PyCon Italy 2018: Everyday security issues and how to avoid them

Transcript

1. Everyday security issues and how to avoid them PyCon Italy

   2018 / Florence Christian Heimes Senior Software Engineer [email protected] / [email protected] @ChristianHeimes

2. Everyday security issues, PyCon Italy 2018 2 Who am I?

   • from Hamburg/Germany • Linux user since 1997 • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team

3. Everyday security issues, PyCon Italy 2018 3 Professional life •

   Senior Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI • Custodia secrets management

4. Agenda & Goals

5. Everyday security issues, PyCon Italy 2018 5 • Motivation •

   What is security? • Honourable mention • Security bottom-up • Examples • Summary • Q&A Agenda

6. Everyday security issues, PyCon Italy 2018 6 depth breadth

7. Motivation Why should I care?

8. Everyday security issues, PyCon Italy 2018 8 proud craftsman responsible

   engineer

9. Everyday security issues, PyCon Italy 2018 9 Business

10. Everyday security issues, PyCon Italy 2018 10 https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

11. Everyday security issues, PyCon Italy 2018 11 https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

12. Everyday security issues, PyCon Italy 2018 12 https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/ https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

13. Everyday security issues, PyCon Italy 2018 13

14. Everyday security issues, PyCon Italy 2018 14 Life and Death

15. Everyday security issues, PyCon Italy 2018 15 https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-frmware-update

16. Everyday security issues, PyCon Italy 2018 16 http://news.sky.com/story/gay-people-at-risk-after-ashley-madison-hack-10348710 http://www.bbc.com/news/technology-34044506

17. Everyday security issues, PyCon Italy 2018 17 World laws pertaining

    to homosexual relationships and expression Wikipedia

18. Everyday security issues, PyCon Italy 2018 18 Code of Conduct

    Wikipedia

19. What is information security?

20. Everyday security issues, PyCon Italy 2018 20 Wikipedia defnition Information

    security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

21. Everyday security issues, PyCon Italy 2018 21 Info Sec •

    prevention • mitigation • auditing • recovery • privacy

22. Everyday security issues, PyCon Italy 2018 22 Why is security

    hard? • complex systems • weakest link causes catastrophic failures • secure is not testable • design issues • multitude of attack vectors • threat analysis

23. Everyday security issues, PyCon Italy 2018 23 https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

24. Everyday security issues, PyCon Italy 2018 24

25. Everyday security issues, PyCon Italy 2018 25 Amazon Says One

    Engineer's Simple Mistake Brought the Internet Down 2017-02-28

26. Everyday security issues, PyCon Italy 2018 26

27. Everyday security issues, PyCon Italy 2018 27 RSA Key Extraction

    via Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/

28. Everyday security issues, PyCon Italy 2018 28 Compiler and CPU

    optimization char *demo(const char *msg, int msg_len) { char secret[16]; char *output; get_secret_key(secret); output = encrypt(secret, msg, msg_len); /* wipe secret key from memory */ memset(secret, 0x00, sizeof(secret)); return output; } char *demo(const char *msg, int msg_len) { char secret[16]; char *output; get_secret_key(secret); output = encrypt(secret, msg, msg_len); /* wipe secret key from memory */ memset(secret, 0x00, sizeof(secret)); return output; }

