Your startup's founder has left. He has wiped his computer. Now your cloud provider is threatening to lock you out unless you authenticate using 2FA
Hopefully in the password store
Or perhaps they no longer work
Contact helpdesk, account manager, lawyer, social media (usually the bigger you are and the more you pay, the better your chance)
Store everything centrally. How do you audit that, and how regularly?
Scenario 5
A relative dies. Your first step is to log in to all their accounts and work out what should be kept.
This will take months, not years. Sometimes you will only find out an account exists when they email you that the account is about to expire.
Personal Observations
You will not have access to their cellphone
or probably not past the lock screen
Anything they told you that was obvious you will forget
You will not have access to the password store
You may have access to saved passwords in browser
Maybe you need to optimise for family being able to access things, not complete lockdown.
Physical notebook with passwords
Consider in advance how you will recover if your 2FA device breaks
How will you convince a helpdesk person that you are you?
Personal Mitigations
Kawaiicon 2019 – “How can I help you” talk by Laura Bell
You Shall Not Pass by Peter Burnett
Moodle is an open source Learning Management System.
Legacy System
First developed in 1997
Open Sourced in 2001
New Code is good quality, older stuff not as much
Efforts to improve password policy
Password policy was a bit antiquated
Best policies come from NIST, 2018 version is good.
Don’t force a pattern; check for compromised passwords; check for dictionary-based and identifying passwords
Look at the “Have I Been Pwned” API – it takes the first 5 characters of the SHA hash of the password.
Dictionary checks – Top 10,000 English words might be enough
Identifying information – birthdays, names, cities are things to watch for. Name of the company.
Released as an open source plugin for Moodle
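The three checks above (breach lookup via the HIBP range API, dictionary words, identifying information) as one policy function. This is an added example, not code from the talk or from the Moodle plugin; the word list, the profile fields and the range response are constructed, and the API is assumed to be the k-anonymity one that takes a 5-character SHA-1 prefix and returns “SUFFIX:COUNT” lines.

```python
import hashlib

# Constructed stand-in for the "top 10,000 words" list (not from the talk).
TOP_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "qwerty"}

def hibp_split(password):
    """Upper-case SHA-1 hex digest split into the 5-char prefix that is
    sent to the range API and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def hibp_count(password, range_body):
    """Parse a range response ("SUFFIX:COUNT" per line) for the password's
    prefix and return the breach count, or 0 if the suffix is absent."""
    _, suffix = hibp_split(password)
    for line in range_body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0

def identifying_tokens(profile):
    """Lower-case tokens (3+ chars) from name, company, city and birthday."""
    tokens = set()
    for key in ("firstname", "lastname", "company", "city"):
        for part in profile.get(key, "").lower().split():
            tokens.add(part)
    bday = profile.get("birthday", "")          # assumed as YYYY-MM-DD
    tokens.update(bday.split("-"))
    tokens.add(bday.replace("-", ""))
    return {t for t in tokens if len(t) >= 3}

def check_password(password, profile, range_body):
    """Return the list of policy failures; an empty list means accepted."""
    low = password.lower()
    problems = []
    if hibp_count(password, range_body) > 0:
        problems.append("compromised")
    if low in TOP_WORDS:
        problems.append("dictionary")
    for tok in sorted(identifying_tokens(profile)):
        if tok in low:
            problems.append("identifying:" + tok)
    return problems

# Constructed range response (the real API returns hundreds of suffixes per
# prefix); the second entry is the suffix of "password123", so it counts as breached.
SAMPLE_RANGE = "0018A45C4D1DEF81644B54AB7F969B88D65:1\n" + hibp_split("password123")[1] + ":126927"
```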
A look at the Authentication Flow
Natively supported LDAP etc.
Lots of extra plugins implement other methods
Had to put MFA in when people were using plugins. Difficult to mix.
Added extra hook on “account related” actions, they would check for MFA etc.
Required a bit of work to get merged in.
Implementing MFA
MFA is a superset of 2FA implementations
Had to build an extensible platform
Traditional: TOTP, Email
Non-Traditional: IP verification, Authentication type (might already have MFA)
Design considerations – Keep secure but impact people as little as possible.
Different users: not required, optional, forced upon. So built in the ability for a range of use across the platform.
Learnings
Anything can be used as a factor
delicate balance between secure and usable
When designing, paranoid is the right mindset
Give the least information possible to allow a legit user to authenticate
What can the attacker do if this factor is compromised?
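The extensible-factor idea from the MFA section and the Learnings above (a traditional TOTP factor next to a non-traditional IP factor, plus the not required / optional / forced policy) as an added example. This is not the Moodle plugin's code; the class and policy names are assumptions, and the TOTP routine follows RFC 4226/6238.

```python
import hashlib, hmac, ipaddress, struct, time

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)

class TotpFactor:
    """Traditional factor: a code from an authenticator app."""
    def __init__(self, secret):
        self.secret = secret
    def verify(self, ctx):
        now = ctx.get("now", time.time())
        code = ctx.get("code", "")
        # Accept one step either side for clock drift; compare in constant time.
        return any(hmac.compare_digest(totp(self.secret, now + d * 30), code)
                   for d in (-1, 0, 1))

class IpRangeFactor:
    """Non-traditional factor: the request comes from a trusted network."""
    def __init__(self, cidrs):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
    def verify(self, ctx):
        addr = ipaddress.ip_address(ctx.get("ip", "0.0.0.0"))
        return any(addr in net for net in self.nets)

NOT_REQUIRED, OPTIONAL, FORCED = "not_required", "optional", "forced"

def mfa_passes(policy, factors, ctx):
    """Decide whether a login may proceed. NOT_REQUIRED always passes;
    a user with no enrolled factors passes under OPTIONAL but is blocked
    under FORCED; otherwise at least one enrolled factor must verify.
    The caller learns only pass/fail, not which factor failed."""
    if policy == NOT_REQUIRED:
        return True
    if not factors:
        return policy == OPTIONAL
    return any(f.verify(ctx) for f in factors)
```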
Facebook, Dynamite, Uber, Bombs, and You – Lana Brindley
Herman Hollerith
Created the punch card, introduced for the 1890 US Census
Hollerith leased companies to other people
Hollerith machines and infrastructure used by many censuses in Europe.
Countries with better census infrastructure using Hollerith machines tended to have a higher death rate in the Holocaust
Alfred Nobel
Invented dynamite and ran a weapons company
Otto Hahn
Invented Nuclear Fission
Eugenics
33 US states have sterilization programmes in place
65,000 Americans sterilized as part of programmes
WHO was created as a result.
Thalidomide
Over-the-counter morning sickness treatment
Caused birth defects
FDA strengthened
Unintended consequences of technology, result was stronger regulation
Volkswagen emission and Uber created Greyball – Volkswagen engineers went to jail, Uber engineers didn’t
Here are some IT innovations that didn’t lead to real change
Medical Devices
Therac-25 was a 1980s machine used for treating cancer with radiation
Control software had a race condition that gave people huge radiation overdoses
Drive by Wire for Cars
Lexus ES350 sudden acceleration
Toyota replaced floor mats, not software
Car accelerator stuck at full speed and brakes not working
No single cause ever identified
Deep Fake Videos
Killer Robots
South Korean Universities came under pressure to stop research, said they had stopped but not confirmed.
Chinese Surveillance
Checkpoints all through the city; the average citizen goes through them many times per day and has their phone scanned, plus other checks.
Cameras with facial recognition everywhere
Western Surveillance – Palantir and other companies installing elsewhere
Boeing Software – 737 Max
Bad technology should have consequences and until it does people have to avoid things themselves as much as possible and put pressure on governments and companies
The Internet: Protecting Our Democratic Lifeline by Brett Sheffield
Lots of ways technology can protect us (Tor etc.) and at the same time plenty of ways technology works against our privacy.
The UN Declaration of Human Rights. Australia is the only major country without a bill of rights.
Ways to contribute – They Work for you type websites – Protesting – Whistleblowers
Democracy Under Threat – Governments blocking the Internet – Netblocks.org – Police harass journalists (AFP raids ABC in Aus) – Censorship
Large Companies – Gather huge amounts of information – Aim for personalisation and monetisation – Leads to centralisation
Rebuilding the Internet with Multicast – Scalable – Happens at the network layer – Needs to be enabled on all routers in each hop – Currently off by default
Libracast – Aims to get multicast in the hands of developers – Tunnels through non-multicast-enabled devices – Messaging library – Transitional tunneling – Improved routing protocol – Try to enable in other FOSS projects – Ensure new standards (WebRTC, QUIC) support multicast
Preventing the IoT Dystopia with Copyleft- Bradley M. Kuhn
Bradley M. Kuhn
The S in IoT stands for Security
Many stories of people hacking into baby monitors and home cameras
IoT devices often phone home to the manufacturer's website so that you can access them remotely. “I suppose there are Chinese hackers watching my dogs all day, I hope they will call me if they need water etc.”
Open source people have historically worked to get around problems like this.
1992 – If you wanted Linux, you downloaded the software onto floppies and installed it yourself. And Often had to work hard to make it work.
Today only a small percentage of laptops sold have Linux on them.
But Linux is commonly installed on IoT devices – 90-odd%
But
No [easy] way to reinstall it yourself
Much worse than laptops
GPL includes “The scripts used to control the compilation and install of the executable”
“Freedom to Study” is not enough
Linksys Wifi router
OpenWRT Project
Release forced from Linksys and Cisco
“Source as received from Linksys from GPL enforcement”
Is OpenWRT a unicorn?
Few projects with serious alternative firmware project
Still sold new after 20 years
BusyBox Lawsuits
Before IoT was even a term
At least one model of Samsung TV -> samygo.tv
“Baffles me as to why the manufacturers want us to buy more hardware”
Linux focuses too much on big corp users and ignores hobbyist users
Kernel people only care about the .c files. Don’t care about the install scripts etc.
People at top of Linux now got their start hacking on the devices in front of them.
The next generation of developers will be those hackers not from IBM and other big companies
You didn’t need anything but a computer and an internet connection to become an upstream developer in those days. This is becoming less true.
If the only thing you can install Linux on is a rackmount server, a cloud server or maybe a laptop, and none of the IoT devices around you, then things don’t look good…
Linux was successful because users could install it on their own devices
Linux won’t remain the most important GPL program if users can’t install their modifications. Tinkering is what makes Free software great.
Upstream matters of course, but downstream matters more.
There may be 1000s of Linux developers
But 2 billion people have Linux on their phone – which is locked down and they can’t reinstall
We don’t need a revolution to liberate IoT devices
because the words are already there in the GPL
We just have to take up our rights
What you can do.
Request Linux sources on every device you own – Companies have figured out people almost never ask
Try to build and install them. If you can’t, ask a friend or ask Conservancy for help
If it doesn’t build/install it is a GPL violation; report it to Conservancy
Step up as a leader of a project for devices that matter to you.
Why this will work
The problem seems insurmountable now, only because we have been led astray
First and absolutely necessary step towards privacy and security on those devices
When the user controls the OS again, the balance of power can be restored
Questions
Best way to ask for source code? Try email, the manual should say.
How to get the new code on the device? Needs some push onto industry
What if writing requires expensive equipment? Fairly rare, many devices allow over-the-air upgrades, we should be able to go the same way.
Is there a list of compliant devices? – Proposed in past. Want to go softly at first in many cases
Am I exposed to liability if I modify and distribute code I receive? – Almost certainly not; contact Conservancy if you are threatened.
Web Security 2019 – James Bromberger
James Bromberger
History of browsers
No images
Images
Netscape with crappy “International Security”
https takeup is growing
Chrome is hitting 60-70%
82% of browsers are “modern”; crossover of Chrome users to a new version takes about 3 months.
PCI
Removed early TLS in mid-2018
TLS 1.1 and higher allowed
The legacy browser has gone in the real world
Some envs still behind, but moving ahead
What can we do with as little changes as possible?
0. Don’t use http, use https
Use Let’s Encrypt
Standards reducing the max lifetime of certs from 5 years
1. TLS protocols
7 versions out there (old ones SSL).
Most over 10+ years old
Only 6 in the wild
3 not known to be compromised (1.1, 1.2, 1.3)
Very few clients support only 1.1 and not 1.2 (small gap in 2006-2008). IE supports 1.2. So maybe disable 1.1
Log the protocol being used so you have data on your users
OTOH not much supports 1.3 yet
Use 1.2 and 1.3
Turn the old versions off on the browsers too
Look at which libraries you are using in code that makes https connections
2. Cipher Suite Optimisation
New EC certs for key exchange
New certs getting changed to ECDSA
AES is standard for bulk encryption. GCM mode is best, although Windows 9 can’t do it (upgrade to 10!)
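The advice in sections 1 and 2 above is to log the negotiated protocol (and cipher) so you have data before disabling TLS 1.0/1.1 and tightening the suite list. This added example, not code from the talk, tallies those fields from web-server access logs; the log lines are constructed and the log format is assumed to append the negotiated protocol and cipher to each request line.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic). They assume a log
# format that appends "$ssl_protocol/$ssl_cipher" to each request line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:10:00:01 +1300] "GET / HTTP/1.1" 200 512 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
203.0.113.9 - - [10/Oct/2019:10:00:02 +1300] "GET /login HTTP/1.1" 200 2048 TLSv1.3/TLS_AES_256_GCM_SHA384
198.51.100.7 - - [10/Oct/2019:10:00:03 +1300] "GET / HTTP/1.1" 200 512 TLSv1.1/ECDHE-RSA-AES128-SHA
203.0.113.5 - - [10/Oct/2019:10:00:04 +1300] "GET /a HTTP/1.1" 200 64 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
"""

PROTO_RE = re.compile(r"\s(SSLv[23]|TLSv1(?:\.\d)?)/(\S+)\s*$")
SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def _tally(log_text, group):
    """Count the protocol (group 1) or cipher (group 2) field per line;
    lines without the field (e.g. plain http) are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PROTO_RE.search(line)
        if m:
            counts[m.group(group)] += 1
    return counts

def protocol_counts(log_text):
    """Requests per negotiated TLS/SSL protocol version."""
    return _tally(log_text, 1)

def cipher_counts(log_text):
    """Requests per negotiated cipher suite, e.g. to see how much non-GCM traffic remains."""
    return _tally(log_text, 2)

def legacy_share(counts):
    """Fraction of requests that used anything older than TLS 1.2."""
    total = sum(counts.values())
    legacy = sum(n for proto, n in counts.items() if proto not in SAFE_PROTOCOLS)
    return legacy / total if total else 0.0

def can_disable_legacy(counts, max_share=0.01):
    """True when the legacy share is below the threshold you are willing to cut off."""
    return legacy_share(counts) <= max_share
```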
Hung around with a bunch of top Linux people who talked about adding SMP to Linux
Talk on porting Linux to SPARC by David Miller & Miguel de Icaza, going into the improvements and showing how the Linux port to SPARC beat Solaris in the lmbench benchmarks on the same hardware.
Realised he lived in a world where students could create and port an OS that beat the vendor's original OS
1997 – 1998
Wrote (with another guy) and got ipchains added to Linux
“I woke up one morning and I was kernel firewall maintainer”
Got a job where people paid him to work on Linux firewall code
1998
Decided an Australian Linux conference was needed
Oct-Nov visited a bunch of LUGs to invite people and find a person to collect money.
People not sure whether they wanted to go to a Linux conference ($380)
Invited John Maddog Hall
Created and ran a Slashdot ad
Credit card got $14k into the negative
Last session of the 3rd day, reran the 3 best talks
Three stories from 1998
Tutorial books for each of the tutorials – couldn’t get photocopies from a commercial facility, so had to make 400 copies of the books on 4 coin-operated photocopiers
Tridge bought a triple-CD burner. People ran it in relays
Somebody said “I can’t believe you don’t have conference t-shirts”. He bought white t-shirts, got them screen printed and sold them.
End of conference: Tridge organised a gift from the speakers to Rusty, a pewter beer mug
Linux.conf.au after 1999
2001: 3 talks from Rusty scheduled at the same time
Met Tridge at LCA – Moved to Canberra they did AusLabs
How Great Projects
Smart and Capable enough to complete them
They are Dumb enough to try
When somebody tells you about a project?
That sounds Great, Tell me more
What can I do to help
Enable people’s enthusiasms
Collaboration is a super Power
Getting along with people is a skill
“Constructive absenteeism”
Headwinds to collaboration
Signs are welcoming to some people
Other people get signs that they are not so welcome
People are good at seeing signs aimed at them, and not so good at even seeing that they exist when they are not aimed at them.