I saw a robotic coffee company that was started up by people from Uber. So I think you’re going to see a lot of that. Th

Well, I got married in 2018, so I was 45. So I waited until late in life. I had my first kid, my daughter, on February 7 right before shit hit the fan. So since then, I’ve been an adoring dad and there for every milestone. Like everyone else, when I’m doing business calls advising companies or doing my board meetings; I’m on Zoom all the time. I’m trying now to move to half Zoom and half audio, just so I can pace a little bit and not have the… It gets super exhausting to look at someone’s face on Zoom all day, every day.

Lyft is an AWS shop, and AWS’ access control mechanism is called IAM. It determines which Principals (e.g. users, groups, and roles) may perform which Actions on which Resources(e.g. storage buckets, compute instances, etc). IAM is powerful, highly customizable, and can work across account boundaries. IAM can be easy to configure incorrectly, and mistakes here can enable adversaries to easily move around and perform malicious actions in your environment.

As a motivating example, we wanted to quickly see which principals had root or “root-like” privileges in our environment. An IAM policy like this allows the equivalent of root privileges to all principals it is attached to because it allows any action to be performed on any resource:

The result can look something like this. If you try this yourself, you might be in for an unpleasant surprise if you aren’t expecting any principals to be highly privileged:

I live in Miami Beach, and I live on an island connected to the main part of Miami beach. I have a car, the car I got from California, which I never got rid of. I bought another one when we had the kid so we could have a baby seat and so on. So I’ve not been in Uber in the last few months, for sure. I haven’t needed to, because mostly, we’ve been quarantined. And then when we go out, we’re taking our daughter to a pediatrician or something. It’s much more convenient to have your own baby seat, to be honest.

If you stare at the query long enough, it makes sense: we look for PolicyStatements that are attached to AWSPolicy nodes that are attached to AWSPrincipals where * is set as both a Resource and an Action.

Last year in March (this was 2019 in case you forgot; doesn’t that feel like forever ago?), we open sourced Cartography, our Python tool that consolidates technical assets and the relationships between them in a graph database.

Using graphs helps us visualize and reason about security problems in a very powerful way. One such problem is understanding cloud permissions relationships: we needed an answer to the question “who has permission to read and write to my sensitive data resources?”

With all of this data in the graph, earlier in April of this year we thought that it’d be a great idea to evaluate IAM policies offline so that we could determine a given principal’s resulting accesses (for those familiar with Windows security, this calculation might remind you a bit of RSOP). We called this feature Resource Permission Relationships.

AWS roles, users, and groups have policies attached to them, which determine the Actions they are allowed to perform or not perform against a defined set of Resources. IAM can get very complicated: you can specify advanced clauses like NotAction (which determine what a Resource can’t do) or NotResource (which determine the resources this statement does not apply to). Further, you can use the * character to have a policy apply to objects that match a given text string. A principal’s resulting access is determined by all the policy statements mapped to it.

I live in Miami Beach, and I live on an island connected to the main part of Miami beach. I have a car, the car I got from California, which I never got rid of. I bought another one when we had the kid so we could have a baby seat and so on. So I’ve not been in Uber in the last few months, for sure. I haven’t needed to, because mostly, we’ve been quarantined. And then when we go out, we’re taking our daughter to a pediatrician or something. It’s much more convenient to have your own baby seat, to be honest.

MATCH (stat:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal) WHERE stat.effect = 'Allow' AND any(x IN stat.resource WHERE x='*') AND any(x IN stat.action WHERE x='*' ) RETURN *

It’s great that we have the data, but it’s cumbersome to need to remember all the rules of IAM policy evaluation to answer this question. It would save us a lot of time to be able to simply ask “who has permission to read from my storage buckets?” or “who has permission to run queries on my DynamoDB tables?”

http://news24.gruposio.es/ydd/video-CSKA-Moscow-Baskonia-v-en-gb-1efn30122020-20.php

http://news7.totssants.com/zwo/Video-bragantino-v-sao-paulo-v-pt-br-1iwm2-24.php

http://news7.totssants.com/zwo/videos-bragantino-v-sao-paulo-v-pt-br-1qxf2-6.php

https://assifonte.org/media/hvc/videos-dusseldorfer-v-iserlohn-roosters-v-de-de-1gmo-8.php

http://news7.totssants.com/zwo/v-ideos-Bragantino-Sao-Paulo-v-en-gb-1xpw-.php

http://news24.gruposio.es/ydd/videos-cska-moscow-v-saski-baskonia-v-es-es-1grq-12.php

http://news24.gruposio.es/ydd/v-ideos-cska-moscow-v-saski-baskonia-v-es-es-1ysi-29.php

http://go.negronicocktailbar.com/npt/videos-LA-Clippers-Golden-State-Warriors-v-en-us-1tac-2.php

http://news24.gruposio.es/ydd/video-cska-moscow-v-saski-baskonia-v-es-es-1ncx-14.php

http://go.negronicocktailbar.com/npt/video-Chicago-Bulls-Kings-v-en-us-1nca30122020-.php

http://news24.gruposio.es/ydd/video-cska-moscow-v-saski-baskonia-v-es-es-1kep-10.php

http://news24.gruposio.es/ydd/videos-Valencia-Basket-Barca-Lassa-v-en-gb-1eze-.php

http://news7.totssants.com/zwo/Video-Bragantino-Sao-Paulo-v-en-gb-1emh30122020-5.php

http://news24.gruposio.es/ydd/videos-Valencia-Basket-Barca-Lassa-v-en-gb-1mkl30122020-4.php

http://go.negronicocktailbar.com/npt/videos-Chicago-Bulls-Kings-v-en-us-1gvh-23.php

http://news24.gruposio.es/ydd/v-ideos-Valencia-Basket-Barca-Lassa-v-en-gb-1dth-8.php

http://go.negronicocktailbar.com/npt/Video-Chicago-Bulls-Kings-v-en-us-1ywh-8.php

http://news7.totssants.com/zwo/video-Bragantino-Sao-Paulo-v-en-gb-1igu-1.php

http://go.negronicocktailbar.com/npt/videos-Fasil-Kenema-Sidama-Bunna-v-en-gb-1qua30122020-.php

http://news7.totssants.com/zwo/Video-barnechea-v-nublense-v-es-cl-1hag-22.php

nce that the Founding Fathers thought twice about owning other human beings. (While Thomas Jefferson publicly condemned slavery, he nevertheless enslaved hundreds of people). In other words, the man who wrote “All men are created equal” did his part to make sure they weren’t. As such, many Black people, consider racism as enshrined in the core documents of American democracy — and cannot see the people who created them redeemable.

I want to ask you one last question, which is going to bring it all full circle. I’d love to know a little bit about your personal habits right now in the middle of the pandemic. Are you taking Uber? Did you buy a car? What is your personal relationship to the technology that you help build?