Speech Transcript - More secure with less "security"

0:00:10	it
0:00:15	or
0:00:17	so and stuff
0:00:20	i work at red hat
0:00:22	and i've been involved in brno now i think seven years
0:00:26	what really draw to be known is the focus on making stuff usable
0:00:31	and for me that's the paradox between security and usability there often at once but
0:00:37	i like the challenge of making them
0:00:39	work together
0:00:41	we're the first cover some abstract concepts or some principles
0:00:45	that you can apply when writing security features in your software
0:00:51	and
0:00:53	then some
0:00:54	examples of how we are implementing in applying those principles
0:00:59	or in a cover a bunch a different topics so feel free to interrupt if
0:01:02	you want if you want to get your question and while we're on topic i
0:01:05	might tell you that it's gonna be answered but no loss there
0:01:11	so
0:01:16	when working with security we have or just in general as developers we often have
0:01:21	this abstract concept of the user
0:01:23	as mystical being
0:01:26	and it as security guys we kind of sometimes
0:01:29	shake our heads at the user
0:01:32	you know it's clicking on stuff is not supposed to clicking on right installing should
0:01:36	be software and falling for fishing and so on and so forth
0:01:41	well we kind of failed to remember
0:01:44	but the users a human
0:01:47	humans are intelligent fun creative crazy
0:01:52	but they're usually overwhelmed
0:01:54	because
0:01:56	our lives are full of all sorts of information
0:01:59	full of choice in the world today
0:02:02	we have to choose between all sorts of little things and then comes
0:02:07	no and forces
0:02:10	these poor humans to choose between more choices
0:02:15	they may be possible they may be capable of learning about security
0:02:20	but
0:02:21	realistically they're not going to
0:02:26	this we have to understand the user their nature
0:02:29	this is one of the fundamental things we do in our daily lives we filter
0:02:33	out extraneous information costly being bombarded by massive amounts of information and just even while
0:02:38	doing mundane things work constantly filtering out the stuff we think we don't need
0:02:44	we should not be surprised when the user ignores something that we wanted him to
0:02:49	see
0:02:54	there's a lot of discussion about that we've all
0:02:57	been involved in this discussion freedom is not people to choice
0:03:03	freedom is equal to match the choice
0:03:06	freedom is equal to the choice to choose
0:03:10	you have to be able to choose the software you run on your computer you
0:03:15	have to be able to choose
0:03:17	to modify you have to be free to do these things but you definitely don't
0:03:20	wanna be
0:03:21	micromanaging all the tiny choices that these tools are supposed to be doing for you
0:03:29	sometimes users think they want choice probably really want as much a choice
0:03:33	so
0:03:36	if you force the user to be part of a security system
0:03:40	they're gonna have a really bad time
0:03:42	a as the professionals writing the software whether we feel maybe we know all the
0:03:46	details are not we are better equipped to make a security decision for the user
0:03:52	then the use of themself
0:03:54	and just like a doctor sometimes doctors get frustrating "'cause" they present you all these
0:04:00	different possible remedies or possible ways to treat you know let's you might have and
0:04:05	there if you see involved make a choice you know it's up to you have
0:04:09	to doctor what would you do
0:04:11	well it depends on each situation is different and sure there is a sometimes you
0:04:16	want to professional
0:04:19	to make a decision or to make a strong proposal strong
0:04:24	decision you can choose to reject that decision that's about a choice there that you
0:04:28	want
0:04:29	that's
0:04:30	from a professional like one of us
0:04:35	in general this should be our goal like in the security feature the user has
0:04:39	to identify themselves have to know who they are if we could do that automatically
0:04:42	we probably would
0:04:44	but
0:04:45	sadly we're not there yet so you have to use a for password or something
0:04:49	to improve that they are
0:04:51	right but after that
0:04:54	we shouldn't
0:04:55	interrupt the user with security questions insecurity decisions
0:04:59	now there's a different kind of user profession of
0:05:03	these professionals use different tools
0:05:07	the
0:05:09	duh
0:05:11	that is how
0:05:15	and so they use different tools
0:05:18	they look inhuman when they're doing their job actually
0:05:21	professionals have alert how to reject part of humanity essentially to be specialised and do
0:05:27	one thing really well
0:05:29	but we can't forget that even professionals when they go on to something else
0:05:34	they don't wanna micro manage the rest of their lives
0:05:37	even someone who drive the fire truck for a living with a massive console full
0:05:41	of all the buttons many which you know you have to learn and be trained
0:05:45	to use that thing drive home a normal car right and he won't want to
0:05:49	draw the firecracker i mean pretty basic stuff
0:05:52	so given that
0:05:56	one is the worst possible time to ask the user a risky question to make
0:06:00	a risky decision
0:06:04	when they're trying to do something else
0:06:07	that's the worst possible time you're gonna get results that are worse than random chance
0:06:12	if it's something is really truly going well let's say someone is attacking the user
0:06:18	and something is going wrong and they get a problem
0:06:23	the chance of them making the right decision there and not just clicking through and
0:06:26	ignoring it or whatever if you just did a fifty you probably be better than
