----BEGIN CLASS----
[13:30] #startclass
[13:30] Rahul Jha
[13:30] Roll Call
[13:30] Jason Braganza
[13:30] Gajendra Saraswat
[13:30] Devesh Verma
[13:30] Ashish Kumar Mishra
[13:30] sahil
[13:30] tabrez khan
[13:30] Mayank Singhal
[13:30] Jitendra Kumar Tripathi
[13:30] Kumar Vipin Yadav
[13:30] Naman Sharma
[13:30] Jagannathan Tiruvallur Eachambadi
[13:30] Kushal Das
[13:30] Pawan
[13:30] Shruti Dash
[13:30] Shaikh_Farhan.
[13:30] Aditya Patil
[13:30] Vivek Shukla
[13:30] Vaibhav kaushik
[13:30] shamik nandi
[13:30] Shiva Saxena
[13:30] Pradhvan Bisht
[13:30] Anu Kumari Gupta
[13:30] Priyanka Saggu
[13:30] Utkarsh Gupta
[13:30] Aditya Deshpande
[13:30] Shubham Sharma
[13:30] muhammad Zeeshan qazi
[13:30] Prabhu Sharan Singh
[13:30] Janifa M
[13:30] Karan Pray
[13:30] Robin Schubert
[13:30] *pratap
[13:30] Shital Mule
[13:30] awesome
[13:31] sulakhe pooja
[13:31] Rakshit Airani
[13:31] harlo[m], welcome to dgplug once again.
[13:31] Manjeet mehta
[13:31] Siddharth Sahoo
[13:31] harlo[m], we will wait for another few seconds.
[13:31] Good Morning harlo[m] :)
[13:32] Piyush Aggarwal
[13:32] We can start now.
[13:32] thanks!
[13:32] good morning all
[13:32] harlo[m], the stage is yours. if people have questions, they will type ! and wait for their turn.
[13:33] ok!
[13:33] so... hi! thanks for having me here
[13:33] roll call: Shivam Bansal
[13:33] It's good to have you
[13:33] i'm harlo, and i'm the director of newsroom digital security at freedom of the press foundation
[13:34] where i count kushal as one of my esteemed colleagues
[13:34] i'm sure you're aware, but we bill ourselves as "a 21st century organization offering 21st century support to journalism"
[13:34] i'm based in new york city (brooklyn, to be exact)
[13:35] where i head up a team of digital security mavens
[13:35] day to day activities include...
[13:36] Rollcall: Umesh Sharnagat
[13:36] training journalists on how to use the latest tools for securing their communications
[13:36] Roll Call Rohan Vivek
[13:36] (although only a very small few are on irc!!!!)
[13:37] Roll call: Siddhant N Trivedi
[13:37] !
[13:37] helping journalists work on more sensitive investigations
[13:37] Roll Call: Aman Garcha
[13:37] Roll Call: Ankur Vishwakarma
[13:37] often those that involve whistleblowers
[13:37] !
[13:37] Roll Call: Vishal Kushwaha
[13:37] Sourabh Pruthi
[13:38] advising large newsrooms on how to implement broader recommendations regarding secure communications
[13:38] and performing trainings on a variety of topics
[13:39] we also spend a fair amount of time playing with tools
[13:39] (so we know them as intimately as possible)
[13:39] because, as i always say, "if you don't use it, you can't teach it!"
[13:39] ...i guess i'll take a question before continuing
[13:39] next
[13:39] harlo[m]: Error: "..i" is not a valid command.
[13:40] do you also handle gravely sensitive news that otherwise could not have been published?
[13:40] we do not!
[13:40] we're supposed to be a neutral resource that stands to advise
[13:40] !
[13:40] there are 2 reasons why:
[13:40] first, it's a confidentiality issue
[13:41] !
[13:41] it wouldn't be appropriate for us to know what stories two competing newspapers are working on
[13:41] and two, it's just a bandwidth issue :)
[13:42] we are a small organization; we don't have the resources to support actual investigations
[13:42] although, from time-to-time, individual reporters might ask for more specific advice
[13:42] oh! thanks harlo[m] !
[13:42] and we try to maintain that impartiality while being as useful as possible
[13:42] next
[13:43] !
[13:43] what kind of tools do you use ?
[13:44] i loooove talking about my gear!
[13:44] (quite frankly, one of the reasons i got into this type of work is because, I LOVE GEAR)
[13:44] right now, i use a souped-up thinkpad running the Qubes operating system
[13:45] and my daily phone is just an iphone which has heavy restrictions on it, making it absolutely no fun
[13:45] no snapchat for me 😆
[13:46] Qubes, that sounds like something new for us Sir. Could you please tell us something about it
[13:46] i usually carry a bunch of "live CDs" on me in case i need to drop down into kali or tails
[13:47] romeo_, we do not call anyone sir or madam here, please follow the rules.
