Security & Privacy
Because you’re awfully bad at them...
This talk applies to security in IT, but the main principles
should apply everywhere.
What is security?

Security is protection from harm.
How to accomplish security?
● Rules (laws, terms of service, ...)
● Trust (web of trust, ...)
● Mathematics (redundancy, encryption, ...)
Against whom?
● Spying brothers, mothers, colleagues, girlfriends (physical access to the computer, knowledge about its owner)
● Companies, ISPs, governments (man-in-the-middle position on the network)
● Employers, insurance companies, banks, governments (institutions we depend on)
● Data "thieves"
Fields
● Physical (passphrases, full disk encryption, lock screens)
● Application (logging & monitoring, prepared SQL statements, trust-nothing strategy)
● Transport (encryption in transit such as HTTPS; end-to-end encryption such as OTR and GPG)
● Data (redundancy and backups against disk failure and loss, encryption at rest against data breaches)
Think about this
● Security is not the same as authentication
● A passphrase is not the same as a password
● Use bcrypt for password hashes instead of MD5 or SHA-1: those are fast general-purpose hashes, so guessing attacks are cheap, with or without a salt
● Another way to store hashes: keep the user and a random salt in the user table, and keep the hashes, mixed with dummy hashes, in a separate hash table that is not linked to users
● Free software is not the same as open source software
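The two password-storage points above, as an added example that is not code from the slides. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so the script runs without third-party packages; the point it demonstrates is the same (a salted, deliberately slow hash versus a fast unsalted one). The iteration count, the dummy count and the `PasswordStore` class are assumptions made for this example; the decoupled "user + salt / hashes + dummies" layout follows the bullet above.

```python
import hashlib
import os
import secrets

# Assumed parameters for this example (not from the slides); tune the
# iteration count for your hardware so one hash costs tens of milliseconds.
ITERATIONS = 100_000
SALT_BYTES = 16


def fast_unsalted_hash(password):
    """What the slides warn against: MD5 is fast and, here, unsalted."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hash(password, salt):
    """Salted, deliberately slow hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_fast_hash(target_hex, wordlist):
    """Dictionary attack against a fast hash: one MD5 per guess, and a GPU
    does billions of those per second. Returns the recovered password or None."""
    for guess in wordlist:
        if fast_unsalted_hash(guess) == target_hex:
            return guess
    return None


class PasswordStore:
    """Decoupled storage: the user table holds only a salt per user; the hash
    table holds every real hash plus unlinked dummy hashes, so a dump of both
    tables does not say which hash belongs to which user."""

    def __init__(self, dummies=8):
        self.users = {}        # username -> random salt (no hash stored here)
        self.hashes = set()    # real hashes and dummies, deliberately unlinked
        self._dummy_salt = os.urandom(SALT_BYTES)  # used only to equalise timing
        for _ in range(dummies):
            # Dummy entries: hashes of random strings nobody knows.
            self.hashes.add(slow_salted_hash(secrets.token_hex(16), os.urandom(SALT_BYTES)))

    def register(self, username, password):
        salt = os.urandom(SALT_BYTES)
        self.users[username] = salt
        self.hashes.add(slow_salted_hash(password, salt))

    def verify(self, username, password):
        salt = self.users.get(username)
        if salt is None:
            # Unknown user: still pay the KDF cost so response time does not
            # reveal which usernames exist.
            slow_salted_hash(password, self._dummy_salt)
            return False
        # Accept if the salted hash appears anywhere in the unlinked table.
        return slow_salted_hash(password, salt) in self.hashes


if __name__ == "__main__":
    # Constructed wordlist for the demonstration.
    wordlist = ["letmein", "qwerty", "password", "123456"]
    print("cracked MD5:", crack_fast_hash(fast_unsalted_hash("password"), wordlist))
    store = PasswordStore(dummies=4)
    store.register("alice", "correct horse battery staple")
    print("alice, right passphrase:", store.verify("alice", "correct horse battery staple"))
    print("alice, wrong passphrase:", store.verify("alice", "password"))
    print("unknown user:", store.verify("nobody", "password"))
```

Two caveats a reviewer would raise on the decoupled layout: it hides the hash-to-user mapping from whoever dumps the database, but an attacker who has a user's salt can still test guesses against the whole hash set, so the slow hash is what actually limits guessing; and because a login is accepted when the hash matches any entry, the scheme relies on the hash output being wide enough (256 bits here) that accidental matches never happen.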
What is privacy?

The freedom to express yourself anonymously, or to send someone a private message, without interference from third parties
Privacy can be decomposed
into three parts:
1. Secrecy (your messages can only be
understood by intended recipients)
2. Anonymity (the ability to send and receive
messages without revealing sender or
receiver)
3. Autonomy (avoidance of
interference/intervention by people who
violated our secrecy or anonymity and are
using it to control us)
What does that mean?
Interception of the content of your message
breaks your secrecy
Interception of the metadata of your message
breaks your anonymity
Threats against secrecy
● Total surveillance
● Deep Packet Inspection (DPI)
● Man-in-the-middle attacks (MITM)
● History (something that is secure now does not necessarily stay that way)
● Weak protocols (FTP, DNS, ARP, HTTP, POP3, Wi-Fi, GSM, EDGE, 3G)
Threats against anonymity
● Total surveillance
● Browser fingerprinting
● Persistent cookies
● Social media buttons and other third-party inclusions (images, scripts, embeds)
● Weak protocols (IP, GSM, EDGE, 3G)
● Everything you have to sign up for
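The "third-party inclusions" threat above, as an added example that is not code from the slides: a small scanner that parses a page and lists every resource the browser will fetch automatically from a host other than the page's own. The sample page, its URL and all hostnames in it are constructed for this example; the set of auto-fetched elements and `<link rel>` values is an assumption that covers the common cases, not an exhaustive list.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not from the slides): a blog post that embeds a
# "like" button, an analytics script, a web font and a third-party image.
SAMPLE_PAGE_URL = "https://blog.example.org/post/1"
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://analytics.example-tracker.com/collect.js"></script>
  <link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Foo">
  <link rel="canonical" href="https://blog.example.org/post/1">
</head><body>
  <img src="/images/photo.png">
  <img src="https://social.example.com/like-button.png?page=post1">
  <iframe src="https://social.example.com/plugins/like.php?href=https%3A%2F%2Fblog.example.org%2Fpost%2F1"></iframe>
  <a href="https://another.example.net/">external link: only fetched when clicked</a>
</body></html>
"""

# Elements whose URL attribute the browser fetches while rendering (assumed
# list for this example; not exhaustive).
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "video": "src", "audio": "src", "source": "src", "link": "href"}
# <link> only triggers a fetch for these rel values; canonical, alternate etc. do not.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


def is_third_party(resource_host, page_host):
    """True when the resource host is neither the page host nor one of its subdomains."""
    if resource_host is None:  # e.g. data: URIs have no host
        return False
    return resource_host != page_host and not resource_host.endswith("." + page_host)


class InclusionScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.third_party = defaultdict(list)  # host -> [(tag, absolute url)]

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        url = attrs.get(attr_name)
        if not url:
            return
        absolute = urljoin(self.page_url, url)  # resolve relative URLs against the page
        host = urlparse(absolute).hostname
        if is_third_party(host, self.page_host):
            self.third_party[host].append((tag, absolute))


def find_third_party(page_url, html):
    """Return {host: [(tag, url), ...]} for every automatically fetched third-party resource."""
    scanner = InclusionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return dict(scanner.third_party)


if __name__ == "__main__":
    for host, resources in find_third_party(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(host)
        for tag, url in resources:
            print(f"  <{tag}> {url}")
```

Every request in that list reaches the third party with the visitor's IP address, a Referer header naming the page (unless a referrer policy suppresses it) and any cookies the browser already holds for that host, which is exactly how a "like" button or analytics script learns who read which page. The plain `<a href>` is not listed because nothing is fetched until the visitor clicks it.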
Tools to use for
● Secrecy: HTTPS, OTR, GPG (best: public-key encryption with ephemeral session keys, so that a later key compromise does not expose past traffic, and adequate key sizes)
● Anonymity: Tor network, I2P, GNUnet
● Autonomy: laws? Civil disobedience?
Use only free software, and know the software you use
Think about this
● Do you have nothing to hide?
● If I promised to keep all of your data secret, would you trust me enough to hand it over? Why would you trust someone you don't know (and whose plans you don't know) over me?
Think about this
● What does Google, Facebook, your ISP, your government know about you?
○ Data you gave them
○ Your friends and their friends
○ Who your employer is (estimated)
○ Places you've been to, and when you were there
○ Where you were at any given time (estimated)
○ Conversations between you and your friends (chat, private message, email, …)
○ Things, music, companies, activities, politics, … that you find important
○ How you look
○ Your sexual orientation (even before you know it)
○ Sites you visit, how long and when you visit them
○ ...
Think about this
● What about correlation? Tor is not enough.
● What about metadata? See quote
Sources
● https://en.wikipedia.org/wiki/Security
● http://snowdenandthefuture.info
● http://opine.me/a-better-way-to-store-password-hashes/
● https://prism-break.org/
● https://www.eff.org/
● https://markopolojarvi.com/privacy.html
● https://www.facebook.com/about/privacy/your-info
● http://digital-era.net/tor-use-best-practices/
● https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
● http://xkcd.com/936/
● https://www.gnu.org/philosophy/free-sw.html
● http://tosdr.org/
@tinydroptest2
github.com/turanct
bitbucket.org/turanct

Take care!

Security & privacy on the internet: things you should know