0:09 Yeah. Hey, good morning Munich. Awesome.
0:11 And thanks for technology that it's
0:13 working. Good morning. This talk is
0:16 about cyber resilience. My name is is
0:19 Constance. I am a doctor, but you should
0:21 not be taking any medical advice.
0:23 That'll become clear in a second. And I
0:25 am an independent researcher and I'm
0:26 really really grateful for the people
0:28 that make it possible to do this in this
0:30 day and age. Thank you very much. And
0:32 with me is
0:34 Hello everyone. My name is Vadim. I'm um
0:37 one of the maintainers of Harbor and we
0:39 do some business around Harbor. So we
0:40 provide support for Harbor and
0:44 integration and coding. Um and my part
0:46 will be then on the let's say the the
0:51 other part that's related to OCI here, right?
0:57 Um so who here knows what SBOMs are?
1:00 Yay. Who uses them actively?
1:04 Some. Great. Now I have with me a container
1:10 and let's read the bill of materials.
1:13 All right. So, so 1 g of 1 milligram of
1:24 and a whole lot of chemistry. Um well
1:25 I'm not so I'm somewhat this is an
1:27 allergy medication and I'm somewhat of
1:29 an allergy expert but beyond the first
1:31 active ingredient I wouldn't be able to
1:33 to read this. Now I'm not saying that
1:35 this is not useful what is on this for
1:37 those who understand but so so what do
1:39 you do when you don't know you find some
1:40 medication you don't know what to do
1:43 with it you don't know what it's going
1:46 to do to your body um you don't know if
1:55 exactly so but why why do you read this
1:58 thing because the pharmaceutical company
2:00 that made this right they spent years on
2:02 clinical trials experime experimenting
2:04 with humans. What these meds do to the
2:06 human body, how the medication behaves
2:09 in the human body so that you don't have
2:13 to. Now
2:14 let's talk about different kinds of
2:18 containers and this talk is about can we
2:21 as software vendors do the same thing
2:23 and use that knowledge that we have
2:26 about a software because if I if I
2:28 develop a software I have the should
2:30 should have the knowledge of how that
2:33 thing behaves and can I attach that to a
2:38 container and transfer it to a user so
2:40 that when I as an end user download
2:44 that's saying I I get a description of
2:45 the benign behavior of the expected
2:49 behavior with the software and I can
2:52 also do directly anomaly detection based
2:55 on that and more than that and that's
2:56 actually almost the key point here when
2:59 I then get an update of the software
3:01 with it comes an updated understanding
3:05 of this of the vendor's recommendation
3:08 of how that software should act now IRL
3:12 like it's not like this thing is 100%
3:13 useful, right? In in real life, there's
3:15 so many corner cases. Everybody is
3:17 different. So, it's the same thing going
3:20 to be here. There's so many
3:22 like pets out there, right? It's not
3:24 expected that everything works. So, we
3:25 need to take into account if we make
3:28 this work that people need to uh have
3:30 their own opinions and override the
3:32 settings if they if they are the local
3:36 experts. All right, this talk, so my
3:38 talk is about the runtime part is about
3:39 showing you that this is actually
3:42 possible. And here we start with when
3:44 you normally are an end user, you
3:47 install something. Um, let's say I'm I'm
3:50 looking at um Dynatrace OneAgent. So I'm
3:51 pulling that down as an end user. I'm
3:53 not affiliated with Dynatrace and I'm
3:55 installing it. I have an idea what it
3:57 should do, but I don't have all of their
3:59 expertise of multi-year what that why is
4:08 um of what that thing should do.
4:10 Why is this? Sorry, one second.
4:12 Technical malfunction.
4:13 A timer.
4:16 Yeah, probably like
4:18 it's also showing different things here.
