1
00:00:10,940 --> 00:00:11,360
it

2
00:00:15,370 --> 00:00:15,480
or

3
00:00:17,730 --> 00:00:19,370
so and stuff

4
00:00:20,030 --> 00:00:21,000
I work at Red Hat

5
00:00:22,210 --> 00:00:25,450
and I've been involved in GNOME now I think seven years

6
00:00:26,220 --> 00:00:30,500
what really drew me to GNOME is the focus
on making stuff usable

7
00:00:31,140 --> 00:00:37,490
and for me that's the paradox between security
and usability, they're often at odds, but

8
00:00:37,490 --> 00:00:39,080
I like the challenge of making them

9
00:00:39,680 --> 00:00:40,480
work together

10
00:00:41,010 --> 00:00:45,460
we'll first cover some abstract
concepts or some principles

11
00:00:45,800 --> 00:00:50,520
that you can apply when writing security
features in your software

12
00:00:51,870 --> 00:00:52,620
and

13
00:00:53,320 --> 00:00:54,360
then some

14
00:00:54,750 --> 00:00:58,710
examples of how we are implementing
and applying those principles

15
00:00:59,150 --> 00:01:02,280
we're gonna cover a bunch of different topics
so feel free to interrupt if

16
00:01:02,280 --> 00:01:05,880
you want, if you want to get your question
in while we're on topic, I

17
00:01:05,880 --> 00:01:09,410
might tell you that it's gonna
be answered, but no loss there

18
00:01:11,690 --> 00:01:12,630
so

19
00:01:16,770 --> 00:01:21,090
when working with security we have, or just
in general as developers, we often have

20
00:01:21,090 --> 00:01:22,930
this abstract concept of the user

21
00:01:23,620 --> 00:01:24,990
as a mystical being

22
00:01:26,150 --> 00:01:29,480
and as security guys we kind of sometimes

23
00:01:29,960 --> 00:01:31,540
shake our heads at the user

24
00:01:32,530 --> 00:01:36,510
you know, clicking on stuff they're not supposed
to click on, right, installing shady

25
00:01:36,510 --> 00:01:40,450
software and falling for phishing and so on and so forth

26
00:01:41,440 --> 00:01:43,680
well, we kind of fail to remember

27
00:01:44,660 --> 00:01:46,220
that the user's a human

28
00:01:47,400 --> 00:01:51,140
humans are intelligent, fun, creative, crazy

29
00:01:52,480 --> 00:01:53,870
but they're usually overwhelmed

30
00:01:54,770 --> 00:01:55,710
because

31
00:01:56,180 --> 00:01:59,480
our lives are full of all sorts of information

32
00:01:59,950 --> 00:02:01,840
full of choice in the world today

33
00:02:02,390 --> 00:02:07,130
we have to choose between all sorts
of little things and then comes

34
00:02:07,540 --> 00:02:09,610
GNOME and forces

35
00:02:10,070 --> 00:02:13,030
these poor humans to choose between more choices

36
00:02:15,010 --> 00:02:19,710
they may be possible they may be capable
of learning about security

37
00:02:20,320 --> 00:02:20,660
but

38
00:02:21,340 --> 00:02:22,660
realistically they're not going to

39
00:02:26,400 --> 00:02:29,400
so we have to understand the user, their nature

40
00:02:29,830 --> 00:02:33,180
this is one of the fundamental things
we do in our daily lives, we filter

41
00:02:33,180 --> 00:02:38,600
out extraneous information, constantly being bombarded by massive
amounts of information, and just even while

42
00:02:38,600 --> 00:02:43,270
doing mundane things we're constantly filtering
out the stuff we think we don't need

43
00:02:44,690 --> 00:02:49,890
we should not be surprised when the user
ignores something that we wanted him to

44
00:02:49,890 --> 00:02:50,480
see

45
00:02:54,240 --> 00:02:57,330
there's a lot of discussion about that, we've all

46
00:02:57,690 --> 00:03:01,640
been involved in this discussion,
freedom is not equal to choice

47
00:03:03,280 --> 00:03:05,220
freedom is not equal to maximum choice

48
00:03:06,410 --> 00:03:10,380
freedom is equal to the choice to choose

49
00:03:10,990 --> 00:03:15,040
you have to be able to choose the software
you run on your computer you

50
00:03:15,040 --> 00:03:16,580
have to be able to choose

51
00:03:17,280 --> 00:03:20,700
to modify it, you have to be free to do these
things, but you definitely don't

52
00:03:20,700 --> 00:03:21,260
wanna be

53
00:03:21,890 --> 00:03:25,960
micromanaging all the tiny choices that these
tools are supposed to be doing for you

54
00:03:29,430 --> 00:03:32,740
sometimes users think they want choice,
but probably don't really want as much choice

55
00:03:33,370 --> 00:03:33,980
so

56
00:03:36,130 --> 00:03:39,640
if you force the user to be part of a security system

57
00:03:40,050 --> 00:03:41,720
they're gonna have a really bad time

58
00:03:42,670 --> 00:03:46,650
as the professionals writing the software,
whether we feel maybe we know all the

59
00:03:46,650 --> 00:03:51,360
details or not, we are better equipped to
make a security decision for the user

60
00:03:52,240 --> 00:03:53,310
than the user themselves

61
00:03:54,410 --> 00:04:00,120
and just like a doctor, sometimes doctors get frustrating
'cause they present you all these

62
00:04:00,120 --> 00:04:05,630
different possible remedies or possible ways
to treat, you know, whatever you might have, and

63
00:04:05,630 --> 00:04:09,210
they leave it to you to make a choice,
you know, it's up to you, and you ask

64
00:04:09,210 --> 00:04:10,440
the doctor, what would you do

65
00:04:11,320 --> 00:04:16,660
well, it depends, each situation is different,
and sure there is, sometimes you

66
00:04:16,660 --> 00:04:18,670
want the professional

67
00:04:19,190 --> 00:04:23,790
to make a decision or to make a strong proposal, a strong

68
00:04:24,800 --> 00:04:28,460
decision, you can choose to reject that decision,
that's about the choice there that you

69
00:04:28,460 --> 00:04:28,970
want

70
00:04:29,820 --> 00:04:30,430
that's

71
00:04:30,830 --> 00:04:32,840
from a professional like one of us

72
00:04:35,460 --> 00:04:39,730
in general this should be our goal, like
in a security feature the user has

73
00:04:39,730 --> 00:04:42,720
to identify themselves, we have to know who they
are, if we could do that automatically

74
00:04:42,720 --> 00:04:43,600
we probably would

75
00:04:44,170 --> 00:04:44,510
but

76
00:04:45,130 --> 00:04:49,730
sadly we're not there yet, so you have
to ask for a password or something

77
00:04:49,730 --> 00:04:50,800
to prove who they are

78
00:04:51,470 --> 00:04:53,100
right but after that

79
00:04:54,010 --> 00:04:54,990
we shouldn't

80
00:04:55,470 --> 00:04:59,050
interrupt the user with security
questions and security decisions

81
00:04:59,820 --> 00:05:02,600
now there's a different kind of user, professionals

82
00:05:03,860 --> 00:05:06,010
these professionals use different tools

83
00:05:07,660 --> 00:05:08,270
the

84
00:05:09,130 --> 00:05:09,790
duh

85
00:05:11,060 --> 00:05:12,240
that is how

86
00:05:15,590 --> 00:05:17,320
and so they use different tools

87
00:05:18,060 --> 00:05:20,560
they look inhuman when they're doing their job actually

88
00:05:21,320 --> 00:05:27,220
professionals have learned how to reject part of their humanity,
essentially, to be specialised and do

89
00:05:27,220 --> 00:05:28,930
one thing really well

90
00:05:29,780 --> 00:05:33,490
but we can't forget that even professionals
when they go on to something else

91
00:05:34,690 --> 00:05:36,830
they don't wanna micromanage the rest of their lives

92
00:05:37,860 --> 00:05:41,790
even someone who drives a fire truck for
a living, with a massive console full

93
00:05:41,790 --> 00:05:45,680
of all the buttons, many of which, you know,
you have to learn and be trained

94
00:05:45,680 --> 00:05:49,370
to use that thing, drives home in a normal
car, right, and he won't want to

95
00:05:49,370 --> 00:05:51,820
drive the fire truck, I mean pretty basic stuff

96
00:05:52,810 --> 00:05:54,540
so given that

97
00:05:56,240 --> 00:06:00,940
when is the worst possible time to ask
the user a risky question, to make

98
00:06:00,940 --> 00:06:02,040
a risky decision

99
00:06:04,440 --> 00:06:06,010
when they're trying to do something else

100
00:06:07,260 --> 00:06:12,150
that's the worst possible time you're gonna get
results that are worse than random chance