0:06:31	what the right so
0:06:33	so we just to our first
0:06:35	max and problems are dubious
0:06:39	if you are coding a problem for you see a problems looking at you know
0:06:43	for yourself are you factoring something there's a problem there regarded with suspicion
0:06:49	do you actually need to prompt the user and this goes across the board i
0:06:52	mean sure the technology we have sometimes requires that's the problem maybe to save a
0:06:57	file or something we really
0:06:59	we don't want that like
0:07:02	our end goal should be to get rid of yes no problem toward the equivalent
0:07:07	stuff
0:07:10	but taking a step further security problems are wrong
0:07:16	sure sometimes you have to prompt for a password and that's an identification problem right
0:07:20	you're asking use it identify themselves and unfortunately passed first is one way we do
0:07:25	that
0:07:25	but in general a question about security like do you want to continue
0:07:31	you wanna ignore this bad certificate all those exact all those things will cover some
0:07:36	examples later they are wrong almost ninety nine percent the time
0:07:44	and if you can the user tries to make that permanent you're adding insult injury
0:07:49	basically say okay fine go ahead they can choice alright
0:07:54	we're actually doing that forever now ridiculously
0:07:58	alright so here's an example
0:08:00	we all sing this
0:08:03	and the user is really ill equipped to answer this question i mean completely unlike
0:08:07	what
0:08:09	there are very few people
0:08:12	you can answer this question correctly
0:08:15	there's another example
0:08:19	i don't even know what is going on here what's offered be i can't even
0:08:23	as a security professional cannot answer this question correctly just gonna
0:08:30	exactly
0:08:34	here's another example i mean i could go on and on with examples i mean
0:08:37	there so many examples
0:08:46	so it's just game over you lose
0:08:56	alright stop interrupting so what we do instead of interrupting
0:09:00	we let the user express their intent
0:09:04	what they want to do
0:09:05	and then we make a decision based on
0:09:09	so
0:09:10	yours volume you some examples of this to get you thinking
0:09:14	there's a principle to apply
0:09:16	figure out what the user wants to do design so that he can expresses intent
0:09:22	during the task is trying to do and then don't problem with random problems either
0:09:27	confirming or whatever right
0:09:30	so we heard letter to talk about
0:09:34	portals well that's part is that boxing right enforce and this product talk so but
0:09:40	anyway
0:09:41	portals
0:09:42	our away for some what's application to kind of call of the system
0:09:46	and ask the system to do something that i just and what's application but otherwise
0:09:51	not be allowed to do now these are right for doing it wrong is are
0:09:56	right for problems and actually
0:09:58	we're approaching this from a different angle right so the classical example which i think
0:10:03	must dimension is if a somewhat suffocation wants to open the file
0:10:09	that's not in the sample X
0:10:11	ask the system to the portal
0:10:14	october the file system for parts of a file chooser user selects the file the
0:10:19	user expresses the intent
0:10:21	the open the file
0:10:22	and then the system allows that security access at no point is the user
0:10:27	prompted
0:10:29	to with a with a this application wants to access this file in read mode
0:10:35	in right now i don't know what and then continue disallow both should not of
0:10:41	that right so that's expressing intent make insecure decision based off of it
0:10:46	another example this is just a theoretical example
0:10:50	you know for the subtext of dot in them
0:10:53	you can imagine software that wants to be not within our privacy campaign right you
0:10:57	can imagine going to software and checking for this that we don't upload them accidently
0:11:01	that we don't think them to public service sick that data to public service
0:11:06	so rotten than seeing a problem like this
0:11:10	i mean of course the designers can probably
0:11:13	we work this but you might we might choose to make the data visible
0:11:18	thank you very visible what is the what is in that photo so it
0:11:24	this is the sense of data that's in this photo
0:11:27	and just like we allow you know rotating photos and stuff you might have a
0:11:30	button to clear so it's very clear the user has the data is intent is
0:11:35	to take this started here put it online if you doesn't like the data that's
0:11:38	here you can change it maybe take out that X of data or whatever i
0:11:44	mean well apply the principle is to be applied
0:11:48	that
0:11:50	user can express the intent is in control knows that he wants to do and
0:11:53	then that doesn't get these problems to allow or deny access
0:11:59	so
0:12:01	so moving onto concrete some more concrete examples what are we doing to fix this
0:12:08	here are some steps and things that i've been working on
0:12:12	i'm just one person though
0:12:14	and i know security sometimes seems like the dark side
0:12:18	but in reality
0:12:21	it's it there there's very few people who are actively working on this stuff and
0:12:29	so i would encourage your involvement so examples that i'm gonna give one stuff that
0:12:33	i've sort of have find out or have worked on already are no means comprehensive
0:12:38	solution to this problem
0:12:39	and so we need everyone's involvement to try and apply as you're making you software
0:12:46	and help fix the stuff so first
0:12:50	no more certificate problems
0:13:02	i mean this is the details of a certificate i mean i don't include the
