You startups founder has left. He has wipped out all his computer. Now your Cloudprovider is threatening to lock you out unless you authenticate using 2FA
Hopefully in the password store
Or perhaps they no longer work
Contact Helpdesk, Account Manager, Lawyer, Social Media (usually the bigger you are and the more you pay the better you chance)
Sore everything centrally. How do you audit that? , regularly?
Scenario 5
A relative dies. You first step is to login to all their accounts work out what should be kept.
This will take months not years. Sometimes you will only find out the account exists when they email you that your account is about to expire.
Personal Observations
You will not have access to their cellphone
or probably not past the lock screen
Anything they told you that was obvious you will forget
You will not have access to the password store
You may have access to saved passwords in browser
Maybe you need to optimise for family can access stuff not complete lockdown.
Physical notebook with passwords
Consider in advance how you will recover if your 2FA device breaks
How will you convince a helpdesk person that you are you?
Personal Mitigations
Kawaiicon 2019 ” How can I help you” Talk by Laura Bell
You Shall Not Pass by Peter Burnett
Moodle is an open souce Learning Management System.
Legacy System
First developed in 1997
Open Sourced in 2001
New Code is good quality, older stuff not as much
Efforts to improve password policy
Password policy was a bit antiquated
Best policies come from NIST, 2018 version is good.
Don’t force a pattern, Check for compromised passwords, Check for dictionary based and identifying passwords
Look at the “Have I been Pwned” API – takes first 5 characters of the sha of the password.
Dictionary checks – Top 10,000 English words might be enough
Indentifying information – Birthdays, names, cities are things to watch for. Name of the company.
Released as an open source plugin for Moodle
A look at the Authentication Flow
Natively supported LDAP etc.
Lots of extra plugins impliment other methods
Had to put MFA in when people using plugins. Difficult to mix
Added extra hook on “account related” actions, they would check for MFA etc.
Required a bit of work to get merged in.
Implementing MFA
MFA is a superset of 2FA implimentations
Had to do extensible platform
Traditional: TOTP, Email
Non-Traditional: IP verification, Authentication type (might already have MFA)
Design considerations – Keep secure but impact people as little as possible.
Different users: Not required, Optional, Forced Upon . So built in the ability for a range of use across platform.
Learnings
Anything can be used as a factor
delicate balance between secure and usable
When designing, paranoid is the right mindset
Give the least information possible to allow a legit user to authenticate
What can the attacker do if this factor is compromised?
Facebook, Dynamite, Uber, Bombs, and You – Lana Brindley
Herman Hollerith
Created the punch card, introduced for the 1890 US Census
Hollerith leased companies to other people
Hollerith machines and infrastructure used by many Census in Europe.
Countries with better census infrastructure using Hollerith machines tended to use have higher deather rate in The Holocaust
Alfred Nobel
Invented Dynamite and ran weapons company
Otto Hahn
Invented Nuclear Fission
Eugenics
33 US states have sterilization programmes in place
65,000 Americans sterilized as part of programmes
WHO was created as a result.
Thalidomide
Over-the-counter morning sickness treatment
Caused birth defeats
FDA strengthened
Unintended consequences of technology, result was stronger regulation
Volkswagen emission and Uber created Greyball – Volkswagen engineers went to jail, Uber engineers didn’t
Here are some IT innovations that didn’t lead to real change
Medical Devices
Therac-25 was a 1980s machine used for treating cancer with radiation
Control software had race condition that gave people huge radiation overloads
Drive by Wire for Cars
Luxus ES350 sudden acceleration
Toyota replaced floor mats, not software
Car accelerator stuck at full speed and brakes not working
No single cause ever identified
Deep Fake Videos
Killer Robots
South Korean Universities came under pressure to stop research, said they had stopped but not confirmed.
Chinese Surveillance
Checkpoints all though the city, average citizen goes though them many times per day and have phoned scanned, other checks.
Cameras with facial recognition everywhere
Western Surveillance – Palantir and other companies installing elsewhere
Boeing Software – 373 Max
Bad technology should have consequences and until it does people have to avoid things themselves as much as possible and put pressure on governments and companies
The Internet: Protecting Our Democratic Lifeline by Brett Sheffield
Lost of ways technology can protect us (Tor etc) and at the same time plenty of ways technology works against our prevacy.
The UN Declaration of Human Rights Australia is the only major country without a bill of rights.
Ways to contribute – They Work for you type websites – Protesting – Whistleblowers
Democracy Under Threat – Governments blocking the Internet – Netblocks.org – Police harrass journalists (AFC raids ABC in Aus) – Censorship
Large Companies – Gather huge amounts of information – Aim for personalisation and monotisation – Leads to centralisation
Rebuilding the Internet with Multicast – Scalable – Happens at the network layer – Needs to be enabled on all routers in each hop – Currently off by default
Libracast – Aims to get multicast in the hands of developers – Tunnels though non-multicast enabled devices – Messaging Library – Transitional tunneling – Improved routing protocol – Try to enable in other FOSS projects – Ensure new standards ( WebRTC, QUIC) support multicast
Each year I do the majority of my Charity donations in early December (just after my birthday) spread over a few days (so as not to get my credit card suspended). I’m a little late this year due to a new credit card and other stuff distracting me.
I also blog about it to hopefully inspire others. See: 2018, 2017, 2016, 2015
All amounts this year are in $US unless otherwise stated
My main donations was to Givewell (to allocate to projects as they prioritize). Once again I’m happy that Givewell make efficient use of money donated.
I donated $50 each to groups providing infrastructure and advocacy. Wikipedia only got $NZ 50 since they converted to my local currency and I didn’t notice until afterwards
Some Software Projects. Software in the Public Interest provides admin support for many Open Source projects. Mozilla does the Firefox Browser and other stuff. Syncthing is an Open Source Project that works like Dropbox
Finally I’m still listening to Corey Olsen’s Exploring the Lord of the Rings series (3 years in and about 20% of the way though) plus his other material