101
00:06:12,990 --> 00:06:17,380
if something is really truly going wrong,
let's say someone is attacking the user

102
00:06:18,300 --> 00:06:21,880
and something is going wrong and they get a prompt

103
00:06:23,430 --> 00:06:26,710
the chance of them making the right decision
there and not just clicking through and

104
00:06:26,710 --> 00:06:31,270
ignoring it or whatever, if you just did
a fifty-fifty you'd probably be better than

105
00:06:31,270 --> 00:06:32,030
what they do, right, so

106
00:06:33,830 --> 00:06:35,490
so we get to our first

107
00:06:35,970 --> 00:06:38,610
maxim: prompts are dubious

108
00:06:39,570 --> 00:06:43,930
if you are coding a prompt, or you
see a prompt, looking at, you know,

109
00:06:43,930 --> 00:06:48,490
for yourself, or you're refactoring something, there's
a prompt there, regard it with suspicion

110
00:06:49,010 --> 00:06:52,620
do you actually need to prompt the user,
and this goes across the board, I

111
00:06:52,620 --> 00:06:57,360
mean sure the technology we have sometimes requires
that we prompt, maybe to save a

112
00:06:57,360 --> 00:06:59,240
file or something, we really

113
00:06:59,900 --> 00:07:01,620
we don't want that, like

114
00:07:02,420 --> 00:07:07,260
our end goal should be to get rid of yes/no
prompts, or the equivalent

115
00:07:07,260 --> 00:07:07,810
stuff

116
00:07:10,360 --> 00:07:14,750
but taking it a step further, security prompts are wrong

117
00:07:16,270 --> 00:07:20,550
sure, sometimes you have to prompt for a password,
and that's an identification prompt, right

118
00:07:20,550 --> 00:07:25,020
you're asking the user to identify themselves and
unfortunately passwords are one way we do

119
00:07:25,020 --> 00:07:25,480
that

120
00:07:25,860 --> 00:07:30,310
but in general a question about security,
like do you want to continue

121
00:07:31,130 --> 00:07:36,080
do you wanna ignore this bad certificate, all those,
exactly, all those things, we'll cover some

122
00:07:36,080 --> 00:07:40,500
examples later, they are wrong almost
ninety nine percent of the time

123
00:07:44,720 --> 00:07:48,680
and if you let the user make that
permanent you're adding insult to injury

124
00:07:49,930 --> 00:07:52,930
basically saying okay fine, go ahead, take that choice, alright

125
00:07:54,390 --> 00:07:57,270
we're actually doing that forever now, ridiculously

126
00:07:58,240 --> 00:07:59,770
alright so here's an example

127
00:08:00,780 --> 00:08:01,740
we've all seen this

128
00:08:03,310 --> 00:08:07,660
and the user is really ill equipped to answer
this question, I mean completely unlikely

129
00:08:07,660 --> 00:08:07,960
what

130
00:08:09,480 --> 00:08:11,370
there are very few people

131
00:08:12,460 --> 00:08:14,050
who can answer this question correctly

132
00:08:15,320 --> 00:08:16,440
there's another example

133
00:08:19,620 --> 00:08:23,730
I don't even know what is going on here,
what's offered, I can't even

134
00:08:23,730 --> 00:08:27,210
as a security professional, cannot answer
this question correctly, I'm just gonna

135
00:08:30,510 --> 00:08:31,400
exactly

136
00:08:34,400 --> 00:08:37,360
here's another example, I mean I could
go on and on with examples, I mean

137
00:08:37,360 --> 00:08:38,800
there are so many examples

138
00:08:46,090 --> 00:08:48,470
so it's just game over you lose

139
00:08:56,600 --> 00:08:59,980
alright, stop interrupting, so what
we do instead of interrupting

140
00:09:00,860 --> 00:09:03,690
we let the user express their intent

141
00:09:04,090 --> 00:09:05,320
what they want to do

142
00:09:05,880 --> 00:09:08,400
and then we make a decision based on

143
00:09:09,330 --> 00:09:10,050
so

144
00:09:10,670 --> 00:09:13,540
I'm gonna give you some examples of this to get you thinking

145
00:09:14,230 --> 00:09:15,870
there's a principle to apply

146
00:09:16,710 --> 00:09:22,600
figure out what the user wants to do, design
so that he can express his intent

147
00:09:22,600 --> 00:09:27,010
during the task he's trying to do, and then don't
prompt with random prompts, either

148
00:09:27,010 --> 00:09:29,560
confirming or whatever, right

149
00:09:30,670 --> 00:09:34,110
so we heard earlier a talk about

150
00:09:34,730 --> 00:09:40,400
portals, well, that's part of the sandboxing, right,
and that's covered in the other talk, so, but

151
00:09:40,400 --> 00:09:40,740
anyway

152
00:09:41,330 --> 00:09:42,090
portals

153
00:09:42,530 --> 00:09:45,840
are a way for a sandboxed application
to kind of call out to the system

154
00:09:46,410 --> 00:09:51,970
and ask the system to do something that a
sandboxed application would otherwise

155
00:09:51,970 --> 00:09:56,060
not be allowed to do, now these are
ripe for doing it wrong, these are

156
00:09:56,060 --> 00:09:57,980
ripe for prompts, and actually

157
00:09:58,420 --> 00:10:03,920
we're approaching this from a different angle,
right, so the classical example, which I think

158
00:10:03,920 --> 00:10:09,000
must be mentioned, is if a sandboxed application
wants to open a file

159
00:10:09,450 --> 00:10:10,670
that's not in the sandbox

160
00:10:11,450 --> 00:10:12,870
it asks the system via the portal

161
00:10:14,330 --> 00:10:19,160
the portal pops up a file
chooser, the user selects the file, the

162
00:10:19,160 --> 00:10:20,610
user expresses the intent

163
00:10:21,360 --> 00:10:22,500
to open the file

164
00:10:22,960 --> 00:10:26,720
and then the system allows that secure
access, at no point is the user

165
00:10:27,230 --> 00:10:28,260
prompted

166
00:10:29,150 --> 00:10:35,120
with a, with a "this application wants
to access this file in read mode

167
00:10:35,120 --> 00:10:41,370
and write mode, I don't know what, and then
continue, disallow, both", it should not have

168
00:10:41,370 --> 00:10:45,450
that, right, so that's expressing intent,
making a secure decision based off of it

169
00:10:46,440 --> 00:10:49,290
another example this is just a theoretical example

170
00:10:50,460 --> 00:10:52,830
you know, for the subject of EXIF data in them

171
00:10:53,510 --> 00:10:57,640
you can imagine software that wants to be,
you know, within our privacy campaign, right, you

172
00:10:57,640 --> 00:11:01,890
can imagine going through software and checking for
this, that we don't upload them accidentally

173
00:11:01,890 --> 00:11:05,880
that we don't sync them to public services,
sync that data to public services

174
00:11:06,350 --> 00:11:09,000
so rather than seeing a prompt like this

175
00:11:10,380 --> 00:11:12,900
I mean of course the designers can probably

176
00:11:13,760 --> 00:11:17,620
rework this, but you might, we might
choose to make the data visible

177
00:11:18,490 --> 00:11:22,960
make it very visible what is, what
is in that photo, so it

178
00:11:24,070 --> 00:11:26,200
this is the set of data that's in this photo

179
00:11:27,000 --> 00:11:30,090
and just like we allow, you know, rotating
photos and stuff, you might have a

180
00:11:30,090 --> 00:11:35,210
button to clear, so it's very clear,
the user has the data, his intent is

181
00:11:35,210 --> 00:11:38,890
to take this data here, put it online,
if he doesn't like the data that's

182
00:11:38,890 --> 00:11:44,100
here he can change it, maybe take
out that EXIF data or whatever, I

183
00:11:44,100 --> 00:11:48,270
mean, well, apply the principle as it's to be applied

184
00:11:48,780 --> 00:11:49,220
that

185
00:11:50,030 --> 00:11:53,990
the user can express the intent, is in control,
knows what he wants to do, and

186
00:11:53,990 --> 00:11:57,670
then he doesn't get these prompts
to allow or deny access

187
00:11:59,530 --> 00:12:00,070
so

188
00:12:01,470 --> 00:12:06,280
so moving onto concrete, some more concrete
examples, what are we doing to fix this

189
00:12:08,910 --> 00:12:11,330
here are some steps and things that i've been working on

190
00:12:12,270 --> 00:12:13,780
i'm just one person though

191
00:12:14,660 --> 00:12:17,940
and i know security sometimes seems like the dark side