0:13:05	like binary details that you actually are the ones that you need to verify here
0:13:08	but
0:13:10	barely anyone can actually go through this and double check that you know certificate matches
0:13:14	what it's supposed to be this is what we're gonna do how should
0:13:19	just drop the connection with something is wrong
0:13:22	if the user is connecting let's say from a web browser or the thing i
0:13:26	am let's and the server's not listening on the right port what do you do
0:13:29	we display big dialogue telling him how to change the word for to contact whoever
0:13:34	or like some thing know it's in this country it's a problem that's on the
0:13:38	server side miss configuration
0:13:41	and we're like oops something's broken
0:13:44	i mean sure their remedies i can be done for example if i think of
0:13:48	someone doesn't pay the D N S for jabber daughter work doesn't pay the domain
0:13:52	registration we should we could possibly put up a dialogue this is do you want
0:13:56	to send an email to the admin of whatever based on who is information and
0:14:02	like
0:14:03	so why we do it for certificates
0:14:07	but i hear these but yes
0:14:11	so let's look at the use cases what the users want to do the user
0:14:14	intent
0:14:16	well one big class
0:14:19	is enterprise the A's enterprise company organisation has their own see a their own anchor
0:14:25	right so for those of you fortunate enough not to know how this works
0:14:29	there's an anchor
0:14:31	which is stored on your system a whole bunch of them right and the website
0:14:35	has a certificate
0:14:37	that it
0:14:38	signs the dollar that's coming from the server with and that certificate has a signature
0:14:43	on it by the anchor
0:14:46	and so your browser or software is checking that it's signed by one of the
0:14:49	anchors on your system
0:14:52	so what we need
0:14:54	for enterprise see ace is a way to configure it we might have a link
0:14:59	that pulls of a help file we might we now we have a way
0:15:04	just or anchors
0:15:05	this is already in the door and debian you open so we have a way
0:15:09	to store anchors across so that by default all the different corpora libraries will use
0:15:14	them
0:15:16	and
0:15:18	here are some details how it works
0:15:21	so you can see that there is kept alive is unfortunate that we have so
0:15:24	many
0:15:26	so what we don't here is this trust or
0:15:30	now the trust or
0:15:32	basically holds a list of all the anchors and blacklist and everything from file so
0:15:37	happens can just put files in a directory there are tools to do this too
0:15:42	and
0:15:44	and assessing can at last read this information through protocol called you can see it's
0:15:48	a lot
0:15:50	now some of that we haven't yet retrofitted open ssl in java to do the
0:15:54	same
0:15:55	so
0:15:57	in addition as kind of a concession to getting this working now
0:16:01	whenever that restores modified we also expect some bundles
0:16:05	so that
0:16:07	these kind of a legacy
0:16:09	uses of the bundles will still work so the upshot is that and enterprise user
0:16:14	or and price admin can how to see a and have it just work so
0:16:18	that's all like to on is and tons and tons of the instances of the
0:16:22	use cases where you want to
0:16:24	use a certificate that your system doesn't trucks
0:16:28	and it's not yet done but we once having can only user interface
0:16:34	for adding that the a C H your system sure there will be an every
0:16:39	application applications that use it it's
0:16:42	saw could include a link to help documentation if we want
0:16:49	but after dropping the connection of course
0:16:52	and then you have
0:16:55	your
0:16:57	that those use cases don't know there's also professionals professional tools right so we're maybe
0:17:02	is maybe a developers developing against a system that is
0:17:07	just a test system as certificate on it that
0:17:10	they just generate a quickly and in production are gonna use a good like a
0:17:14	signed certificate
0:17:15	or for some other reason you might have a personal server that you just decide
0:17:20	to like what self signed certificates on a no okay but you wanna make it
0:17:24	work well there is room for
0:17:27	professional tools to recognise that to work with that
0:17:31	and here's how instead of prompting the user even in professional tools
0:17:35	number the professionals are users to they also ignore information a i know i have
0:17:42	click throughs also i certificates too many times
0:17:45	it's just like
0:17:47	so what you do there
0:17:49	is there a don't feel like you're tool needs to do this you're a
0:17:54	but what you do there is association a certificate with the account
0:18:00	as you would let the user specify host name or username or whatever
0:18:04	what that does it does two things is that we can be more secure with
0:18:08	less security does two things one is that's the user you know not get prompted
0:18:13	later and you know use work around the fact that it's a self signed certificate
0:18:18	but to it also lets the user do it's called a certificate pinning
0:18:22	where
0:18:23	if the certificate to the server sends does not match that certificate so
0:18:29	doesn't work anymore let's really micromanaging secure users
0:18:35	double check certificates that they want to use with a given service and
0:18:40	and then there and if something changes get notified so
0:18:45	but
0:18:47	not every application has to do this so if you're building special application or something
0:18:51	that you imagine these this feature this is how to do it
0:18:55	instead of prompting this is how to do it
0:18:59	alright want another topic
0:19:01	application passive storage
0:19:03	so in currently in
0:19:06	in brno we have
