0:00:17so and stuff
0:00:20i work at red hat
0:00:22and i've been involved in brno now i think seven years
0:00:26what really draw to be known is the focus on making stuff usable
0:00:31and for me that's the paradox between security and usability there often at once but
0:00:37i like the challenge of making them
0:00:39work together
0:00:41we're the first cover some abstract concepts or some principles
0:00:45that you can apply when writing security features in your software
0:00:53then some
0:00:54examples of how we are implementing in applying those principles
0:00:59or in a cover a bunch a different topics so feel free to interrupt if
0:01:02you want if you want to get your question and while we're on topic i
0:01:05might tell you that it's gonna be answered but no loss there
0:01:16when working with security we have or just in general as developers we often have
0:01:21this abstract concept of the user
0:01:23as mystical being
0:01:26and it as security guys we kind of sometimes
0:01:29shake our heads at the user
0:01:32you know it's clicking on stuff is not supposed to clicking on right installing should
0:01:36be software and falling for fishing and so on and so forth
0:01:41well we kind of failed to remember
0:01:44but the users a human
0:01:47humans are intelligent fun creative crazy
0:01:52but they're usually overwhelmed
0:01:56our lives are full of all sorts of information
0:01:59full of choice in the world today
0:02:02we have to choose between all sorts of little things and then comes
0:02:07no and forces
0:02:10these poor humans to choose between more choices
0:02:15they may be possible they may be capable of learning about security
0:02:21realistically they're not going to
0:02:26this we have to understand the user their nature
0:02:29this is one of the fundamental things we do in our daily lives we filter
0:02:33out extraneous information costly being bombarded by massive amounts of information and just even while
0:02:38doing mundane things work constantly filtering out the stuff we think we don't need
0:02:44we should not be surprised when the user ignores something that we wanted him to
0:02:54there's a lot of discussion about that we've all
0:02:57been involved in this discussion freedom is not people to choice
0:03:03freedom is equal to match the choice
0:03:06freedom is equal to the choice to choose
0:03:10you have to be able to choose the software you run on your computer you
0:03:15have to be able to choose
0:03:17to modify you have to be free to do these things but you definitely don't
0:03:20wanna be
0:03:21micromanaging all the tiny choices that these tools are supposed to be doing for you
0:03:29sometimes users think they want choice probably really want as much a choice
0:03:36if you force the user to be part of a security system
0:03:40they're gonna have a really bad time
0:03:42a as the professionals writing the software whether we feel maybe we know all the
0:03:46details are not we are better equipped to make a security decision for the user
0:03:52then the use of themself
0:03:54and just like a doctor sometimes doctors get frustrating "'cause" they present you all these
0:04:00different possible remedies or possible ways to treat you know let's you might have and
0:04:05there if you see involved make a choice you know it's up to you have
0:04:09to doctor what would you do
0:04:11well it depends on each situation is different and sure there is a sometimes you
0:04:16want to professional
0:04:19to make a decision or to make a strong proposal strong
0:04:24decision you can choose to reject that decision that's about a choice there that you
0:04:30from a professional like one of us
0:04:35in general this should be our goal like in the security feature the user has
0:04:39to identify themselves have to know who they are if we could do that automatically
0:04:42we probably would
0:04:45sadly we're not there yet so you have to use a for password or something
0:04:49to improve that they are
0:04:51right but after that
0:04:54we shouldn't
0:04:55interrupt the user with security questions insecurity decisions
0:04:59now there's a different kind of user profession of
0:05:03these professionals use different tools
0:05:11that is how
0:05:15and so they use different tools
0:05:18they look inhuman when they're doing their job actually
0:05:21professionals have alert how to reject part of humanity essentially to be specialised and do
0:05:27one thing really well
0:05:29but we can't forget that even professionals when they go on to something else
0:05:34they don't wanna micro manage the rest of their lives
0:05:37even someone who drive the fire truck for a living with a massive console full
0:05:41of all the buttons many which you know you have to learn and be trained
0:05:45to use that thing drive home a normal car right and he won't want to
0:05:49draw the firecracker i mean pretty basic stuff
0:05:52so given that
0:05:56one is the worst possible time to ask the user a risky question to make
0:06:00a risky decision
0:06:04when they're trying to do something else
0:06:07that's the worst possible time you're gonna get results that are worse than random chance
0:06:12if it's something is really truly going well let's say someone is attacking the user
0:06:18and something is going wrong and they get a problem
0:06:23the chance of them making the right decision there and not just clicking through and
0:06:26ignoring it or whatever if you just did a fifty you probably be better than
0:06:31what the right so
0:06:33so we just to our first
0:06:35max and problems are dubious