192
00:12:18,930 --> 00:12:20,370
but in reality

193
00:12:21,320 --> 00:12:29,130
it's, it, there, there's very few people who
are actively working on this stuff, and

194
00:12:29,130 --> 00:12:33,940
so I would encourage your involvement, so the examples
that I'm gonna give are stuff that

195
00:12:33,940 --> 00:12:38,020
I've sort of figured out or have worked
on already, they're by no means a comprehensive

196
00:12:38,020 --> 00:12:39,140
solution to this problem

197
00:12:39,930 --> 00:12:45,490
and so we need everyone's involvement to try
and apply this as you're making your software

198
00:12:46,070 --> 00:12:49,660
and help fix this stuff, so first

199
00:12:50,110 --> 00:12:52,270
no more certificate prompts

200
00:13:02,020 --> 00:13:05,080
I mean these are the details of a certificate,
I mean I didn't include the

201
00:13:05,080 --> 00:13:08,740
like, binary details that actually are
the ones that you need to verify here

202
00:13:08,740 --> 00:13:09,150
but

203
00:13:10,360 --> 00:13:14,460
barely anyone can actually go through this and
double check that, you know, the certificate matches

204
00:13:14,460 --> 00:13:18,270
what it's supposed to be, this is
what we're gonna do, how we should

205
00:13:19,010 --> 00:13:21,230
just drop the connection when something is wrong

206
00:13:22,190 --> 00:13:26,400
if the user is connecting, let's say
from a web browser, or the thing I

207
00:13:26,400 --> 00:13:29,980
am, let's say, and the server's not listening
on the right port, what do you do

208
00:13:29,980 --> 00:13:34,890
do we display a big dialogue telling him how to
change the port, or to contact whoever

209
00:13:34,890 --> 00:13:38,460
or like something, no, it's in this
case a problem that's on the

210
00:13:38,460 --> 00:13:40,410
server side, a misconfiguration

211
00:13:41,210 --> 00:13:43,770
and we're like, oops, something's broken

212
00:13:44,520 --> 00:13:48,210
I mean sure there are remedies that can be
done, for example if I think of

213
00:13:48,210 --> 00:13:52,660
someone doesn't pay the DNS for jabber
dot org, doesn't pay the domain

214
00:13:52,660 --> 00:13:56,930
registration, we should, we could possibly
put up a dialogue that says, do you want

215
00:13:56,930 --> 00:14:02,610
to send an email to the admin of whatever
based on whois information and

216
00:14:02,610 --> 00:14:02,940
like

217
00:14:03,500 --> 00:14:05,460
so why do we do it for certificates

218
00:14:07,840 --> 00:14:10,880
but i hear these but yes

219
00:14:11,610 --> 00:14:14,460
so let's look at the use cases, what
the users want to do, the user

220
00:14:14,460 --> 00:14:15,150
intent

221
00:14:16,380 --> 00:14:18,460
well one big class

222
00:14:19,220 --> 00:14:25,990
is enterprise CAs, the enterprise, company, organisation
has their own CA, their own anchor

223
00:14:25,990 --> 00:14:29,430
right so for those of you fortunate
enough not to know how this works

224
00:14:29,870 --> 00:14:30,960
there's an anchor

225
00:14:31,820 --> 00:14:35,730
which is stored on your system a whole
bunch of them right and the website

226
00:14:35,730 --> 00:14:36,710
has a certificate

227
00:14:37,240 --> 00:14:37,940
that it

228
00:14:38,210 --> 00:14:43,980
signs the data that's coming from the server
with, and that certificate has a signature

229
00:14:43,980 --> 00:14:45,260
on it by the anchor

230
00:14:46,010 --> 00:14:49,990
and so your browser or software is checking
that it's signed by one of the

231
00:14:49,990 --> 00:14:51,110
anchors on your system

232
00:14:52,190 --> 00:14:53,180
so what we need

233
00:14:54,130 --> 00:14:59,070
for enterprise CAs is a way to
configure it, we might have a link

234
00:14:59,470 --> 00:15:03,110
that pulls up a help file, we might, we now we have a way

235
00:15:04,310 --> 00:15:05,370
to store anchors

236
00:15:05,730 --> 00:15:09,500
this is already in Fedora and Debian,
Ubuntu, so we have a way

237
00:15:09,500 --> 00:15:14,410
to store anchors across, so that by default all
the different crypto libraries will use

238
00:15:14,410 --> 00:15:14,670
them

239
00:15:16,270 --> 00:15:16,710
and

240
00:15:18,380 --> 00:15:21,140
here are some details of how it works

241
00:15:21,690 --> 00:15:24,420
so you can see that there are crypto libraries,
it's unfortunate that we have so

242
00:15:24,420 --> 00:15:24,950
many

243
00:15:26,440 --> 00:15:29,730
so what we've done here is this trust store

244
00:15:30,580 --> 00:15:31,870
now the trust store

245
00:15:32,690 --> 00:15:37,440
basically holds a list of all the anchors
and blacklist and everything from files, so

246
00:15:37,440 --> 00:15:41,070
admins can just put files in a directory,
there are tools to do this too

247
00:15:42,980 --> 00:15:43,760
and

248
00:15:44,230 --> 00:15:48,190
and NSS and GnuTLS can read this information
through a protocol called, you can see it's

249
00:15:48,190 --> 00:15:48,560
PKCS#11

250
00:15:50,570 --> 00:15:54,210
now we haven't yet retrofitted
OpenSSL and Java to do the

251
00:15:54,210 --> 00:15:54,890
same

252
00:15:55,390 --> 00:15:56,340
so

253
00:15:57,380 --> 00:16:01,360
in addition, as kind of a concession
to getting this working now

254
00:16:01,980 --> 00:16:05,020
whenever the trust store is modified we also extract some bundles

255
00:16:05,710 --> 00:16:06,520
so that

256
00:16:07,200 --> 00:16:09,020
these kind of legacy

257
00:16:09,690 --> 00:16:14,680
uses of the bundles will still work, so
the upshot is that an enterprise user

258
00:16:14,680 --> 00:16:18,510
or enterprise admin can add a CA
and have it just work, so

259
00:16:18,510 --> 00:16:22,480
that solves, like, tons
and tons of the instances of the

260
00:16:22,480 --> 00:16:23,830
use cases where you want to

261
00:16:24,310 --> 00:16:27,730
use a certificate that your system doesn't trust

262
00:16:28,460 --> 00:16:33,310
and it's not yet done, but we want
to have a GNOME user interface

263
00:16:34,140 --> 00:16:39,630
for adding that CA to your system,
sure, there will be, and every

264
00:16:39,630 --> 00:16:42,120
application, applications that use it,

265
00:16:42,820 --> 00:16:48,530
could include a link to help documentation if we want

266
00:16:49,440 --> 00:16:51,650
but after dropping the connection, of course

267
00:16:52,890 --> 00:16:54,410
and then you have

268
00:16:55,020 --> 00:16:55,760
your

269
00:16:57,570 --> 00:17:02,840
those use cases, though, there's also professionals,
professional tools, right, so maybe

270
00:17:02,840 --> 00:17:07,050
it's maybe a developer developing against a system that is

271
00:17:07,650 --> 00:17:10,190
just a test system with a certificate on it that

272
00:17:10,760 --> 00:17:14,250
they just generated quickly, and in production
they're gonna use a good, like a

273
00:17:14,250 --> 00:17:15,070
signed certificate

274
00:17:15,810 --> 00:17:20,480
or for some other reason you might have
a personal server that you just decide

275
00:17:20,480 --> 00:17:24,530
to, like, put a self signed certificate
on, not okay, but you wanna make it

276
00:17:24,530 --> 00:17:26,510
work, well there is room for

277
00:17:27,010 --> 00:17:30,230
professional tools to recognise that, to work with that

278
00:17:31,160 --> 00:17:34,980
and here's how, instead of prompting
the user, even in professional tools

279
00:17:35,790 --> 00:17:42,670
remember the professionals are users too, they
also ignore information, I know I have

280
00:17:42,670 --> 00:17:44,930
clicked through SSL certificates too many times

281
00:17:45,440 --> 00:17:46,510
it's just like

282
00:17:47,140 --> 00:17:49,190
so what you do there

283
00:17:49,770 --> 00:17:53,920
is, there, don't feel like your
tool needs to do this, you're a

284
00:17:54,750 --> 00:17:59,440
but what you do there is associate
a certificate with the account

285
00:18:00,060 --> 00:18:03,660
as you would let the user specify
host name or username or whatever

286
00:18:04,580 --> 00:18:08,240
what that does, it does two things, is
that we can be more secure with