[13:47] sometimes i travel with a chromebook, but i have to revisit my set-up there. i really liked using cruton (which allows you to run linux apps in a chroot environment)
[13:47] kushal, okay it won't happen again
[13:48] but i think google released an upgrade to the OS that now allows for doing that safer than i was doing...
[13:48] it's on my to-do list!
[13:48] > <@freenode_romeo_:matrix.org> kushal, okay it won't happen again
[13:48] thanks! no worries 🙂
[13:48] but, back to Qubes!
[13:49] !
[13:49] harlo, did you mean crouton?
[13:49] qubes is this new-ish operating system (https://qubes-os.org)
[13:49] exit()
[13:49] (and also has a channel on freenode)
[13:49] that allows you to use applications in individual virtual machines
[13:50] they call them "domains"
[13:50] > <@freenode_rohanvivek:matrix.org> harlo, did you mean crouton?
[13:50] yes!
[13:51] each virtual machine is highly compartmentalized and isolated from the others
[13:51] !
[13:51] so if you encounter something nasty in one domain, it won't (ideally!) propagate across other domains
[13:51] this is great if you want to open up a suspicious document in one, untrusted, space
[13:51] harlo[m]: wow Qubes does look nice and modern-ish too!
[13:52] and be secure in the fact that some malware won't jump into your web browser...
[13:52] or what have you
[13:52] next
[13:52] what do most newsrooms currently use for internal communication; encrypted email, secure chat like signal or threema, or just texts?
[13:53] > <@freenode_brute4s99:matrix.org> harlo[m]: wow Qubes does look nice and modern-ish too!
[13:53] i am absolutely enamored of it
[13:53] it's also really good for things like metadata analysis and reverse engineering
[13:53] or testing stuff like ansible scripts
[13:54] another aspect of qubes is, you can create different types of "disposable virtual machines"
[13:54] so, say you want to step through some breakpoints on an executable;
[13:54] you just fire up a disposable VM that has a debugger, load in your exe, do your work, and then when you close the window
[13:54] *poof it is gone
[13:56] !
[13:56] !
[13:56] next
[13:57] harlo[m]: you missed my question :(
[13:57] ah, ok!
[13:57] scrolling up....
[13:58] > <@freenode_j605:matrix.org> what do most newsrooms currently use for internal communication; encrypted email, secure chat like signal or threema, or just texts?
[13:58] good question!
[13:59] ...also, would love to talk about specific tools/apps with you all
[13:59] harlo[m]: Error: "..also," is not a valid command.
[13:59] harlo[m] i had the same Qs as j605
[14:00] great
[14:01] so, general trends are:
[14:01] people use GPG but are increasingly bad at it!
[14:01] (encrypted email)
[14:01] but on the brighter side, people do tend to use Signal and WhatsApp
[14:01] if you had asked me this question last year, i'd have felt unequivocally positive about this
[14:02] now, i realize it's much more nuanced
[14:02] it depends on the regional context, but in the US, Canada, and EU, we are starting to see cases where, after a story has been published
[14:02] lawyers tend to look upon use of such apps as suspicious
[14:02] in a way that can further jeopardize a source
[14:03] even though the technology behind the app is sound
[14:03] this is why it is important to advocate for these technologies in everyone's daily lives
[14:04] privacy should not be something that you just decide you need if you're going to do something potentially groundbreaking!
[14:04] privacy is something we should all demand, as regular citizens
[14:05] i think this is an interesting perspective, because this has always been the modus operandi of groups like those behind signal, and OTR, and PGP
[14:05] their M.O. was never: hey here's a tool you can use to leak to the press!
[14:05] it's just started to be co-opted in this way, without people appreciating the long road of advocacy work these groups have done *alongside pushing really great code
[14:06] whatsapp is pretty much the norm in India and Europe, so in that case it has succeeded somewhat, although it would've been nice to have a FOSS solution succeed
[14:06] let's see... what else do journos use nowadays...
[14:07] a few use threema and wickr
[14:07] but i mostly see that in europe, and not in the states
[14:07] no one is using XMPP with OMEMO, which is too bad-- i think it's a great protocol
[14:07] but the implementations are so crappy 😆
[14:08] > <@freenode_j605:matrix.org> whatsapp is pretty much the norm in India and Europe, so in that case it has succeeded somewhat, although it would've been nice to have a FOSS solution succeed
[14:08] indeed!
[14:08] one of my online acquaintances still uses xmpp and develops an xmpp server
[14:08] we definitely advise people to use whatsapp because it's so ubiquitous
[14:08] but this brings up two interesting points
[14:08] the one you already raised about FOSS
[14:09] remember; whatsapp uses the signal protocol
[14:09] but it's bundled into a proprietary app
[14:10] and so, we in FOSS have to ask ourselves: is this how we achieve sustainability?