0:19:08	no hearing which is kind of like the central database of all the passwords not
0:19:12	application some faster than there and they can get about
0:19:15	now this is really surprising to users because it doesn't match their intent their intent
0:19:19	is that they type faster than this application the application remembers it
0:19:23	what they don't expect is that every other application including their younger brother using C
0:19:28	horse go and we all the passwords
0:19:31	and
0:19:33	in addition to create all these problems where we have one set one security domain
0:19:39	you would call it for all the applications they can all read each other's passwords
0:19:41	and crap
0:19:43	so
0:19:46	really the password is partly account info when you set up a password and i'm
0:19:49	the or whatever really is part of the account why don't we store today count
0:19:54	well because most people agree that putting up password on encrypted on a laptop disk
0:20:00	is that practise i mean there are certain store just where you can write actually
0:20:04	clear tax like an encrypted this maybe a phone where you can well some sort
0:20:09	of phones where you cannot read this wrong about the wrong this for sandbox applications
0:20:15	so we likely need to use some for sort of encryption
0:20:22	but
0:20:23	and starbucks applications really thrown a wrench into this because if you have the more
0:20:28	sharing their passwords right in the central database you have all these like all this
0:20:32	but this that wants to read this past where the not all these weird if
0:20:37	the prompts or situations that problems are likely to appear so instead what we wanna
0:20:41	do
0:20:43	is
0:20:44	have a session key in the kernel keyring the kerdock eerie it's kind of it's
0:20:50	kind of like know keyring of that but it's volatile and only
0:20:54	stays around on for one
0:20:57	for the brooded life for the computer i guess or
0:21:01	well it's on
0:21:03	and we really want applications to store the passwords in their account information so they
0:21:10	use the library to access the kernel keyring
0:21:13	and ask for session key with which they can use to encrypted password so they
0:21:17	can store the right there and they pass it through
0:21:20	and
0:21:21	store the result in the account information and the colonel keyring if it's not if
0:21:25	we don't yet have a session keyring
0:21:27	their little house
0:21:30	but that's not the secret service or whatever to be the prompt the user or
0:21:34	get a notice i think hearing based on the user's market
0:21:38	this actually lets you do some really interesting things where you can have policy
0:21:44	like that the whole scheme let's you have policy where different applications
0:21:49	you could you could tell them this application i want to never to store passwords
0:21:53	and so the kernel clearing always refuses to have a session a master session key
0:21:59	for that and respects that doesn't write a password or you could say and M
0:22:05	T P mean store in clear text
0:22:08	then you can have either propagation or for the whole system away for
0:22:12	to indicate the applications just put that lay down in your in your account information
0:22:18	in clear text don't want to bother with encryption here
0:22:21	so again another example modelling the user intent when we're keeping the password in the
0:22:26	account data
0:22:28	and
0:22:30	again you have more secure because you can you can model all these different things
0:22:35	you don't have maps
0:22:36	interacting with each other to sam box office apps especially to retrieve the past for
0:22:42	from somewhere of course unless the case where apps want to share an accountant from
0:22:47	account right and we do that is through can a lot line accounts or service
0:22:51	like that
0:22:52	more sound what's applications there should be part of for that
0:22:58	and
0:22:59	and i related use case that someone actually brought up just the other day so
0:23:03	i would mention it is people like to look up the past with that they
0:23:06	use in an archive our back so
0:23:09	we might also have a portal or something for that to kind of say i'd
0:23:13	use this password
0:23:15	if the user wants be reminded of it later story but we but after just
0:23:19	don't necessarily use that look up stuff the user for looks up stuff there he
0:23:23	wants to use it somewhere else and if an application you put and
0:23:30	so another topic
0:23:33	when you login to your you know that start using fingerprints are all the login
0:23:40	or anything about a passer morgan to get this problem which is really stupid because
0:23:44	it's a password right so users pleasantly chose not to login password you get this
0:23:55	no the reason for that is because although we can authenticate the user
0:24:00	we can make a guess no decision based on his identity who he is
0:24:04	we cannot we don't have any
0:24:06	secret data like a master password or anything but which to decrypt the stuff on
0:24:10	the best so we can open his password store and so on
0:24:14	so known keyring stubbornly puts at this prompt
0:24:18	that's really unusable
0:24:21	users intent is to monologue in for example just have a static be accessible
0:24:27	right actually ask for fingerprint the ask for although its kind of secure to make
0:24:33	is donna accessible based on the fingerprint that he's leaving all over the place
0:24:37	right so really
0:24:40	the user has way to secure at the a decision already that says i want
0:24:44	to be less than
0:24:46	a hundred percent or less than password secure and i want to
0:24:53	i don't care this point
0:24:57	so this is how we're gonna solve this
0:25:02	so again for those of you fortunate enough not to understand how power works
