
Okay guys, thanks for making it out. This is Collaborative Pen Testing with Lair. About me: I'm Tom Steele, I'm from Seattle, Washington, currently a senior security consultant with FishNet Security, been there for about two years. There's my Twitter handle if you guys want to follow me, and I'll follow you back.

I'm Dan Kottmann, I'm also a FishNet Security security consultant, on the security assessments team there as well, together with Tom.

Okay, so the current problem. The problems that we're trying to identify or fix with the tool that we're releasing today are: when you're doing a penetration test you get tons of data, and it comes in from lots of different tools. Manually you're creating data yourself too, and there was no real easy way to manage that data. There are some existing tools out there that can do it, but if you're not using one of those you're basically just going to have tons of files open, tons of terminal windows with data, files all over the place and notes all over the place randomly, and just not too much organization.

Another problem that we identified was that when you were doing an actual penetration test with more than one person there would sometimes be a lot of duplication of work, because there wasn't any way to tell who had done what and who hadn't done what, besides maybe just communicating with each other. But when you're communicating over IM or IRC or something like that it's not always the best form of communication; it's very hard to track who's done what. Some things that some people use, like OneNote or something like that, just didn't work for us.

The other thing was just thoroughness of a penetration test. We wanted to create a tool that would really guarantee that we didn't miss anything: we didn't miss any hosts, we didn't miss any services, we didn't miss any applications, things like that. So we couldn't really find a tool that fit our needs, and so we set out to develop one ourselves. What we did is we asked for two months to develop a web application after we came up with some ideas, and we spent two months straight building this application, and the past four months improving it, letting our team work it out, find the bugs, fix the bugs, and iterate. So this is the tool that we came up with to help us solve all those problems.

So this is the architecture, and if you look on the right side of the screen, hopefully you can see it, you see at the top a Meteor web server. Like I said, at its heart it's a web application. The web application is built on top of something called Meteor.js, which is a JavaScript framework built on top of another framework called Node.js. So if you're familiar with Node and with Meteor you might have an understanding of what those are, but real quick, the benefits of Meteor; I'm just going to cover some of them.

First one being data on the wire. When you first load up a Meteor.js application it just ships you a whole bunch of HTML and JavaScript code and templates, so the initial loading happens, and then the rest of the time it's just JSON back and forth to the web server, so it's very quick, very snappy.

The next thing is, obviously, Node and Meteor being all one language: what this lets you do is it lets us write the client and the server code all in JavaScript, so we don't have to jump back and forth, and it's pretty convenient for some developers that way.

The next point I want to talk about here is that it has a concept of database everywhere. It has a MongoDB back end, and that database, when I say database everywhere, you can actually write your queries on the client, which is very cool; it's very convenient for developing a real-time application.

The next point that Meteor has going for it is full-stack reactivity, so everything that you do in Meteor when you're building an application is real time. It's meant so that if something changes in the database it's sent to the browser and immediately updates for you. So that's how you interact with the application and interact with the data once it's in there, and it does talk to a Mongo database. And so Dan's going to talk about how you actually get data from automated tools in there.

So we came up with this concept called drones; that's the name that we gave them. They're standalone Python scripts that actually interact with an API that we built, and these Python scripts basically take data from a number of different tools, and then they parse the data, aggregate it, normalize it, and then they put it into the centralized Mongo database that we have running on our master Meteor server. So we've only got these drones built currently because those are the primary tools that we use, but we built them in Python for a number of different reasons.

First of all, we thought that maybe the community was going to be a little bit more adoptive of Python versus JavaScript if we tried to build these directly in Node. JavaScript, if you haven't used it, is maybe a little bit more difficult; it's got a steep learning curve, I think, and it doesn't really go so well with the traditional object-oriented programming that Python lends itself to. And then we also separated the drones to just be standalone scripts so that it was loosely coupled with the actual Meteor app, so you didn't have to integrate tightly with Meteor in order to write a script. If you just wanted to write one for some tool that you have or some data set that you have in your organization, you can do that without having to know the entire Meteor framework. And we also did that just to try to get more community addition to the project; we want other people to come in and help develop. So that was the decision why we went with Python rather than Node.

Yeah, it's a lot easier to develop a Python script that can use an API we provide than to learn how to actually put up a full web application. Another good point of why the drones are separate is that if you develop a drone and you develop it in another language, or it's code that we don't want, or something like that, you don't have to worry about getting anyone's approval; you just release it yourself, put it on GitHub or on Bitbucket, and other people can use it; there's no problems there.

So the majority of this talk is actually going to be a demo, because that's kind of the meat of it.
So here's Lair. Here's the main screen, and I guess I'm going to create a demo project here.

So once you've created a project and loaded the project, you're brought to this dashboard, and the first screen you see is hosts. We don't have any hosts right now. You can add them manually; anything that we do with automated tools we can also do manually. We do a lot of manual testing and you want to manage that data. But you obviously don't want to go add every single host that you're testing; you want to use the tools that we use every day, one of those being nmap. So I'm going to show how to use drones to import data into the app.

So the first thing you need to do is grab a project ID. This is a unique identifier for the database, so the drones know where to insert. Okay, so the first file I'm going to import was just a standard vanilla scan of my network, and I had Metasploitable running just to get some data. So there's no version detection and no OS detection and no script scanning, anything like that; it's just very vanilla, standard ports, like that.

So can you guys see that? I can zoom this. There we go. So yeah, it just connects to the database, parses the XML, and inserts into the database, and what you end up getting is this list of IPs, and as you can see there's not much data there yet. The operating system is obviously marked as unknown because nmap didn't find anything. And so let's load up this one here. So this next view is just a single host view with a list of services, and what I want you guys to focus on is this telnet port. We can see that since we didn't do version detection with nmap, the product is unknown.

So the idea here is that on a pen test we like to do penetration testing starting off with very small targeted nmap scans, and when you do that you end up with tons of files and no real way to put them together, and if you do you're probably using like vim or something like that with the final product. Certainly there are some other applications that do this, but maybe ours will show some benefits that are not built into those. So my next step, just to show how it works, is to do a version detection of that telnet port, and so that's what the second file that I'm importing has; it just has a version detection on that single port, telnet. And so we're just looking at it, it gets in the database, and if you guys noticed, it immediately updated; there was no browser refresh. The way Meteor works is really cool: the messages actually get sent from the server to the client telling it that it needs to refresh its data with new data. So that's very cool.

The way the drones work now is it always has what I call one version of the truth, so it's always additive, it's never taking away. So if it sees that a port was open but then it didn't have the service or the product, it's going to update it when it can. The next thing that's really cool about the nmap drone in particular is it parses the nmap scripting engine output for you, which is great, just for checking for low-hanging fruit or anything else in particular. The only problem is that when you start running lots of script scans you get lots of files, and how do you parse those out? So this third one is actually the full nmap of the environment with operating system detection, version detection, and script scanning enabled.

So you can see that the product is again updated, and we also get a note showing us the script scan output. So these are notes, as we call them; this would be a service-level note. Each port would get these based on the script output, and so a lot of the drones are built to do this; in particular the Nessus drone will put individual vulnerability evidence in a service-level note for you. This is also the place you probably want to create notes for yourself as you're testing an application or testing an individual service; you want to make a note of maybe what you found or what you did, or the reason why you skipped it, everything like that. I'm going to go back here and I'm going to import a Nessus file now.
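The nmap drone behaviour described above (parse the XML, normalize it into hosts and services, keep "one version of the truth" where later scans only add or fill in and never remove, and turn script output into service-level notes) as an added example. This is not code from the talk or from the Lair project: it uses an in-memory dict as a stand-in for the project's Mongo host collection instead of the Lair API, and the sample nmap XML, the document layout and the function names are all assumptions constructed for the example.

```python
"""Added example: a minimal nmap 'drone' with additive merge semantics.
Not Lair's code; the collection layout and the sample scans are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: a vanilla scan (no -sV, no -O, no scripts).
SCAN_VANILLA = """<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed sample: a later targeted scan of port 23 only, with -sV -O -sC.
SCAN_VERSION = """<nmaprun scanner="nmap" args="nmap -sV -O -sC -p23 -oX - 192.0.2.10">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="Linux telnetd"/>
        <script id="telnet-encryption" output="Telnet server does not support encryption"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
</nmaprun>"""


def parse_nmap(xml_text):
    """Normalize nmap -oX output into a list of host dicts (only hosts that are up)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        osmatch = h.find("os/osmatch")  # first (best) OS guess, if -O was used
        services = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = p.find("service")
            services.append({
                "port": int(p.get("portid")),
                "protocol": p.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                # NSE script output becomes service-level notes
                "notes": [f"{s.get('id')}: {s.get('output', '').strip()}"
                          for s in p.findall("script")],
            })
        hosts.append({"ip": addr.get("addr"),
                      "os": osmatch.get("name", "") if osmatch is not None else "",
                      "services": services})
    return hosts


def merge_additive(store, hosts, tool="nmap"):
    """Fold parsed hosts into `store` (dict keyed by IP, a stand-in for the host
    collection). Additive only: ports already present are never removed, and an
    'unknown' OS or product is filled in when a later scan knows more."""
    for h in hosts:
        doc = store.setdefault(h["ip"], {"os": "unknown", "services": {}})
        if h["os"] and doc["os"] == "unknown":
            doc["os"] = h["os"]
        for s in h["services"]:
            cur = doc["services"].setdefault(
                (s["port"], s["protocol"]),
                {"service": "", "product": "unknown", "notes": []})
            if s["service"]:
                cur["service"] = s["service"]
            if s["product"]:
                cur["product"] = s["product"]
            for note in s["notes"]:
                if note not in cur["notes"]:
                    cur["notes"].append(note)
        doc["last_modified_by"] = tool  # who/what touched it last
    return store


def import_scans(xml_texts, tool="nmap"):
    """Run the drone over several scan files in order and return the store."""
    store = {}
    for xml_text in xml_texts:
        merge_additive(store, parse_nmap(xml_text), tool)
    return store


if __name__ == "__main__":
    for ip, doc in import_scans([SCAN_VANILLA, SCAN_VERSION]).items():
        print(ip, doc["os"], sorted(doc["services"]))
```

Importing the vanilla scan first gives port 23 with product "unknown"; importing the targeted version scan afterwards fills in the product, the OS and the script note, while port 22 (absent from the second scan) stays in the record, which is the "always additive, never taking away" behaviour the drones are described as having.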
Right now we have parsers written for Nessus, Nexpose, and nmap, and like I said, there's an API that we hope people will use to help us write more parsers; we just don't have the time to write these all day. But if you have a need for something you'd really like to see written, you can certainly send us a sample XML file and we'd probably be able to write it for you pretty quick. So I just imported the Nessus data, and you can see that it got updated with much more information. In particular, this host: now you can see all the vulnerabilities that are associated with this host, you can link to that vulnerability, you can go to this particular port and see all vulnerabilities that are just linked to this port. And like I said, you can see the way the Nessus parser works, and Nexpose in particular: they actually parse the evidence per vulnerability and save it as a service-level note.

Also, what's cool about this is that a lot of times, particularly for reporting reasons, you just want to have the best updated information on things like operating systems. We put weight on different tools, so we happen to think that the Nessus and Nexpose engines are better at detecting operating systems than nmap, certainly because they do a lot more things, like vulnerability detection and things like that. So you can control which operating system has the most weight and which one you're going to base your testing off of, and while you're testing you can be tracking this information manually in a centralized location easily by adding a new fingerprint, etc.

Okay, so that handles the data problem, right? I just need my data in a centralized location and I need it all to sync up. The next issue is collaborating, and that issue involves you.

We don't want to duplicate work and we also don't want to miss anything, so the way we came up with to fix that is a color-based system. It actually started funny, because before this tool existed I used to use an Excel spreadsheet: I would parse all my outputs together, put them into this big Excel spreadsheet, and then be using colors in Excel. I particularly like Excel, but I can't really share that over the network with my teammates and things like that, so it was like, what version of the file do you have, what version of the file do I have, you take the top half, I'll take the lower half, and it didn't really work too well. So we were like, let's just keep the same color-based system and use that.

So we have a color-based system for hosts, services, and vulnerabilities, and the colors are rather meaningless; they're not meant to mean anything. What they mean to us doesn't necessarily have to match your workflow. We find that this is the best workflow for us: gray is an undetermined state, no one's looked at it. Blue, to us, means that someone's currently looking at it, someone's currently working on that, don't touch it, move to something else. Green means that it didn't have any high-severity issues or critical issues that gave you private information, or just anything worth noting on the network. Orange, to us, means that there's something very interesting there but we just don't have the time right now, or we found something else that's more interesting but we'll come back later; it's just a mental note. And red means it's pwned, like that's a foothold in the network; it has something like SQL injection that's feeding back private data, stuff like that.

So where Meteor comes in is really cool: me and Dan are on a penetration test and we're both looking at this hosts view, and as soon as he clicks on a host to update the color... oh yeah, first we need to add him to the project, so that would help. So yeah, this is the collaborators tab. Basically you'll just see all the users, and these are the people that you can work on the project with. So I add him as a collaborator, and if I go back here, he clicks on a host, and he took a while to get there, but as soon as he clicks something it changes colors immediately for me. So that data is pushed from the server to the client; there's no polling involved, it's real time.

So yeah, the way you change these colors on most things is just by clicking and toggling it. And what's really interesting is, let's say you have everything green or most things green; if you had hundreds of hosts you obviously have a lot of them green and you only want to see what's maybe gray. You can actually just turn off green and filter them out, and you can do that anywhere; this works just about anywhere. Also all these searches are reactive as well, so if you just want to see Linux you just type Linux.

The next main tab that we have here is the services tab. This is what we found very useful, and we actually didn't have it until about a couple weeks ago, I think. We basically wanted some way to see what individual services are open, individual fingerprints, meaning that all these four columns must match. So this is a unique list of port, protocol, service, and product, and we wanted a way to query these and generate a unique list of hosts. That's convenient, right? Like, if you're on a pen test and there's a lot of Oracle stuff and you just want to go test all the Oracle services, you can just use the search function to maybe search for 1521 or search for Oracle. And this is case insensitive, so search "oracle". Also what you can do is you can simply just click it, which is very cool, and you just click search again for a blank search. So as you're going through here and you want to get a list of all the HTTP servers, well, clicking it probably wouldn't work, but what you can do is just type HTTP, and while these all have different fingerprints, these are actually individual hosts, right? So then you're on this list and you just want the HTTPS servers: simple, just clicking. And like I said, this is all reactive, so if Dan's still importing nmap scans and doing all kinds of crazy stuff while I'm looking at this, it will just automatically keep up for me and give me more data; I don't have to refresh or anything.

Can you copy that list? Oh yes, very good point. I used all of my possible CSS and HTML skills to make this a text area with no styling, so that you can easily just do Ctrl+A, Ctrl+C and get the list. That took me a while, like two hours.

So the next tab really is the vulnerabilities view, and this is just really standard, along the same lines. We have statuses here as well, so you can see what services you haven't checked out, and if you load up a particular vulnerability you can see the description, standard evidence, solution, you can see the hosts that are affected by that vulnerability, and you can add hosts manually; that's what we do a lot. When you've found a host, you know, this isn't just for automated tools, this is for manual testing, so the idea is that as you're finding vulnerabilities, your manual vulnerabilities, you're sharing them and creating all the data here so your other testers can see that data too. And of course it has CVEs and vulnerability-level notes.

Project-level notes: this is really good for keeping things like attack scenarios that you've completed, or maybe rules of engagement, or just certain things that you want to share at the project level; very basic.

The next thing that I'll show is the credentials tracking. So let's go create some. Let's assume that maybe we got on this box and we guessed some SSH credentials, so let's add some manual ones, and they're running Kali and it's like root/toor. So when you're on a pen test you can sometimes gather an insane amount of creds and hashes, and how do you share that data efficiently and make sure you're keeping them all in one place? It's kind of difficult. So it's very convenient: when you add them to the service they're just here for you. Just a convenience thing.

You already looked at the contributors view. The files view: Dan did it, it was pretty interesting. I actually wrote my own version of Dropbox, which I think is very cool, you can go use it, but it didn't meet my standards for this app, so we are investigating another piece. Meteor doesn't have any sort of file uploading by default, but there has been something made recently for it, so we're going to import that; I just didn't have the time to do that this week. So that's a very recent addition.

And this is very simple: this is just the command log. So after importing things from automated sources this will just show you what command was run, or what you viewed, and what's been found and what's been added; it's just very simple to see here.

As well, Dan, can you... I can barely see that. Yeah, so it also is Facebook compliant: it has chat. So the idea that we thought is, if we're doing a perimeter engagement and we're at home sitting there, we're probably not going to use this chat, we're probably going to use something else. But if we're both on an internal network and we're behind a strict firewall and we don't feel like breaking out, we just feel like sitting there and being restricted and not, like, stealing creds and authenticating to their proxy, that type of thing, we can just use the chat. So okay, yeah, Dan sent me a message and is telling me what to do. So that's very cool.

The next thing that I want to show you guys is: I mentioned that Meteor is database everywhere, and I really meant that, and they really mean it too. You can actually do the equivalent of, if you're not familiar with NoSQL, the equivalent would be select, insert, update, and delete; they actually call them find, update, insert, and remove. In NoSQL they're the same thing, but since the database is in the client as well, you can actually run database queries and do whatever you want in the client. Now, security best practices will tell you that you should turn that off, and I completely agree: if you're developing a Meteor application, do not have these insecure settings turned on. That's more of a development thing. But what we can do is we can take advantage of that to do crazy things in the browser.

So there's a setting here, and first we can allow client-side updates, and what this does is it lets the client browser do whatever they want to the database. There is an admin setting; I'm an admin, so only I can allow this. So if you didn't want to let everyone do this, of course... So I'm going to allow this, and you get this security notification: well, you know, it's probably not a good idea, and you should only do this if you know what you're doing. So we allow it, and then I need Dan to send me over his script.

So what this lets you do is it lets you do anything you want in the browser console, so if you're in Chrome or Firefox you can open up the browser console and run database queries in there. A common thing that we do is we write little scripts to help us out and share them amongst the team, and one of the ones that Dan wrote recently was: if you're testing thousands of hosts and hundreds of these hosts don't have any services available, there's nothing to test, so what we wanted to do was go through and turn all those to green. So Dan wrote a nice little script to do that, and here's the content of it. Basically what this does is it's doing the equivalent of a select statement on the hosts table, collection if you will, and it's pulling back all the hosts, and then it's looking to see if any of those hosts have ports open, and then it's going to turn all those green. It's kind of verbose, but the idea is that anyone in the community could write these scripts and share them and store them in their browser, and things like that.

So what we can do is we can drop to the developer console, lower this so you can actually see it happening. We know for a fact that .6 and .46 don't have any ports open, so if we run this, sure enough, they turn green. That's pretty neat, right? And that's not any of us, that's just Meteor being awesome; we can't take any of the kudos for that, but it's very cool. So you can see how it could become quite powerful if you had different transforms. A lot of times the tools will report very different versions of, like, Windows Server 2008, and for reporting reasons you just want to turn those all into Windows Server 2008; you don't care about R2 or something like that. It's very convenient to just turn them all into Windows Server.
um okay so next um these graphs actually look better when they're not on a uh projector because they're reading they're reading a basic off how large the screen size is and it's not accurate for the projector so grafts don't look kind of silly but I think they're cool they bounce and everything so that's NE bouncing is always good um so um yeah the next thing that that you might want to take advantage of if if you're doing a lot of penetration tests and writing lots of reports is um it has an export function um so this will take the um the mongod DB collection or dat Collections and sync them all up into one Json uh
Json object and it we'll ship it over to an HTP or htps listener I'll use htps but I'm not going to force you um and it can US password so we we have some proprietary tools that let us take this data and import it into our proprietary tools so that we can later report on it and things like that so it's just a continuous thing for
you okay so the next steps that we have for the project are basically um we need we know we need to write more parur we need to write Mar l code that can Parts all the tools um some if you're interested in in contributing and you can code that's great you know hit us up and we have a lot of interesting ideas I know one in particular that I've been dying for is kind of like a um Pub sub type Sinker for metas split so that could sync the [ __ ] database with the postc database that way when you're using something like going split Pro or just going split you from the console um
you can import data into that and then import data into layer and they both sync up um it's a very complex issue that I've kind of spent night thinking my high I would do it so if you're smarter than me you prob really good that'd be awesome for you to come contribute to um I think and um any other particular parts that you think would be interesting requesting I think yeah I think big one we don't use quace hasn't been a pain point for us but probably be a good one as well um another thing in particular is we're not we're not just because the API is written in Python we're not we're not like we're not we
don't care if you write in another language um you know if you go write a ruby if you'll probably just share probably you know you sub request and have a ruby API or something like that um so um the other thing too is we know we need more documentation basically um you know we were coding this up until I I'm going to say that we were coding this up until we got here but that's not particularly true I mean we had the we had this application built three months ago um I'm just very particular and decided that I was going to recode the entire front end in 3 days um it looks a lot better so um so um so we have we
we've been lacking on documentation so if you'd like to get together with us and contribute that way that's awesome way to get into it too um and then we need to uh basically put it with you out there so that you can um you know learn how to learn how to use the python API learn how to learn the document schema things like that and we will be doing that um yes sir so when you guys elaborate on this words post you have this on like an internal Network you guys yeah so efficient um we have it in our lab on a server that's locked down but kind behind a network um that's you know behind a VPN like that um so this
isn't this isn't not we will not intend this to be a hosted solution for you um this is not uh this is not something you pay for it's open source um so this so the kind of the way you get it uh we have there there's two ways you can do it efficient we deploy it with M straight up mongodb running SSL on the standard boards and then we have an engine X reverse proxy speaking to the node application on GP um that's not for everyone because that takes quite a bit of configuration so what we've done for you is we' put a lot of work into making pre-compiled packages that literally just start with
um it's I'm not going to show it's literally just start. s and your IP and it will walk you through creating certificates creating database users and going um the other cool thing I think particularly about node um and some people can serve you with this but I think node is very cool because it gives you a web server kind of out of the box um we we we kind of thought about doing in shanger we thought about doing it in rails and the thing that we didn't like is that we want people to be able to get up and running with this quickly and being have have a performance application quickly and when you deliver
a project that's rails or Jango or something else there's a lot of configuration that goes into making sure the server Works um and we found that a lot of people would just use like the built-in web R server for rails thing which is like single threaded and perform well so we kind of like okay let's look for a platform that's easy e a deploy so yes it has pre-compiled packages that you can just run on your own Stu on own box um but we do intend on putting documentation in place that will walk you through installing from Source I guess you could say um so the next thing is that it's on git uh the source code is on get the
pre-compiled packages are about 100 megabytes each and we have three of them we don't have really good internet here so we haven't been able to push them but they will be up um if you want to follow me on Twitter that probably the best way to get updates about it um or you can follow security and they'll probably tweet about it as well um I'm also on free node under Hydro wat so if you're on free node and you want to message me and have questions or you want to work if you want to keep start working on it just go ahead and uh give me a message um and Dan is Dan is at djen at on
Twitter as well so um are there any questions on the search can you search random
texts kind ofu specifically like you have sometimes you use like scripts you have some types of text that you want to find out that's in particular service oh so like maybe like a global search to se repeat the question oh yeah so um the question was if you can use some sort of Rex cap ability to maybe look for um certain things globally in all the services um currently we don't have that but that's a very good idea and we um we should probably add that I think like a search tab that takes a redx just shows like everything that it found that'd be pretty cool so I do that long AG ago probably not easy but
hopefully we we've talked about doing like a query Builder basically where you could um basically have every single key value that's in the database you able to search on that and uh yeah I think that's a very good idea so thanks a lot for yes so when you click to change the color status do you keep track of who it is that that that one um it it keeps track of if you notice it had a last modified buy so the last person to click it it will be tracked so as soon as you click something it says last Modified by which is why it works because I can see if you know if I mean if it was two
people, yeah, you might not need that, but when you start working with ten people, five people, you quickly need to track who's doing what and who's working on what. And it's not just person-specific; it'll also track which tool imported it as well. So if Nessus comes along and updates something, it'll say Nessus updated that. Any other questions? [Audience] Yes, the table that it creates when it has credentials, it has the IP address on it, is that... as well? [Speaker] Yeah, let me just... Can you sort it? Let me repeat the question. Yes, so he was asking if the credentials tab was copy-pasteable for the
IP address and if you could sort it. Currently it's not sorted, I think it's sorted by username, but you can click on this and you could just copy-paste it like that. [Audience] Could you click on password and... because if you have like a thousand creds and you find a password used on like 500 hosts, you want to have all of them, that would be very convenient. [Speaker] So yes, we will build that in. And just so you know, if you wanted to do that, you can always drop into the console and basically do something along the lines of like this. I hope this works live. I don't think... cool... myself.
Okay, I don't want to do this live, but yes, learn Mongo; he'd be a bit better than me at it. But yeah, basically you can write... if you do something like that, it's all in the database. So, you know, if you learn MongoDB syntax, obviously better than I do (it takes me one or two times to figure this stuff out), then yeah, you would be able to do it that way. And there's a question in the back? Is there a question? Yes, sir. [Audience] How about starting drones and things like that from the web itself? Is this all... can you start off like a job based on an IP list or something like that?
[Speaker] So the question was if we can start the drone from the web interface, based on maybe a list of IPs. The short answer is no. The long answer is, you know, why we did it that way: we found that most of the time we were running tools from the command line anyway, so it was just convenient to have the drones in the command line and import the files after that. We found that it was kind of an extra step to run a tool to generate a file, and then take that file and then drop it into the server, and then watch the server spin, and then watch the server parse it, and
then wonder if it parsed it, which can happen with some of the tools. So that's kind of why we built it that way. I could see a benefit in maybe... I think there's other tools better suited for that functionality. I think one that comes to mind is as Pro, with running tools from the browser and tracking that output. I think that's just the tool set for that, but that's something you want, and we'll be talking about it more for sure. [Audience] Yes, sir, how do you handle virtual hosts and keeping track of... [Speaker] Yes, so what tools are you using to handle virtual hosts now, to find those?
[Audience] Just some internal... [Speaker] I was going to guess Nikto; you have an aen hat on. That's... So the question was how are you managing virtual hosts, which is very good, because it's something a lot of pentesters overlook. So we've developed a lot of tools to do that, and one in particular is blacksheepwall, so slight pimping out of my tool, go check it out. But yeah, you would actually probably want to build a drone for it, and we're thinking about building a drone for a lot of these tools as well. Tell me when I'm on the X...
Okay, so how that works is, how we would handle that is... let's click on this one here. This is an internal network, so the hostnames aren't going to be particularly good. If you actually go to the hostnames tab, it will parse through and look for all the HTTP and HTTPS ports and do kind of a best guess. So you can add as many hostnames as you want here; you can add them manually or have tools like Nikto add them, or dark has a script that does it as well. So if you're doing things like dictionary attacks or dictionary guessing on hostnames, you could probably build a drone to add
them there, or add them manually, and then it will go through and create convenient links to the ports, so you can quickly get to them. Currently we don't have any way of tracking which ones you've looked at. If it were me, I'd probably choose a service-level note and keep track of it there. But if it's something that you're noticing, that you guys always have hundreds of them, like we do some tests and just find hundreds of hosts, I could see it being its own status, each hostname having its own status and you checking that app out.
I can see that happening. The other thing I want to do is, I actually wrote another tool which will go to a list of URLs and grab a screenshot. I want to somehow put in here a base64-encoded PNG of this, you know, a wrapper around PhantomJS, but it'd be cool to have a screenshot of the image in here as well. So that's something we're kind of thinking about, how we're going to do it. Surprisingly, it takes a lot of brain power and thinking to make a web app and make everything organized, and I've just put CRA... yeah. Well, for sometimes... but a question? Yeah.
[Audience] So first of all, my question is kind of, what did you do to secure this? You don't want to put all your stuff in there and get owned. [Speaker] So the question was what do we do to secure it. So the database itself is running with authentication and SSL, so the credentials aren't in the clear to the database, and they do require... obviously, the application will not let you use HTTP. And the application is also password protected, and it uses something called SRP. I'm not going to go into what SRP is; there could be a talk all by itself. Meteor uses SRP, which doesn't
really benefit us, because we're transferring the credentials over HTTPS anyway, so we don't really care if we encrypt them beforehand. But yeah, so it's basically just web UI authentication. I mean, there's password requirements: you can't put a password under nine characters. So yeah, and then for someone accessing data in a project, you can only access data that you're the owner or contributor of. Now obviously that gets interesting with the drones, because you have to give a database password out, which is read/write on the whole database. Our idea is that this is for teams: trust the people you're working with. I know that
sounds weird, but you've got to trust people. You know, we're hackers; if I want to get in that database, I probably have root on the server that it's deployed on. But the point is, if you had some people that you wanted to share data with, what you could do is just have them send you the files and you use the drones to import them. That's what I would do. On that note, we are looking at investigating maybe the drones speaking to a REST interface. Recently there's a REST interface that's kind of easy to implement, at least for Meteor, so we can implement that and the drones
could actually just speak over the REST interface after being authenticated to the app, so we're not relying on database authentication anymore; we're relying on application-based authentication. But yeah, it's MongoDB, so the security rests on that, and then it's Meteor, so if there's any problems in Meteor, they're actually very, very responsive and very quick to handle security issues; it's security.com. So if you find any issues in the app, they're probably in the underlying framework, and that would be very cool; that could be a talk in and of itself. So I encourage you to go break me.
Here: users with password, you can extract, add... I had that right, didn't I? Oh, you're right, I didn't, I'm such a... And so this is almost exactly like what you would type directly in Mongo, like if you're at a command line; it's slightly modified for Meteor. Yeah, so you just WR Cy about that, and so that just gives you the count. And MongoDB is created by 10gen, and 10gen has free courses, so if you want to be using this a lot and be kind of like a master user, taking a MongoDB course is probably a very cool idea. So I would encourage you to do that. Any other
questions we can ask or answer? All set? Okay guys, well, thanks for coming to the talk. Like I said, it's on GitHub, so if you want to go play around with it and have any questions, just give me a message on IRC or Twitter, anything like that. So thanks a lot guys. [Applause]
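The audience asked twice for a way to pull every host a given password was found on, and the speaker's answer was to drop into the Mongo console. The block below is an added example written for this page, not code from the talk or from the Lair project; the collection name `credentials` and the field names `host`, `service`, `username` and `password` are assumptions about the schema, not Lair's actual one, and the sample documents are constructed. It builds the aggregation pipeline you would paste into the mongo shell and mirrors the same grouping in plain JavaScript so the result can be checked offline.

```javascript
// Added example: password-reuse report over a pentest credential store.
// Not from the Lair talk or code base. Collection name "credentials" and the
// fields host/service/username/password are ASSUMED, not Lair's real schema.

// Constructed sample documents standing in for db.credentials.find() output.
const SAMPLE_CREDS = [
  { host: '10.0.0.5',  service: 'ssh',   username: 'root',   password: 'Winter2013!' },
  { host: '10.0.0.9',  service: 'ssh',   username: 'root',   password: 'Winter2013!' },
  { host: '10.0.0.12', service: 'rdp',   username: 'admin',  password: 'Winter2013!' },
  { host: '10.0.0.9',  service: 'ftp',   username: 'ftp',    password: 'ftp' },
  { host: '10.0.0.5',  service: 'mysql', username: 'root',   password: 'Winter2013!' }, // same host, 2nd service
  { host: '10.0.0.30', service: 'http',  username: 'tomcat', password: 's3cret' },
];

// Aggregation pipeline for the mongo shell or a Meteor server console:
//   db.credentials.aggregate(passwordReusePipeline())
// Groups by password, collects the distinct hosts and usernames, and keeps
// only passwords seen on at least minHosts distinct hosts ($size needs MongoDB 2.6+).
function passwordReusePipeline(minHosts = 2) {
  return [
    { $group: {
        _id: '$password',
        hosts: { $addToSet: '$host' },
        usernames: { $addToSet: '$username' },
        count: { $sum: 1 },
    } },
    { $project: { hosts: 1, usernames: 1, count: 1, hostCount: { $size: '$hosts' } } },
    { $match: { hostCount: { $gte: minHosts } } },
    { $sort: { hostCount: -1 } },
  ];
}

// Same logic in plain JS over already-fetched documents, so the report can be
// produced from an exported dump without a running database.
function findPasswordReuse(docs, minHosts = 2) {
  const byPassword = new Map();
  for (const d of docs) {
    if (!byPassword.has(d.password)) {
      byPassword.set(d.password, { hosts: new Set(), usernames: new Set(), count: 0 });
    }
    const g = byPassword.get(d.password);
    g.hosts.add(d.host);          // distinct hosts, like $addToSet
    g.usernames.add(d.username);
    g.count += 1;                 // raw credential rows, like $sum: 1
  }
  return [...byPassword.entries()]
    .map(([password, g]) => ({
      password,
      hosts: [...g.hosts].sort(),
      usernames: [...g.usernames].sort(),
      count: g.count,
    }))
    .filter((r) => r.hosts.length >= minHosts)
    .sort((a, b) => b.hosts.length - a.hosts.length);
}

// One host per line: the copy-pasteable IP list the audience asked for.
function hostList(rows, password) {
  const row = rows.find((r) => r.password === password);
  return row ? row.hosts.join('\n') : '';
}

// Stand-alone run: print the pipeline and the reuse report for the sample data.
console.log(JSON.stringify(passwordReusePipeline(), null, 2));
for (const row of findPasswordReuse(SAMPLE_CREDS)) {
  console.log(`${row.password}: ${row.hosts.length} hosts, ${row.count} creds`);
  console.log(hostList(findPasswordReuse(SAMPLE_CREDS), row.password));
}
```

The grouping key is the password alone, so a shared local-admin password reused under different usernames still surfaces as one row; `count` stays the raw number of credential records while `hosts` is deduplicated, which is why `10.0.0.5` appears once even though it contributed two records.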