0:06:39if you are coding a problem for you see a problems looking at you know
0:06:43for yourself are you factoring something there's a problem there regarded with suspicion
0:06:49do you actually need to prompt the user and this goes across the board i
0:06:52mean sure the technology we have sometimes requires that's the problem maybe to save a
0:06:57file or something we really
0:06:59we don't want that like
0:07:02our end goal should be to get rid of yes no problem toward the equivalent
0:07:10but taking a step further security problems are wrong
0:07:16sure sometimes you have to prompt for a password and that's an identification problem right
0:07:20you're asking use it identify themselves and unfortunately passed first is one way we do
0:07:25but in general a question about security like do you want to continue
0:07:31you wanna ignore this bad certificate all those exact all those things will cover some
0:07:36examples later they are wrong almost ninety nine percent the time
0:07:44and if you can the user tries to make that permanent you're adding insult injury
0:07:49basically say okay fine go ahead they can choice alright
0:07:54we're actually doing that forever now ridiculously
0:07:58alright so here's an example
0:08:00we all sing this
0:08:03and the user is really ill equipped to answer this question i mean completely unlike
0:08:09there are very few people
0:08:12you can answer this question correctly
0:08:15there's another example
0:08:19i don't even know what is going on here what's offered be i can't even
0:08:23as a security professional cannot answer this question correctly just gonna
0:08:34here's another example i mean i could go on and on with examples i mean
0:08:37there so many examples
0:08:46so it's just game over you lose
0:08:56alright stop interrupting so what we do instead of interrupting
0:09:00we let the user express their intent
0:09:04what they want to do
0:09:05and then we make a decision based on
0:09:10yours volume you some examples of this to get you thinking
0:09:14there's a principle to apply
0:09:16figure out what the user wants to do design so that he can expresses intent
0:09:22during the task is trying to do and then don't problem with random problems either
0:09:27confirming or whatever right
0:09:30so we heard letter to talk about
0:09:34portals well that's part is that boxing right enforce and this product talk so but
0:09:42our away for some what's application to kind of call of the system
0:09:46and ask the system to do something that i just and what's application but otherwise
0:09:51not be allowed to do now these are right for doing it wrong is are
0:09:56right for problems and actually
0:09:58we're approaching this from a different angle right so the classical example which i think
0:10:03must dimension is if a somewhat suffocation wants to open the file
0:10:09that's not in the sample X
0:10:11ask the system to the portal
0:10:14october the file system for parts of a file chooser user selects the file the
0:10:19user expresses the intent
0:10:21the open the file
0:10:22and then the system allows that security access at no point is the user
0:10:29to with a with a this application wants to access this file in read mode
0:10:35in right now i don't know what and then continue disallow both should not of
0:10:41that right so that's expressing intent make insecure decision based off of it
0:10:46another example this is just a theoretical example
0:10:50you know for the subtext of dot in them
0:10:53you can imagine software that wants to be not within our privacy campaign right you
0:10:57can imagine going to software and checking for this that we don't upload them accidently
0:11:01that we don't think them to public service sick that data to public service
0:11:06so rotten than seeing a problem like this
0:11:10i mean of course the designers can probably
0:11:13we work this but you might we might choose to make the data visible
0:11:18thank you very visible what is the what is in that photo so it
0:11:24this is the sense of data that's in this photo
0:11:27and just like we allow you know rotating photos and stuff you might have a
0:11:30button to clear so it's very clear the user has the data is intent is
0:11:35to take this started here put it online if you doesn't like the data that's
0:11:38here you can change it maybe take out that X of data or whatever i
0:11:44mean well apply the principle is to be applied
0:11:50user can express the intent is in control knows that he wants to do and
0:11:53then that doesn't get these problems to allow or deny access
0:12:01so moving onto concrete some more concrete examples what are we doing to fix this
0:12:08here are some steps and things that i've been working on
0:12:12i'm just one person though
0:12:14and i know security sometimes seems like the dark side
0:12:18but in reality
0:12:21it's it there there's very few people who are actively working on this stuff and
0:12:29so i would encourage your involvement so examples that i'm gonna give one stuff that
0:12:33i've sort of have find out or have worked on already are no means comprehensive
0:12:38solution to this problem
0:12:39and so we need everyone's involvement to try and apply as you're making you software
0:12:46and help fix the stuff so first
0:12:50no more certificate problems
0:13:02i mean this is the details of a certificate i mean i don't include the
0:13:05like binary details that you actually are the ones that you need to verify here
0:13:10barely anyone can actually go through this and double check that you know certificate matches