4:20 Okay. Anyway, so usually I get the data
4:22 out in some form. We call it
4:23 observability. And then I do some
4:25 analysis either with humans or with
4:27 machines of whether that was good or
4:30 bad. In order to speed this up, I use
4:32 rules. And they can be very simple or
4:34 you can have real life threat
4:35 intelligence feeds and make it like all
4:37 the way complicated, right? That's your
4:44 are somewhere in the middle. Now, the
4:47 idea here is that it's not me um who
4:49 writes the rules, but that I actually
4:52 let the vendor write them and attach
4:54 them to the to the software. And we call
4:57 that Bob. And I really apologize for my
5:00 malfunctioning PowerPoint. So currently
5:03 it's you. We wanted to be the software
5:05 vendor. And the reason for that is that
5:08 that will achieve an humongous amount of
5:10 scalability. Right? Even if I had all
5:12 the brains of all of the dinos people
5:14 combined in me, it's still just going to
5:17 be one one person that adapts one agent
5:20 to their system. But if they do it and
5:21 ship it to everyone, then that's real
5:23 scale. And that's what we try to to demo
5:27 to you here, right? So, I'm not exactly
5:28 sure what I'm seeing versus what you're
5:30 seeing, but that's the story line. Let's
5:32 go into the details. All right. If
5:34 you've seen SBOMs, there's a spec
5:37 called SPDX. Um, so we can do the same
5:39 thing for runtime profiles. I'm not
5:41 going to go into details. You can uh
5:44 enjoy that yourself. And my reference
5:46 implementation since we had the idea in
5:48 London is going to be using Kubescape.
5:50 Kubescape is an incubating CNCF project
5:52 here represented by Mo. That's the
5:55 little space panda here. And huge thanks
5:57 to the cubescape people. And what it
5:59 does, it wraps amongst other things, it
6:01 does many things. It wraps inspector
6:04 gadget which is an ebpf tool that traces
6:06 out um the runtime behavior of an
6:08 application. And here you can see the
6:10 elements. Maybe you can see them. Um
6:12 there's capabilities, there is events,
6:14 there's network endpoints, there are
6:18 syscalls, um execs and file path file
6:21 descriptors in there. So when if I'm the
6:24 vendor, I need to trace out my behavior
6:27 of my software in this term in these
6:30 terms and that's and the way I achieve
6:33 it is I take the behavior that I have
6:35 like behavioral tests like traffic
6:37 generation load tests whatever tests you
6:40 do um that's it how you should usually
6:43 do your quality assurance I hope um and
6:44 run the profiler while that's happening
6:46 it might take a long while right and
6:49 then you transfer it so I'm giving you a
6:51 live lab and I'll switch to a live lab
6:53 in a second and it will contain the
6:55 vendor aspect. This one takes long and
6:57 it's the the complicated part of the of
6:58 the thing because you need to actually
7:00 understand your your software. You need
7:02 to run those tests, right? So in here
7:04 there will be a sample PHP application
7:06 which is like a one-liner that shows you
7:08 how you could do this. But you're very
7:10 encouraged to take the 20 minutes and
7:13 say, "Well, I I'll do my own app and
7:14 I'll profile it and I'll see for myself
7:17 if how difficult, how easy it is to do
7:19 because the Kubescape configuration
7:20 has to be different for the vendor and
7:23 for the user." But
7:26 PowerPoint works again. Um, now that
7:27 that's one thing, but the crucial part
7:29 that I was also sweating it out really
7:31 until Monday, like Monday night 4 a.m. I
7:32 was still panicking. Does it really
7:34 work? Anyway, so does it transfer?
7:37 That's the big question, right? um and h
7:38 and how far does it not transfer? We
7:40 said IRL there's always going to be
7:42 exceptions, right? And but I wanted to
7:44 understand if they're systematic and we
7:46 can template template them and
7:49 parameterize them away. So source code
7:52 is um so I I run the storm center um for
7:54 open source threat intelligence and one
7:56 of the repos there is called BobCTL and
7:58 there you'll find the source code. Now
8:02 I'm going to switch to the live lab and
8:05 show you how as a user we assume now
8:06 that the vendor has done this right they
8:08 they created this this profile and we're
8:10 on a different infrastructure on a
8:11 different kernel and we're going to
8:14 bring it in and see if we can do anomaly
8:18 detection um and if it works. So now
8:20 first question is if this works. Yeah
8:22 that's good. That's already really good.