29. Everyday security issues, PyCon Italy 2018 29 Compiler optimization $

    clang -O3 0000000000000000 <demo>: 0: 55 push %rbp 1: 41 56 push %r14 3: 53 push %rbx 4: 48 83 ec 10 sub $0x10,%rsp 8: 89 f5 mov %esi,%ebp a: 48 89 fb mov %rdi,%rbx d: 4c 8d 34 24 lea (%rsp),%r14 11: 4c 89 f7 mov %r14,%rdi 14: e8 00 00 00 00 callq 19 <demo+0x19> 15: R_X86_64_PC32 get_secret_key-0x4 19: 4c 89 f7 mov %r14,%rdi 1c: 48 89 de mov %rbx,%rsi 1f: 89 ea mov %ebp,%edx 21: e8 00 00 00 00 callq 26 <demo+0x26> 22: R_X86_64_PC32 encrypt-0x4 26: 48 83 c4 10 add $0x10,%rsp 2a: 5b pop %rbx 2b: 41 5e pop %r14 2d: 5d pop %rbp 2e: c3 retq $ clang -O0 0000000000000000 <demo>: 0: 55 push %rbp 1: 48 89 e5 mov %rsp,%rbp 4: 48 83 ec 30 sub $0x30,%rsp 8: 48 8d 45 e0 lea -0x20(%rbp),%rax c: 48 89 7d f8 mov %rdi,-0x8(%rbp) 10: 89 75 f4 mov %esi,-0xc(%rbp) 13: 48 89 c7 mov %rax,%rdi 16: e8 00 00 00 00 callq 1b <demo+0x1b> 17: R_X86_64_PC32 get_secret_key-0x4 1b: 48 8d 7d e0 lea -0x20(%rbp),%rdi 1f: 48 8b 75 f8 mov -0x8(%rbp),%rsi 23: 8b 55 f4 mov -0xc(%rbp),%edx 26: 89 45 d4 mov %eax,-0x2c(%rbp) 29: e8 00 00 00 00 callq 2e <demo+0x2e> 2a: R_X86_64_PC32 encrypt-0x4 2e: be af 00 00 00 mov $0x00,%esi 33: 48 ba 10 00 00 00 00 movabs $0x10,%rdx 3a: 00 00 00 3d: 48 8d 7d e0 lea -0x20(%rbp),%rdi 41: 48 89 45 d8 mov %rax,-0x28(%rbp) 45: e8 00 00 00 00 callq 4a <demo+0x4a> 46: R_X86_64_PC32 memset-0x4 4a: 48 8b 45 d8 mov -0x28(%rbp),%rax 4e: 48 83 c4 30 add $0x30,%rsp 52: 5d pop %rbp 53: c3 retq

30. Everyday security issues, PyCon Italy 2018 30 CPU

31. Everyday security issues, PyCon Italy 2018 31 Rowhammer, Spectre, Meltdown

32. Everyday security issues, PyCon Italy 2018 32 'Руthοn' != 'Python'

33. Everyday security issues, PyCon Italy 2018 33 Homoglyph confusion attack

    >>> import unicodedata >>> for c in 'Руthοn': ... print(unicodedata.name(c)) ... CYRILLIC CAPITAL LETTER ER CYRILLIC SMALL LETTER U LATIN SMALL LETTER T LATIN SMALL LETTER H GREEK SMALL LETTER OMICRON LATIN SMALL LETTER N >>> import unicodedata >>> for c in 'Руthοn': ... print(unicodedata.name(c)) ... CYRILLIC CAPITAL LETTER ER CYRILLIC SMALL LETTER U LATIN SMALL LETTER T LATIN SMALL LETTER H GREEK SMALL LETTER OMICRON LATIN SMALL LETTER N

34. Honourable mention

35. Everyday security issues, PyCon Italy 2018 35 Out of scope

    • legal requirements (e.g. EU privacy shield, FISMA) • data centre security • hardware security (e.g. Intel Management Engine) • browser / web security • ransomware • state sponsored actors • cyber war

36. Everyday security issues, PyCon Italy 2018 36 Wikipedia

37. Everyday security issues, PyCon Italy 2018 37 cybersquirrel1.com – attacks

    on power grid http://cybersquirrel1.com/

38. Everyday security issues, PyCon Italy 2018 38 Human factor •

    Social engineer • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfed employees • ignorant management

39. Everyday security issues, PyCon Italy 2018 39 Security vs. Usability

40. Everyday security issues, PyCon Italy 2018 40 IoT – Internet

    of Things The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)

41. Everyday security issues, PyCon Italy 2018 41

42. Security bottom-up

43. Everyday security issues, PyCon Italy 2018 43 Hardware & OS

    • Hardware from trustworthy vendor • validate OS image • UEFI secure boot (protect your MOK) • Firewall • update, update, update • SELinux / AppArmor don't: setenforce 0 do: semanage permissive -a myapp_t

44. Everyday security issues, PyCon Italy 2018 44 Application • don't

    run as root or admin • Restrict and isolate separate user, group systemd: PrivateTmp, Protectsystem, RemoveIPC, CapabilityBoundingSet, … SecComp sandboxing • encrypt in transit (TLS/SSL), encrypt at rest • bind to localhost • strong authentication • update, update, update … and restart!