287
00:18:08,240 --> 00:18:13,570
less security, it does two things, one is that
the user, you know, doesn't get prompted

288
00:18:13,570 --> 00:18:18,180
later and, you know, you work around the fact
that it's a self signed certificate

289
00:18:18,180 --> 00:18:22,230
but two, it also lets the user do what's
called certificate pinning

290
00:18:22,740 --> 00:18:23,520
where

291
00:18:23,920 --> 00:18:29,180
if the certificate the server sends
does not match that certificate, it

292
00:18:29,740 --> 00:18:34,100
doesn't work anymore, this lets really
micromanaging, secure users

293
00:18:35,230 --> 00:18:39,690
double check certificates that they want
to use with a given service, and

294
00:18:40,160 --> 00:18:43,820
and then, if something changes, get notified, so

295
00:18:45,280 --> 00:18:45,730
but

296
00:18:47,180 --> 00:18:51,580
not every application has to do this, so if you're
building a special application or something

297
00:18:51,580 --> 00:18:54,360
that you imagine needs this feature, this is how to do it

298
00:18:55,220 --> 00:18:57,450
instead of prompting this is how to do it

299
00:18:59,170 --> 00:19:00,640
alright, onto another topic

300
00:19:01,430 --> 00:19:02,970
application password storage

301
00:19:03,800 --> 00:19:05,230
so currently in

302
00:19:06,470 --> 00:19:07,960
in GNOME we have

303
00:19:08,540 --> 00:19:12,600
gnome-keyring, which is kind of like the central
database of all the passwords, and

304
00:19:12,600 --> 00:19:15,070
applications store passwords in there and they can get them out

305
00:19:15,470 --> 00:19:19,630
now this is really surprising to users because
it doesn't match their intent, their intent

306
00:19:19,630 --> 00:19:22,760
is that they type a password into this application,
the application remembers it

307
00:19:23,720 --> 00:19:28,190
what they don't expect is that every other application,
including their younger brother using

308
00:19:28,190 --> 00:19:29,750
seahorse, can go and read all the passwords

309
00:19:31,680 --> 00:19:32,450
and

310
00:19:33,150 --> 00:19:39,020
in addition it creates all these problems where
we have one, one security domain

311
00:19:39,020 --> 00:19:41,990
you would call it, for all the applications,
they can all read each other's passwords

312
00:19:41,990 --> 00:19:42,390
and crap

313
00:19:43,300 --> 00:19:44,120
so

314
00:19:46,540 --> 00:19:49,770
really the password is part of the account info,
when you set up a password and, I'm,

315
00:19:49,770 --> 00:19:54,300
the, or whatever, it really is part of the account,
why don't we store it with the account

316
00:19:54,300 --> 00:19:59,900
well, because most people agree that putting
a password unencrypted on a laptop disk

317
00:20:00,490 --> 00:20:04,930
is bad practice, I mean there are certain
storages where you can write it actually

318
00:20:04,930 --> 00:20:09,380
clear text, like an encrypted disk, maybe
a phone where you can, well, some sort

319
00:20:09,380 --> 00:20:14,170
of phones where you cannot read this, but that's
wrong for sandboxed applications

320
00:20:15,270 --> 00:20:18,630
so we likely need to use some sort of encryption

321
00:20:22,040 --> 00:20:22,470
but

322
00:20:23,080 --> 00:20:28,300
and sandboxed applications really throw a wrench
into this because if you have them

323
00:20:28,300 --> 00:20:32,760
sharing their passwords, right, in the central
database, you have all these, like, all this

324
00:20:32,760 --> 00:20:37,050
"but this app wants to read this password",
or not, all these weird, if

325
00:20:37,050 --> 00:20:41,570
the prompts, or situations where prompts are
likely to appear, so instead what we wanna

326
00:20:41,570 --> 00:20:42,210
do

327
00:20:43,630 --> 00:20:44,150
is

328
00:20:44,790 --> 00:20:50,250
have a session key in the kernel keyring,
the kernel keyring, it's kind of, it's

329
00:20:50,250 --> 00:20:53,840
kind of like gnome-keyring,
but it's volatile and only

330
00:20:54,390 --> 00:20:57,480
stays around for one

331
00:20:57,960 --> 00:21:00,740
for the booted life of the computer, I guess, or

332
00:21:01,280 --> 00:21:02,700
while it's on

333
00:21:03,850 --> 00:21:10,000
and we really want applications to store the passwords
in their account information, so they

334
00:21:10,000 --> 00:21:12,120
use a library to access the kernel keyring

335
00:21:13,560 --> 00:21:17,360
and ask for a session key, which they
can use to encrypt the password, so they

336
00:21:17,360 --> 00:21:19,290
can store it right there, and they pass it through

337
00:21:20,490 --> 00:21:21,020
and

338
00:21:21,840 --> 00:21:25,750
store the result in the account information,
and the kernel keyring, if it's not, if

339
00:21:25,750 --> 00:21:27,230
we don't yet have a session keyring

340
00:21:27,930 --> 00:21:29,490
there'll be hooks

341
00:21:30,190 --> 00:21:34,400
that allow the secret service or whatever
to prompt the user or

342
00:21:34,400 --> 00:21:36,950
to get an existing keyring, I think, based on the user's login

343
00:21:38,740 --> 00:21:44,060
this actually lets you do some really interesting
things where you can have policy

344
00:21:44,970 --> 00:21:48,740
like, the whole scheme lets you have
policy where different applications

345
00:21:49,390 --> 00:21:53,700
you could, you could tell them, this application
I want to never store passwords

346
00:21:53,700 --> 00:21:59,140
and so the kernel keyring always refuses
to have a session, a master session key

347
00:21:59,140 --> 00:22:05,020
for that, and it respects that, doesn't write
a password, or you could say an empty

348
00:22:05,020 --> 00:22:07,300
key means store in clear text

349
00:22:08,050 --> 00:22:12,220
then you can have either per-application
or for the whole system a way

350
00:22:12,490 --> 00:22:18,000
to indicate to the applications, just put that, lay it
down in your, in your account information

351
00:22:18,000 --> 00:22:20,070
in clear text, don't want to bother with encryption here

352
00:22:21,670 --> 00:22:26,910
so again, another example, modelling the user intent,
when we're keeping the password in the

353
00:22:26,910 --> 00:22:27,780
account data

354
00:22:28,960 --> 00:22:29,740
and

355
00:22:30,520 --> 00:22:35,440
again, you're more secure because you can,
you can model all these different things

356
00:22:35,440 --> 00:22:36,350
you don't have apps

357
00:22:36,990 --> 00:22:42,890
interacting with each other, sandboxed
apps especially, to retrieve the password

358
00:22:42,890 --> 00:22:47,410
from somewhere, of course, unless, the case where
apps want to share an account, information from an

359
00:22:47,410 --> 00:22:51,340
account, right, and we do that through
GNOME Online Accounts or a service

360
00:22:51,340 --> 00:22:51,970
like that

361
00:22:52,720 --> 00:22:55,390
for sandboxed applications there
should be a portal for that

362
00:22:58,290 --> 00:22:58,930
and

363
00:22:59,470 --> 00:23:03,730
and a related use case that someone actually
brought up just the other day, so

364
00:23:03,730 --> 00:23:06,420
I would mention it, is people like to
look up the password that they

365
00:23:06,420 --> 00:23:09,190
use in an app and get it back, so

366
00:23:09,860 --> 00:23:13,740
we might also have a portal or something
for that, to kind of say, I'd

367
00:23:13,740 --> 00:23:14,920
use this password

368
00:23:15,690 --> 00:23:19,690
if the user wants to be reminded of it
later, store it, but we, but apps just

369
00:23:19,690 --> 00:23:23,200
don't necessarily use that lookup stuff,
the user looks up stuff there if he

370
00:23:23,200 --> 00:23:26,100
wants to use it somewhere else, and
if an application, you put, and

371
00:23:30,390 --> 00:23:31,480
so another topic

372
00:23:33,430 --> 00:23:40,640
when you login to your you know that start
using fingerprints are all the login

373
00:23:40,640 --> 00:23:44,970
or anything about a passer morgan to get this
problem which is really stupid because

374
00:23:44,970 --> 00:23:51,080
it's a password right so users pleasantly
chose not to login password you get this

375
00:23:55,020 --> 00:23:59,360
now the reason for that is because although
we can authenticate the user

376
00:24:00,140 --> 00:24:03,520
we can make an access decision
based on his identity who he is

377
00:24:04,610 --> 00:24:06,150
we cannot we don't have any

378
00:24:06,890 --> 00:24:10,850
secret data like a master password or anything
with which to decrypt the stuff on