8:25 All right. So so this lab is now
8:28 listable. If you go labs iximiuz you'll
8:30 get the link later.com under courses
8:32 you'll find one of the two community
8:35 courses is now the Bob since last night.
8:38 So we assume that we have this wonderful
8:40 web app here. This is a Helm chart. I've
8:42 I've given you different ways of of
8:45 helming this in okay so that you can use
8:47 your usual tools that you hopefully know
8:49 Helm or you've heard of it at least. And
8:52 in this web app I've put a bob.l.
8:55 So this is this um benign behavior
8:56 profile with all the syscalls and
8:58 endpoints and whatnot. I've recorded
9:02 this profile and now I've cloned it
9:04 already. I've already installed it. So
9:06 this is a this is a installation takes
9:07 about 2 three minutes. So I've already
9:10 done that. Um and what it did during the
9:12 installation, it configured Kubescape
9:15 for me such that it will do this um the
9:17 tracing and the anomaly detection and it
9:20 deployed the app in its um as the vendor
9:22 recommended it to me and I had a values
9:25 file to override values if I wanted to.
9:28 All right. So now the first thing is I'm
9:33 going to in the uh right side check if I
9:37 get anything unexpected. So what I'm
9:40 seeing here is Kubescape telling me um
9:42 yeah so this is theuler that was
9:44 happening earlier. So everything um
9:46 Kubescape is monitoring now in my entire
9:48 system. This is a K3s um what are the
9:52 unexpected syscalls and I will switch
9:55 to a new tab here um and I've got this
9:57 app installed and now I want to have the
10:01 positive test. So that means if I have a
10:03 positive test of the expected behavior
10:05 and I'm running uh anomaly detection on
10:07 the other window. So if I test it now,
10:11 what anomaly should I be seeing?
10:14 Nothing. Exactly correct. 100% correct.
10:24 So theoretically, Helm should do a test.
10:32 Yes. So, so it takes a second to to to
10:34 verify it. Yes, we we saw nothing.
10:37 That's exactly correct. Um, and so if
10:39 you did the full four full logs, you'd
10:41 see some some some scattering, some uh
10:44 it did notice it. Um, and now I'm going
10:46 to do the opposite. I'm going to verify
10:49 that if I sample attack it, don't worry,
10:51 it's not like this is insulated system.
10:52 Uh, sample attack it that I get exactly
10:55 the anomalies that I expect to get. So
10:58 this verifies that my detection is
10:59 working correctly. This is goes even
11:01 further than runtime rules, right? So
11:03 I'm first going to forward my port which
11:06 is going to uh do some funkiness. Okay,
11:11 fine. So good old almost almost make
11:14 forward. So yay. And
11:20 now this is a injection attack.
11:22 So this web app is vulnerable by
11:26 default. And yes, so we should see two
11:28 things. We and if you look into it,
11:30 there was an ls and there was a system
11:33 call. Um these long JSON documents.
11:35 It takes 5 minutes to elapse. It's free
11:37 for 1 hour per day. Try it out yourself.
11:41 Highly encouraged. And the last part is
11:43 so this was just one. Let's do a suite
11:46 of attacks and then count like for
11:48 example you can do this in CI/CD. you
11:50 can say I think it's 14 of them that
11:52 while this you know shit's scrolling by
11:54 um while this goes by I can do an assert
11:56 are these exactly the uh anomalies that
11:58 I was looking for and that's that's
12:00 actually pretty powerful because I
12:02 cannot just have the rules I can also
12:05 check if they're working so that's a lot
12:07 a whole load of chain of things that
12:09 have to be cor configured correctly in
12:12 order for this to work
12:14 that worked so yeah that was actually
12:16 live if I hope you believe that so for
12:18 those of you who are doubtful. Did she
12:19 test all the kernel versions, all the
12:21 Kubernetes versions, all the OS systems,
12:24 all the different whatever not glibc
12:26 version is also important. Um, not yet.