45. Everyday security issues, PyCon Italy 2018 45 Mitigation: Defence in

    depth

46. Everyday security issues, PyCon Italy 2018 46 Update!

47. Python

48. Everyday security issues, PyCon Italy 2018 48 High level, memory

    safe languages

49. Everyday security issues, PyCon Italy 2018 50 Dangerous Python features

    • exec() • eval() • import, __import__() • pickle, marshal • ctypes

50. API Design

51. Everyday security issues, PyCon Italy 2018 52 Secure should be

    easy, obvious, and default • consistent error reporting • production-friendly defaults / “developer mode" • require authentication (MongoDB) • verify certs (Python) • logging

52. Files I/O

53. Everyday security issues, PyCon Italy 2018 54 Directory traversal attack

    BASE = '/var/lib/files' @app.route('/download/<filename>') def download(filename): absname = os.path.join(BASE, filename) with open(absname) as f: return f.read() BASE = '/var/lib/files' @app.route('/download/<filename>') def download(filename): absname = os.path.join(BASE, filename) with open(absname) as f: return f.read() /download/image.jpg /download/image.jpg

54. Everyday security issues, PyCon Italy 2018 55 Directory traversal attack

    /download/private/image.jpg /download/../etc/passwd /download/../../etc/passwd /download/../../../etc/passwd /download/../../../etc/httpd/server.key /download/private/image.jpg /download/../etc/passwd /download/../../etc/passwd /download/../../../etc/passwd /download/../../../etc/httpd/server.key

55. Everyday security issues, PyCon Italy 2018 56 TOCTOU / race

    condition if not os.path.isfile(filename): with open(filename, 'wb') as f: f.write(b'data') os.chmod(filename, 0o755) if not os.path.isfile(filename): with open(filename, 'wb') as f: f.write(b'data') os.chmod(filename, 0o755) with open(filename, 'xb') as f: # O_EXCL | O_CREAT f.write(b'data') os.fchmod(f.fileno(), 0o755) with open(filename, 'xb') as f: # O_EXCL | O_CREAT f.write(b'data') os.fchmod(f.fileno(), 0o755)

56. Everyday security issues, PyCon Italy 2018 57 temporary fles /

    directories • don't write to /tmp directly • use secure temporary fle API (tempfile module) • consider a private temporary directory

57. Parsing

58. Everyday security issues, PyCon Italy 2018 59 HTTP – RFC

    822 header content-type: text/html; charset=utf-8 content-length: 47446 x-clacks-overhead: GNU Terry Pratchett <html> <head> ... content-type: text/html; charset=utf-8 content-length: 47446 x-clacks-overhead: GNU Terry Pratchett <html> <head> ...

59. Everyday security issues, PyCon Italy 2018 60 HTTP header parsing

    sock = create_connection(('host', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ... sock = create_connection(('host', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ...

60. Everyday security issues, PyCon Italy 2018 61 HTTP header parsing

    DoS sock = create_connection(('host', 80)) f = sock.makefile() for line in f: # DoS vulnerability name, value = line.split(':', 1) ... sock = create_connection(('host', 80)) f = sock.makefile() for line in f: # DoS vulnerability name, value = line.split(':', 1) ...

61. Everyday security issues, PyCon Italy 2018 62 CVE-2013-1752 fx MAX_LENGTH

    = 1024 while True: line = f.readline(MAX_LENGTH + 1) if len(line) > MAX_LENGTH: raise ValueError ... MAX_LENGTH = 1024 while True: line = f.readline(MAX_LENGTH + 1) if len(line) > MAX_LENGTH: raise ValueError ...

62. Everyday security issues, PyCon Italy 2018 63 XML <xml> <tag

    attribute=”value”>text</tag> </xml> <xml> <tag attribute=”value”>text</tag> </xml>

63. Everyday security issues, PyCon Italy 2018 64 XML entities <!DOCTYPE

    example [ <!ENTITY title "My title" > ]> <xml> <tag attribute=”value”>&title;</tag> </xml> <!DOCTYPE example [ <!ENTITY title "My title" > ]> <xml> <tag attribute=”value”>&title;</tag> </xml>

64. Everyday security issues, PyCon Italy 2018 65 XML entities expansion

    attack <!DOCTYPE xmlbomb [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;"> ]> <bomb>&d;</bomb> <!DOCTYPE xmlbomb [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;"> ]> <bomb>&d;</bomb>

65. Everyday security issues, PyCon Italy 2018 66 XML network /

    fle access <!DOCTYPE external [ <!ENTITY remote SYSTEM "http://www.python.org/some.xml"> <!ENTITY local SYSTEM "file:///etc/passwd"> ]> <xml> <url>&remote;</url> <file>&local;</file> </xml> <!DOCTYPE external [ <!ENTITY remote SYSTEM "http://www.python.org/some.xml"> <!ENTITY local SYSTEM "file:///etc/passwd"> ]> <xml> <url>&remote;</url> <file>&local;</file> </xml>