0:13:14what it's supposed to be this is what we're gonna do how should
0:13:19just drop the connection with something is wrong
0:13:22if the user is connecting let's say from a web browser or the thing i
0:13:26am let's and the server's not listening on the right port what do you do
0:13:29we display big dialogue telling him how to change the word for to contact whoever
0:13:34or like some thing know it's in this country it's a problem that's on the
0:13:38server side miss configuration
0:13:41and we're like oops something's broken
0:13:44i mean sure their remedies i can be done for example if i think of
0:13:48someone doesn't pay the D N S for jabber daughter work doesn't pay the domain
0:13:52registration we should we could possibly put up a dialogue this is do you want
0:13:56to send an email to the admin of whatever based on who is information and
0:14:03so why we do it for certificates
0:14:07but i hear these but yes
0:14:11so let's look at the use cases what the users want to do the user
0:14:16well one big class
0:14:19is enterprise the A's enterprise company organisation has their own see a their own anchor
0:14:25right so for those of you fortunate enough not to know how this works
0:14:29there's an anchor
0:14:31which is stored on your system a whole bunch of them right and the website
0:14:35has a certificate
0:14:37that it
0:14:38signs the dollar that's coming from the server with and that certificate has a signature
0:14:43on it by the anchor
0:14:46and so your browser or software is checking that it's signed by one of the
0:14:49anchors on your system
0:14:52so what we need
0:14:54for enterprise see ace is a way to configure it we might have a link
0:14:59that pulls of a help file we might we now we have a way
0:15:04just or anchors
0:15:05this is already in the door and debian you open so we have a way
0:15:09to store anchors across so that by default all the different corpora libraries will use
0:15:18here are some details how it works
0:15:21so you can see that there is kept alive is unfortunate that we have so
0:15:26so what we don't here is this trust or
0:15:30now the trust or
0:15:32basically holds a list of all the anchors and blacklist and everything from file so
0:15:37happens can just put files in a directory there are tools to do this too
0:15:44and assessing can at last read this information through protocol called you can see it's
0:15:48a lot
0:15:50now some of that we haven't yet retrofitted open ssl in java to do the
0:15:57in addition as kind of a concession to getting this working now
0:16:01whenever that restores modified we also expect some bundles
0:16:05so that
0:16:07these kind of a legacy
0:16:09uses of the bundles will still work so the upshot is that and enterprise user
0:16:14or and price admin can how to see a and have it just work so
0:16:18that's all like to on is and tons and tons of the instances of the
0:16:22use cases where you want to
0:16:24use a certificate that your system doesn't trucks
0:16:28and it's not yet done but we once having can only user interface
0:16:34for adding that the a C H your system sure there will be an every
0:16:39application applications that use it it's
0:16:42saw could include a link to help documentation if we want
0:16:49but after dropping the connection of course
0:16:52and then you have
0:16:57that those use cases don't know there's also professionals professional tools right so we're maybe
0:17:02is maybe a developers developing against a system that is
0:17:07just a test system as certificate on it that
0:17:10they just generate a quickly and in production are gonna use a good like a
0:17:14signed certificate
0:17:15or for some other reason you might have a personal server that you just decide
0:17:20to like what self signed certificates on a no okay but you wanna make it
0:17:24work well there is room for
0:17:27professional tools to recognise that to work with that
0:17:31and here's how instead of prompting the user even in professional tools
0:17:35number the professionals are users to they also ignore information a i know i have
0:17:42click throughs also i certificates too many times
0:17:45it's just like
0:17:47so what you do there
0:17:49is there a don't feel like you're tool needs to do this you're a
0:17:54but what you do there is association a certificate with the account
0:18:00as you would let the user specify host name or username or whatever
0:18:04what that does it does two things is that we can be more secure with
0:18:08less security does two things one is that's the user you know not get prompted
0:18:13later and you know use work around the fact that it's a self signed certificate
0:18:18but to it also lets the user do it's called a certificate pinning
0:18:23if the certificate to the server sends does not match that certificate so
0:18:29doesn't work anymore let's really micromanaging secure users
0:18:35double check certificates that they want to use with a given service and
0:18:40and then there and if something changes get notified so
0:18:47not every application has to do this so if you're building special application or something
0:18:51that you imagine these this feature this is how to do it
0:18:55instead of prompting this is how to do it
0:18:59alright want another topic
0:19:01application passive storage
0:19:03so in currently in
0:19:06in brno we have
0:19:08no hearing which is kind of like the central database of all the passwords not
0:19:12application some faster than there and they can get about
0:19:15now this is really surprising to users because it doesn't match their intent their intent