12:28 Not yet, but I'm working on it. Okay.
12:30 So, KCD Sophia in two months, uh, I'll
12:32 update you on the full parameter study.
12:34 Currently, you can find here a link in
12:36 all the profiles of the differences. So,
12:38 if you see, now switching back to
12:40 PowerPoint. If you see differences, um,
12:42 are they expected? So, is it all going
12:45 to match? No, it's not all going to
12:46 match. Mostly in the syscalls you will
12:49 see small but systematic differences and
12:51 they are mostly related to the glibc
12:52 version that is baked into operating
12:55 systems or it is the kernel because
12:59 since 4.4 4 to now we are 6.11 maybe um
13:00 that's just a huge range and the kernel
13:04 did change um so but in general it is
13:06 predictable but there are differences
13:09 and I will be looking into you know how
13:11 to exactly make this nice in the UX but
13:14 at this point I hope that I have given
13:16 you also a tool to convince yourself
13:17 that I'm not lying to you that's
13:20 important to me I don't want to you know
13:22 um but now the question is so okay I've
13:24 I've hacked this up since London right
13:28 use Kubescape, Inspektor Gadget, eBPF etc etc
13:29 how can we how can we make this into the
13:31 OCI standard you've worked with Harbor
13:32 for a long time
13:34 so the the question now that we
13:37 basically or Constance proved that is
13:39 working and now we need to make this
13:42 next step that out of the lab in into a
13:44 product in a stand into product into a
13:47 standard and into the community so that
13:51 it can be used right and one of the the
13:54 steps now to to make it productized is
13:55 to you
13:58 from the consumer perspective because
14:01 from the from the vendor perspective um
14:03 things going to be probably quite
14:04 similar as they are currently already.
14:08 So the vendor has to do bit of a work
14:11 and to to create those profile. But from
14:13 the consumer perspective, we of course
14:15 want to make it super easy for the
14:19 consumer to um to use these profiles and
14:21 install them into their clusters and
14:23 just use them, right? And um this is
14:26 where we follow the same principle or
14:28 try to follow the same principle because
14:30 the naming is similar SBoB SBOM and
14:32 also that we want to attach the profiles
14:35 uh attach the profiles to the OCI image,
14:39 right? And then we need to to have some
14:41 um an operator on the cluster. We call
14:45 it Bob daemon, right? Because uh why not?
14:49 And so Bob daemon is the the the operator
14:51 that will fetch the profile from the
14:54 image and it will have an
14:56 like in the future. Currently there is
14:59 basically just one one solution that is
15:02 working with this bit of profile is
15:04 Kubescape. So currently it's only
15:06 possible to use Kubescape because
15:07 there's just one solution that does
15:12 this. But hopefully in the future when
15:15 the the profile becomes more common
15:17 there will be other vendors to provide
15:20 the solution. So the Bob daemon is design
15:23 is designed in a way that um is vendor
15:26 agnostic. So they can create a profile
15:28 and then Bob daemon is also the one who
15:30 is has an understanding about the
15:32 Kubernetes cluster right so he has
15:33 understanding about the Kubernetes
15:36 cluster the the kernel versions the the
15:39 all this aspect that might vary between
15:42 between the profiles and it will then be
15:44 able to create the profile or adapt the
15:46 profile that comes from the vendor to
15:49 the specific cluster right so because if
15:51 some Kubernetes version does not do this
15:54 call we can you know strike it out and
15:55 and Bob daemon will be able to do this
15:57 and it will of course you know watch for
16:00 the resources find profile and apply
16:03 those manifests right so this is work in
16:04 progress and that's why it's called
16:06 funding so we need people who can
16:08 implement this right so it's an operator
16:10 it has some interfaces
16:14 and so we're looking for people who will
16:18 work on that or fund it in in any way
16:21 and this will be then the next step to
16:24 bring it out of the lab into real life
16:28 or a real product space.