66. Everyday security issues, PyCon Italy 2018 67 XML attacks –

    defusexml • billion laughs / exponential entity expansion • quadratic blowup entity expansion • DTD & external entity expansion (remote and local) • attribute blowup / attribute hash collision attack • decompression bomb (gzip) • XPath injection attacks • XInclude <xi:include /> • XMLSchema-Import <xs:import /> • XSLT features wie xalan/redirect, xalan/java

67. Everyday security issues, PyCon Italy 2018 68 gettext translation msgid

    "" msgstr "" "Project-Id-Version: 2.0\n" "PO-Revision-Date: 2003-04-11 12:42-0400\n" "Last-Translator: Barry A. WArsaw <[email protected]>\n" "Language-Team: XX <[email protected]>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 7bit\n" "Generated-By: manually\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" msgid "" msgstr "" "Project-Id-Version: 2.0\n" "PO-Revision-Date: 2003-04-11 12:42-0400\n" "Last-Translator: Barry A. WArsaw <[email protected]>\n" "Language-Team: XX <[email protected]>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 7bit\n" "Generated-By: manually\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n"

68. Everyday security issues, PyCon Italy 2018 69 gettext plural forms

    • English, Italian, German: nplurals=2; plural=n != 1; • French: nplurals=2; plural=n > 1; • Celtic: nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2; • Russian: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n %10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2; • Denial-Of-Service: nplurals=2; plural=n ** 1000 ** 1000 ** 1000 ** 1000; issue #18317, #28563

69. Everyday security issues, PyCon Italy 2018 70 catastrophic backtracking in

    regular expression (CVE-2018-1060 / 1061) commit 0e6c8ee2358a2e23117501826c008842acb835ac Author: Jamie Davis <[email protected]> Date: Sun Mar 4 00:33:32 2018 -0500 bpo-32981: Fix catastrophic backtracking vulns (#5955) ... Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. ... Co-authored-by: Tim Peters <[email protected]> Co-authored-by: Christian Heimes <[email protected]> --- a/Lib/difflib.py +++ b/Lib/difflib.py -def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match): +def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match): commit 0e6c8ee2358a2e23117501826c008842acb835ac Author: Jamie Davis <[email protected]> Date: Sun Mar 4 00:33:32 2018 -0500 bpo-32981: Fix catastrophic backtracking vulns (#5955) ... Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. ... Co-authored-by: Tim Peters <[email protected]> Co-authored-by: Christian Heimes <[email protected]> --- a/Lib/difflib.py +++ b/Lib/difflib.py -def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match): +def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):

70. Everyday security issues, PyCon Italy 2018 71 https://www.theguardian.com/technology/2017/aug/11/hacking-computer-dna-university-of-washington-lab

71. Input validation & sanitization

72. Everyday security issues, PyCon Italy 2018 73 SQL injection attack

    SELECT * FROM users WHERE username='%s' AND password='%s' SELECT * FROM users WHERE username='%s' AND password='%s' query = select_user % (username, password) query = select_user % (username, password)

73. Everyday security issues, PyCon Italy 2018 74 SQL injection attack

    SELECT * FROM users WHERE username='1' OR '1' = '1' AND password='1' OR '1' = '1' SELECT * FROM users WHERE username='1' OR '1' = '1' AND password='1' OR '1' = '1' username = "1' or '1' = '1" password = "1' or '1' = '1" username = "1' or '1' = '1" password = "1' or '1' = '1"

74. Everyday security issues, PyCon Italy 2018 75 subprocess shell=True run_command("myfile;

    rm -rf *") run_command("myfile; rm -rf *") def run_command(filename): return subprocess.check_call( "command {}".format(filename), shell=True) def run_command(filename): return subprocess.check_call( "command {}".format(filename), shell=True)

75. Everyday security issues, PyCon Italy 2018 76 More injection attacks

    • SQL • shell • LDAP • XPath / XQuery • NoSQL databases • ASN.1 • JSON

76. TLS / SSL

77. Everyday security issues, PyCon Italy 2018 78 TLS/SSL certifcate validation

    • ssl.create_default_context() • verify_mode = ssl.CERT_REQUIRED • check_hostname = True • requests.get(…, verify=True) # default

