, and then we can do further analysis on them, even just scanning them with anti-malware, but also do further analysis on them.
C
Something regarding, like, the files. I know that I mentioned that before, but I'm just double-clicking on it again. So I think one of the key things that we did, because again we built it for security purposes from the ground up, so one of the things that we wanted to do is exactly to understand exactly which file, if they touch something in the operating system, they are writing into cron, they're putting code in a cron job to do persistence, or anything like that.

So one of the problems with using syscalls is basically that they can get a relative path, not only the absolute path, and this can create a lot of problems when you want to do, or if someone's trying to do an execve but they're using an alias, for example. This is the kind of thing that, when you're using syscalls, can sometimes bypass your detection.

So this is why we did further research into the Linux kernel, and we actually placed hooks lower in the stack, at the LSM hooks level, and there, when we are doing execve, when you are executing a binary, there is going to be an LSM hook check that is going to take the absolute path, so we are actually hooking and getting the absolute path of the file that is being executed, and this is something a lot more robust when you want to do security analysis, when you know something is happening.

The same goes when you are opening a file. If it's a relative file or something like that, you can still use security_file_open, which is another LSM hook that we are using in order to detect the absolute path of the file on disk, and this is very helpful in the context of security.
F
Mike, you sent me something a long time ago, like one that I still haven't quite looked through. You have something like this for SSH audit logging too, right, where you can log certain commands that people run and you stick all of that somewhere that can be easily searched and queried? They were thinking maybe it could be similar.

E
Yeah, we're doing something similar. It sounds like Tracee actually has more sophistication around filtering and probably is a closer match to your needs. What we're doing in one of our SSH product features is just tracing all of the syscalls; we're using eBPF, so I'm actually learning a thing or two about the LSM hook stuff, which is interesting, and collecting that to just create sort of a trace of an entire SSH session.

I
Since the 80s, then, you know, like I think 1980 or so. I wouldn't say Go is necessarily easier, but that's okay! Sorry, I just thought I would represent for some of us who've been around a little bit longer.

B
So, coming back to the previous question, I would love to take a look, for example, at what you suggested, then. I think the SSH logging, like, a general question, like, if you see a place where you would like our help, to see if, like, we can help plug Tracee in and help you understand what to do there, like, we can help, and we would love to, because our goal is to, you know, make Tracee better by more people using it, getting more feedback, so any opportunity for others to use Tracee we'd love, and we would love to also help in, like, implementing it.
I
Critical projects is the... which is our charter, right? Is the idea here that, if you have a project that's perhaps considered pretty critical, but it doesn't have very good maintainership around it, which I think is probably one of our big, you know, challenges, right, is the whole idea that we, the community, somebody puts together some automation around Tracee, some rules, or around, you know, Falco or something else of this sort, that we could...

Then, you know, as these things get updated, we can kind of, you know, do a little bit of some rules tracing to see if the behavior has somehow changed. Is that kind of the approach we want to take with this? I'm sorry if this is a stupid question, but this is sort of just trying to relate this back to the charter.

D
Yeah, oh, it's okay. As I say, I'm not so sure that, right now, it's noting changes. It's just looking for suspicious behavior and focusing more on the malware side. We've got two different issues. One is the unintentional problems, and one is, you know, the package has gone bad; for whatever reason it now has malicious code in there. It could be a malicious developer, could be somebody's account's been taken over, but for some reason it's gone bad.

You raised an interesting point, that we could do a diff between old and new and notice real big changes. I don't think, Dan, that was something that you had mentioned, although I don't see any reason that we couldn't do that. I don't think it does it now.

I
You know, pimples, if you will, in our, you know, our beautiful open source face, and figure out which ones maybe need to get a little bit more attention. Maybe that was a bad analogy.
F
The real history, and how it's the charter and everything, is some folks from the Python Software Foundation, who run the PyPI infrastructure, came and presented way back on some of the stuff that they were trying to do here and ways we could help out. Oh.