0:19:19is that they type faster than this application the application remembers it
0:19:23what they don't expect is that every other application including their younger brother using C
0:19:28horse go and we all the passwords
0:19:33in addition to create all these problems where we have one set one security domain
0:19:39you would call it for all the applications they can all read each other's passwords
0:19:41and crap
0:19:46really the password is partly account info when you set up a password and i'm
0:19:49the or whatever really is part of the account why don't we store today count
0:19:54well because most people agree that putting up password on encrypted on a laptop disk
0:20:00is that practise i mean there are certain store just where you can write actually
0:20:04clear tax like an encrypted this maybe a phone where you can well some sort
0:20:09of phones where you cannot read this wrong about the wrong this for sandbox applications
0:20:15so we likely need to use some for sort of encryption
0:20:23and starbucks applications really thrown a wrench into this because if you have the more
0:20:28sharing their passwords right in the central database you have all these like all this
0:20:32but this that wants to read this past where the not all these weird if
0:20:37the prompts or situations that problems are likely to appear so instead what we wanna
0:20:44have a session key in the kernel keyring the kerdock eerie it's kind of it's
0:20:50kind of like know keyring of that but it's volatile and only
0:20:54stays around on for one
0:20:57for the brooded life for the computer i guess or
0:21:01well it's on
0:21:03and we really want applications to store the passwords in their account information so they
0:21:10use the library to access the kernel keyring
0:21:13and ask for session key with which they can use to encrypted password so they
0:21:17can store the right there and they pass it through
0:21:21store the result in the account information and the colonel keyring if it's not if
0:21:25we don't yet have a session keyring
0:21:27their little house
0:21:30but that's not the secret service or whatever to be the prompt the user or
0:21:34get a notice i think hearing based on the user's market
0:21:38this actually lets you do some really interesting things where you can have policy
0:21:44like that the whole scheme let's you have policy where different applications
0:21:49you could you could tell them this application i want to never to store passwords
0:21:53and so the kernel clearing always refuses to have a session a master session key
0:21:59for that and respects that doesn't write a password or you could say and M
0:22:05T P mean store in clear text
0:22:08then you can have either propagation or for the whole system away for
0:22:12to indicate the applications just put that lay down in your in your account information
0:22:18in clear text don't want to bother with encryption here
0:22:21so again another example modelling the user intent when we're keeping the password in the
0:22:26account data
0:22:30again you have more secure because you can you can model all these different things
0:22:35you don't have maps
0:22:36interacting with each other to sam box office apps especially to retrieve the past for
0:22:42from somewhere of course unless the case where apps want to share an accountant from
0:22:47account right and we do that is through can a lot line accounts or service
0:22:51like that
0:22:52more sound what's applications there should be part of for that
0:22:59and i related use case that someone actually brought up just the other day so
0:23:03i would mention it is people like to look up the past with that they
0:23:06use in an archive our back so
0:23:09we might also have a portal or something for that to kind of say i'd
0:23:13use this password
0:23:15if the user wants be reminded of it later story but we but after just
0:23:19don't necessarily use that look up stuff the user for looks up stuff there he
0:23:23wants to use it somewhere else and if an application you put and
0:23:30so another topic
0:23:33when you login to your you know that start using fingerprints are all the login
0:23:40or anything about a passer morgan to get this problem which is really stupid because
0:23:44it's a password right so users pleasantly chose not to login password you get this
0:23:55no the reason for that is because although we can authenticate the user
0:24:00we can make a guess no decision based on his identity who he is
0:24:04we cannot we don't have any
0:24:06secret data like a master password or anything but which to decrypt the stuff on
0:24:10the best so we can open his password store and so on
0:24:14so known keyring stubbornly puts at this prompt
0:24:18that's really unusable
0:24:21users intent is to monologue in for example just have a static be accessible
0:24:27right actually ask for fingerprint the ask for although its kind of secure to make
0:24:33is donna accessible based on the fingerprint that he's leaving all over the place
0:24:37right so really
0:24:40the user has way to secure at the a decision already that says i want
0:24:44to be less than
0:24:46a hundred percent or less than password secure and i want to
0:24:53i don't care this point
0:24:57so this is how we're gonna solve this
0:25:02so again for those of you fortunate enough not to understand how power works
0:25:07have the stack of modules
0:25:10and one of the modules what usually more the early ones in the stock will
0:25:14prompt the user for a password
