deft/tracker.org
Yann Esposito (Yogsototh) e8c374babb
tracker.org
2021-10-21 15:34:10 +02:00


2021

2021-W33

| Timestamp | Tags | Headline | Time |
|---|---|---|---|
| | | Total time | 4:40 |
| <2021-08-16 Mon> | | 2021-W33 | 4:40 |
| | | 2021-08-16 Monday | 1:52 |
| [2021-08-16 Mon 15:11] | work | Fix Carlos Hidalgo account | 0:20 |
| <2021-08-16 Mon> | work | create an issue about email… | 1:32 |
| | | 2021-08-17 Tuesday | 2:48 |
| <2021-08-18 Wed> | work | Add scope to TG clients | 0:38 |
| <2021-08-17 Tue> | work | Write an issue about 1-click… | 2:03 |
| [2021-08-17 Tue 15:44] | work, chat | Jyoti about CDO 1-click module setup | 0:07 |

Clock summary at [2021-08-19 Thu 11:04]

| Timestamp | Tags | Headline | Time |
|---|---|---|---|
| | | Total time | 1:52 |
| | | 2021-W33 | 1:52 |
| | | 2021-08-16 Monday | 1:52 |
| [2021-08-16 Mon 15:11] | work | Fix Carlos Hidalgo account | 0:20 |
| <2021-08-16 Mon> | work | create an issue about email… | 1:32 |

Clock summary at [2021-08-17 Tue 15:45]

2021-08-16 Monday

DONE Fix Carlos Hidalgo account   work

CLOCK: [2021-08-16 Mon 15:11][2021-08-16 Mon 15:31] => 0:20

[2021-08-16 Mon 15:11]

ref
create an issue about email search case sensitivity
DONE create an issue about email search case sensitivity   work

SCHEDULED: <2021-08-16 Mon>

CLOCK: [2021-08-17 Tue 14:16][2021-08-17 Tue 15:44] => 1:28
CLOCK: [2021-08-16 Mon 15:03][2021-08-16 Mon 15:07] => 0:04

[2021-08-16 Mon 15:03]

ref
https://github.com/threatgrid/response/issues/818
Fix email case sensitivity

> Related https://github.com/threatgrid/response/issues/818

We often need to search by email. The main issue is that our search mechanism does not currently support case-insensitive matches.

We have 4 possible solutions:

  1. Lower-case the user email at creation. We also need to update the user emails in our DB; the safest route to achieve this is via the iroh-migration service.
  2. Keep the email case-sensitive and add a new case-insensitive field, lc-user-email for example. As for option 1, we need to perform a DB migration to add this new field to all existing users in the DB.
  3. Add support for case-insensitive search in tk-store, perhaps with a new tk-store service, or by improving the current CRUDStoreService.
  4. Add a specific service just for searching user emails that handles this specific case with a Postgres-specific query. This could also be the occasion to provide a tk-store hole in the abstraction service.

The simplest is probably option 1. Option 2 would be slightly more complex, but we would not lose any detail. Option 3 seems the most generic one, and we could well imagine appreciating case-insensitive search support elsewhere. Option 4 looks like a specific case of 3.

My preference then goes to option 3, but we need to understand whether this is too difficult to achieve: what would the API be? The most natural one would probably add an option alongside filter-map, like case-insensitive-fields. One issue would be writing the support for case-insensitive match for atom and redis.
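Options 2 and 3 from the list above, as an added example that is not tk-store or IROH code: an in-memory store stands in for the atom backend, a derived lc-user-email field is written on create and backfilled by a migration step (option 2), and a search function takes a filter-map plus a case-insensitive-fields option (option 3). The class and field names are hypothetical and the user rows are constructed.

```python
"""Added example, not tk-store/IROH code: options 2 and 3 for
case-insensitive email search on an in-memory (atom-like) store.
All names (AtomStore, lc-user-email handling, case_insensitive_fields)
are hypothetical."""
from typing import Iterable


def normalize(value: str) -> str:
    # One normalisation function shared by writes and queries; casefold()
    # covers what lower() does plus a few non-ASCII cases.
    return value.casefold()


def add_lc_field(user: dict) -> dict:
    """Option 2: keep user-email as entered, add a derived lc-user-email."""
    return {**user, "lc-user-email": normalize(user["user-email"])}


class AtomStore:
    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def create(self, user: dict) -> dict:
        row = add_lc_field(user)
        self._rows[row["id"]] = row
        return row

    def load_legacy(self, rows: Iterable[dict]) -> None:
        """Rows written before lc-user-email existed (no derived field)."""
        for row in rows:
            self._rows[row["id"]] = dict(row)

    def migrate(self) -> int:
        """The DB migration option 2 needs: backfill lc-user-email on
        every row that lacks it. Returns the number of rows updated."""
        updated = 0
        for key, row in list(self._rows.items()):
            if "lc-user-email" not in row:
                self._rows[key] = add_lc_field(row)
                updated += 1
        return updated

    def search(self, filter_map: dict,
               case_insensitive_fields: Iterable[str] = ()) -> list[dict]:
        """Option 3: filter-map with a case-insensitive-fields option.
        Fields named there compare normalised; all others compare exactly."""
        ci = set(case_insensitive_fields)

        def matches(row: dict) -> bool:
            for field, wanted in filter_map.items():
                if field not in row:
                    return False
                if field in ci:
                    if normalize(str(row[field])) != normalize(str(wanted)):
                        return False
                elif row[field] != wanted:
                    return False
            return True

        return [row for row in self._rows.values() if matches(row)]


def demo() -> dict[str, int]:
    """Constructed data; returns result counts for each lookup style."""
    store = AtomStore()
    store.create({"id": "u1", "user-email": "Carlos.Hidalgo@Example.COM"})
    # Constructed legacy row: written before the derived field existed.
    store.load_legacy([{"id": "u2", "user-email": "Jyoti@Example.com"}])
    before = len(store.search({"lc-user-email": "jyoti@example.com"}))
    migrated = store.migrate()
    return {
        "exact": len(store.search({"user-email": "carlos.hidalgo@example.com"})),
        "option3": len(store.search({"user-email": "carlos.hidalgo@example.com"},
                                    case_insensitive_fields=["user-email"])),
        "option2-before-migration": before,
        "migrated-rows": migrated,
        "option2-after-migration": len(store.search({"lc-user-email": "jyoti@example.com"})),
    }


if __name__ == "__main__":
    print(demo())
```

The point the counts make: with option 2 a row is only findable once the migration has run over it, while option 3 needs no data change but the normalisation has to be implemented in every backend (the atom and redis concern above).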

TODO Interview Steven Collins

CLOCK: [2021-08-16 Mon 15:49][2021-08-16 Mon 19:04] => 3:15

2021-08-17 Tuesday

DONE Add scope to TG clients   work

DEADLINE: <2021-08-18 Wed>

CLOCK: [2021-08-17 Tue 17:54][2021-08-17 Tue 18:32] => 0:38

[2021-08-17 Tue 17:54]

In tenzin config:

- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
- EU: a1662193-9155-44fd-aa1f-43afd42c889c
DONE Write an issue about 1-click module setup   work

SCHEDULED: <2021-08-17 Tue>

CLOCK: [2021-08-17 Tue 15:51][2021-08-17 Tue 17:54] => 2:03

[2021-08-17 Tue 15:51]

ref
Activation Optimization
CHAT Jyoti about CDO 1-click module setup   work chat

CLOCK: [2021-08-17 Tue 15:44][2021-08-17 Tue 15:51] => 0:07

[2021-08-17 Tue 15:44]

ref
Epics

2021-08-19 Thursday

| Timestamp | Tags | Headline | Time |
|---|---|---|---|
| | | Total time | 1:39 |
| | | 2021-08-19 Thursday | 1:39 |
| [2021-08-19 Thu 16:04] | work, meeting | Interview Olivier Barbeau | 1:39 |

Clock summary at [2021-08-19 Thu 17:43]
MEETING Interview Olivier Barbeau   work meeting

CLOCK: [2021-08-19 Thu 16:04][2021-08-19 Thu 17:43] => 1:39

[2021-08-19 Thu 16:04]

ref
Self Presentation

2021-W35

2021-09-02 Thursday

MEETING Weekly meeting   work meeting

CLOCK: [2021-09-02 Thu 17:06][2021-09-02 Thu 20:00] => 2:54

[2021-09-02 Thu 17:06]

Guillaume started with the Design Planning GitHub project.

  • SecureX session
  • High Impact Incident

Sorry

2021-W36

2021-09-08 Wednesday

MEETING 1-click module setup weekly meeting   work meeting

CLOCK: [2021-09-08 Wed 17:30][2021-09-08 Wed 18:22] => 0:52

[2021-09-08 Wed 17:30]

ref
https://miro.com/app/board/o9J_l57_gro=/

Miro dashboard from Chloe:

https://miro.com/app/board/o9J_l57_gro=/

Discussion:

When to TEST, tomorrow. Asking for client_id in TEST.

Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06

2021-09-09 Thursday

MEETING Interview: Florin Braghis   work meeting

CLOCK: [2021-09-09 Thu 15:49][2021-09-09 Thu 18:45] => 2:56

[2021-09-09 Thu 15:49]

2021-W37

2021-09-14 Tuesday

IN-PROGRESS Device Grant   work

CLOCK: [2021-09-14 Tue 19:31][2021-09-14 Tue 20:35] => 1:04

[2021-09-14 Tue 19:31]

ref

2021-09-16 Thursday

MEETING Team weekly   work meeting

CLOCK: [2021-09-16 Thu 17:25][2021-09-17 Fri 14:32] => 21:07

[2021-09-16 Thu 17:25]

Ambrose, Irina, Guillaume, Matt, Yann

TO MENTION: Device Grant with FMC => Public clients

Incident discussion

2021-09-17 Friday

MEETING Presenting the projects   work meeting

[2021-09-17 Fri 14:32]

ref
https://github.com/advthreat/iroh/projects


Pres
General
Project Organization

Every project has an owner (main point of contact for the FT). For now only leads, but it could be anyone in the future.

[Design] Shared IROH Auth Session

The goal of this project, which is not an official FT, is to reflect and write proposals to reach the feeling of a shared session across all Cisco Security products via SecureX.

  • solution using cookies
  • solution using Open ID Connect


[Design] High Impact Incident

Guillaume Ereteo did awesome work providing multiple proposals so the feature can be delivered as fast as possible.

  1. filter on source (only AMP)
  2. Add severity on incident model
  3. Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710

    • needs the proxy from Ambrose
    • need sync with engine team too
SecureX Suite Session Improvement

Delivered yesterday in v1.81: limit the number of interstitial pages between SecureX and CTR/SSE.

  • For Orbital, the Launch button is missing; the back-end work is done as we do not need any SXSO app link.
[HOLD] Cisco Secure Client Integration

Still no work to be done by the IROH Services team

Hiring

Since the last meeting, two new hires will join us in the next few weeks: Kiril and Olivier.

Kiril lives in Germany and Olivier in France.

1-Click Module Setup

Integration in progress by CDO and SWC.

Irina worked to provide the vault metadata API for SWC.

AMP is in the QA test phase.

ModuleType updates

Just saw the rename of "Threat Grid" into "Secure Malware Analytics"

[HOLD] CTIA Hydrant support
CTIA Incident Manager Improvement
Bug Squashing
  • Fix a bug where a user could log in to an org that rejects non-admin user login
  • Fix a refresh-token bug that would grant too many scopes to an access token
  • Login page URL parsing potential discrepancy fixed
[HOLD] ES 7 Migration
Device Insights Integration
  • Wanderson: Webhooks work, trigger a notification for every module-instance configuration change.
AppLinks API
SSE API Extension & OAuth2 Device Grant
  • FMC ⇒ public clients for Device Grants
Incident Assignment Notifications

Ambrose worked to make IROH a proxy to private intel for incident assignments notifications. Should be delivered in v1.82

2021-W39

2021-09-29 Wednesday

MEETING Interview   work meeting

2021-10-01 Friday

MEETING App Links   work meeting

CLOCK: [2021-10-01 Fri 17:26][2021-10-01 Fri 19:07] => 1:41

[2021-10-01 Fri 17:26]

ref
Secure Client
MEETING Secure Client   work meeting

CLOCK: [2021-10-01 Fri 15:55][2021-10-01 Fri 17:26] => 1:31

[2021-10-01 Fri 15:55]

Meeting link: https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e

2021-W40

2021-10-05 Tuesday

MEETING DI weekly   work meeting

[2021-10-05 Tue 15:30]

From Yuri

Hi, things I'd like to discuss on our sync meeting today:

  1. The integration modules screen:
     a. When will all the modules be updated with the relevant text?
     b. When will all the modules be deployed to production?
     c. Same goes for the DI module? Need help in updating its text and taking it to production as well
     d. The filter by capability for device insights currently shows an empty result in production
  2. Integration code
     a. Is there still some integration code that is pending?
        i. What is the status of https://github.com/advthreat/iroh/issues/5680?
        ii. Any other open issues?
  3. Any blockers that you see for deploying to production?
     a. Assets API QA?

1.a. doc team 1.b

2.a

IN-PROGRESS Training Interviewing   work

CLOCK: [2021-10-05 Tue 14:44][2021-10-05 Tue 15:30] => 0:46

[2021-10-05 Tue 14:44]

Past performance predicts the future.

Behavioral questions

  • Tell me about a time when…
  • Where and how have you used … to achieve …
  • Walk me through the system/process/etc…

Behavioral questions are better.

More specific to their experience, not generic.

  • concise
  • clear
  • relevant
  • practiced
  • tailored to the job
Real Purpose of interviewing

Predict whether or not they'd be successful in our company

Evidence?

  • Yes, specific examples
  • Yes, demonstration

What the candidate will think about the question.

Clear on hiring criteria

Skills & knowledge, attributes, achievements, motivations.

Targeted probing behavioral interviewing.

Go deep, be specific, ask for examples. Ask the "how" to detect liars and lack of honesty.

  • What …, what did you do, what was your role, etc. Questions need specific responses.

Do brainteasers work? No. Use problem-solving questions: how would you do/solve/etc…?

Examples:

  • role play question. ×
  • problem they solved. ✓

What work-related experience(s) changed your opinion(s) on something?

One question to rule them all?

Combination question. Find combo questions.

Probing

2021-10-07 Thursday

MEETING DI blockers   work meeting

CLOCK: [2021-10-07 Thu 18:01][2021-10-08 Fri 17:33] => 23:32

[2021-10-07 Thu 18:01]

@Yuri:

I've opened the issues there, still need to set priorities. Here is the list of the issues I'm currently aware of that are important for the release:

  1. https://github.com/advthreat/iroh/issues/5680 - didn't open a new ticket for this one, since it already has tracking.
  2. Umbrella module -
     a. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933
     b. Placement of fields - https://github.com/threatgrid/response/issues/934
     c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935
     d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
  3. filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937

If you know of something else, please add here

@Matt: 2.a is also tracked here https://github.com/advthreat/iroh/issues/5821

  1. Doc discussion 30min
  2. show time (Yuri share chat)
IN-PROGRESS support   work

CLOCK: [2021-10-07 Thu 16:45][2021-10-07 Thu 18:01] => 1:16

[2021-10-07 Thu 16:45]

ref
https://github.com/threatgrid/tenzin/issues/1530

new-org

{
    "id": "00000000-0000-0000-6473-000028fbaa95",
    "name": "GATE/Tier3",
    "enabled?": true,
    "created-at": "2021-10-07T17:00:00.000Z",
    "scim-status": "activated",
    "additional-scopes": [
        "iroh-master:read",
        "iroh-admin:read",
        "iroh-master/tac",
        "iroh-auth:read"]
}

Idp Mapping INT/TEST

{
    "idp": "sxso",
    "user-identity-id": "00uox5862kEG8G0CD0h7",
    "enabled?": true
}

IdP Mapping PROD

{
    "idp": "sxso",
    "user-identity-id": "00u4dmbgyjnx4glS2357",
    "enabled?": true
}

Users to invite:

[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
 {"invitee-email":"bmacer@cisco.com",  "role":"admin"},
 {"invitee-email":"caknowle@cisco.com","role":"admin"},
 {"invitee-email":"cdeleanu@cisco.com","role":"admin"},
 {"invitee-email":"daphgalm@cisco.com","role":"admin"},
 {"invitee-email":"djanulik@cisco.com","role":"admin"},
 {"invitee-email":"bmahsan@cisco.com", "role":"admin"},
 {"invitee-email":"majacob2@cisco.com","role":"admin"},
 {"invitee-email":"sorianto@cisco.com","role":"admin"},
 {"invitee-email":"stabulic@cisco.com","role":"admin"}]
CHAT check continu   work chat

CLOCK: [2021-10-07 Thu 10:07][2021-10-07 Thu 16:45] => 6:38

[2021-10-07 Thu 10:07]

ref
support DI JWT signature
CHAT support DI JWT signature   work chat

CLOCK: [2021-10-07 Thu 09:45][2021-10-07 Thu 10:04] => 0:19

[2021-10-07 Thu 09:45]

ref
https://github.com/advthreat/iroh/issues/5680
IN-PROGRESS client update via admin for CMD   work support

CLOCK: [2021-10-07 Thu 09:27][2021-10-07 Thu 09:45] => 0:18

[2021-10-07 Thu 09:27]

ref
https://github.com/advthreat/iroh/issues/5827

Cisco Secure Email Cloud Mailbox

  • module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
  • ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
  • module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
  • ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
CHAT Morning Webex check   work chat

CLOCK: [2021-10-07 Thu 09:26][2021-10-07 Thu 09:27] => 0:01

[2021-10-07 Thu 09:26]

ref
09:20
PAUSE Journal   pause

CLOCK: [2021-10-07 Thu 09:20][2021-10-07 Thu 09:26] => 0:06

[2021-10-07 Thu 09:20]

2021-10-08 Friday

MEETING IDB decommissioning   work meeting

CLOCK: [2021-10-08 Fri 20:33][2021-10-08 Fri 23:01] => 2:28

[2021-10-08 Fri 20:33]

ref
file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj
?
SSE-side decommission

Chander Goyal

Context: SX released as a platform; SSE had a PingFed ID Broker, also for CSA.

We want to use IROH-Auth directly.

CSA Migration was launched. SSE-side done.

CSA should be completed very soon. Let's not change PingFed.

Nov 1919 -> nobody left in PingFed at SSE.

Very limited knowledge. The license was a Cisco Wideside license, ending in 2022.

We want to duplicate PingFed.

MEETING Customer Manager   work meeting

CLOCK: [2021-10-08 Fri 17:33][2021-10-08 Fri 20:33] => 3:00

[2021-10-08 Fri 17:33]

ref
,,,

2021-W41

2021-10-14 Thursday

IN-PROGRESS Write Customer Manager doc   work

CLOCK: [2021-10-14 Thu 15:23][2021-10-14 Thu 16:33] => 1:10

[2021-10-14 Thu 15:23]

ref
write attack on Webhooks with JWT from emitters
IN-PROGRESS write attack on Webhooks with JWT from emitters   work

CLOCK: [2021-10-14 Thu 14:58][2021-10-14 Thu 15:23] => 0:25

[2021-10-14 Thu 14:58]

Attack using access_token/id_token from emitters and not from the webhook owner.

Webhooks are a generic mechanism, but here we only focus on webhooks used by internal Cisco team integrations.

So the webhook mechanism should be used to push, to a trusted API, the fact that a change occurred in SecureX (typically a module instance change).

The call must be authenticated by the API. The call should also optionally contain access/refresh tokens for the destination, so the integration team can access IROH as the event's emitter user.

The issue is that nothing is explicitly done to prevent any user from getting an access/id token generated by the same client we use to forge the authentication headers. So a SecureX user from any org who can get hold of their own access token/id token (which is entirely possible, and easy to get for DI as their client is public) could call the API endpoint to fake real webhook events, potentially producing cross-tenant/cross-user false events.

So to mitigate this issue, we suggest to:

  1. Always use the owner of the webhook and the team's client to build id_tokens (if possible not access_tokens). The forged JWT should have a specific audience (this is already the case for DI at least). The API team MUST check that the sub claim matches the owner-id field of the webhook, as well as verifying the JWT signature.
  2. Provide the emitter tokens in the body of the HTTP call made when the webhook triggers.

  • With 1, we prevent this cross-tenant/cross-user attack.
  • With 2, we not only provide even more data than before, but the team can directly use the token without using the "custom route" to retrieve the refresh token (as it is already provided in the webhook HTTP body).

2021-W42

2021-10-18 Monday

TODO Write Weekly todos   work

[2021-10-18 Mon 10:56]

ref
DONE Check Wanderson PRs/Webhooks

SCHEDULED: <2021-10-18 Mon>

TODO Customer Manager Doc

SCHEDULED: <2021-10-19 Tue>

TODO IROH-Auth tour
DONE Organize invitations for IROH-Auth tour + bugfix, etc…

DEADLINE: <2021-10-18 Mon>

IN-PROGRESS Discuss Exceptions organization

SCHEDULED: <2021-10-18 Mon>

TODO Team notes

DEADLINE: <2021-10-22 Fri>

Ag

Talk about taking care before PR approval; cf. an approved PR with severe bugs: https://github.com/advthreat/iroh/pull/5849

Wanderson
Olivier

2021-10-19 Tuesday

DONE whitelist synopsis.com in TEST   work

DEADLINE: <2021-10-19 Tue>

CLOCK: [2021-10-19 Tue 09:04][2021-10-19 Tue 16:03] => 6:59

[2021-10-19 Tue 09:04]

ref
Olivier

2021-10-21 Thursday

MEETING Secure Client   work meeting me

CLOCK: [2021-10-21 Thu 15:32]

[2021-10-21 Thu 15:32]