0:25:07	have the stack of modules
0:25:10	and one of the modules what usually more the early ones in the stock will
0:25:14	prompt the user for a password
0:25:16	usually it pam unix although it could be the S T component have S as
0:25:21	and so one
0:25:25	so what we really want is that password to come from somewhere else
0:25:29	first of all
0:25:30	we want all the counts to have a password
0:25:33	but then the user can choose not to use that us
0:25:36	so
0:25:38	when configuring fingerprint on or auto login or pay login even
0:25:45	users password is written to a file
0:25:49	and ideally that file would be secured via something on the hardware like a T
0:25:55	P M trip or pretend and be ram or something but if not we written
0:26:00	in clear text and this is the users explicit choice
0:26:07	in addition we wanna fix the case where
0:26:10	you i'll you unlock your disk encryption and then you have to like the same
0:26:13	password again when you login
0:26:16	so both of these data into the kernel keyring
0:26:20	the colonel keyring contain is the users
0:26:24	login password in these cases this can a login fingerprint
0:26:30	authentication
0:26:31	and then when the login starts
0:26:34	there is no authentication token there's no password that they call it
0:26:38	so the first thing in the stock looks and check so the kernel keyring
0:26:43	do you have the user's login password can i just use it
0:26:46	and if you didn't this time
0:26:48	at the top
0:26:50	and then the underlying component see there's already one there tries to use it
0:26:55	and if it works then know product
0:26:58	and on we go down the bottom can known keyring is also able to use
0:27:02	that how sort to unlock the users passwords or to provide like it's in the
0:27:06	last that master session keys for us on what their own past
0:27:11	so we got
0:27:14	are usable login experience that models users intense and in fact
0:27:19	you get ability to use more secure stuff which is your just encryptions smoothly
0:27:26	so those are the things that i
0:27:30	sort of have scheme than this area but
0:27:34	there is so much more if you're if you want to join in on any
0:27:38	of these tasks i can break them down we can we can work together i'd
0:27:42	love that i'm this is not my job to work on this stuff i work
0:27:47	part time on it
0:27:51	and if you see other places where you want to apply the principles i talked
0:27:56	about that by all means don't be afraid of join in the
0:28:00	darkside the security bring us back from the dark side we have cookies
0:28:06	so
0:28:08	who's your comment
0:28:11	terminate security problems with extreme prejudice
0:28:17	and this is really interesting about this the other day
0:28:22	for every keystroke or click that the user has to use to use a security
0:28:27	or crypto feature user base declines by you can imagine how that goes
0:28:33	alright any questions
0:28:37	yes
0:28:43	are you very the if you so the web browser example we back that we
0:28:48	just gonna draw connections if the certificates mismatching there are some sites that they're gonna
0:28:53	practise that you can take people want to go to them
0:28:56	do you think you just gonna find you know like more extreme measures of disabling
0:29:00	the security system so that they can get what they want
0:29:04	and that will match user intent
0:29:08	like i find with someone who's crazy or someone who is a it is come
0:29:14	used to living on the extreme going in disabling have to secure this but if
0:29:18	like user intent is i want to see this site and then you force them
0:29:22	into like and disabling all security validation or something like that
0:29:27	that's a possibility but i think we've also made it possible for the user to
0:29:32	fix that situation
0:29:34	in a straightforward secure way without getting a problem interrupting them so not only are
0:29:39	we taking something away but we given them the ability to fix it really it's
0:29:43	been hopeless so far right
0:29:45	you try to trust some see a or something like see a start for example
0:29:50	i was like what you have to figure and every application that's not so we're
0:29:54	trying to do is really solve the problem that the users are actually facing and
0:29:58	they're always be some
0:30:00	weirdos
0:30:01	who want to ignore that stuff or totally valid you serious want ignore that stuff
0:30:08	and verify minutes open source they can going modify they can we can figure it
0:30:12	they can change it but we don't necessarily have to present that to all these
0:30:16	is that option to all the users
0:30:19	did you have a question
0:30:26	there we go
0:30:28	so with the decline of the passwords this is secure mission to the contention relates
0:30:37	to the ultimate just a user can remember is for below the amount of that
0:30:43	is that compute complete for some half an hour
0:30:46	the two
0:30:49	and with the jan on the availability of the two factor authentication right
0:30:56	what can we do to fix the problem
0:30:59	a lot of lot of research unless the sure that it
0:31:03	i don't have an amazing response to that i mean if and if
0:31:07	if someone wants to work on you authentication methods or implementing
0:31:13	ones that are in research that certainly interesting work that
0:31:18	we can do i mean
0:31:20	but we have established stuff we could try implementing in to go but
0:31:24	i don't be shy when exploring the stuff there's definitely a need for something better
0:31:29	but we don't have
0:31:40	sure
0:31:55	or the
0:31:58	i think it's a good approach to try to catch the use intents but it's
0:32:01	at the same time very far as it is hard i mean
0:32:06	it's security
0:32:08	i don't know it might be very different see what you know the uses and
