Red October

This talk is about the creation of a new security tool, Red October. Red October can be used to enforce the two-person rule for access to critical data, helping keep company data protected from insider threats.

The security industry tends to be less open about the details of how their software works than other parts of the software industry. This project was created to tackle the practical challenges of traditional security compliance, but inspired by an open source mentality. By taking a vague set of regulatory requirements we devised a user-friendly tool that solves a broader problem that is an issue for many small organizations.

This talk will teach people about cryptography and division of responsibility in key management, a very important consideration when moving a business to the cloud. It will also help show where to draw the line between using existing cryptographic and security mechanisms, and building your own.

The points I will cover include:
- The problem we were trying to solve (protecting secrets from insiders)
- An examination of naive approaches and why they failed
- An overview of what the server can and cannot do
- An explanation of the cryptographic design of the project
- Examples of how it can be used
- The advantages and pitfalls of developing the tool with a newer programming language like Go
- Design decisions for the interface
- The steps to open source the project
- Community reaction and implementation


Ars Technica

July 2014