16:30 Exactly. So, we need people that that
16:32 give us feedback and of course also
16:35 vendors that that test it out and I
16:36 literally if you even if you have a
16:40 small app and just contact us on any uh
16:42 you know chat medium or so or PR of
16:45 course is always or issues or not you
16:47 try it out you trace out your app does
16:50 it work for your thing. So I've recorded
16:52 in in the sample repo there is like a
16:54 simple web application there's Redis
16:55 and there's I was even interested so as
16:58 a stateful set and I am working on
17:00 Tetragon as that was kind of funny to
17:03 to with eBPF trace and eBPF agent and
17:06 see if I can even transfer that um
17:07 because it's really really deep down I
17:09 wanted to see what kind of applications
17:10 can be covered by this are there you
17:13 know one thing is front end like this
17:15 web app is like you know has an API but
17:17 what what about the the deeper more
17:18 nested things that are deep down in
17:21 clusters and but of course very few
17:22 people cannot cover the parameter space
17:24 so it needs to be a community effort
17:28 here um and also putting it into CI/CD
17:30 and the the labs are really practical
17:32 right so the like there are two labs one
17:34 is from the consumer perspective and one
17:36 is from the vendor perspective they're
17:40 really approachable and um like when you
17:41 run the lab you get all the results and
17:43 then you can study the results and
17:45 analyze and see how it is behaving and
17:46 you get a better understanding how
17:48 things are behaving and and what is the
17:50 outcome of this whole thing. Uh yeah,
17:52 that's uh I recommend for for the vendor
17:54 side and also for the consumer side to
17:57 try out the the labs and see what
17:58 results you will get because the
18:00 profiles are really powerful. So you can
18:02 really cover a lot of things with you
18:05 can you can really analyze the behavior
18:08 of your application uh in in in in quite
18:09 granular way.
18:11 Exactly. And if you know any templating
18:14 language so I used Helm because I did a
18:16 survey and it was 80 something% of you
18:18 use Helm. So but if you have you know
18:20 Kustomize, Argo, whatever, Flux what you
18:22 know you're not going saying I'm pretty
18:23 sure it also works in that language I
18:25 just use the majority language for for
18:27 reference and yeah if you don't want to
18:29 remember this um this link uh navigate
18:31 to the main page and then under
18:33 community content in courses you'll find
18:36 it um if you are a researcher or student
18:40 and you want to do um anything here just
18:41 reach out I'm also writing funding
18:44 proposals of course for this and at this
18:46 point I think we conclude
18:48 um because we hope that you have some
18:51 some questions and some discussion. Um
18:52 yeah, so we call it the uh container
18:55 Beipackzettel. Um and for those who
18:57 don't know how to pronounce that word,
19:00 Bob, um
19:02 yeah, thank you so much and I hope that
19:12 Yeah. So we have quite some time for
19:15 questions. So if you have questions
19:18 just keep the mic. Okay.
19:24 And thanks so much for Lind. Super quick
19:26 shout out for the ones that that have
19:27 trusted me since the beginning and give
19:29 me their medal just to use without any
19:31 expectation in return. That's that's a
19:33 huge thing. Um yeah go ahead.