0:32:12	ten E it's
0:32:14	there's no doubt that
0:32:17	and that's one reason i wanted to get this talk is we're on the verge
0:32:21	of design in this
0:32:22	somewhat applications and it would be so easy
0:32:26	the fall into the trap of getting more problems
0:32:29	so easy and i agree it is hard
0:32:31	is really hard like for example do you want to share your location yes no
0:32:37	what is the answer to that
0:32:39	what if you what if you i mean this is just spit balling here but
0:32:43	what if you were displaying and say select your location share but
0:32:47	like a user clicks it takes the share button it has a web at and
0:32:50	you get some i guess like of course under his current location and all and
0:32:54	it kind of modelling some attached to do rather than a permission i mean i
0:32:59	realise it's hard
0:33:01	and no i don't think any of us have like this ingenious solution for each
0:33:05	and every problem i mean each one it's going to be a child
0:33:08	but we really not just fall into the trap of prompting users that just makes
0:33:14	like i mean showing transit are just going to be click through when you kind
0:33:17	of get in the habit of just picking to
0:33:22	i think it is useful to make a distinction between props that or like would
0:33:26	you like to share your location yes-no versus parts that are more like would you
0:33:31	like me to do what will allow you to do what you're trying to do
0:33:34	so i mean equipment industry choice that's
0:33:38	later you know if i'm clicking no i don't get what i want verses okay
0:33:41	this is really a preference and then i can proceed writing there's a you want
0:33:45	to do your task like exactly and then the ability to of course stop it
0:33:49	if it was a surprise that somehow this thing popped up so saying that all
0:33:52	yes we know choices are only back i'm not sure that that's true
0:33:57	that's why i said problems are dubious and i understand a your point
0:34:03	but we need to react
0:34:05	when we see if we as developers we to react when we see problem and
0:34:08	really think hard is this really necessary and i guess that's my point
0:34:12	so we've been so used to just generating problem
0:34:16	so after that extreme here
0:34:20	and there are exceptions
0:34:21	but it really should be part of our first reaction to think hey this is
0:34:26	the problem what are we doing here can we can we change this there were
0:34:30	actually matching what the user wants to do or presenting a like part of the
0:34:33	flow or somehow let me show isn't and or something like that
0:34:40	just for the
0:34:49	so continuing rinds question before i think which is absolutely terrible has had invalid sort
0:34:55	of the certificate for five years and i don't see any fixed that
0:35:01	that i mean you i know i is they bought my credit card your like
0:35:05	any money right now a but i mean it's just sort of i mean i
0:35:10	sort of agree with brian sentiment that it's like there's a valid
0:35:13	certificate websites all over the place like just sorta children actually and he obviously the
0:35:21	right now like it's very bad by record choose you like
0:35:26	but like i would do that as you were on your fish will be use
0:35:30	like we could do i wanna do i get my money's
0:35:35	so it's just like i understand your point with like
0:35:39	i don't use any for just terrible websites or so i probably not use their
0:35:44	online banking system but
0:35:46	i'm gonna return anecdote in time and that is on them as a that bugs
0:35:51	a lot about our website where people file bugs about firefox
0:35:55	there are and number of bugs the people that exact same thing hey you guys
0:35:59	suck you do not recognizer certificate five bank i keep getting prompted and blah and
0:36:04	then similar looks and the details and they are in fact being that in the
0:36:07	middle someone is attacking that and they have enough knowledge to go and post like
0:36:11	certificate details and all that stuff on for example so you're how many people are
0:36:16	just ignoring the i mean my factor of thousand more right so
0:36:21	i realise there's a trade off here but i think this is completely the right
0:36:25	approach and there are ways to get up to obviously we haven't totally ignore the
0:36:30	fact that all certificates automatically validate and there are ways to do it so someone
0:36:34	might make a browser plug in for you or you might make it that says
0:36:37	hey when i go to this bookmark
0:36:39	always check to make sure it's the certificate no matter outdated or whatever in the
0:36:44	certificate to the bookmark and there you go
0:36:47	the other question i have we think about this you linux
0:36:55	the reaction i was expecting thank you know i think i think that i think
0:36:58	there's a lot of good use cases for it and i just think many of
0:37:02	much of what we try to do with it now is to find great so
0:37:05	it's again that the chairman E of small decisions
0:37:09	we need to and there there's definitely working done on this i'm not trying to
0:37:13	not get we need to use it at a higher level more like for example
0:37:19	with a marxist that's kind of the abstraction we containers or with virtual machines that's
0:37:24	kind of the level like you're talking about rather than the something i wanna micro
0:37:28	manage and sassy the next always support that i think we take it to the
0:37:31	next level now and by removing all those tiny little incipiency intricate decisions and micromanaging
0:37:38	every detail you sort of have these bigger bar bigger security domains where stuff in
0:37:43	their interacts fine
0:37:45	but when it once interactive something outside there only to find ways for to do
0:37:49	that