0:25:16usually it pam unix although it could be the S T component have S as
0:25:21and so one
0:25:25so what we really want is that password to come from somewhere else
0:25:29first of all
0:25:30we want all the counts to have a password
0:25:33but then the user can choose not to use that us
0:25:38when configuring fingerprint on or auto login or pay login even
0:25:45users password is written to a file
0:25:49and ideally that file would be secured via something on the hardware like a T
0:25:55P M trip or pretend and be ram or something but if not we written
0:26:00in clear text and this is the users explicit choice
0:26:07in addition we wanna fix the case where
0:26:10you i'll you unlock your disk encryption and then you have to like the same
0:26:13password again when you login
0:26:16so both of these data into the kernel keyring
0:26:20the colonel keyring contain is the users
0:26:24login password in these cases this can a login fingerprint
0:26:31and then when the login starts
0:26:34there is no authentication token there's no password that they call it
0:26:38so the first thing in the stock looks and check so the kernel keyring
0:26:43do you have the user's login password can i just use it
0:26:46and if you didn't this time
0:26:48at the top
0:26:50and then the underlying component see there's already one there tries to use it
0:26:55and if it works then know product
0:26:58and on we go down the bottom can known keyring is also able to use
0:27:02that how sort to unlock the users passwords or to provide like it's in the
0:27:06last that master session keys for us on what their own past
0:27:11so we got
0:27:14are usable login experience that models users intense and in fact
0:27:19you get ability to use more secure stuff which is your just encryptions smoothly
0:27:26so those are the things that i
0:27:30sort of have scheme than this area but
0:27:34there is so much more if you're if you want to join in on any
0:27:38of these tasks i can break them down we can we can work together i'd
0:27:42love that i'm this is not my job to work on this stuff i work
0:27:47part time on it
0:27:51and if you see other places where you want to apply the principles i talked
0:27:56about that by all means don't be afraid of join in the
0:28:00darkside the security bring us back from the dark side we have cookies
0:28:08who's your comment
0:28:11terminate security problems with extreme prejudice
0:28:17and this is really interesting about this the other day
0:28:22for every keystroke or click that the user has to use to use a security
0:28:27or crypto feature user base declines by you can imagine how that goes
0:28:33alright any questions
0:28:43are you very the if you so the web browser example we back that we
0:28:48just gonna draw connections if the certificates mismatching there are some sites that they're gonna
0:28:53practise that you can take people want to go to them
0:28:56do you think you just gonna find you know like more extreme measures of disabling
0:29:00the security system so that they can get what they want
0:29:04and that will match user intent
0:29:08like i find with someone who's crazy or someone who is a it is come
0:29:14used to living on the extreme going in disabling have to secure this but if
0:29:18like user intent is i want to see this site and then you force them
0:29:22into like and disabling all security validation or something like that
0:29:27that's a possibility but i think we've also made it possible for the user to
0:29:32fix that situation
0:29:34in a straightforward secure way without getting a problem interrupting them so not only are
0:29:39we taking something away but we given them the ability to fix it really it's
0:29:43been hopeless so far right
0:29:45you try to trust some see a or something like see a start for example
0:29:50i was like what you have to figure and every application that's not so we're
0:29:54trying to do is really solve the problem that the users are actually facing and
0:29:58they're always be some
0:30:01who want to ignore that stuff or totally valid you serious want ignore that stuff
0:30:08and verify minutes open source they can going modify they can we can figure it
0:30:12they can change it but we don't necessarily have to present that to all these
0:30:16is that option to all the users
0:30:19did you have a question
0:30:26there we go
0:30:28so with the decline of the passwords this is secure mission to the contention relates
0:30:37to the ultimate just a user can remember is for below the amount of that
0:30:43is that compute complete for some half an hour
0:30:46the two
0:30:49and with the jan on the availability of the two factor authentication right
0:30:56what can we do to fix the problem
0:30:59a lot of lot of research unless the sure that it
0:31:03i don't have an amazing response to that i mean if and if
0:31:07if someone wants to work on you authentication methods or implementing
0:31:13ones that are in research that certainly interesting work that
0:31:18we can do i mean
0:31:20but we have established stuff we could try implementing in to go but
0:31:24i don't be shy when exploring the stuff there's definitely a need for something better
0:31:29but we don't have
0:31:55or the
0:31:58i think it's a good approach to try to catch the use intents but it's
0:32:01at the same time very far as it is hard i mean
0:32:06it's security
0:32:08i don't know it might be very different see what you know the uses and
0:32:12ten E it's
0:32:14there's no doubt that
0:32:17and that's one reason i wanted to get this talk is we're on the verge