379
00:24:10,850 --> 00:24:13,990
the disk so we can open his password store and so on

380
00:24:14,850 --> 00:24:17,860
so gnome keyring stubbornly puts up this prompt

381
00:24:18,580 --> 00:24:20,170
that's really unusable

382
00:24:21,500 --> 00:24:26,920
user's intent is to auto login for example
just have the stuff be accessible

383
00:24:27,810 --> 00:24:33,430
right actually ask for fingerprint the ask
for although it's kind of secure to make

384
00:24:33,430 --> 00:24:36,950
his data accessible based on the fingerprint
that he's leaving all over the place

385
00:24:37,600 --> 00:24:40,280
right so really

386
00:24:40,720 --> 00:24:44,780
the user has made a decision
already that says i want

387
00:24:44,780 --> 00:24:46,020
to be less than

388
00:24:46,800 --> 00:24:51,050
a hundred percent or less than
password secure and i want to

389
00:24:53,060 --> 00:24:54,430
i don't care this point

390
00:24:57,230 --> 00:24:59,300
so this is how we're gonna solve this

391
00:25:02,290 --> 00:25:06,000
so again for those of you fortunate enough
not to understand how PAM works

392
00:25:07,320 --> 00:25:09,250
you have a stack of modules

393
00:25:10,000 --> 00:25:14,320
and one of the modules usually one
of the early ones in the stack will

394
00:25:14,320 --> 00:25:15,880
prompt the user for a password

395
00:25:16,700 --> 00:25:20,950
usually it's pam_unix although it could
be the SSSD component

396
00:25:21,430 --> 00:25:22,270
and so on

397
00:25:25,680 --> 00:25:28,740
so what we really want is that password
to come from somewhere else

398
00:25:29,440 --> 00:25:30,270
first of all

399
00:25:30,840 --> 00:25:32,760
we want all the accounts to have a password

400
00:25:33,400 --> 00:25:35,640
but then the user can choose not to use that us

401
00:25:36,670 --> 00:25:37,120
so

402
00:25:38,990 --> 00:25:44,300
when configuring fingerprint on or
auto login or pay login even

403
00:25:45,200 --> 00:25:48,290
users password is written to a file

404
00:25:49,450 --> 00:25:55,460
and ideally that file would be secured
via something on the hardware like a TPM

405
00:25:55,460 --> 00:26:00,690
chip or protected NVRAM or
something but if not it's written

406
00:26:00,690 --> 00:26:04,650
in clear text and this is the user's explicit choice

407
00:26:07,040 --> 00:26:10,200
in addition we wanna fix the case where

408
00:26:10,490 --> 00:26:13,830
you unlock your disk encryption
and then you have to type the same

409
00:26:13,830 --> 00:26:15,290
password again when you log in

410
00:26:16,520 --> 00:26:19,980
so both of these put data into the kernel keyring

411
00:26:20,890 --> 00:26:23,380
the kernel keyring contains the user's

412
00:26:24,040 --> 00:26:29,230
login password in these cases disk auto login fingerprint

413
00:26:30,070 --> 00:26:31,020
authentication

414
00:26:31,650 --> 00:26:33,870
and then when the login starts

415
00:26:34,420 --> 00:26:38,250
there is no authentication token there's
no password or auth tok as they call it

416
00:26:38,910 --> 00:26:41,990
so the first thing in the stack looks
and checks the kernel keyring

417
00:26:43,350 --> 00:26:46,000
do you have the user's login password can i just use it

418
00:26:46,940 --> 00:26:48,250
and if you didn't this time

419
00:26:48,820 --> 00:26:49,450
at the top

420
00:26:50,070 --> 00:26:53,980
and then the underlying component sees there's
already one there tries to use it

421
00:26:55,490 --> 00:26:57,560
and if it works then no prompt

422
00:26:58,380 --> 00:27:02,010
and on we go down to the bottom gnome
keyring is also able to use

423
00:27:02,010 --> 00:27:06,010
that auth tok to unlock the user's passwords
or to provide like it's in the

424
00:27:06,010 --> 00:27:10,340
last slide that master session key for apps to unlock their own passwords

425
00:27:11,720 --> 00:27:12,840
so we got

426
00:27:14,010 --> 00:27:19,030
a usable login experience that
models the user's intent and in fact

427
00:27:19,600 --> 00:27:24,030
you get the ability to use more secure stuff
like disk encryption smoothly

428
00:27:26,860 --> 00:27:29,420
so those are the things that i

429
00:27:30,710 --> 00:27:33,840
sort of have schemed in this area but

430
00:27:34,710 --> 00:27:38,640
there is so much more if you're
if you want to join in on any

431
00:27:38,640 --> 00:27:42,510
of these tasks i can break them down
we can we can work together i'd

432
00:27:42,510 --> 00:27:47,210
love that i'm this is not my job
to work on this stuff i work

433
00:27:47,210 --> 00:27:48,200
part time on it

434
00:27:51,290 --> 00:27:56,170
and if you see other places where you
want to apply the principles i talked

435
00:27:56,170 --> 00:27:59,850
about then by all means don't be afraid to join in the

436
00:28:00,560 --> 00:28:04,980
dark side of security bring us back
from the dark side we have cookies

437
00:28:06,670 --> 00:28:07,410
so

438
00:28:08,820 --> 00:28:09,950
who's your comment

439
00:28:11,930 --> 00:28:15,260
terminate security problems with extreme prejudice

440
00:28:17,330 --> 00:28:19,570
and this is really interesting about this the other day

441
00:28:22,600 --> 00:28:27,360
for every keystroke or click that the user
has to make to use a security

442
00:28:27,360 --> 00:28:32,090
or crypto feature the user base declines
by you can imagine how that goes

443
00:28:33,970 --> 00:28:35,700
alright any questions

444
00:28:37,210 --> 00:28:37,680
yes

445
00:28:43,700 --> 00:28:48,580
are you very the if you so the web
browser example we back that we

446
00:28:48,580 --> 00:28:53,870
just gonna drop connections if the certificate is mismatching
there are some sites that are gonna

447
00:28:53,870 --> 00:28:56,440
practise that you can take people want to go to them

448
00:28:56,910 --> 00:29:00,930
do you think you just gonna find you know
like more extreme measures of disabling

449
00:29:00,930 --> 00:29:03,220
the security system so that they can get what they want

450
00:29:04,980 --> 00:29:07,840
and that will match user intent

451
00:29:08,460 --> 00:29:14,390
like i find with someone who's crazy
or someone who is a it is come

452
00:29:14,390 --> 00:29:18,400
used to living on the extreme going in disabling
have to secure this but if

453
00:29:18,400 --> 00:29:22,000
like user intent is i want to see
this site and then you force them

454
00:29:22,000 --> 00:29:25,640
into like and disabling all security
validation or something like that

455
00:29:27,890 --> 00:29:32,490
that's a possibility but i think we've
also made it possible for the user to

456
00:29:32,490 --> 00:29:33,940
fix that situation

457
00:29:34,720 --> 00:29:39,810
in a straightforward secure way without getting
a prompt interrupting them so not only are

458
00:29:39,810 --> 00:29:43,240
we taking something away but we've given them
the ability to fix it really it's

459
00:29:43,240 --> 00:29:44,570
been hopeless so far right

460
00:29:45,010 --> 00:29:50,040
you try to trust some CA or something
like CAcert for example

461
00:29:50,040 --> 00:29:54,550
i was like what you have to figure and
every application that's not so we're

462
00:29:54,550 --> 00:29:58,240
trying to do is really solve the problem
that the users are actually facing and

463
00:29:58,240 --> 00:29:59,440
there'll always be some

464
00:30:00,250 --> 00:30:01,110
weirdos

465
00:30:01,650 --> 00:30:08,770
who want to ignore that stuff or totally
valid users who want to ignore that stuff

466
00:30:08,770 --> 00:30:12,770
and for them it's open source they can
go in and modify they can configure it

467
00:30:12,770 --> 00:30:16,380
they can change it but we don't necessarily
have to present that to all these

468
00:30:16,380 --> 00:30:17,820
is that option to all the users

469
00:30:19,930 --> 00:30:20,790
did you have a question

470
00:30:26,770 --> 00:30:27,540
there we go

471
00:30:28,370 --> 00:30:37,820
so with the decline of the passwords this is
secure mission to the contention relates

472
00:30:37,820 --> 00:30:43,700
to the ultimate just a user can remember
is for below the amount of that

473
00:30:43,700 --> 00:30:46,100
is that compute complete for some half an hour

474
00:30:46,960 --> 00:30:48,040
the two

475
00:30:49,250 --> 00:30:55,780
and with the jan on the availability of the two
factor authentication right

