[erlang-questions] Erlang offensive paper

Uniaika uniaika@REDACTED
Wed Jun 1 16:00:26 CEST 2016


One of the first things I did when starting to play with distributed
Erlang was to set a Tinc VPN between all my nodes. It's a mesh VPN so
the setup is fairly easy (and scalable), and it provides good guarantees
in terms of crypto (that can be enforced when following the instructions
at https://bettercrypto.org).
That's basically all the security I have for inter-node communications
and I'm satisfied enough.

Anne-Gwenn.

On 06/01/2016 03:51 PM, Eric des Courtis wrote:
> It would be nice if BEAM could address these issues (not Erlang) so that
> new more secure languages could be implemented on the BEAM.
> 
> I think it will be done sooner or later. The sooner the better IMO if
> BEAM is to remain relevant in the long term.
> 
> On Wed, Jun 1, 2016 at 7:32 AM, Nathaniel Waisbrot
> <nathaniel@REDACTED> wrote:
> 
>>     Does anyone know if there is anything in the works or proposed
>>     around the "If someone gets inside the network, the cookie is the
>>     only protection left" situation?
> 
> 
>     Yes: use SSL for distribution and to talk to other services.
>      http://erlang.org/doc/apps/ssl/ssl_distribution.html
> 
>     This assumes that by "inside the network" you mean past the
>     firewall/gateway/NAT. But you could also view this as using
>     encryption to build an inner network that just contains your Erlang
>     nodes. Once you're inside *that* network things are still open.
> 
>     The author suggests that since the BEAM is an OS you might want all
>     the access controls that a full OS offers. This would (e.g.) allow
>     some people to launch processes and kill the process that they'd
>     launched, but only some root user could terminate the Cowboy
>     application. This would take an enormous amount of work and there
>     are other ways of getting the same effect, so I can't imagine this
>     happening.
> 
>     What you should do is understand that a network of Erlang nodes
>     behaves (as much as possible) like a single node. If you don't trust
>     a remote node, do not link with it under any circumstances. If you
>     want to allow trusted and untrusted code to interoperate, you need
>     to write your own communication layer for them.
> 
> 
>     Finally, to get the security model of all the other languages that
>     I'm aware of, you can disable distribution.
> 
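A sketch of the "use SSL for distribution" setup discussed in the thread, added here as an example and not taken from any poster's configuration. The file name, certificate paths and node name are placeholders, and a private CA that issues one certificate per node is assumed.

```erlang
%% ssl_dist.conf (placeholder name): TLS options for Erlang distribution.
%% Example start command, on OTP releases that support -ssl_dist_optfile:
%%
%%   erl -proto_dist inet_tls \
%%       -ssl_dist_optfile /etc/myapp/ssl_dist.conf \
%%       -name node1@host1.example.internal
%%
%% All paths below are placeholders. The CA in ca.pem is assumed to be a
%% private CA used only for this cluster, so that holding a certificate it
%% issued is what admits a node to the "inner network".
[
 %% Options applied when this node accepts an incoming distribution
 %% connection from another node.
 {server, [
   {certfile,   "/etc/myapp/tls/node1.pem"},
   {keyfile,    "/etc/myapp/tls/node1.key"},
   {cacertfile, "/etc/myapp/tls/ca.pem"},
   %% Require the connecting node to present a certificate and validate
   %% it against the CA. Without these two options the channel is
   %% encrypted, but the cookie remains the only authentication.
   {verify, verify_peer},
   {fail_if_no_peer_cert, true},
   {secure_renegotiate, true}
 ]},

 %% Options applied when this node opens a connection to another node.
 {client, [
   %% Presented to the remote node so that its verify_peer check passes.
   {certfile,   "/etc/myapp/tls/node1.pem"},
   {keyfile,    "/etc/myapp/tls/node1.key"},
   {cacertfile, "/etc/myapp/tls/ca.pem"},
   %% Validate the remote node's certificate before trusting it.
   {verify, verify_peer},
   {secure_renegotiate, true}
 ]}
].
```

This authenticates and encrypts node-to-node links only; as noted in the thread, any node admitted to the cluster still has full access to every other node.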