Preformatted

Original article

Yesterday at OSCON Russell Lewis, a senior software engineer at Netflix gave a talk
entitled How Netflix Gives All Its Engineers SSH Access to Instances Running In
Production.
The talk introduced a system called BLESS, which
issues short-term SSH client certificates based on AWS IAM roles. We’re excited to see Netflix
join the growing ranks of companies opening up about how they use client certificates to
control access to their infrastructure.

Background

Modern authentication systems operate by having a user authenticate against a central
service in exchange for a limited access token. Using that token the user can access
various services for a limited period of time. After that they are required to
re-authenticate. If you’ve ever logged into a corporate single sign-on (SSO) system,
or even just a Gmail account, you’ve experienced this before.

By decoupling the authentication workflow from the underlying services these systems
offer a multitude of benefits: only a single system needs to handle sensitive
credentials, lowering the surface area for attack. Authentication policies can be
easily extended or modified by changing a single configuration. And in some cases
the centralized system can make more intelligent decisions based on additional factors
such as the user’s location or behavior.

In contrast, most organizations still use relatively primitive authentication schemes
to secure the SSH and RDP services that guard access to their most sensitive
infrastructure. Many rely on static SSH keys, which are difficult to centrally manage
and audit. Others use centralized systems like LDAP, which require users to enter
passwords or MFA codes directly into the servers they are authenticating to – hardly
a best practice even for a low value target.

Client Certificates

Systems like ScaleFT and BLESS use client certificates to modernize infrastructure
authentication. Instead of trusting widely distributed static credentials, or requiring
users to enter sensitive credentials into untrusted servers, these sytems operate as
a Certificate Authority (CA), allowing users to authenticate against a central authority
in exchange for short-lived infrastructure credentials.

Servers configured to trust certificates issued by ScaleFT or BLESS can cryptographically
verify that a user is authenticated, without requiring sensitive information from the
user or even needing to communicate with the CA.

Legacy infrastructure authentication mechanisms pose a major risk to organizations,
and client certificates are a critical part of any modern replacement. We’re excited
to continue seeing the creative solutions that companies like Netflix are using to
combat these risks, and we can’t wait to learn how other organizations are using
client certificates.

For details on how Netflix authenticates engineers to their production infrastructure,
check out the talk.

Original article

README.md

npm install serverless -g

serverless project install serverless-starter

serverless project create

Original article

README.rst

$ apt-get install tesseract-ocr libtesseract-dev libleptonica-dev

$ pip install tesserocr

from tesserocr import PyTessBaseAPI

images = ['sample.jpg', 'sample2.jpg', 'sample3.jpg']

with PyTessBaseAPI() as api:
    for img in images:
        api.SetImageFile(img)
        print api.GetUTF8Text()
        print api.AllWordConfidences()
# api is automatically finalized when used in a with-statement (context manager).
# otherwise api.End() should be explicitly called when it's no longer needed.

import tesserocr
from PIL import Image

print tesserocr.tesseract_version()  # print tesseract-ocr version
print tesserocr.get_languages()  # prints tessdata path and list of available languages

image = Image.open('sample.jpg')
print tesserocr.image_to_text(image)  # print ocr text from image
# or
print tesserocr.file_to_text('sample.jpg')

from PIL import Image
from tesserocr import PyTessBaseAPI

image = Image.open('/usr/src/tesseract/testing/phototest.tif')
with PyTessBaseAPI() as api:
    api.SetImage(image)
    boxes = api.GetComponentImages(RIL.TEXTLINE, True)
    print 'Found {} textline image components.'.format(len(boxes))
    for i, (im, box, _, _) in enumerate(boxes):
        # im is a PIL image object
        # box is a dict with x, y, w and h keys
        api.SetRectangle(box['x'], box['y'], box['w'], box['h'])
        ocrResult = api.GetUTF8Text()
        conf = api.MeanTextConf()
        print (u"Box[{0}]: x={x}, y={y}, w={w}, h={h}, "
               "confidence: {1}, text: {2}").format(i, conf, ocrResult, **box)

from PIL import Image
from tesserocr import PyTessBaseAPI, PSM

with PyTessBaseAPI(psm=PSM.AUTO_OSD) as api:
    image = Image.open("/usr/src/tesseract/testing/eurotext.tif")
    api.SetImage(image)
    api.Recognize()

    it = api.AnalyseLayout()
    orientation, direction, order, deskew_angle = it.Orientation()
    print "Orientation: {:d}".format(orientation)
    print "WritingDirection: {:d}".format(direction)
    print "TextlineOrder: {:d}".format(order)
    print "Deskew angle: {:.4f}".format(deskew_angle)