J
From the work for Gradle, we use the Gradle Plugin Portal, which is, you know, Gradle's used to build like 99% of all Android apps, and, you know, we have no idea what's in the Plugin Portal. I mean, I think that's true with, like, a lot of artifact servers, right, like I'm guessing there's nobody auditing JCenter, Maven Central either, right, for Java packages anyway.

I think one of the concepts that's really interesting is that, like, you see articles getting published about vulnerabilities and things like this that are malicious in npm and in pip. I think one of the things that I've kind of correlated is, if they're scripting languages, you've heard about it.

But if they're compiled languages, it's actually way less common, just in general, to hear about it, at least in the major repositories like Maven Central and stuff like that. So yeah, and that's to say that it's probably happening; it's just not, you know, as easy to find that stuff in those compiled languages, where that's what's been packaged.

F
One exception there I was looking at when we were setting up the package feeds is crates.io for Rust. It's a compiled language, but they're very worried about this, because the installation process is from source rather than binaries, and they have all these custom build scripts that get run, and it's a pretty big and scary thing. So they're looking at ways to sandbox the build process and the build scripts that people get to execute, and all sorts of stuff there, but yeah, it can happen in a lot of places.
D
Yeah, you know, Dan, I realize you want to first get something working, but at some point we probably want to talk about how we can, you know, set up something on some cloud services or something, so that, you know... I would love to hear, oh yes, every time something goes into PyPI or RubyGems or npm or Cargo's repo, that, you know, poof, it's run through this, and, you know, ideally eventually there's feedback loops to the various repos.

I
You know, they have a lot of stuff in there, and it's very difficult to know what's in there and what might have been, you know, subverted, so something that would at least show, oh, there's a diff, and it's like, okay, well, who's going to look at the diff, right, because you may not know any better than that. But it's like, oh look, it opens a bunch more file descriptors that are like... I wonder what's going on, right? So something of that sort that at least gives you... now, of course, those things can be hidden, you know, avoided too, if people know what you're looking for, but at least it gives something, right, some sort of signal.

A
I just linked a doc, and I haven't looked at it, in the notes, just sort of some ideas and things that I had for the whole project, so feel free to, you know, take a look at that, and any comments, suggestions. I think it's a little outdated now because they have split up the projects like Dan said, but yeah, feel free to chime in there; link in the chat.
D
Yeah, there's actually a repo called... a website called modulecounts, which counts packages. It seems to be down right now, unfortunately, but it makes some cool graphs. It's misleading; if you look at it, you discover that there's more JavaScript packages than any other, but what that really tells you is the radically different ecosystem approaches. You know, JavaScript is full, but nearly half of all JavaScript packages have either zero or one function, so you'll have things like is-odd is its own package, which basically doesn't happen in any other ecosystem.

So, but it's certainly true that there's a whole lot of packages in these major...

A
One plug: Dan mentioned typosquatting. So that's something I want to see if we can get integrated within this malware detection thing too. If anyone knows of open source projects around typosquatting, or research that's happening, please reach out or let me know. I'm talking to a couple universities to see; they've done some research in this space, but I think it'd be cool if we could.
J
Yeah, I spoke to... so I was at the GitHub packaging summit, which was a closed summit that GitHub held for a bunch of packaging maintainers, and there is some... ping me on Slack and I'll put you in touch with somebody at GitHub that was working on, at Microsoft, that was working on something like this. Okay.

Yeah, they're talking to them as well. I think it's Martin Woodward, was at least, or William Bars, can at least put me in touch with the right people. Yeah, yeah, awesome.

D
Yeah, I don't have any new insights for Kim, for the... I mean, I know there's typosquatting research and I think you're already talking to folks that I know of, but I did find something related that might be of use.