0:38:01	so i two questions the first one was
0:38:05	i mean you were mentioning some alternative plan for the take to be able to
0:38:09	still access is websites planning and strategic it's to some sourced or something
0:38:15	like is percent like just an I them and then have like a you why
0:38:20	that you didn't really specify so okay so that's this is the infrastructure i've been
0:38:24	working on actually it's already done the infrastructure
0:38:28	and this is just or is that what you're talking about and the trust or
0:38:32	is basically
0:38:34	stuff in these two directories so right now and your food or nineteen your debian
0:38:38	testing or your opens is the back to re think
0:38:42	you can put
0:38:44	your see a certificate in that one of these direction for jack that because i
0:38:48	think some of them change the directory to be compatible with their old stuff you
0:38:52	can put it in there and suddenly everything will respect
0:38:55	obviously user interface is very important and i wish i was really hoping to have
0:39:01	that done by quack
0:39:03	unfortunately a lot of other stuff conspired against me
0:39:06	there are tools command line tools now that's very new to do that so you
0:39:10	don't have to like manually place files it'll just take a adding a listing and
0:39:14	stuff like that
0:39:15	and then there are
0:39:18	based on those tools we have to build a you why for example to see
0:39:22	orthodox can reference because i understand that not everyone has an admin even in enterprise
0:39:28	not everyone has an admin caring about their every you know need any them don't
0:39:32	care that you on the next so
0:39:34	by having the documentation how to do this we can guide the user through these
0:39:38	that if they really have to
0:39:40	okay and the question the i'm really interested in is you mentioned like encrypted hard
0:39:46	disks but like when you installed or it doesn't give you like
0:39:51	langford lot checked by default so will it be saying that you like to see
0:39:56	like
0:39:57	say linux distributions gently like pushing for people drink their drives
0:40:02	but there's a lot of discussion about that problem is password recovery right unless you
0:40:07	can provide the user really same way of recovering that password
0:40:11	checking a by default is very
0:40:14	"'cause" i'm just from a developers so i i'm i totally would love to see
0:40:20	it check right before but we have to have a good passer just got password
0:40:23	recovery mechanism
0:40:29	you talk about you would support sort of like advanced interface repenting what's your opinion
0:40:34	on this idea a certificate pending by default on first years so that you know
0:40:40	when i go and access my bank you can all the suddenly like you know
0:40:43	by the way your bank is now authorised by a russian certificate it's already are
0:40:48	you sure that that's really what you intend right so there's a lot of work
0:40:53	being done on how to solve the see a problem because C As or
0:40:58	that's pretty much a recipe for corruption right basically get money for
0:41:03	doing the right thing and more money for doing the wrong thing you know so
0:41:07	there's a lot of work on this and some proposals like tack have a way
0:41:11	to
0:41:12	pinna finicky to a website and the first time you see a first time user
0:41:16	you can make a leap of faith
0:41:18	and thereafter you kind of build trust and because you keep seeing the same thing
0:41:21	there's a way to migrate to new keys a not necessary you will ever really
0:41:25	do that again
0:41:27	and it's a interesting approach and but it needs more work from the user interface
0:41:31	perspective because
0:41:34	it really depends on the use case if the user is logging onto for example
0:41:40	it really makes sense in the case of social networking
0:41:44	if you were creating account that's a with facebook
0:41:47	the first time you're creating that account
0:41:50	you wanna know that later when you connect and add more your personal information that
0:41:54	you're going back to the same website and also works very well for ad hoc
0:41:59	communication between people the first time i met you i have no idea we were
0:42:03	and whether you trustworthy or not and the same thing works with pinning right
0:42:08	the first time i kinda make a leap of faith or kind of i there's
0:42:11	not much at stake but over time you wanna be sure you're going back to
0:42:15	the same place
0:42:16	as far as the leap of faith when you're connecting to someone you that you
0:42:20	like your bank that you have to know is the right party from the beginning
0:42:24	that is kind of more unsolved problem
0:42:27	you in this like you have your labial the weighted keys in user sure if
0:42:32	i don't trust them from the files and it's that or is it strictly additive
0:42:36	know there's also black listing so you should be able to take a certificate i
0:42:39	say
0:42:40	never use this certificate again now not all of those libraries support it and assesses
0:42:46	the only one that supports well i mean so that i can just right get
0:42:49	out of the trust shortly you can do that it's from that see
0:42:55	and see okay like i don't if you want to provide actually the last
0:43:00	we have a way to do that i can basically you market as untrusted for
0:43:04	any use each of those anchors are trusted for various uses like web or you
0:43:09	know someone and the tool would unmark the to tool does on market for any
0:43:15	use when you disable it and crystal there but can't really be
0:43:19	i wanna say that this slide like i love you for because this is gonna
0:43:23	disasters and i don't have to really like a lot better
0:43:43	so that's all that's great
