Security & privacy on the internet: things you should know
DESCRIPTION
Presentation on security and privacy on the internet, given by volunteer Toon at the Werkgroep Websites en Hosting on 7 January 2014.
TRANSCRIPT
Security & Privacy
Because you’re awfully bad at them...
This talk applies to security in IT, but the main principles should apply everywhere.
What is security?
Security is protection from harm.
How to accomplish security?
● Rules (laws, terms of service, ...)
● Trust (web of trust, ...)
● Mathematics (redundancy, encryption, ...)
Against whom?
● Spying brothers, mothers, colleagues, girlfriends (physical access to the computer, knowledge about the owner)
● Companies, ISPs, governments (Man in the Middle)
● Employers, insurance companies, banks, governments (institutions we depend on)
● Data “thieves”
Fields
● Physical (passphrases, full disk encryption, lock screens)
● Application (logging & monitoring, prepared SQL statements, trust-nothing strategy)
● Transportation (end-to-end encryption like HTTPS, OTR, GPG)
● Data (redundancy against data breaches and disk failures, encryption)
Think about this
● Security is not equal to authentication
● Passphrase is not equal to password
● Use bcrypt for hashes instead of MD5 or SHA-1 (salted or not, these are fast algorithms and easily brute-forced)
● Another way to store hashes: user + random salt in the user table, hash + dummies in a separate hash table
● Free software is not equal to Open Source software
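The two hashing points above (a slow, salted hash instead of plain MD5/SHA-1, and the unlinked user/salt and hash/dummies tables), as an added Python example that is not part of the talk. Because bcrypt is not in the standard library, PBKDF2-HMAC-SHA256 stands in for the slow salted hash; the in-memory table layout, iteration count and number of dummies are assumptions for illustration.

```python
import hashlib
import os

# Assumption: iteration count chosen so each guess costs real CPU time.
ITERATIONS = 100_000


def fast_hash(password: str) -> str:
    """What the slide warns against: unsalted MD5. Identical passwords give
    identical hashes and a GPU can try billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordStore:
    """Constructed model of the two-table layout from the slide.

    users:  username -> random per-user salt (the "user table")
    hashes: real hashes mixed with random dummies, with NO column that
            links a hash back to a user (the "hash table")
    """

    def __init__(self, dummies_per_user: int = 3):
        self.users: dict[str, bytes] = {}
        self.hashes: set[bytes] = set()
        self.dummies_per_user = dummies_per_user

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = salt
        self.hashes.add(slow_hash(password, salt))
        for _ in range(self.dummies_per_user):
            # Dummies are the same length as real hashes, so an attacker
            # holding the database cannot tell which entries are real.
            self.hashes.add(os.urandom(32))

    def verify(self, username: str, password: str) -> bool:
        salt = self.users.get(username)
        if salt is None:
            # Do the same amount of work for unknown users so that a
            # timing difference does not reveal which usernames exist.
            slow_hash(password, b"\0" * 16)
            return False
        # The salt is per user, so only that user's real hash can match.
        return slow_hash(password, salt) in self.hashes
```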
What is privacy?
The freedom to express yourself anonymously or to send someone a private message, without interference from third parties
Privacy can be decomposed into three parts:
1. Secrecy (your messages can only be understood by intended recipients)
2. Anonymity (the ability to send and receive messages without revealing sender or receiver)
3. Autonomy (avoidance of interference/intervention by people who violated our secrecy or anonymity and are using it to control us)
What does that mean?
Interception of the content of your message breaks your secrecy
Interception of the metadata of your message breaks your anonymity
Threats against secrecy
● Total surveillance
● Deep Packet Inspection (DPI)
● Man In The Middle attacks (MITM)
● History (something that’s secure now doesn’t necessarily stay that way)
● Weak protocols (FTP, DNS, ARP, HTTP, POP3, Wifi, GSM, EDGE, 3G)
Threats against anonymity
● Total surveillance
● Browser fingerprinting
● Persistent cookies
● Social media buttons and other third party inclusions (images, scripts, embeds)
● Weak protocols (IP, GSM, EDGE, 3G)
● Everything you have to sign up for
Tools to use for
● Secrecy: HTTPS, OTR, GPG (best: public/private-key encryption with ephemeral keys and high bit counts)
● Anonymity: Tor network, I2P, GnuNET
● Autonomy: Laws? Civil disobedience?
Use only Free Software, and know the software you use
Think about this
● Do you have nothing to hide?
● If I promise you that I’ll keep all your data secret, would you trust me enough to give it to me? Why would you trust someone you don’t know (and whose plans you don’t know) over me?
Think about this
● What do Google, Facebook, your ISP, your government know about you?
○ Data you gave them
○ Your friends and their friends
○ Who your employer is (estimated)
○ Places you’ve been to, and when you were there
○ Where you were at any given time (estimated)
○ Conversations between you and your friends (chat, private message, email, …)
○ Things, music, companies, activities, politics, … that you find important
○ How you look
○ Your sexual orientation (even before you know it)
○ Sites you visit, how long and when you visit them
○ ...
Think about this
● What about correlation? Tor is not enough.
● What about metadata? See quote
Sources
● https://en.wikipedia.org/wiki/Security
● http://snowdenandthefuture.info
● http://opine.me/a-better-way-to-store-password-hashes/
● https://prism-break.org/
● https://www.eff.org/
● https://markopolojarvi.com/privacy.html
● https://www.facebook.com/about/privacy/your-info
● http://digital-era.net/tor-use-best-practices/
● https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
● http://xkcd.com/936/
● https://www.gnu.org/philosophy/free-sw.html
● http://tosdr.org/
Take care!
@tinydroptest2
github.com/turanct
bitbucket.org/turanct