I recently discovered that Postgres can do Levenshtein distances indexed, which is quite a trick, so I'll tell you the trick. Basically, what they do is they index Soundex and that, and that gets rid of most of it, which makes it much, much easier, and then they use that, and then they compute Levenshtein distances on the remainder, and that makes it suddenly super fast. For those who don't know, Levenshtein is a measure for how far apart two words are, or two phrases, and although it's not a perfect proxy for typosquatting, it's still pretty darn good. You know, the hyphen versus dash, the "a" versus the "e" kinds of stuff. So if you want, I can try to hunt that up, but that actually may be one of those things that turns it from a day job into a seconds job.
A
Sure, yeah, I think, from what I've been reading about it too, there's some more stuff, like deeper analysis, that we could look into doing, like looking at the actual package contents and then comparing it to what we think is, like, the known good package, and then, you know, getting some signal that way. But yeah, I mean, I'm open to all ideas; an interesting research area.

J
We also try... I mean, one of the things is that typosquatting is, I mean, it's just a real risk that we've been dealing with, but, like, I mean, that recent disclosure about the guy that made $130,000 off of just stepping on the same names as companies were using, organizations using, like, you know, those kinds of things, it's much harder to do in the Java ecosystem. But I am, you know, I work for Gradle.

I have some ideas of, like, how those kinds of things could play out in the Java ecosystem. Just like anything else, it's just harder to pull off; I mean, it might require a little more social engineering, but, like, those things do, you know, exist, and, you know, packaging maintainers want to make these, like, really light packages, and they want to have names that are really simple and easy. But, like, you know, the Java ecosystem tried to solve this really early on with, like, DNS, using DNS as, like, an ownership component around...

F
Yeah, one other thing I want to mention, that we were trying to get creative and think of other ways to do this, and one of the ideas we came up with, and we got stuck on, other people might have ideas, was to do, like, a Kaggle or ML competition here, which people do, like, we have all this data; can somebody train a model to detect or better filter this out? And we started to run into all these weird ethical things where, to do one of these competitions...
J
...to build a CTF around this, right, like some sort of, like, you know, or, you know, like an ad hoc bug bounty program where I'm like, hey, like, here's a build that's running. We run this on a cron job as part of a GitHub Action. There's a secret in an environment variable, a PyPI environment variable.

A
Yeah, I mean, doing that sort of bounty thing is exactly what we're trying to do within the OpenSSF in this working group, but it's just been a little bit tricky to get consensus on how we're going to handle funding requests and the process and everything. But in the meantime, I mean, like me on the Google side, we're really interested in this. So there's things we can do like that, that there's interest in, and I'm happy to take that on. Yeah, yeah, I'll ping you on Slack and get some names too.

D
To be fair, I don't think we have to start fancy. So many of the typosquats that I've seen, you know, the ridiculousness of them is that they're so trivial.

K
Yeah, sorry, I apologize everyone, I joined late and have not been tracking this particular OpenSSF working group, so I'm still going to commit the mild sin of speaking during my first meeting. Could someone just quickly... is one of the goals of this working group to identify basically critical packages, and this is, you know, one way to do that, is this discussion of how common are things? How linked are they?