19:36 Yeah. Uh really cool presentation and
19:38 cool topic. I was wondering you
19:41 mentioned earlier that probably in some
19:43 environments there are special things
19:46 which are expected different behavior
19:49 and have you already looked into how for
19:51 example if I deploy that a bit of
19:54 behavior into my own cluster how can I
19:58 tell it okay in this environment it's
20:01 expected that you call a specific URL or whatever
20:06 yeah so um so you can I'm not sure if
20:08 Let's see if we can do a making this
20:11 bigger thing
20:14 somewhere here. All right. So, yeah, I
20:17 have for example here. Um
20:20 I think it still shows the presentation.
20:22 Thank you very much for pointing that
20:25 out to me. Um no, no, literally because
20:29 um so let's I hope this is big enough.
20:30 So, for example, here you have an
20:32 endpoint direction endpoint port 8080.
20:34 Do you see this? And then with Helm,
20:37 this is like host. Um, I'm inside the
20:40 cluster. I'm using the DNS resolution
20:42 and I'm trying to make this bigger. One
20:44 sec. So you can actually read it. Does
20:45 it sort of answer your question while
20:56 Yeah. No, that's that's it exactly here. So
21:00 um you see that this is this you can
21:04 basically edit it by hand. Um so so this
21:05 is a network endpoint to add you can
21:07 also do so cubescape also has different
21:09 CRDs where you actually literally have
21:12 known network no or known endpoint but
21:14 then you use a different CRD. Okay.
21:18 Yeah. So two two options. Yeah.
21:20 The other the other use cases that you
21:21 mentioned is that what are the
21:23 difference like there are some
21:25 differences in the operating systems
21:26 right so that some operations do some
21:28 syscalls and some other operating
21:29 systems don't do some syscalls and you
21:31 will see that in the profiles right and
21:35 then hopefully in like with the daemon it
21:37 will be able to figure out which syscalls are
21:39 related to which version and then it can
21:41 filter out and create a profile for your
21:44 specific environment then so that those
21:48 differences can be covered
21:50 Right. So yeah, there is in the CI/CD
21:53 pipeline there's a large matrix of tests
21:55 um and for the syscalls is probably a
21:57 superset and we we imagine that um there
21:58 is a daemon or two-step installation
22:01 that queries which yeah all of these
22:03 parameters from the cluster and also
22:05 gets you maybe the the end points like
22:08 which C is your master um your
22:09 Kubernetes master installed and and
22:11 parses that into the template at
22:13 installation time. as a vendor you need
22:16 to test your application. I mean you
22:18 should anyway right you should anyway
22:19 test your application different
22:25 environment and yeah so commercial
22:28 shape doing this version whatever 31 35 33
22:33 so it should not be a surprise
22:35 and and the other thing is that you can
22:37 use globbing so here you see this these
22:39 are placeholder languages here there's
22:40 there's an asterisk and there you see
22:43 the three dot um so as a as a vendor you
22:44 have to substitute because a lot of
22:47 tokens or mount slices, uh, kubelet
22:49 slices, they have these UUIDs,
22:51 typically date and some nonsense, um,
22:53 that you need to substitute out because
22:55 they Yeah, but this is, I think,
22:57 relatively, uh, yeah, self-explanatory,
23:01 but you have to do it.
23:09 How's the notification working? How do
23:11 you get notified when something is is blocked?
23:14 So this is a cube this is the Kubescape
23:17 implementation. If we go to the first
23:20 part of the lab here
23:22 um so they have a picture of the
23:24 architecture. So this is a part that is
23:26 not part of the bob. I'm just um
23:28 piggybacking on the shoulders of giants.
23:30 So this is node agents architecture
23:33 internally. It diffs. So it puts that
23:36 CRD into etcd and so it diffs each time
23:39 the Inspektor Gadget there's a certain
23:42 time frame in which it it reads what are
23:44 the actual uh syscalls, file scripts etc
23:47 versus what is stored and that diffing
23:49 goes into alerts which you then can put
23:51 into alert manager. So this is a part of
23:55 Kubescape's um architecture on top of the
23:57 tracing itself that we're making use of here.
24:00 Okay. So no events for instance like a
24:04 kubectl event or something
24:05 would be handy maybe.
