GoTo MeetUp: Security by Default
Information security is important ; However, this knowledge helps very few people. The number of general-purpose connected computers (== complexity) grows every day, very real incidents occur from Heart or Cloudbleed to Stuxnet or problems with the on-board computer Toyota ( when the car does not stop ) and the situation does not get better by itself. It gets worse because the “Internet of things” is startups that make the physical infrastructure like bulbs or door locks (SCADA developers cry with bloody tears). Because a huge amount of code is written in memory-unsafe languages. Because the education of developers is, as a rule, either about features (projects / etotprototype), or about fundamental algorithms (which does not help understanding that the system does not work in a vacuum).
It seems that there are two main roots of the problem: these are unsafe tools - for example, PL (C / C ++) and libraries (OpenSSL), and people. People forget about information security, think "let go of something, and then we figure it out," the tradeoffs of their tools do not understand (the fact that "C is fast," everyone knows, but about memory unsafety and the scale of UB are few) etc. The first problem is now being solved by the community: safe languages like Rust and simple, clear libraries like TweetNaCl are being developed. The second remains (after all, good tools must also be taught, as well as appropriate thinking).
Therefore, we conduct a mitap on information security Security by Default.
We say "SbD" instead of "IB" because the latter is often associated with (1) evil security guards, who seem to exist only to ruin the lives of an ordinary developer and (2) with CTFs and hacking culture.
We are talking more about security by default: as tools (a machine that can itself slow down before an imminent collision, turned on after installing the firewall OS, a language with memory safety), and in people's thinking (thinking about non-post-factum).
We divided the program into several blocks:
(see also ideas for reports at the end)
Industry: here experienced experts from large companies will talk about their experiences with fakaps (and look at the industry), and how corporations induce security in their projects. We will also discuss tools that make the development of (more) safe: from fuzzing to strong type systems.
Examples of topics for discussion:- Stuxnet , a malware that destroyed 20% of Iran’s nuclear centrifuges via SCADA
- Compromise of the entire database (name, photo, financial data, etc.) Ashley Madison , dating site for married men
- Remote Code Execution on Pornhub
- Fuzzing dnsmasq with finding a useful stack overflow
- How does "fearless concurrency" Rust work in practice
- How to prepare cryptography
- Designing secure interfaces: from the browser to the messenger
Personal security: let's talk about how to control your data (Digital Fingerprint), discuss the legal issue (how to sue for abuse) and the question "I realized the problem, what to do?".
Examples of topics for discussion:- How incomplete implementation of e2e encryption Whatsapp makes it useless
- IoT-garage lock is blocked after a bad review of its owner on the manufacturer's forum
- How CCC can produce fingerprints from a photo
- Is there any hope for desktop security?
- What is wrong with Telegram?
- Security in small projects: analyze the cases of participants and listen to experienced start-ups. Discuss simple risk reduction strategies.
Mitap will be held on May 18 at the Boiling Point . Come. It will be safe (you need a passport to enter).
We also welcome reports in the Lightning Talk format and longer. In addition, we will be happy to discuss the courses planned this summer in the framework of the visiting schools with everyone.
(If you want to come with a report - write to school@goto.msk.ru or wldhx in BOS .)
User
- Interface Design Problems
- Dark patterns
- Green HTTPS lock
- Therac-25
- Lufthansa 2904
Architect
Cryptography / trust
- Identity. What is the root of trust and source of user identity?
- Decentralization identity. Lessons learned from PKI and WOT. Keybase What's next?
Dangerous data processing practices (privacy, ethics)
- Alexa / Ok Google / Siri
- Storing passwords / tokens, etc.
- Using more data than necessary
Availability, fault tolerance (Centralization)
- No backups
- "The cloud does not fall"
- Died S3 - died on the Internet
- Cloudbleed (and generally "Cloud TLS")
Irresponsible Engineering
- Attempts to solve the problem of abstractions with new abstractions (feature creep backward compatibility, time spent on non-features wasted)
- Hyper backward compatibility (MS, Java, OpenSSL, TLS)
- ... and incompatibility (Linux ABI)
- X11: global input
Network security
- IoT (tesla powerwall, thermostats, excavators, tractors) - controlled through the cloud
- Gapps is a remote-controlled rootkit tied to a person.
- Baseband
Physical compromise
- Badusb
- Thunderstrike
- Evilmaid
- realtek encryption keys
- Intel ME
Developer
Curved algorithms + dangerous coding practices
- Unsafe programming languages (without memory safety + sane defaults (immutability ...))
- Lack of reasonable testing and code review
- "It seems like it works."
- Complex Interfaces for Developers (OpenSSL) - source of errors
- Heartbleed shellshock
- Languages with UB (C, C ++)
- Management, requiring features at the expense of everything else: features> * / move fast, break things
- Galaxy Note 7 Explosive
- Perverse incentives / economic sense: it is easier to release a new non-boring product every% d than to engineer a good-fit
If you are already interested in information security, often find yourself consulting people about it and even get pleasure from it - we would be happy to see you as a mentor: a person who can discuss problems and share his experience without unnecessary TLA.
Just write in the registration form "I want to be a mentor", and we will communicate with you. (You can also write to school@goto.msk.ru or wldhx in BOS .)
')
Source: https://habr.com/ru/post/326764/
All Articles