476
00:30:56,550 --> 00:30:58,410
what can we do to fix the problem

477
00:30:59,570 --> 00:31:02,610
a lot of lot of research unless the sure that it

478
00:31:03,190 --> 00:31:06,930
i don't have an amazing response to that i mean if and if

479
00:31:07,630 --> 00:31:12,660
if someone wants to work on you authentication
methods or implementing

480
00:31:13,190 --> 00:31:17,530
ones that are in research that certainly
interesting work that

481
00:31:18,480 --> 00:31:19,410
we can do i mean

482
00:31:20,060 --> 00:31:23,420
but we have established stuff we could
try implementing into gnome but

483
00:31:24,860 --> 00:31:29,480
don't be shy when exploring that stuff there's
definitely a need for something better

484
00:31:29,900 --> 00:31:30,630
but we don't have

485
00:31:40,980 --> 00:31:41,310
sure

486
00:31:55,620 --> 00:31:56,180
or the

487
00:31:58,110 --> 00:32:01,980
i think it's a good approach to try
to catch the user's intent but it's

488
00:32:01,980 --> 00:32:05,920
at the same time very far as it is hard i mean

489
00:32:06,890 --> 00:32:07,910
it's security

490
00:32:08,820 --> 00:32:12,570
i don't know it might be very different
see what you know the uses and

491
00:32:12,570 --> 00:32:13,980
ten E it's

492
00:32:14,350 --> 00:32:15,370
there's no doubt that

493
00:32:17,320 --> 00:32:21,580
and that's one reason i wanted to give
this talk is we're on the verge

494
00:32:21,580 --> 00:32:22,500
of designing these

495
00:32:22,860 --> 00:32:26,090
sandboxed applications and it would be so easy

496
00:32:26,470 --> 00:32:28,540
to fall into the trap of getting more prompts

497
00:32:29,140 --> 00:32:31,430
so easy and i agree it is hard

498
00:32:31,880 --> 00:32:35,620
is really hard like for example do you
want to share your location yes no

499
00:32:37,530 --> 00:32:38,830
what is the answer to that

500
00:32:39,670 --> 00:32:43,220
what if you what if you i mean this
is just spit balling here but

501
00:32:43,220 --> 00:32:46,520
what if you were displaying and say
select your location share but

502
00:32:47,120 --> 00:32:50,400
like a user clicks it takes the share
button it has a web at and

503
00:32:50,400 --> 00:32:54,340
you get some i guess like of course under
his current location and all and

504
00:32:54,340 --> 00:32:59,310
it kind of modelling some attached to
do rather than a permission i mean i

505
00:32:59,310 --> 00:33:00,570
realise it's hard

506
00:33:01,210 --> 00:33:05,490
and no i don't think any of us have like
this ingenious solution for each

507
00:33:05,490 --> 00:33:08,280
and every problem i mean each one it's going to be a child

508
00:33:08,860 --> 00:33:14,210
but we really should not just fall into the trap
of prompting users that just makes

509
00:33:14,210 --> 00:33:17,060
like i mean showing prompts that are just going
to be clicked through when you kind

510
00:33:17,060 --> 00:33:18,450
of get in the habit of just clicking through

511
00:33:22,020 --> 00:33:26,760
i think it is useful to make a distinction
between prompts that are like would

512
00:33:26,760 --> 00:33:31,240
you like to share your location yes-no versus
prompts that are more like would you

513
00:33:31,240 --> 00:33:34,970
like me to do what will allow you
to do what you're trying to do

514
00:33:34,970 --> 00:33:37,610
so i mean equipment industry choice that's

515
00:33:38,060 --> 00:33:41,810
later you know if i'm clicking no i
don't get what i want verses okay

516
00:33:41,810 --> 00:33:45,640
this is really a preference and then i
can proceed writing there's a you want

517
00:33:45,640 --> 00:33:49,510
to do your task like exactly and then
the ability to of course stop it

518
00:33:49,510 --> 00:33:52,980
if it was a surprise that somehow this
thing popped up so saying that all

519
00:33:52,980 --> 00:33:55,960
yes we know choices are only back
i'm not sure that that's true

520
00:33:57,120 --> 00:34:02,700
that's why i said prompts are dubious
and i understand your point

521
00:34:03,170 --> 00:34:05,600
but we need to react

522
00:34:05,990 --> 00:34:08,940
when we see if we as developers we
need to react when we see a prompt and

523
00:34:08,940 --> 00:34:11,960
really think hard is this really necessary
and i guess that's my point

524
00:34:12,540 --> 00:34:15,910
so we've been so used to just generating prompts

525
00:34:16,650 --> 00:34:19,280
so after that extreme here

526
00:34:20,170 --> 00:34:21,440
and there are exceptions

527
00:34:21,980 --> 00:34:26,990
but it really should be part of our
first reaction to think hey this is

528
00:34:26,990 --> 00:34:30,150
the problem what are we doing here can
we can we change this there were

529
00:34:30,150 --> 00:34:33,900
actually matching what the user wants to
do or presenting a like part of the

530
00:34:33,900 --> 00:34:37,670
flow or somehow let me show isn't
and or something like that

531
00:34:40,980 --> 00:34:41,830
just for the

532
00:34:49,560 --> 00:34:55,840
so continuing brian's question before i think which
is absolutely terrible has had an invalid sort

533
00:34:55,840 --> 00:35:00,460
of the certificate for five years
and i don't see any fixed that

534
00:35:01,540 --> 00:35:05,990
that i mean you i know i is they
bought my credit card your like

535
00:35:05,990 --> 00:35:10,240
any money right now a but i mean it's just sort of i mean i

536
00:35:10,240 --> 00:35:13,200
sort of agree with brian's sentiment
that it's like there's a valid

537
00:35:13,650 --> 00:35:21,460
certificate websites all over the place like just
sorta children actually and he obviously the

538
00:35:21,460 --> 00:35:25,280
right now like it's very bad by record choose you like

539
00:35:26,010 --> 00:35:30,900
but like i would do that as you
were on your fish will be use

540
00:35:30,900 --> 00:35:34,430
like we could do i wanna do i get my money's

541
00:35:35,890 --> 00:35:39,410
so it's just like i understand your point with like

542
00:35:39,760 --> 00:35:44,860
i don't use any for just terrible websites
or so i probably not use their

543
00:35:44,860 --> 00:35:45,980
online banking system but

544
00:35:46,780 --> 00:35:51,530
i'm gonna return an anecdote in kind and
that is on mozilla's bugzilla

545
00:35:51,530 --> 00:35:55,070
a lot about our website where people
file bugs about firefox

546
00:35:55,510 --> 00:35:59,640
there are a number of bugs where people
say that exact same thing hey you guys

547
00:35:59,640 --> 00:36:04,670
suck you do not recognize the certificate for my
bank i keep getting prompted and blah and

548
00:36:04,670 --> 00:36:07,190
then someone looks at the details and
they are in fact being man in the

549
00:36:07,190 --> 00:36:11,290
middle someone is attacking them and they
have enough knowledge to go and post like

550
00:36:11,290 --> 00:36:16,040
certificate details and all that stuff on for
example so you're how many people are

551
00:36:16,040 --> 00:36:20,000
just ignoring it i mean a factor
of a thousand more right so

552
00:36:21,050 --> 00:36:25,130
i realise there's a trade off here but
i think this is completely the right

553
00:36:25,130 --> 00:36:30,270
approach and there are ways to get up to
obviously we haven't totally ignore the

554
00:36:30,270 --> 00:36:34,370
fact that all certificates automatically validate
and there are ways to do it so someone

555
00:36:34,370 --> 00:36:37,680
might make a browser plug in for you
or you might make it that says

556
00:36:37,680 --> 00:36:39,370
hey when i go to this bookmark

557
00:36:39,860 --> 00:36:44,320
always check to make sure it's the certificate
no matter outdated or whatever pin the

558
00:36:44,320 --> 00:36:46,640
certificate to the bookmark and there you go

559
00:36:47,950 --> 00:36:51,260
the other question i have what do you think about selinux

560
00:36:55,000 --> 00:36:58,620
the reaction i was expecting thank you
know i think i think that i think

561
00:36:58,620 --> 00:37:02,530
there's a lot of good use cases
for it and i just think many of

562
00:37:02,530 --> 00:37:05,740
much of what we try to do with it now is to find great so

563
00:37:05,740 --> 00:37:09,020
it's again the tyranny of small decisions

564
00:37:09,930 --> 00:37:13,640
we need to and there there's definitely
working done on this i'm not trying to

565
00:37:13,640 --> 00:37:19,180
not get we need to use it at a higher
level more like for example