from tesserocr import PyTessBaseAPI, RIL, iterate_level

with PyTessBaseAPI() as api:
    api.SetImageFile('/usr/src/tesseract/testing/phototest.tif')
    api.SetVariable("save_blob_choices", "T")
    api.SetRectangle(37, 228, 548, 31)
    api.Recognize()

    ri = api.GetIterator()
    level = RIL.SYMBOL
    for r in iterate_level(ri, level):
        symbol = r.GetUTF8Text(level)  # r == ri
        conf = r.Confidence(level)
        if symbol:
            print u'symbol {}, conf: {}'.format(symbol, conf),
        indent = False
        ci = r.GetChoiceIterator()
        for c in ci:
            if indent:
                print 'tt ',
            print 't- ',
            choice = c.GetUTF8Text()  # c == ci
            print u'{} conf: {}'.format(choice, c.Confidence())
            indent = True
        print '---------------------------------------------'

Original article

What disturbed me about the Facebook meeting.

Yesterday, I had an opportunity to meet with some of the senior staff at Facebook, including Mark Zuckerberg and Sheryl Sandberg. I found the meeting deeply disturbing — but not for the reasons you might think.

Before I dig in, since I’ll be talking about bias, let me share a bit about mine. I have been an avid Facebook user for about 8 years. I have 3.2 million followers. I consistently see high engagement on my Facebook page. We have begun using Facebook’s live video streaming platform and are encouraged by the results and plan on utilizing it more. The Facebook staff has always treated me and my staff kindly. They have been responsive, helpful, and available. I came into the meeting today wanting to believe that Facebook was a good, if not perfect, actor.

Walking out of the meeting, I was convinced that Facebook is behaving appropriately and trying to do the right thing. They were humble, open, and listened intently to everyone in the room.

So what disturbed me?

Before I answer, let me give a bit more background.

I am not an expert on data or AI or algorithms. If I had all the time, data, and money in the world, I would not be able to do anything with it.

I accept the possibility there may be evidence that Facebook — or said more clearly, someone or even multiple people who work for Facebook — may have done something that skewed the output in some way to game the system. But so far, I have not seen that evidence. And we looked for it. There are people at my company who understand this stuff far better than I do and they haven’t seen that evidence.

As a reminder, this entire controversy began when one former member of the Trending team — one — claimed Faceboook was suppressing conservative voices.

Now I want to be very clear on this point. This issue, the Trending Topics issue, the reason we are supposed to be up in arms, is a relatively new product that Facebook readily admits is far from perfect. Maybe later we will go into the details of the multiple products and how each one MAY be impacted by an unconscious bias — and how Trending topics in particular MAY be vulnerable to manipulation — but the reason I went to Facebook was not to find out whether there was a small issue, but to see whether there was a real issue. A top-down initiative from management to marginalize conservative voices. We can, and will, debate the merits of some of the complaints against Facebook, but, in my opinion, there is no evidence of a top-down initiative to silence conservative voices.

Even if some employees would want to do so, it would be really hard. It does not seem reasonable to me (or the President of my company who is far more technical then I am) that this bias could have the impact some claim unless it comes from the top. Just a couple bad actors could not move the needle in a significant way.

I don’t know off the top of my head how many employees Facebook has, but it’s a lot more than one. I do know they have 1.6 billion users, and that serving those users can’t be easy. To ensure every user has the experience hoped for is no easy task, but what I saw at Facebook was a team of people who were trying.

So, why did Facebook hold the meeting at all if they are doing nothing wrong? Are they just looking for cover? Is this Kabuki Theatre? Am I a rube?

Maybe, but I’ve been called worse. If I find out there is more to the story, I will blast them — but I don’t think there is.

Why?

This is what I heard yesterday:

In a country that is deeply divided, the largest and most important company in human interaction and content consumption saw the conservative movement in an uproar over ONE person, making ONE accusation, against ONE of their products. One story and the pitchforks came out. Now that’s something we conservatives are accustomed to, but not so much for those on the left.

Sure, the purpose of the meeting yesterday was to appease the angry voices, at least to some degree. They took the opportunity to explain to us the details of their products and how they really can’t be consciously biased, although they did admit that unconscious bias can creep in. But to me, the purpose of the meeting from Facebook’s point of view was to acknowledge that if one story and one accusation can bring out the pitchforks, the more fundamental issue to address is a lack of trust.

Conservative media, which was started as a reaction to the inherent bias in the main stream media, does not trust anyone outside our circle. Hell, we don’t even trust the people inside our circle. So it’s understandable that going to Silicon Valley, for many conservatives, is like going into enemy territory.

Silicon Valley is liberal, not a little bit liberal, a lot liberal. For example, I had a lunch yesterday with the very prominent Silicon Valley entrepreneur who donates to Democrats. If the internet is to be believed, he donated $250,000 to an Obama Super PAC. And when he (or was it someone else on his team?) described San Francisco, he described it as “leaning to the left.” Conservatives see San Francisco as falling off a cliff to the left.

