[erlang-questions] Erlang offensive paper

Uniaika uniaika@REDACTED
Wed Jun 1 16:00:26 CEST 2016

One of the first things I did when starting to play with distributed
Erlang was to set up a Tinc VPN between all my nodes. It's a mesh VPN so
the setup is fairly easy (and scalable), and it provides good guarantees
in terms of crypto (that can be enforced when following the instructions
at https://bettercrypto.org).
That's basically all the security I have for inter-node communications
and I'm satisfied enough.

On 06/01/2016 03:51 PM, Eric des Courtis wrote:
> It would be nice if BEAM could address these issues (not Erlang) so that
> new more secure languages could be implemented on the BEAM.
> I think it will be done sooner or later. The sooner the better IMO if
> BEAM is to remain relevant in the long term.
> On Wed, Jun 1, 2016 at 7:32 AM, Nathaniel Waisbrot
> <nathaniel@REDACTED> wrote:
>>     Does anyone know if there is anything in the works or proposed
>>     around the "If someone gets inside the network, the cookie is the
>>     only protection left" situation?
>     Yes: use SSL for distribution and to talk to other services.
>      http://erlang.org/doc/apps/ssl/ssl_distribution.html
>     This assumes that by "inside the network" you mean past the
>     firewall/gateway/NAT. But you could also view this as using
>     encryption to build an inner network that just contains your Erlang
>     nodes. Once you're inside *that* network things are still open.
>     The author suggests that since the BEAM is an OS you might want all
>     the access controls that a full OS offers. This would (e.g.) allow
>     some people to launch processes and kill the process that they'd
>     launched, but only some root user could terminate the Cowboy
>     application. This would take an enormous amount of work and there
>     are other ways of getting the same effect, so I can't imagine this
>     happening.
>     What you should do is understand that a network of Erlang nodes
>     behaves (as much as possible) like a single node. If you don't trust
>     a remote node, do not link with it under any circumstances. If you
>     want to allow trusted and untrusted code to interoperate, you need
>     to write your own communication layer for them.
>     Finally, to get the security model of all the other languages that
>     I'm aware of, you can disable distribution.