78. Everyday security issues, PyCon Italy 2018 79

79. Everyday security issues, PyCon Italy 2018 80 Don't roll your

    own cert validation • > 6 bugs in Python's hostname verifcation code • CVE-2013-2099, #12000, #17997, #17305, #30141 • Python 3.7 uses X509_VERIFY_PARAM_set1_host() OpenSSL 1.0.2+ / LibreSSL 2.7.0 • https://github.com/libressl-portable/portable/issues/381

80. Everyday security issues, PyCon Italy 2018 81

81. Cryptography

82. Everyday security issues, PyCon Italy 2018 85 The frst rule

    of cryptography: Don't implement your own crypto!

83. Everyday security issues, PyCon Italy 2018 86 34C3: Squeezing a

    key through a carry bit • Attack by Filippo Valsorda from Cloudfare Google • Bug on Go's P-256 elliptic curve implementation • Misplaced carry bit in 0.00000003% • CVE-2017-8932

84. Everyday security issues, PyCon Italy 2018 87 The second rule

    of cryptography: Implement your own crypto, but never use it in production!

85. Everyday security issues, PyCon Italy 2018 88 Random number generator

    (CSPRNG) • tokens • password salt • key material • session cookies os.urandom() crypt/rand int getrandom(void *buf, size_t bufen, unsigned int fags);

86. Everyday security issues, PyCon Italy 2018 89 Passwords Salted key

    derivation and key stretching function • argon2 • scrypt • bcrypt • PBKDF2 • Constant timing comparison operator! hmac.compare_digest()

87. Everyday security issues, PyCon Italy 2018 90 Social Login, SSO,

    Kerberos

88. Everyday security issues, PyCon Italy 2018 91 AES and RSA

    are mathematical artifacts.

89. Everyday security issues, PyCon Italy 2018 92 AES ECB mode

90. Everyday security issues, PyCon Italy 2018 93 AES ECB mode

91. Everyday security issues, PyCon Italy 2018 94

92. Everyday security issues, PyCon Italy 2018 95 Malleability malleable encryption

    algorithm

93. Everyday security issues, PyCon Italy 2018 96 Hashing: Length extension

    attack # bad hashlib.sha256(data + secret_token) # bad hashlib.sha256(data + secret_token) # correct hmac.HMAC(secret_token, data, 'sha256') hashlib.blake2b(data, key=secret_token) # correct hmac.HMAC(secret_token, data, 'sha256') hashlib.blake2b(data, key=secret_token)

94. Everyday security issues, PyCon Italy 2018 97 Authenticated encryption AES-GCM

    def encrypt_image(payload, key, nonce, add_data): encryptor = Cipher( algorithms.AES(key), modes.GCM(nonce), backend=default_backend() ).encryptor() encryptor.authenticate_additional_data(add_data) ciphertext = encryptor.update(payload) ciphertext += encryptor.finalize() return ciphertext, encryptor.tag def encrypt_image(payload, key, nonce, add_data): encryptor = Cipher( algorithms.AES(key), modes.GCM(nonce), backend=default_backend() ).encryptor() encryptor.authenticate_additional_data(add_data) ciphertext = encryptor.update(payload) ciphertext += encryptor.finalize() return ciphertext, encryptor.tag

95. Everyday security issues, PyCon Italy 2018 98 XOR Encrypted with

    same nonce and same key

96. Everyday security issues, PyCon Italy 2018 99 Nonce collision

97. Everyday security issues, PyCon Italy 2018 100 Bad Crypto /

    Good Crypto Bad • MD5 • SHA-1 • DES / 3DES • RC4 • PKCS#1 v1.5 (JWE, JWT) • pycrypto package Good • AES • ChaCha20 - Poly1305 • SHA2 family (256, 384, 512) • blake2 • PyCA cryptography • libsodium (NaCl)

98. Everyday security issues, PyCon Italy 2018 101 Secrets (tokens, keys)

    Bad • env vars • command line • git • plain fles Good • Kernel keyring (except in containers) • vault • encrypted at rest • HSM, TPM

99. Everyday security issues, PyCon Italy 2018 102

100. Summary

101. Everyday security issues, PyCon Italy 2018 104 Summary • educate

     • reuse • restrict • encrypt • update • privacy

102. Everyday security issues, PyCon Italy 2018 105 Get in touch

     • @ChristianHeimes • [email protected] / [email protected]

103. THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews linkedin.com/company/red-hat