566
00:37:19,180 --> 00:37:24,790
with a marxist that's kind of the abstraction
we containers or with virtual machines that's

567
00:37:24,790 --> 00:37:28,170
kind of the level like you're talking about
rather than the something i wanna micro

568
00:37:28,170 --> 00:37:31,300
manage and selinux always supports
that i think we take it to the

569
00:37:31,300 --> 00:37:38,450
next level now and by removing all those tiny little
incipiency intricate decisions and micromanaging

570
00:37:38,450 --> 00:37:43,350
every detail you sort of have these bigger
bar bigger security domains where stuff in

571
00:37:43,350 --> 00:37:44,870
their interacts fine

572
00:37:45,240 --> 00:37:49,180
but when it once interactive something outside
there only to find ways for to do

573
00:37:49,180 --> 00:37:49,450
that

574
00:38:01,720 --> 00:38:04,540
so i two questions the first one was

575
00:38:05,000 --> 00:38:09,240
i mean you were mentioning some alternative
plan for the take to be able to

576
00:38:09,240 --> 00:38:15,010
still access is websites planning and strategic
it's to some sourced or something

577
00:38:15,450 --> 00:38:20,150
like is percent like just an I them
and then have like a gui

578
00:38:20,150 --> 00:38:24,720
that you didn't really specify so okay so that's
this is the infrastructure i've been

579
00:38:24,720 --> 00:38:27,330
working on actually it's already done the infrastructure

580
00:38:28,240 --> 00:38:32,470
and this is just or is that what you're
talking about and the trust or

581
00:38:32,470 --> 00:38:33,730
is basically

582
00:38:34,590 --> 00:38:38,700
stuff in these two directories so right now
in your fedora 19 or your debian

583
00:38:38,700 --> 00:38:42,380
testing or your opensuse the back to re think

584
00:38:42,890 --> 00:38:43,660
you can put

585
00:38:44,250 --> 00:38:48,760
your CA certificate in one of these
directories check that because i

586
00:38:48,760 --> 00:38:52,380
think some of them change the directory to
be compatible with their old stuff you

587
00:38:52,380 --> 00:38:54,710
can put it in there and suddenly everything will respect it

588
00:38:55,300 --> 00:39:01,180
obviously user interface is very important
and i wish i was really hoping to have

589
00:39:01,180 --> 00:39:02,270
that done by guadec

590
00:39:03,010 --> 00:39:06,380
unfortunately a lot of other stuff conspired against me

591
00:39:06,870 --> 00:39:10,780
there are tools command line tools now
that's very new to do that so you

592
00:39:10,780 --> 00:39:14,610
don't have to like manually place files
it'll just take a adding a listing and

593
00:39:14,610 --> 00:39:15,250
stuff like that

594
00:39:15,900 --> 00:39:17,130
and then there are

595
00:39:18,700 --> 00:39:22,120
based on those tools we have to build
a gui for example so that

596
00:39:22,120 --> 00:39:28,270
the docs can reference it because i understand that
not everyone has an admin even in enterprise

597
00:39:28,270 --> 00:39:32,370
not everyone has an admin caring about their
every you know need any them don't

598
00:39:32,370 --> 00:39:33,890
care that you on the next so

599
00:39:34,620 --> 00:39:38,990
by having the documentation how to do this
we can guide the user through these

600
00:39:38,990 --> 00:39:40,190
that if they really have to

601
00:39:40,810 --> 00:39:46,140
okay and the question the i'm really interested
in is you mentioned like encrypted hard

602
00:39:46,140 --> 00:39:50,540
disks but like when you installed
or it doesn't give you like

603
00:39:51,180 --> 00:39:56,690
langford lot checked by default so will
it be saying that you like to see

604
00:39:56,690 --> 00:39:57,180
like

605
00:39:57,460 --> 00:40:02,210
say linux distributions gently like pushing
for people to encrypt their drives

606
00:40:02,910 --> 00:40:07,180
but there's a lot of discussion about that problem
is password recovery right unless you

607
00:40:07,180 --> 00:40:10,630
can provide the user really same
way of recovering that password

608
00:40:11,100 --> 00:40:13,800
checking it by default is very

609
00:40:14,910 --> 00:40:20,170
"'cause" i'm just from a developers so
i i'm i totally would love to see

610
00:40:20,170 --> 00:40:23,090
it checked right before but we have to
have a good password

611
00:40:23,090 --> 00:40:24,840
recovery mechanism

612
00:40:29,660 --> 00:40:34,940
you talked about you would support sort of like an advanced
interface for pinning what's your opinion

613
00:40:34,940 --> 00:40:40,220
on this idea of certificate pinning by default
on first use so that you know

614
00:40:40,220 --> 00:40:43,750
when i go and access my bank you can
all the suddenly like you know

615
00:40:43,750 --> 00:40:48,320
by the way your bank is now authorised by a russian
certificate it's already are

616
00:40:48,320 --> 00:40:53,220
you sure that that's really what you intend
right so there's a lot of work

617
00:40:53,220 --> 00:40:58,170
being done on how to solve the CA
problem because CAs are

618
00:40:58,770 --> 00:41:02,750
that's pretty much a recipe for corruption
right basically get money for

619
00:41:03,150 --> 00:41:06,370
doing the right thing and more money for
doing the wrong thing you know so

620
00:41:07,410 --> 00:41:11,380
there's a lot of work on this and some
proposals like TACK have a way

621
00:41:11,380 --> 00:41:12,050
to

622
00:41:12,440 --> 00:41:16,410
pin a key to a website and the first
time you see it first time use

623
00:41:16,410 --> 00:41:17,910
you can make a leap of faith

624
00:41:18,380 --> 00:41:21,680
and thereafter you kind of build trust and
because you keep seeing the same thing

625
00:41:21,680 --> 00:41:25,660
there's a way to migrate to new keys
a not necessary you will ever really

626
00:41:25,660 --> 00:41:26,610
do that again

627
00:41:27,170 --> 00:41:31,970
and it's a interesting approach and but it
needs more work from the user interface

628
00:41:31,970 --> 00:41:33,490
perspective because

629
00:41:34,380 --> 00:41:39,180
it really depends on the use case if
the user is logging onto for example

630
00:41:40,620 --> 00:41:43,720
it really makes sense in the case of social networking

631
00:41:44,520 --> 00:41:47,240
if you were creating account that's a with facebook

632
00:41:47,470 --> 00:41:49,880
the first time you're creating that account

633
00:41:50,650 --> 00:41:54,960
you wanna know that later when you connect and
add more your personal information that

634
00:41:54,960 --> 00:41:59,500
you're going back to the same website
and also works very well for ad hoc

635
00:41:59,500 --> 00:42:03,230
communication between people the first
time i met you i have no idea we were

636
00:42:03,230 --> 00:42:07,950
and whether you trustworthy or not and the same
thing works with pinning right

637
00:42:08,510 --> 00:42:11,460
the first time i kinda make a leap
of faith or kind of i there's

638
00:42:11,460 --> 00:42:15,320
not much at stake but over time you
wanna be sure you're going back to

639
00:42:15,320 --> 00:42:16,170
the same place

640
00:42:16,810 --> 00:42:20,290
as far as the leap of faith when you're
connecting to someone you that you

641
00:42:20,290 --> 00:42:23,700
like your bank that you have to know is
the right party from the beginning

642
00:42:24,440 --> 00:42:26,820
that is kind of more unsolved problem

643
00:42:27,790 --> 00:42:32,720
you in this like you have your labial
the weighted keys in user sure if

644
00:42:32,720 --> 00:42:36,030
i don't trust them from the files and
it's that or is it strictly additive

645
00:42:36,030 --> 00:42:39,670
no there's also blacklisting so you
should be able to take a certificate and

646
00:42:39,670 --> 00:42:40,050
say

647
00:42:40,620 --> 00:42:46,360
never use this certificate again now not all
of those libraries support it and nss is

648
00:42:46,360 --> 00:42:49,220
the only one that supports it well i
mean so that i can just right get

649
00:42:49,220 --> 00:42:52,950
out of the trust shortly you can do that it's from that see

650
00:42:55,430 --> 00:43:00,560
and see okay like i don't if you want
to provide actually the last

651
00:43:00,840 --> 00:43:04,590
we have a way to do that i can basically
you market as untrusted for

652
00:43:04,590 --> 00:43:09,680
any use each of those anchors are trusted
for various uses like web or you

653
00:43:09,680 --> 00:43:15,180
know someone and the tool would unmark
the to tool does on market for any

654
00:43:15,180 --> 00:43:18,300
use when you disable it and crystal
there but can't really be