0:32:21of design in this
0:32:22somewhat applications and it would be so easy
0:32:26the fall into the trap of getting more problems
0:32:29so easy and i agree it is hard
0:32:31is really hard like for example do you want to share your location yes no
0:32:37what is the answer to that
0:32:39what if you what if you i mean this is just spit balling here but
0:32:43what if you were displaying and say select your location share but
0:32:47like a user clicks it takes the share button it has a web at and
0:32:50you get some i guess like of course under his current location and all and
0:32:54it kind of modelling some attached to do rather than a permission i mean i
0:32:59realise it's hard
0:33:01and no i don't think any of us have like this ingenious solution for each
0:33:05and every problem i mean each one it's going to be a child
0:33:08but we really not just fall into the trap of prompting users that just makes
0:33:14like i mean showing transit are just going to be click through when you kind
0:33:17of get in the habit of just picking to
0:33:22i think it is useful to make a distinction between props that or like would
0:33:26you like to share your location yes-no versus parts that are more like would you
0:33:31like me to do what will allow you to do what you're trying to do
0:33:34so i mean equipment industry choice that's
0:33:38later you know if i'm clicking no i don't get what i want verses okay
0:33:41this is really a preference and then i can proceed writing there's a you want
0:33:45to do your task like exactly and then the ability to of course stop it
0:33:49if it was a surprise that somehow this thing popped up so saying that all
0:33:52yes we know choices are only back i'm not sure that that's true
0:33:57that's why i said problems are dubious and i understand a your point
0:34:03but we need to react
0:34:05when we see if we as developers we to react when we see problem and
0:34:08really think hard is this really necessary and i guess that's my point
0:34:12so we've been so used to just generating problem
0:34:16so after that extreme here
0:34:20and there are exceptions
0:34:21but it really should be part of our first reaction to think hey this is
0:34:26the problem what are we doing here can we can we change this there were
0:34:30actually matching what the user wants to do or presenting a like part of the
0:34:33flow or somehow let me show isn't and or something like that
0:34:40just for the
0:34:49so continuing rinds question before i think which is absolutely terrible has had invalid sort
0:34:55of the certificate for five years and i don't see any fixed that
0:35:01that i mean you i know i is they bought my credit card your like
0:35:05any money right now a but i mean it's just sort of i mean i
0:35:10sort of agree with brian sentiment that it's like there's a valid
0:35:13certificate websites all over the place like just sorta children actually and he obviously the
0:35:21right now like it's very bad by record choose you like
0:35:26but like i would do that as you were on your fish will be use
0:35:30like we could do i wanna do i get my money's
0:35:35so it's just like i understand your point with like
0:35:39i don't use any for just terrible websites or so i probably not use their
0:35:44online banking system but
0:35:46i'm gonna return anecdote in time and that is on them as a that bugs
0:35:51a lot about our website where people file bugs about firefox
0:35:55there are and number of bugs the people that exact same thing hey you guys
0:35:59suck you do not recognizer certificate five bank i keep getting prompted and blah and
0:36:04then similar looks and the details and they are in fact being that in the
0:36:07middle someone is attacking that and they have enough knowledge to go and post like
0:36:11certificate details and all that stuff on for example so you're how many people are
0:36:16just ignoring the i mean my factor of thousand more right so
0:36:21i realise there's a trade off here but i think this is completely the right
0:36:25approach and there are ways to get up to obviously we haven't totally ignore the
0:36:30fact that all certificates automatically validate and there are ways to do it so someone
0:36:34might make a browser plug in for you or you might make it that says
0:36:37hey when i go to this bookmark
0:36:39always check to make sure it's the certificate no matter outdated or whatever in the
0:36:44certificate to the bookmark and there you go
0:36:47the other question i have we think about this you linux
0:36:55the reaction i was expecting thank you know i think i think that i think
0:36:58there's a lot of good use cases for it and i just think many of
0:37:02much of what we try to do with it now is to find great so
0:37:05it's again that the chairman E of small decisions
0:37:09we need to and there there's definitely working done on this i'm not trying to
0:37:13not get we need to use it at a higher level more like for example
0:37:19with a marxist that's kind of the abstraction we containers or with virtual machines that's
0:37:24kind of the level like you're talking about rather than the something i wanna micro
0:37:28manage and sassy the next always support that i think we take it to the
0:37:31next level now and by removing all those tiny little incipiency intricate decisions and micromanaging
0:37:38every detail you sort of have these bigger bar bigger security domains where stuff in
0:37:43their interacts fine
0:37:45but when it once interactive something outside there only to find ways for to do
0:38:01so i two questions the first one was