That difference in perception is enormous.

I understand why conservatives are suspicious of Silicon Valley. It can feel a lot like the main stream media. But I’ve told you many times that I feel at home in Silicon Valley. I love the energy. These are people who want to innovate and disrupt, they want the government to stop regulating their businesses, they want small business to succeed, they value personal responsibility, etc. Why they are liberal? I don’t know, but in general, they’re not Progressives, at least not the folks I met with today (though I’m sure there were a few).

So, as a general rule, we do not trust them. And with one story, conservatives told Facebook, “There’s nothing left in the trust bank. There’s no goodwill. You must have been scamming us this whole time.”

I know I will be blasted by people for my position on this. I will be called a sellout. I will be accused of taking money or cowering for fear of retribution. (Of course, if I took the other side — that Facebook really was out to screw us, I would also be called names. Oh well, I just call it like I see it.)

So what disturbed me about the Facebook meeting?

I sat through a meeting that, to me, felt like I was attending a Rainbow Coalition meeting, that people (not me) had come with a list of demands.

I looked around the room, I heard the complaints, I listened to the perspectives, and not a single person in the room shared evidence of any wrongdoing. Maybe they had some, but it wasn’t shared. They discussed how Facebook’s organic reach and changes in algorithms has impacted their business. While at the same time admitting that Huffington Post has been struggling with the same issues. I heard people discuss community standards, pages being shut down, posts being removed — and I do believe that happens and it’s something Facebook could do better, and I hope they will — but we were not there because of that. We were there because of this ONE accusation on Trending Topics.

I sat there looking around and heard things like:

1) Facebook has a very liberal workforce. Has Facebook considered diversity in their hiring practice? The country is 2% Mormon. Maybe Facebook’s company should better reflect that reality.

2) Maybe Facebook should consider a six-month training program to help their biased and liberal workforce understand and respect conservative opinions and values.

3) We need to see strong and specific steps to right this wrong.

It was like affirmative action for conservatives. When did conservatives start demanding quotas AND diversity training AND less people from Ivy League Colleges.

I sat there, looking around the room at ‘our side’ wondering, ‘Who are we?’ Who am I? I want to be very clear — I am not referring to every person in the room. There were probably 25–30 people and a number of them, I believe, felt like I did. But the overall tenor, to me, felt like the Salem Witch Trial: ‘Facebook, you must admit that you are screwing us, because if not, it proves you are screwing us.’

What happened to us? When did we become them? When did we become the people who demand the Oscars add black actors based on race?

Someone made a good point at the meeting. The invitation alone from Facebook is staggering. Conservative voices are rarely, if ever, invited to the table for an open dialogue.

Has Twitter, Google, or any other Silicon Valley giant invited conservatives to speak, to understand what we are feeling and seeing? Has any other company or entity said, ‘Yes, many of our employees are liberal, many of us don’t understand you, but our goal is to be an open platform where ALL ideas (with limitations on hate and abuse, etc..) are welcome?’ Has any other organization with 1.6 billion users admitted that while their foundational values are the opposite of ours, it is bad business to cut off a segment of the population?

Mark Zuckerberg really impressed me with his manner, his ability to manage the room, his thoughtfulness, his directness, and what seemed to be his earnest desire to ‘connect the world’. I asked him if Facebook, now or in the future, would be an open platform for the sharing of all ideas or a curator of content? When I asked this question I told him I support his right to pick either direction. They are a private-owned company with investors who can decide what is right for them. They can decide what is right based on profits or based on interests or on principles or on social justice. I hope that they want to be open, but I will fight for their right to be who they want to be even if I do not like their decision. Without hesitation, with clarity and boldness, Mark said there is only one Facebook and one path forward: ‘We are an open platform.’

He went on to discuss that they are far from perfect, that they are always working on the algorithms, the improvement of the newsfeed, the user experience, etc. The goal, though, was very clear — to be an open platform. When I looked into his eyes and his team’s eyes, I believed him and I believed them. I hope I am not proven wrong.

How do I square this with other accusations from people and organizations I respect like CPAC and Matt Schlapp? I can’t. I don’t know what CPAC experienced, and I don’t know if they are right or not. I have seen Steven Crowder’s complaint, and I have no response other than I love Steven and hope he gets the satisfaction he deserves. I have spoken to others off the record who have made similar claims as CPAC’s. How do I square those complaints? I can’t.

Maybe one day, maybe one day soon, I will be able to synthesize these two opposite perspectives. Maybe one party will show solid evidence or a smoking gun. But until then, based on our research and my personal experience with Facebook, I believe they are acting in good faith and share some very deep, fundamental principles with people who believe in the principles of liberty and freedom of speech.

Read more at my website: www.GlennBeck.com.

Original article