I guess I'll just quickly ask, yeah. Thank you, dude. I guess I'm asking for the high level. The goal here seems to be, from what bits I've read and heard, how do we actually identify or measure the most critical things out there, and then they might warrant additional security investment, right? Is that...
J
A
One
project
criticality
score:
that's
in
the
open
soft
now
and
jenny.
I
see
her
on
the
call
from
harvard's
wish
group
that
they've
been
doing
a
lot
of
research
for
the
census
to
study.
So
absolutely,
yes
is
the
answer
to
your
question:
still
needs
work
and
see
how
we
can
how
we
can
better
the
approach
for
identifying
them.
K
Notes
got
it
reading
up
now.
Thank
you.
A
I
started
a
doctor,
I
don't
know
if
I
can
find
it
that,
like
we,
we've
started
a
conversation
of
just
about
the
like
security,
critical
projects,
meaning
you
know
projects
that
if
they
were,
you
know
if
they
were
attacked,
they
would
have
a
much
more
detrimental
effect
on
the
ecosystem
than
you
know,
others,
because
they
have
access
to
different
things.
So
I'll
see.
If
I
can
dig
that
up
and
add
it
to
the
notes
too,
it's
just
a
brainstorming
doc,
but
maybe
we
can
have.
A
Cool
well,
thank
you
so
much
for
the
presentation
on
tracy.
That
was
awesome,
and
I
I
hope
we
can
see
some
more
collaboration
and
see
if
we
can
integrate
these
things.
Does
anyone
have
the
last
any
last
minute
questions
or
about
other
times.
B
Thanks
just
a
quick
question
about
the
current
projects,
can
you
just
maybe
quickly
share
the
context
of
like
what's
the
plan
with
the
the
package
feeds
and
the
marvel
analysis?
Is
there
like
a?
Is
there
a?
Is
there
a
plan
or
what's
your
expectations
for
where
these
are
going?
You
mentioned
that
it
was
triggered
by
a
request
from
package
repository
maintainers.
B
A
Yes,
I
I
linked
the
doc
that
I
had
started
and
one
of
the
things
that
I
was
trying
to
do
and
add
to
that
doc
is
figure
out
how
we
could
integrate
with
package
managers
like
some
of
them.
It
just
seems
like
they
have
an
email
address
like
if
we
detect
something
suspicious.
Should
we
just
email
that
email
address
and
have
them
take
a
look
and
did
you
were
you
gonna.
F
Say
yeah
kim's
doc
has
probably
the
best
state
for
the
overall,
you
know
division,
which
is
still
very
valuable
yeah.
We
do
have
ongoing
relationships
with
the
package,
maintaining
repositories
and
stuff,
and
we
want
to
find
stuff
help
them
publish
it.
All.
The
above,
like
you,
said.
D
Yeah
so
I
think
clearly
contacting
the
package
managers.
I
think.
Ideally,
I
would
love
to
see
more
integration
with
the
package
management
tools.
You
know
so
that
when
you
pi,
you
know
when
you
try
to
do
pip
install
it's
on
the
way,
wait
a
minute
here,
that's
highly
suspicious.
Are
you
sure
you
want
to
do
that
and
another
project
which
is
which
is
actually
a
different
working
group?
D
Is
the
security
metrics
working
group
they're
trying
to
create
a
dashboard
and
yank
in
lots
of
data
from
different
sources,
and
so
data
from
the
malware
analysis
would
be
an
obvious
thing
to
suck
into
that
as
part
of
their
overall
display
about
you
know
I
want
to
know
about
a
project
and
it
tries
to
suck
in
different
data
sources
to
show
in
one
place,
and
that
would
be
another
good
thing
to
to
integrate
with,
and
I
think
that
wouldn't
be
hard.
D
Just
I
mean
if
you
provide
an
api
to
get
the
data
they
can
take
it
from
there.
H
Yeah,
I'm
relatively
new
to
this
project
as
well.
I
think
something
that
will
be
useful
about
package
feeds
is
that
if
it
gets
a
critical
mass
around
the
number
of
repos
it
has,
it
might
also
influence
back
to
the
repos
over
having
decent
apis
to
to
get
that
data
like,
for
example,
pipi.
I
understand
it's
just
an
rss
feed
and
you
can
miss
things
and
they
don't
want
to
be
polled
heavily.
So
maybe
there's
like
scope
there
to
have
a
more
standard
way
of
consuming
that
data.
A
Okay,
all
right,
I
just
found
the
link
to
that
for
the
doc
and
stuck
it
in
the
meeting
notes
if
you
have
access
to
the
critical
projects
cool
all
right
well,
thank
you.
Everyone
good,
seeing
everybody
and
hope
you
have
a
good
rest
of
your
day.