0:38:05i mean you were mentioning some alternative plan for the take to be able to
0:38:09still access is websites planning and strategic it's to some sourced or something
0:38:15like is percent like just an I them and then have like a you why
0:38:20that you didn't really specify so okay so that's this is the infrastructure i've been
0:38:24working on actually it's already done the infrastructure
0:38:28and this is just or is that what you're talking about and the trust or
0:38:32is basically
0:38:34stuff in these two directories so right now and your food or nineteen your debian
0:38:38testing or your opens is the back to re think
0:38:42you can put
0:38:44your see a certificate in that one of these direction for jack that because i
0:38:48think some of them change the directory to be compatible with their old stuff you
0:38:52can put it in there and suddenly everything will respect
0:38:55obviously user interface is very important and i wish i was really hoping to have
0:39:01that done by quack
0:39:03unfortunately a lot of other stuff conspired against me
0:39:06there are tools command line tools now that's very new to do that so you
0:39:10don't have to like manually place files it'll just take a adding a listing and
0:39:14stuff like that
0:39:15and then there are
0:39:18based on those tools we have to build a you why for example to see
0:39:22orthodox can reference because i understand that not everyone has an admin even in enterprise
0:39:28not everyone has an admin caring about their every you know need any them don't
0:39:32care that you on the next so
0:39:34by having the documentation how to do this we can guide the user through these
0:39:38that if they really have to
0:39:40okay and the question the i'm really interested in is you mentioned like encrypted hard
0:39:46disks but like when you installed or it doesn't give you like
0:39:51langford lot checked by default so will it be saying that you like to see
0:39:57say linux distributions gently like pushing for people drink their drives
0:40:02but there's a lot of discussion about that problem is password recovery right unless you
0:40:07can provide the user really same way of recovering that password
0:40:11checking a by default is very
0:40:14"'cause" i'm just from a developers so i i'm i totally would love to see
0:40:20it check right before but we have to have a good passer just got password
0:40:23recovery mechanism
0:40:29you talk about you would support sort of like advanced interface repenting what's your opinion
0:40:34on this idea a certificate pending by default on first years so that you know
0:40:40when i go and access my bank you can all the suddenly like you know
0:40:43by the way your bank is now authorised by a russian certificate it's already are
0:40:48you sure that that's really what you intend right so there's a lot of work
0:40:53being done on how to solve the see a problem because C As or
0:40:58that's pretty much a recipe for corruption right basically get money for
0:41:03doing the right thing and more money for doing the wrong thing you know so
0:41:07there's a lot of work on this and some proposals like tack have a way
0:41:12pinna finicky to a website and the first time you see a first time user
0:41:16you can make a leap of faith
0:41:18and thereafter you kind of build trust and because you keep seeing the same thing
0:41:21there's a way to migrate to new keys a not necessary you will ever really
0:41:25do that again
0:41:27and it's a interesting approach and but it needs more work from the user interface
0:41:31perspective because
0:41:34it really depends on the use case if the user is logging onto for example
0:41:40it really makes sense in the case of social networking
0:41:44if you were creating account that's a with facebook
0:41:47the first time you're creating that account
0:41:50you wanna know that later when you connect and add more your personal information that
0:41:54you're going back to the same website and also works very well for ad hoc
0:41:59communication between people the first time i met you i have no idea we were
0:42:03and whether you trustworthy or not and the same thing works with pinning right
0:42:08the first time i kinda make a leap of faith or kind of i there's
0:42:11not much at stake but over time you wanna be sure you're going back to
0:42:15the same place
0:42:16as far as the leap of faith when you're connecting to someone you that you
0:42:20like your bank that you have to know is the right party from the beginning
0:42:24that is kind of more unsolved problem
0:42:27you in this like you have your labial the weighted keys in user sure if
0:42:32i don't trust them from the files and it's that or is it strictly additive
0:42:36know there's also black listing so you should be able to take a certificate i
0:42:40never use this certificate again now not all of those libraries support it and assesses
0:42:46the only one that supports well i mean so that i can just right get
0:42:49out of the trust shortly you can do that it's from that see
0:42:55and see okay like i don't if you want to provide actually the last
0:43:00we have a way to do that i can basically you market as untrusted for
0:43:04any use each of those anchors are trusted for various uses like web or you
0:43:09know someone and the tool would unmark the to tool does on market for any
0:43:15use when you disable it and crystal there but can't really be
0:43:19i wanna say that this slide like i love you for because this is gonna
0:43:23disasters and i don't have to really like a lot better
