Alice and Bob want to communicate privately, but Eve is spying on them. Alice hears about cryptography, goes to a crypto party, and learns how to use tools like PGP and Signal to encrypt her messages. The deck discusses the usability and interoperability problems of encryption tools and the lessons about user interface design for cryptography drawn from 1992, 1999, and 2015. It reviews tools like Pidgin, ChatSecure, and in-browser PGP solutions, and notes that adoption of encryption remains difficult.
4. Alice hears about crypto, goes to a crypto party to learn how to crypto.
5. Sec in the City
• 24+ Cryptoparties as of July 2015
• Varying communities with varying skill levels
• Hackerspaces (Alpha One Labs, Fat Cat Fab Lab, NYC Resistor)
• Libraries (Brooklyn Public Library, Verso Books)
• Art Galleries (Calyx Institute, Babycastles)
• Co-working spaces (Harlem Creative Space)
• Universities (CUNY Graduate Center, Columbia)
Photo credit: Roman Kruglov
6. This is Your New Bible
This is canon, everything that came after it is slash fanfic.
7. Key Lessons from 1992
• Modelessness: This is why CAD software is always awful; you want to limit the modes a user has to remember they’re in. BUT crypto has a private/non-private split of situations that can’t always be avoided and should be handled carefully.
• Perceived Stability: Your back-end might be solid, but if the front-end isn’t, people will assume the whole thing is broken and Seal Team 6 is on their way to bust down your door.
• User Testing: Prototype your software, ask people to try it out, and change the design accordingly.
• Metaphors: No one uses a key to unlock a key in the real world.
8. Key Lessons from 2015
• Forgive[less]ness: UX tends to focus on allowing people to undo things or bring things back to an original state. Mistakes in crypto are not usually forgivable.
• Too many tools: If a chain of tools has to be installed in a particular order, people will not do that. If too many steps are involved in downloading/verifying/installing, multiply by the number of tools and you have a problem.
• False hope: If there’s any chance something could go wrong or some feature might not be available, warn the user.
• Confusion through curiosity: Even if you perfectly illustrate a mental model of how something works, the internet will fuck it up.
11. Telegram
• DISCLAIMER: Putin has more money than you. Roll your own phat blunts, but don’t roll your own crypto.
• DISCLAIMER: No out-of-band verification like in OTR.
• EVERY APP NEEDS THIS THO: Alerts other party when screenshot is taken.
• Hard to tell if your chat is encrypted or not, which is a problem…
15. Signal
• Mystery blue button (FIXED).
• Selecting a contact immediately calls them (FIXED).
• Non-functional on iPod Touch despite lack of need for phone bits (FIXED).
16. Signal
• Call button (corded phone handset icon) still unlabeled, might be a generational issue post-Snake People.
• Privacy Settings screen leaves more mysteries:
• “Screen security”
• I can’t see the whole fingerprint (and can we stop calling it that in devices with fingerprint readers)?
17. Peerio
• Designed to only work end-to-end encrypted, no other insecure modes to accidentally end up in.
• Human memory is great at memorizing strings of words, but not if they only type them once and use a short PIN instead.
• Requires anyone you try to contact to approve your ability to contact them; UI doesn’t communicate this (yet; this is being worked on).
21. Interoperability :(
• Axolotl: Used by Signal.
• Minilock: Used by Peerio.
• OTR: Used by some things.
• PGP: Used by some other things.
22. “OTR”
• Really “Pidgin or Adium for desktops, with the OTR add-on or plugin but ChatSecure if you’re on Android and also you need a Jabber or mid-90s startup IM account from somewhere unspecified. Also it’ll be called XMPP instead of Jabber in Pidgin.”
• XMPP accounts end up coming from the CCC and their unsigned certificate. Unsigned certificates scare everyone.
24. Pidgin
• Unlike Thunderbird w/ gandi.net, Pidgin lacks an on-boarding process for creating an account, just the ability to add a pre-existing account.
• People will call it Jabber, Pidgin will call it XMPP.
• Weird “Create this new account” checkbox always needs explanation.
25. Pidgin
• After creating an account using text box, the option is still there for some reason.
• No noticeable way to change existing (lol six char) account password.
• “New mail notifications.” At this point, Pidgin knows nothing about my email account.
26. Pidgin
• SSL/TLS encryption not differentiated from OTR encryption in UI.
• OTR settings are buried in plugin config options.
• Seriously though, axe the Create the new account checkbox.
27. Pidgin
• Process of installing OTR varies between Windows and Linux and between Linux distros (well, package systems).
• Plan to have OTR in Pidgin installed by default began in 2013. Slated as issue for Pidgin 3.0 milestone, 55% of milestone issues complete as of July 2015: https://developer.pidgin.im/ticket/15513.
31. Lessons from 1999
• Add to your reading list: Why Johnny Can’t Encrypt by Alma Whitten, J.D. Tygar
• Users in 1999 user testing ran into some of the same problems as at Cryptoparties in 2015
Photo credit: K W Reinsch
32. Implementation Problems
• Too Many Tools: Fully open-source install on OS X cocktail is GPG Tools, Thunderbird, Enigmail.
• Too Many Different Tools: In [NYC] Cryptoparties, more people know about running PGP in OpenBSD than using Gpg4win for Windows.
• Order of installation has to be explained explicitly.
33. Implementation Problems
• New (after Hotmail/Yahoo/Gmail) Internet users have never used email outside a website.
• People have decades+ old email accounts now; Thunderbird chokes on loading email via IMAP, slowing down everything to the postpone-to-never point.
• The way POP mail works in the age of multiple devices scares everyone.
34. Implementation Problems
• Latest Thunderbird updates are mostly bug fixes, basically abandonware from a design perspective.
• Tiny Thunderbird text is tiny and getting tinier as hi-res screens grow.
• PGP and S/MIME settings both using the same verbs to describe what each do in the same window.
• Nothing to indicate the subject line is encrypted.
37. PGP in the Browser
• Yahoo End-to-End: Browser extension, adds PGP functionality on top of webmail.
• Google End-to-End: ^ See above.
• WhiteoutMail: ^ Ditto.
• Mailvelope: ^ Yup.
38. In-browser PGP Advantages
• User is already working in a familiar interface and workflow.
• Everyone has a web browser installed already.
• Chromebooks now the fastest-growing segment of PC market, The Register - http://www.theregister.co.uk/2013/07/11/chromebooks_fastest_growing_pc_market/
40. Sensible Design For 1991
• Private keys as files: One user, one computer, inside a locked house. No automatic cloud backup software. No constant/fast internet connection between attacker and OS.
• Key servers: No https-encrypted sites to post public key to. No variety of https-encrypted social media to transmit public key. No other encrypted communication basically at all.
• RSA-based keys: Public keys long enough to pass tl;dr threshold, fingerprints—err, key IDs used for verification. Encryption ran slowly, but bearably in C. ECC still experimental, unvetted.
41. Challenging Design For 2015
• Private keys as files: Backup software means your private key may accidentally get copied to cloud. Laptops get lost/stolen. Migrating keys from one machine to the next is not a thought-out process. Browser plugins holding private keys is concerning.
• Key servers: Many use cases for PGP now involve sending email to a person only known by a Twitter/social media account, w/o the possibility of in-person signing. Directories like Keybase provide a contemporary use case for verifying identity.
• RSA-based keys: In-browser PGP means JavaScript PGP. Performance is significantly lower than ECC-based alternatives like NaCL, because math, idk. Slowness == users rage quit.
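Slides 16, 40 and 41 keep circling two concrete points: that a "key ID" is not a fingerprint (so a truncated one is not a verification), and that a private key stored as a file is only as safe as the passphrase protection on that file once backup software sweeps it into the cloud. The following is an added example, not code from the deck or from any of the PGP tools it mentions: a minimal Python parser for OpenPGP v4 RSA key packets following the RFC 4880 layout. It derives the fingerprint, shows that the long and short key IDs are simply its tail, and reports whether a secret-key packet stores its secret material in the clear. All function names are mine, every key value is a constructed toy (the modulus is nowhere near a real key size), and only old-format packet headers with two-octet lengths are handled.

```python
"""Minimal OpenPGP v4 key-packet inspection (added example, RFC 4880 layout).

All key material below is constructed toy data, not a real key.
"""
import hashlib
import struct

TAG_SECRET_KEY = 5     # RFC 4880 5.5.1.3
TAG_PUBLIC_KEY = 6     # RFC 4880 5.5.1.1
ALGO_RSA = 1           # RFC 4880 9.1
S2K_UNPROTECTED = 0    # RFC 4880 5.5.3: secret MPIs stored in the clear


def mpi(n):
    """Encode an integer as an MPI: two-octet bit length, then the big-endian value."""
    bitlen = n.bit_length()
    return struct.pack(">H", bitlen) + n.to_bytes((bitlen + 7) // 8, "big")


def read_mpi(buf, pos):
    """Decode the MPI at buf[pos:]; returns (value, position just after it)."""
    bitlen = struct.unpack(">H", buf[pos:pos + 2])[0]
    end = pos + 2 + (bitlen + 7) // 8
    return int.from_bytes(buf[pos + 2:end], "big"), end


def packet(tag, body):
    """Old-format packet header with a two-octet length (RFC 4880 4.2.1).
    For tag 6 the header octet comes out as 0x99, the same octet the fingerprint hashes over."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def parse_packet(data):
    """Inverse of packet(); returns (tag, body)."""
    first = data[0]
    if first & 0xC0 != 0x80 or first & 0x03 != 1:
        raise ValueError("only old-format packets with two-octet lengths are handled")
    tag = (first >> 2) & 0x0F
    length = struct.unpack(">H", data[1:3])[0]
    return tag, data[3:3 + length]


def public_key_fields(body):
    """Parse the public part of a v4 RSA key; returns (created, [n, e], octets consumed)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    if body[5] != ALGO_RSA:
        raise ValueError("only RSA keys are handled in this example")
    created = struct.unpack(">I", body[1:5])[0]
    pos, mpis = 6, []
    for _ in range(2):                       # RSA public key is two MPIs: n, e
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    return created, mpis, pos


def v4_fingerprint(public_body):
    """SHA-1 over 0x99, the two-octet length, and the public-key body (RFC 4880 12.2)."""
    framed = b"\x99" + struct.pack(">H", len(public_body)) + public_body
    return hashlib.sha1(framed).hexdigest().upper()


def key_ids(fingerprint):
    """The 64-bit "long" and 32-bit "short" key IDs are nothing but the fingerprint's tail."""
    return {"long": fingerprint[-16:], "short": fingerprint[-8:]}


def pretty(fingerprint):
    """Group into blocks of four hex digits, the way verification screens display it."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def inspect(data):
    """Summarise a public- or secret-key packet: fingerprint, key IDs and, for a
    secret key, whether the secret material is passphrase-protected."""
    tag, body = parse_packet(data)
    if tag not in (TAG_PUBLIC_KEY, TAG_SECRET_KEY):
        raise ValueError("not a primary key packet")
    created, (n, e), pub_len = public_key_fields(body)
    fp = v4_fingerprint(body[:pub_len])      # a secret key's fingerprint is its public key's
    result = {"tag": tag, "created": created, "modulus_bits": n.bit_length(),
              "fingerprint": fp, "pretty": pretty(fp), **key_ids(fp)}
    if tag == TAG_SECRET_KEY:
        result["protected"] = body[pub_len] != S2K_UNPROTECTED
    return result


# --- constructed sample packets (toy values; the modulus is far too small to be real) ---
TOY_N, TOY_E = 0xC0FFEE1234567890ABCDEF, 65537
TOY_CREATED = 1435708800                     # 2015-07-01T00:00:00Z, the deck's era
PUBLIC_BODY = (b"\x04" + struct.pack(">I", TOY_CREATED) + bytes([ALGO_RSA])
               + mpi(TOY_N) + mpi(TOY_E))
PUBLIC_PACKET = packet(TAG_PUBLIC_KEY, PUBLIC_BODY)
# Secret key with its private MPIs in the clear (S2K usage 0): the "backup copied my key" worst case.
SECRET_CLEAR = packet(TAG_SECRET_KEY,
                      PUBLIC_BODY + bytes([S2K_UNPROTECTED]) + mpi(0x1234) + b"\x00\x00")
# Same key, S2K usage 254 (secret MPIs encrypted under a passphrase-derived key);
# the bytes after the usage octet are placeholder ciphertext, not parsed here.
SECRET_ENC = packet(TAG_SECRET_KEY, PUBLIC_BODY + bytes([254]) + b"\xA5" * 40)

if __name__ == "__main__":
    for name, pkt in (("public", PUBLIC_PACKET), ("secret/clear", SECRET_CLEAR),
                      ("secret/encrypted", SECRET_ENC)):
        print(name, inspect(pkt))
```

Because the key ID is a suffix of the hash, two unrelated keys can share one, which is why a verification screen has to show (and the user has to compare) the whole fingerprint rather than the short ID slide 16 complains about. For the backup concern, the S2K usage octet is the cheap test; on a real key file `gpg --list-packets` exposes the same field.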
42. Following Up
• Twitters: @huertanix and @cryptopartynyc
• Web: http://www.davidhuerta.me
• Peerio: huertanix
• PGP Public Key ID (aka fingerprint): 1482 F3BF 3F16 6BD4 3525 D55E 35D7 26BD AE09 F328
• In person at the next NYC cryptoparty!