655
00:43:19,360 --> 00:43:23,460
i wanna say that this slide like i
love you for because this is gonna

656
00:43:23,460 --> 00:43:27,730
disasters and i don't have to really like a lot better

657
00:43:43,050 --> 00:43:44,630
so that's all that's great

658
00:43:45,230 --> 00:43:47,880
stick what concerns me right now

659
00:43:48,550 --> 00:43:50,880
is that there's a lot of us on a lot there are some of us

660
00:43:50,880 --> 00:43:54,710
in our community getting harassed
as we go through TSA checks

661
00:43:55,380 --> 00:44:00,130
like that part i don't have that were
like going to TSA checkpoints

662
00:44:00,130 --> 00:44:03,340
we raster resize get take in the get image

663
00:44:04,150 --> 00:44:08,710
what are we doing to prevent things like leaking

664
00:44:09,200 --> 00:44:11,160
you know our keys in memory

665
00:44:11,670 --> 00:44:15,200
i shut my laptop what just happened to
make sure they are actually going to

666
00:44:15,200 --> 00:44:15,730
this

667
00:44:16,840 --> 00:44:21,350
you know a lot of the service stuff goes
to you bustling application once you

668
00:44:21,350 --> 00:44:25,810
get a password secured in gnome keyring over d-bus
we have no control over d-bus zeroing

669
00:44:25,810 --> 00:44:31,100
out the memory that contains my password
well nor do we necessarily zero the password

670
00:44:31,100 --> 00:44:35,290
before freeing it in the applications so what
are we gonna do about conventions how

671
00:44:35,290 --> 00:44:39,790
can we deal with that to make sure that
our applications or protecting us even

672
00:44:39,790 --> 00:44:46,620
when we were right so there's various aspects
that question and what are the interesting

673
00:44:46,620 --> 00:44:51,660
things is like this distinction between privacy
and security some was telling me

674
00:44:52,250 --> 00:44:55,950
yesterday and it was really good point that
security is off and the implementation of

675
00:44:55,950 --> 00:45:00,210
privacy right so we have this privacy campaign
what i've talked here today it was

676
00:45:00,210 --> 00:45:01,320
a lot about security

677
00:45:02,070 --> 00:45:04,900
and our privacy campaign we should be examining

678
00:45:05,380 --> 00:45:09,940
those various use cases especially if are community
is already run into these problems

679
00:45:10,440 --> 00:45:14,240
and a bunch of us were having a disk
and how hard discussion about it

680
00:45:15,410 --> 00:45:18,960
but we need to start crystallizing what
we're going to do for that privacy

681
00:45:18,960 --> 00:45:22,530
right i mean i'm certainly not running it but so

682
00:45:24,770 --> 00:45:30,770
if you have any ideas though i'd
be happy to andreas or to be us

683
00:45:30,770 --> 00:45:36,450
or holland or myself we can start a discussion
on that like what task do

684
00:45:36,450 --> 00:45:40,620
we want to do obviously 20k is not
gonna solve the world's problems but

685
00:45:40,620 --> 00:45:43,430
right you can actually start to tackle
some of those things as far as the

686
00:45:43,430 --> 00:45:46,090
security side ask doing their security

687
00:45:46,460 --> 00:45:48,630
that is a problem and i hope that

688
00:45:49,680 --> 00:45:51,390
part of that is all by this

689
00:45:52,870 --> 00:45:54,290
we have a much more

690
00:45:54,710 --> 00:45:57,610
secure infrastructure for

691
00:45:58,540 --> 00:46:04,110
after that passed around the system although currently
a list not hearing doesn't after password

692
00:46:04,110 --> 00:46:06,680
over developed by in here the number that at least

693
00:46:07,980 --> 00:46:13,530
presumably that the kernel keyring area is
gonna be unlocked memory so when you shut

694
00:46:13,530 --> 00:46:15,260
it no chance of

695
00:46:16,240 --> 00:46:20,980
this so i mean we do need to take
some steps when you when you

696
00:46:20,980 --> 00:46:27,330
suspend your computer to clear the kernel keyring
and then unlock use that unlock password

697
00:46:27,330 --> 00:46:30,700
to repopulate that master session

698
00:46:34,560 --> 00:46:41,040
as far as point the second thing is concerns
a right now i'm still gathering

699
00:46:41,040 --> 00:46:41,590
what we

700
00:46:42,350 --> 00:46:48,260
we won't be community a knowledge and
see what we gonna be using the money

701
00:46:48,260 --> 00:46:54,770
full it's very possible that will end up
having just like to produce the nation's

702
00:46:54,770 --> 00:46:56,790
in previous campaigns that will just add

703
00:46:57,330 --> 00:47:03,070
one company working on a particular set of tasks
but it's also very possible that

704
00:47:03,070 --> 00:47:05,190
will and of speeding up the

705
00:47:06,460 --> 00:47:11,870
the problems into small pieces so summer of code or OPW

706
00:47:12,370 --> 00:47:13,860
participants can

707
00:47:15,030 --> 00:47:18,610
can use that we can even make some
of the stuff into gnome goals

708
00:47:18,610 --> 00:47:23,790
right there is a wiki page on which
we have a bullet point list already

709
00:47:23,790 --> 00:47:27,680
and we need to flesh that out we need
to figure out what's the most

710
00:47:27,680 --> 00:47:29,400
important in the short term

711
00:47:30,780 --> 00:47:31,360
cool

712
00:47:32,100 --> 00:47:38,530
i just one comment on the privacy campaign
is what as we accept bids from

713
00:47:38,530 --> 00:47:42,670
companies are ideas of things we need
to secure is such a broad topic i

714
00:47:42,670 --> 00:47:47,670
mean it means something different to everyone
so i think we need to focus as

715
00:47:47,670 --> 00:47:53,920
we are more on privacy i think especially
i think yes exactly so if we

716
00:47:53,920 --> 00:47:57,300
accepted three companies we're gonna get
a lot of security stuff as well we have

717
00:47:57,300 --> 00:47:58,960
and you know bundled them down to privacy

718
00:48:04,380 --> 00:48:09,990
and in this regime where the account service the applications
are storing passwords as account information

719
00:48:09,990 --> 00:48:14,690
inside themselves presumably and in all sorts of different
ways that the system doesn't really

720
00:48:14,690 --> 00:48:19,450
have any awareness of the if i want
to change the this key that's a

721
00:48:19,450 --> 00:48:23,460
marking all of them, it seems
that I really can't do that. Yes,

722
00:48:23,460 --> 00:48:26,800
that's a good point and I didn't cover it
in the slide, but you might see

723
00:48:26,800 --> 00:48:27,740
there's a little 2 here

724
00:48:28,680 --> 00:48:29,190
okay

725
00:48:29,850 --> 00:48:31,650
what that does is when you ask

726
00:48:32,310 --> 00:48:34,340
the keyring

727
00:48:34,910 --> 00:48:39,180
to unlock a password that you've stored
previously, you also pass the identifier

728
00:48:40,420 --> 00:48:45,650
that is, the one which was used to
mark it previously. When you're doing it for

729
00:48:45,650 --> 00:48:49,970
the first time, well, when you're storing the password,
you use the current identifier and you tag

730
00:48:49,970 --> 00:48:54,300
it into the value you pass back, so
that allows for migration between keys,

731
00:48:54,300 --> 00:48:57,380
so using this key. I mean there may
be more holes and I'd love to

732
00:48:57,380 --> 00:48:58,120
discuss

733
00:48:58,610 --> 00:49:01,750
the details, make sure we have it
all right. If this... can you have a

734
00:49:01,750 --> 00:49:05,730
lot of the protocol, the whole model
has a lot of flexibility, a lot of

735
00:49:05,730 --> 00:49:09,550
power. Not necessarily that we have to expose
all that in the default install, but

736
00:49:09,550 --> 00:49:10,370
you have that

737
00:49:11,270 --> 00:49:16,440
Does the protocol give you an opportunity to say,
it's you requesting, like, a generation two,

738
00:49:16,440 --> 00:49:20,020
did you know there's a generation three,
would you like three? No, I would

739
00:49:20,020 --> 00:49:21,350
suggest personally

740
00:49:21,900 --> 00:49:26,470
that we always have the... just have
a well-known place to retrieve the

741
00:49:26,470 --> 00:49:28,230
current one when they're storing a password,

742
00:49:28,840 --> 00:49:29,560
just use that

743
00:49:32,250 --> 00:49:32,840
great stuff

744
00:49:39,980 --> 00:49:40,820
more questions

745
00:49:45,690 --> 00:49:46,590
thank you very much

746
00:49:48,680 --> 00:49:48,940
right

747
00:49:50,230 --> 00:49:50,600
and then