0:43:43so that's all that's great
0:43:45stick what concerns me right now
0:43:48is that there's a lot of us on a lot there are some of us
0:43:50in our community the reading harassed as we go through T S A check
0:43:55like that part i don't have that were like going to T S A checkpoints
0:44:00we raster resize get take in the get image
0:44:04what are we doing to prevent things like lee keen
0:44:09you know are keys in memory
0:44:11i shut my laptop what just happened to make sure they are actually going to
0:44:16you know a lot of the service stuff goes to you bustling application once you
0:44:21get a password securing a makeover debusk we have no control over D but zero
0:44:25we not the memory that contains my password well nor do necessarily zero the password
0:44:31before free need in the applications that what are we gonna do about conventions how
0:44:35can we deal with that to make sure that our applications or protecting us even
0:44:39when we were right so there's various aspects that question and what are the interesting
0:44:46things is like this distinction between privacy and security some was telling me
0:44:52yesterday and it was really good point that security is off and the implementation of
0:44:55privacy right so we have this privacy campaign what i've talked here today it was
0:45:00a lot about security
0:45:02and our privacy campaign we should be examining
0:45:05those various use cases especially if are community is already run into these problems
0:45:10and a bunch of us were having a disk and how hard discussion about it
0:45:15but we need to start christa lighting what we're going to do for that privacy
0:45:18right i mean i'm certainly not running it but so
0:45:24if you have any ideas though i'd be happy to andreas or to be us
0:45:30or holland or myself we can start a discussion on that like what task do
0:45:36we want to do obviously twenty K is not gonna solve the world's problems but
0:45:40right you can actually start to tackle some of those things as far as the
0:45:43security side ask doing their security
0:45:46that is a problem and i hope that
0:45:49part of that is all by this
0:45:52we have a much more
0:45:54secure infrastructure for
0:45:58after that passed around the system although currently a list not hearing doesn't after password
0:46:04over developed by in here the number that at least
0:46:07presumably that the colonel hearing area is gonna be unlocked memory so when you shut
0:46:13it no chance of
0:46:16this so i mean we do need to take some steps when you when you
0:46:20suspend your computer to clear the kerdock hearing and then unlock use that unlock password
0:46:27to we populate that master section
0:46:34as far as point the second thing is concerns a right now i'm still gathering
0:46:41what we
0:46:42we won't be community a knowledge and see what we gonna be using the money
0:46:48full it's very possible that will end up having just like to produce the nation's
0:46:54in previous campaigns that will just add
0:46:57one company working on a particular set of tasks but it's also very possible that
0:47:03will and of speeding up the
0:47:06the problems into small pieces some of codes of P W
0:47:12participants can
0:47:15can use that we can even make some of the stuff into going on goals
0:47:18right is a week you page on which we have a really point is ready
0:47:23and we need to flesh that out we need to figure out what's the most
0:47:27important in the short term
0:47:32i just one comment on the privacy campaign is what as we accept bids from
0:47:38companies are ideas of things we need to secure is such a broad topic i
0:47:42mean it means something different to everyone so i think we need to focus as
0:47:47we are more on privacy i think especially i think yes exactly so if we
0:47:53excepted three companies we're gonna get a lot of security stuff as well we have
0:47:57and you know bundled them down to privacy
0:48:04and do this regime where account service their applications are storing passwords as account information
0:48:09inside and sells presumably and all sorts of different ways that the system doesn't really
0:48:14have any awareness of the if i want to change the this key that's a
0:48:19marking all of the is that it seems that i really can't do that yes
0:48:23that's a good point and i didn't covered in the slide but you might as
0:48:26there's a little to here
0:48:29what that does is when you ask
0:48:32the kerdock hearing for
0:48:34to unlock a password that you've stored previously you also pastor identifier
0:48:40that's all the which has certainly used to market previously when you're doing it for
0:48:45the first time well when you're storing capacity use the current identifier and you tag
0:48:49in into your value you pass a back so that allows for migration between see
0:48:54so using the ski i mean there may be more holes and i'd love to
0:48:58the details make sure we have it all right if this can you have a
0:49:01lot of the protocol the whole model has a lot of flexibility a lot of
0:49:05power not necessary that we have to expose all that in the default install but
0:49:09you have that
0:49:11does the protocol you an opportunity to say it's you requesting like a generation to
0:49:16did you know there's a generation three would you like three include no i would
0:49:20suggest personally
0:49:21that we always have the out just have a well known place to retrieve the
0:49:26currently when they're storing a password
0:49:28just use that
0:49:32great stuff
0:49:39more question
0:49:45thank you much
0:49:50and then