Security & privacy on the internet: things you should know


Description

Presentation about security and privacy on the internet, given by volunteer Toon at the Werkgroep Websites en Hosting meeting of 7 January 2014.


Page 1: Security & privacy on the internet: things you should know

Security & Privacy. Because you're awfully bad at them...

Page 3

This talk applies to security in IT, but the main principles should apply everywhere.

Page 4

What is security?

Security is protection from harm.

Page 5

How to accomplish security?

● Rules (laws, terms of service, ...)
● Trust (web of trust, ...)
● Mathematics (redundancy, encryption, ...)

Page 7

Against whom?

● Spying brothers, mothers, colleagues, girlfriends (physical access to the computer, knowledge about the owner)
● Companies, ISPs, governments (Man in the Middle)
● Employers, insurance companies, banks, governments (institutions we depend on)
● Data "thieves"

Page 8

Fields

● Physical (passphrases, full disk encryption, lock screens)
● Application (logging & monitoring, prepared SQL statements, trust-nothing strategy)
● Transport (encryption in transit such as HTTPS; end-to-end encryption such as OTR, GPG)
● Data (redundancy against data breaches and disk failures, encryption)
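Added example, not part of the slides, showing what "prepared SQL statements" and "trust nothing" mean in the Application field. The in-memory SQLite database, the table layout, the user names and the injection payload are all constructed for this illustration.

```python
import sqlite3

# Constructed sample database for the example (not from the original slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: the user-supplied string is pasted into the SQL text, so the
    # input can change the structure of the query instead of just its value.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_prepared(conn, username):
    # Prepared statement: the SQL text is fixed at write time; the value is
    # bound as a parameter and is never parsed as SQL, whatever it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Identifiers (column or table names) cannot be bound as parameters, so the
# trust-nothing rule for them is an allowlist, not escaping.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def find_users_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % (sort_col,))
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + sort_col)]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every user leaks
    print("prepared:  ", find_user_prepared(conn, payload))    # literal lookup, no match
    print("sorted:    ", find_users_sorted(conn, "username"))
```

With the payload `x' OR '1'='1` the concatenated query becomes `... WHERE username = 'x' OR '1'='1'` and returns every row; the parameterized version looks for a user literally named `x' OR '1'='1` and returns nothing.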

Page 10

Think about this

● Security is not the same as authentication
● A passphrase is not the same as a password
● Use bcrypt for password hashes instead of MD5 or SHA-1: salted or not, those are fast algorithms, so every guess is cheap and the hashes are easily broken
● Another approach to hash storage: user plus random salt in the user table, the hash plus dummy entries in a separate hash table
● Free software is not the same as open source software
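Added example, not from the slides, showing why the bcrypt point holds: a constructed dictionary recovers an unsalted MD5 hash instantly, while a salted, deliberately slow hash makes each guess expensive and gives every user a different hash for the same password. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here so the code runs without a third-party package; the iteration count, the storage format and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the slides): a tiny "dictionary" of
# common passwords and one user who picked a weak one.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2"]
WEAK_PASSWORD = "hunter2"

# Assumption: tune so that one hash takes roughly 0.1 s on the server.
PBKDF2_ITERATIONS = 200_000


def md5_hex(password):
    # Unsalted, fast: identical passwords give identical hashes across users,
    # and a single precomputed table cracks all of them.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    # Slow, salted hash (PBKDF2-HMAC-SHA256 as a stand-in for bcrypt).
    # A fresh random salt per user defeats precomputed tables; the iteration
    # count makes every guess cost as much as a legitimate login.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the response time does not reveal how many
    # bytes of the digest matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack(matches, dictionary):
    # Generic guessing loop: returns (recovered password or None, seconds spent).
    start = time.perf_counter()
    for guess in dictionary:
        if matches(guess):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


if __name__ == "__main__":
    fast_hash = md5_hex(WEAK_PASSWORD)
    guess, secs = dictionary_attack(lambda g: md5_hex(g) == fast_hash, DICTIONARY)
    print("MD5:    recovered %r in %.6f s" % (guess, secs))

    slow_hash = hash_password(WEAK_PASSWORD)
    guess, secs = dictionary_attack(lambda g: verify_password(g, slow_hash), DICTIONARY)
    print("PBKDF2: recovered %r in %.3f s (%d guesses)" % (guess, secs, len(DICTIONARY)))

    # Same password, two users: the salt makes the stored values differ.
    print(hash_password(WEAK_PASSWORD) != hash_password(WEAK_PASSWORD))
```

A weak password is still recovered by the slow hash; what changes is the price per guess, which is what turns "all hashes cracked overnight" into "only the worst passwords cracked this month". The real fix for the user is the previous bullet: a passphrase, not a password.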

Page 12

What is privacy?

The freedom to express yourself anonymously or to send someone a private message, without interference from third parties.

Page 14

Privacy can be decomposed into three parts:

1. Secrecy (your messages can only be understood by the intended recipients)
2. Anonymity (the ability to send and receive messages without revealing the sender or receiver)
3. Autonomy (avoidance of interference or intervention by people who have violated our secrecy or anonymity and use it to control us)

Page 15

What does that mean?

Interception of the content of your message breaks your secrecy.
Interception of the metadata of your message breaks your anonymity.

Page 17

Threats against secrecy

● Total surveillance
● Deep Packet Inspection (DPI)
● Man-in-the-Middle attacks (MITM)
● History (something that is secure now does not necessarily stay that way)
● Weak protocols (FTP, DNS, ARP, HTTP, POP3, Wi-Fi, GSM, EDGE, 3G; FTP, HTTP and POP3 carry credentials and content in the clear, and DNS and ARP answers are unauthenticated, so they can be spoofed)

Page 18

Threats against anonymity

● Total surveillance
● Browser fingerprinting
● Persistent cookies
● Social media buttons and other third-party inclusions (images, scripts, embeds)
● Weak protocols (IP, GSM, EDGE, 3G)
● Everything you have to sign up for
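Added example, not part of the slides, that makes the "persistent cookies" and "third-party inclusions" bullets checkable: given one HTTP response, it lists the cookies that outlive the browser session and the hosts that learn about the visit because the page pulls images, scripts, iframes or stylesheets from them. The page host, the response headers and the HTML body are invented sample data; the example domains stand in for trackers and social buttons.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site the visitor actually typed in.
PAGE_HOST = "example.org"

# Constructed sample response (not from the slides).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),                       # session cookie
    ("Set-Cookie", "uid=7f3a9; Expires=Wed, 07 Jan 2026 00:00:00 GMT; Path=/"),  # persistent
    ("Set-Cookie", "prefs=dark; Max-Age=31536000"),                           # persistent
]
SAMPLE_BODY = """
<html><body>
<img src="/img/logo.png">
<img src="https://static.example.org/banner.png">
<script src="https://tracker.example.net/analytics.js"></script>
<iframe src="https://social.example.com/plugins/like?page=example.org"></iframe>
<link rel="stylesheet" href="//cdn.example.net/fonts.css">
</body></html>
"""


def persistent_cookies(headers):
    # A cookie without Expires or Max-Age dies with the browser session;
    # one with either attribute survives and can identify you on later visits.
    names = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "expires" in attrs or "max-age" in attrs:
            names.append(cookie_name)
    return names


class _ResourceCollector(HTMLParser):
    # Tags whose URL attribute causes the browser to contact another server
    # (sending Referer, IP address and any cookies it holds for that server).
    TAG_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTRS.get(tag)
        if wanted:
            for key, value in attrs:
                if key == wanted and value:
                    self.urls.append(value)


def third_party_hosts(body, page_host):
    # Every host that is not the page's own (or a subdomain of it) learns that
    # this visitor loaded this page, whether or not they click anything.
    parser = _ResourceCollector()
    parser.feed(body)
    hosts = set()
    for url in parser.urls:
        host = urlsplit(url).hostname  # None for relative URLs such as /img/logo.png
        if host and host != page_host and not host.endswith("." + page_host):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print("persistent cookies:", persistent_cookies(SAMPLE_HEADERS))
    print("third parties told about this visit:", third_party_hosts(SAMPLE_BODY, PAGE_HOST))
```

A scheme-relative URL such as `//cdn.example.net/fonts.css` is still a third-party request, which is why the check goes through `urlsplit` rather than looking for `http`.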

Page 20

Tools to use for

● Secrecy: HTTPS, OTR, GPG (best: public-key encryption with ephemeral keys and large key sizes)
● Anonymity: Tor network, I2P, GNUnet
● Autonomy: Laws? Civil disobedience?

Page 21

Use only Free Software, and know the software you use

Page 22

Think about this

● Do you have nothing to hide?
● If I promised to keep every piece of your data secret, would you trust me enough to give it to me? Why would you trust someone you don't know (and whose plans you don't know) over me?

Page 23

Think about this

● What do Google, Facebook, your ISP and your government know about you?

Page 24

Think about this

● What do Google, Facebook, your ISP and your government know about you?
○ Data you gave them
○ Your friends and their friends
○ Who your employer is (approximately)
○ Places you've been to, and when you were there
○ Where you were at any given time (approximately)
○ Conversations between you and your friends (chat, private message, email, ...)
○ Things, music, companies, activities, politics, ... that you find important
○ How you look
○ Your sexual orientation (even before you know it)
○ Sites you visit, how long and when you visit them
○ ...

Page 25

Think about this

● Do you have nothing to hide?
● If I promised to keep every piece of your data secret, would you trust me enough to give it to me? Why would you trust someone you don't know (and whose plans you don't know) over me?
● What do Google, Facebook, your ISP and your government know about you?
● What about correlation? Tor is not enough.
● What about metadata? (See quote.)

Page 27

Take care!

@tinydroptest2
github.com/turanct
bitbucket.org/turanct