Clair Tolan - Passwords for the clouds
Transcript of Clair Tolan - Passwords for the clouds
Open Source Conference Albania
Tactical Technology Collective, 10 May 2015
PASSWORDS FOR THE CLOUD
Password
YOU DATA
A BRIEF (PRE)HISTORY OF THE PASSWORD AND THE INTERFACES IT UNLOCKED
https://spchumanities.files.wordpress.com/2012/11/05-12_aahqwsw0.jpg
Fernando Corbató, MIT CTSS, time-sharing computer, mid-1960s
http://www.wired.com/2012/01/computer-password/
Storage vs Use
Bryan Pearson - Storage Garage 5
Elliott Brown - Exercise Machines - Coventry
Zarko Drincic - Master Key
Linus Bohman - Keys.
Mike - Key
Richard G. - Keys
Keys
vs
Words
TANGENTIAL PSA: NEVER STORE PLAINTEXT PASSWORDS
PASSWORD RECOVERY : CASE STUDIES
And the failure thereof x 1…
And the failure thereof x 2…
SO: exploits are going to happen.
What can you DO as a user?
What should you DEMAND as a user?
Elias Bizannes - Authenticity Required. Password?
Do: PICK A GOOD PASSWORD
:( :( :( :(
Visual cues / Acrostics / Passphrases
!CuwmnW@uB1? - 12 chars
AreYouAlive?ITouchYou. - 22 chars
1C0v3rY0uW!thMyN3t - 18 chars
Wh@t@r3Y0uB@nd3d1? - 18 chars
Or make a password “MEMORY PALACE”
Do: Use different passwords for different “types” of accounts...
Do: Use a password manager
Do: Activate Two-Factor Auth when possible
SECURING THE CLOUD
MUD PUDDLE TEST OF SECURITY
Josh Sullivan - Mud Puddle
MTSOFan - Cell Phone Shots
Do: Encrypt your sensitive files prior to uploading
MOST IMPORTANTLY:
DO educate yourself
What is the cloud?
What is encryption?
-> ALLOWS YOU TO DECIDE:
What is important for YOU re security, privacy
But wait!
This is NOT all on the user.
Try this:
DEMAND to know what files are being automatically uploaded to cloud servers.
DEMAND correct password storage (hashes, salts, peppers (!))
REFUSE to naturalize remote cloud storage as the “logical” end of owning or generating data
(and while you’re at it, refuse the same thing for every internet service)
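The two password-storage demands in this deck (never store plaintext; hash, salt and pepper) in working form. This is an added example, not code from the talk or from any of the projects it names; the pepper value and the record format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo secret: in a real deployment the pepper is loaded from an
# environment variable or secrets manager and is never stored in the password
# table, so a dumped database alone is not enough to start cracking.
PEPPER = b"constructed-demo-pepper-do-not-store-with-hashes"
ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    # Pepper step: bind the password to the server-side secret first
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt + slow KDF: identical passwords give different records, and every
    # guess an attacker makes costs ITERATIONS hash computations
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, salt, int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def same_password_different_records(password: str) -> bool:
    """Two users with the same password must not get the same stored hash."""
    return hash_password(password) != hash_password(password)
```

The record stores the salt and work factor alongside the hash so they can be raised later; the pepper is the one value that must live elsewhere.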
A brief history of remote “cloud” storage
Antony Antony - 20090728-142038-1103
WHAT IS THE FUTURE -> NOT OF THE CLOUD AS WE KNOW IT <- BUT OF STORAGE?
Uwe Hermann - Organized
CASE STUDY 1: TAHOE-LAFS
**SECURE DISTRIBUTED STORAGE**
Tahoe-LAFS is a Free and Open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security.
https://tahoe-lafs.org/trac/tahoe-lafs
Case Study 2: Freedom Box
What is FreedomBox?
● Email and telecommunications that protects privacy and resists eavesdropping
● A publishing platform that resists oppression and censorship.
● An organizing tool for democratic activists in hostile regimes.
● An emergency communication network in times of crisis.
http://freedomboxfoundation.org/learn/
Case Study 3: Occupy Here
Each Occupy.here router is a LAN island in an archipelago of affiliated websites.
Anyone within range of an Occupy.here wifi router, with a web-capable smartphone or laptop, can join the network “OCCUPY.HERE,” load the locally-hosted website http://occupy.here, and use the message board to connect with other users nearby. The open source forum software offers a simple, mobile-friendly interface where users can share messages and files.
http://occupyhere.org/
Case Study 4: Guifi.net
guifi.net is a telecommunications network; it is open, free and neutral because it is built through a peer-to-peer agreement where everyone can join the network by providing their connection, thereby extending the network and gaining connectivity to all.
https://guifi.net/en
Case Study 5: Saravá & Espiv
- Political tech groups working in Brasil & Greece
- Run autonomous servers in universities; teach students and academics how to write projects that require -- and sometimes even get funding to pay for -- autonomous servers
https://wiki.sarava.org/Estudos/Estudos?from=Main.HomePage
https://espiv.net/
Case Study 6: Riseup and Autistici/Inventati
Collectives providing email and VPN services to activists.
Models do not involve remote storage due to server limitations, but in the future this is an arrangement that could be imagined.
https://help.riseup.net/
http://www.autistici.org/en/index.html
CASE STUDY 7: URBIT
The user of the future will fly her own computer. She will own and control her own identity and her own data. She will even host her own apps. She will not be part of someone else's Big Data. She will be her own Little Data. Unless she's a really severe geek, she will pay some service to store and execute her Urbit ship - but she can move it anywhere else, anytime, for the cost of the bandwidth.
A user can't manage a general-purpose computer unless she basically understands what it's doing. She may not be a programmer, but she needs at least a rough mental model of her computer's state.
A personal computer has to be a *simple* computer. This is why we built a new system software stack from scratch, with the goal of bringing it in under 10,000 lines of code. Urbit is about 50% over this complexity budget, but nobody's perfect.
http://doc.urbit.org/
Natalie Schmid - Into the Future
Questions?