0:43:45	stick what concerns me right now
0:43:48	is that there's a lot of us on a lot there are some of us
0:43:50	in our community the reading harassed as we go through T S A check
0:43:55	like that part i don't have that were like going to T S A checkpoints
0:44:00	we raster resize get take in the get image
0:44:04	what are we doing to prevent things like lee keen
0:44:09	you know are keys in memory
0:44:11	i shut my laptop what just happened to make sure they are actually going to
0:44:15	this
0:44:16	you know a lot of the service stuff goes to you bustling application once you
0:44:21	get a password securing a makeover debusk we have no control over D but zero
0:44:25	we not the memory that contains my password well nor do necessarily zero the password
0:44:31	before free need in the applications that what are we gonna do about conventions how
0:44:35	can we deal with that to make sure that our applications or protecting us even
0:44:39	when we were right so there's various aspects that question and what are the interesting
0:44:46	things is like this distinction between privacy and security some was telling me
0:44:52	yesterday and it was really good point that security is off and the implementation of
0:44:55	privacy right so we have this privacy campaign what i've talked here today it was
0:45:00	a lot about security
0:45:02	and our privacy campaign we should be examining
0:45:05	those various use cases especially if are community is already run into these problems
0:45:10	and a bunch of us were having a disk and how hard discussion about it
0:45:15	but we need to start christa lighting what we're going to do for that privacy
0:45:18	right i mean i'm certainly not running it but so
0:45:24	if you have any ideas though i'd be happy to andreas or to be us
0:45:30	or holland or myself we can start a discussion on that like what task do
0:45:36	we want to do obviously twenty K is not gonna solve the world's problems but
0:45:40	right you can actually start to tackle some of those things as far as the
0:45:43	security side ask doing their security
0:45:46	that is a problem and i hope that
0:45:49	part of that is all by this
0:45:52	we have a much more
0:45:54	secure infrastructure for
0:45:58	after that passed around the system although currently a list not hearing doesn't after password
0:46:04	over developed by in here the number that at least
0:46:07	presumably that the colonel hearing area is gonna be unlocked memory so when you shut
0:46:13	it no chance of
0:46:16	this so i mean we do need to take some steps when you when you
0:46:20	suspend your computer to clear the kerdock hearing and then unlock use that unlock password
0:46:27	to we populate that master section
0:46:34	as far as point the second thing is concerns a right now i'm still gathering
0:46:41	what we
0:46:42	we won't be community a knowledge and see what we gonna be using the money
0:46:48	full it's very possible that will end up having just like to produce the nation's
0:46:54	in previous campaigns that will just add
0:46:57	one company working on a particular set of tasks but it's also very possible that
0:47:03	will and of speeding up the
0:47:06	the problems into small pieces some of codes of P W
0:47:12	participants can
0:47:15	can use that we can even make some of the stuff into going on goals
0:47:18	right is a week you page on which we have a really point is ready
0:47:23	and we need to flesh that out we need to figure out what's the most
0:47:27	important in the short term
0:47:30	cool
0:47:32	i just one comment on the privacy campaign is what as we accept bids from
0:47:38	companies are ideas of things we need to secure is such a broad topic i
0:47:42	mean it means something different to everyone so i think we need to focus as
0:47:47	we are more on privacy i think especially i think yes exactly so if we
0:47:53	excepted three companies we're gonna get a lot of security stuff as well we have
0:47:57	and you know bundled them down to privacy
0:48:04	and do this regime where account service their applications are storing passwords as account information
0:48:09	inside and sells presumably and all sorts of different ways that the system doesn't really
0:48:14	have any awareness of the if i want to change the this key that's a
0:48:19	marking all of the is that it seems that i really can't do that yes
0:48:23	that's a good point and i didn't covered in the slide but you might as
0:48:26	there's a little to here
0:48:28	okay
0:48:29	what that does is when you ask
0:48:32	the kerdock hearing for
0:48:34	to unlock a password that you've stored previously you also pastor identifier
0:48:40	that's all the which has certainly used to market previously when you're doing it for
0:48:45	the first time well when you're storing capacity use the current identifier and you tag
0:48:49	in into your value you pass a back so that allows for migration between see
0:48:54	so using the ski i mean there may be more holes and i'd love to
0:48:57	discuss
0:48:58	the details make sure we have it all right if this can you have a
0:49:01	lot of the protocol the whole model has a lot of flexibility a lot of
0:49:05	power not necessary that we have to expose all that in the default install but
0:49:09	you have that
0:49:11	does the protocol you an opportunity to say it's you requesting like a generation to
0:49:16	did you know there's a generation three would you like three include no i would
0:49:20	suggest personally
0:49:21	that we always have the out just have a well known place to retrieve the
0:49:26	currently when they're storing a password
0:49:28	just use that
0:49:32	great stuff
0:49:39	more question
0:49:45	thank you much
0:49:48	right
0:49:50	and then

More secure with less "security"

Developer Experience Track

Stef Walter