24:08 I don't think it I um
24:11 no no there there are no events like you
24:13 might also be flooding because what has
24:14 happened is a lot of duplication
24:17 happening and I've done this myself and
24:19 you get flooded so quickly. So I'm not
24:21 sure if I be careful with going for just interesting.
24:25 Yeah. Yeah. No. Um, this is also why I
24:26 piggybacked on an existing system and
24:28 didn't try to implement this myself
24:30 because it's hard to do this whole dedup
24:32 behind the scenes. Thanks for the
24:36 question. Good question. Yeah.
24:46 Thanks.
24:49 Um there are already so many methods
24:52 with which uh let's say Helm chart vendor
24:55 could add seccomp profiles, SELinux and so
24:58 on to the app. What makes you optimistic
25:01 that vendors will publish a BoB instead
25:04 of just adding these hard controls?
25:08 Well they are different right? Um so the
25:10 so if I do a seccomp profile that's
25:14 enforcing whereas this is alerting um
25:18 and it does anomaly detection so a sec
25:20 and I mean the other question is how
25:23 many do really publish seccomp profiles
25:26 um and especially as I have not seen a
25:27 single and show me a single SELinux
25:29 profile that comes with a Helm chart that
25:33 works um sorry I I like SELinux but I
25:36 know how much work it is Um whereas this
25:39 the thing that convinced me was um that
25:41 I think one week after we had the idea I
25:43 had a prototype that was essentially
25:45 this and it it just I didn't have to do
25:47 much. Okay. There's there's some like
25:49 nonsense with template hashes that are
25:51 annoying but you know details whereas
25:54 yeah SELinux I'd be careful in sec and
25:56 enforcing mode.
25:58 Yeah especially because the syscalls differ.
26:02 I haven't seen anyone supersetting the
26:06 syscalls systematically. Yeah.
26:08 But but you still would need to do that
26:11 for uh publishing like recommended
26:13 profiles, right?
26:15 Either you superset them. Yeah. Or you
26:19 um uh as as the Bob daemon uh basically
26:20 read out which kernel version is it and
26:22 if that kernel version was uh well in
26:24 combination with the glibc um if you
26:26 have that combo already. But pro it's so
26:29 it looks like it's already plus minus 10
26:31 calls typically that differ mostly. So
26:33 but I'll be careful. Thanks.
26:36 Yeah. So why nobody is doing it? I think
26:38 because at the risk of breaking it and
26:40 also because we have no standard. So
26:42 lots of vendors have individual tools
26:45 that can do this. Lot like almost
26:46 everybody can can trace it out. That's
26:48 not the magic. The magic is the transfer.
26:56 Um great talk. Uh I have another remark.
26:58 Um we talk now a lot about the security
27:01 part of it which is great of course. Um
27:02 what you mentioned was that you have to
27:04 profile your app to basically know what
27:07 kind of behavior it has. I would even
27:10 turn it around because test coverage is
27:12 a really hard problem too. So you could
27:15 even I won't say abuse it like leverage
27:18 it to increase a lot your your test
27:20 coverage of your realtime application
27:23 because this is a big problem too. So
27:24 yeah I really really see a lot of
27:25 potential there.
27:26 You can also do per performance
27:28 profiling. Now, I'm not in the
27:29 performance space, but for example, why
27:31 does my app not work on my OpenShift,
27:34 but it works on the GKE just fine. And I
27:38 I just it's an indicator. Um, and since
27:39 yeah, it's it's one step further to a
27:41 flame graph, but you at least you see
27:43 the objects that are loaded here and
27:45 then maybe it's one of them. Gives you
27:46 an indication maybe.
27:48 Yeah, absolutely. Thanks.
27:50 So, you can use it for debugging too
27:52 actually. Totally. Yeah, totally did that.
27:58 Yeah. Any other questions? More
28:01 questions? No. All right. Um, then thank