[14:11] enterprise developers already have a horrible track record of taking their open-source components/libraries for granted
[14:11] and 2: as with any enterprise product
[14:12] you're not paying for it; you're still the product!
[14:12] what's the metadata story within whatsapp (owned by facebook) that could make using this app for this purpose more risky?
[14:12] for instance, by default on iOS, whatsapp attempts to back up your chat history to your icloud
[14:13] they already upload all contacts to fb so it can be shared with the broader universe as they call it? I opted out but my friends probably didn't, so fb knows my number even though I have never uploaded it
[14:13] (whatsapp doesn't do it because they want to harm the press' relationship with confidential sources, btw! they do it because their main userbase-- your friends and family-- want to have access to the chat history wherever they go!)
[14:13] with that in mind, another key point we teach journalists when they're using these technologies is to weigh these imperfections
[14:14] and understand that their source is probably not going to be as prepared as they are
[14:14] next
[14:14] next
[14:18] harlo[m], seems like callowidealist is not there.
[14:18] !
[14:19] harlo[m], feel free to move to the next person
[14:19] sooooo.... what are some projects in FOSS you're excited about?
[14:19] next
[14:20] > <@freenode_j605:matrix.org> they already upload all contacts to fb so it can be shared with the broader universe as they call it? I opted out but my friends probably didn't, so fb knows my number even though I have never uploaded it
[14:20] yep!
[14:22] there are ways to have a "dark phone" if you need to use an app like signal or whatsapp or threema, but that takes a lot of preparation.
[14:22] sometimes i consult on how to do this, but in general, journalists do not practice this type of deep opsec
[14:22] shall i skip to the next one?
[14:22] please
[14:23] they can requeue if they connect again. They might have lost connection
[14:23] j605, right.
[14:23] next
[14:23] Do you plan to continue funding Signal now that it is well funded? Also, how common do you find govt related organizations trying to fingerprint documents to find whistleblowers?
[14:25] good questions!
[14:25] we don't fund signal directly, but we are a fiscal sponsor
[14:26] so this means individuals can send signal donations through us
[14:26] we will probably continue this, even though the Signal Foundation is starting up
[14:27] as for your 2nd question, it has ALWAYS been the case that someone will attempt to fingerprint a document once it leaks to the press
[14:27] there are myriad ways of doing this, and it depends on the agency as well as the medium they have the document in
[14:28] i wrote an article about this: https://freedom.press/training/everything-you-wanted-know-about-media-metadata-were-afraid-ask/
[14:28] there's a section in it that details all the caveats here
[14:29] tl;dr even if you scrub all the metadata, there are some sly tricks an investigator can use to fingerprint a source
[14:29] next
[14:29] How did you start with programming? What inspired you the most? As I read on linkedin, you did not go through a traditional computer science course; rather you picked literature for your undergrad.
[14:29] !
[14:31] true! i did comparative literature in undergrad and a communications degree in grad school
[14:31] i've been programming since i was young, though
[14:31] i thought i was going to go into technical theatre, actually
[14:32] i ended up reading a lot about code as power; which i thought was very similar to what i learned in comparative literature-- only the languages were different!
[14:33] for example, in complit you learn a lot about the english language as a colonizing tool
[14:33] !
[14:34] but in "digital complit" (i'm making this up, lol!) what about how DeCSS made bootlegging movies easier in the caribbean
[14:35] i got kind of obsessed with these ideas, and then i found myself in a class where i could marry all those ideas to the coding i was already doing
[14:36] my professor, who is the head of The Guardian Project (orbot, for example) gave me a job and here i still am 😇
[14:36] next
[14:37] have you evaluated jails/zones in freebsd/illumos? They seem to be more lightweight and have been in use for quite a long time
[14:37] for the purpose of isolation (I don't know how it compares to qubes-os wrt security)
[14:38] i've used jails in freebsd before but i am still very much a n00b in that regard!
[14:39] there is a very active freebsd community here, though, and they say this to me all the time
[14:39] my irc is actually in an illumos zone that I get from joyent :)
[14:40] next
[14:40] Any tips for a Security Researcher who is a beginner ??
[14:41] > <@freenode_j605:matrix.org> my irc is actually in an illumos zone that I get from joyent :)
[14:41] that rocks! i also enjoy stretching my infrastructure in that way. just because i can, and it's FUN!
[14:42] other than lurking on blogs and medium posts, i recommend trying CTFs
[14:42] you don't even have to complete them, or compete
[14:42] just check out a few problems, and work on them at your own pace
[14:43] find a language that you can be nimble with, so you can sketch out ideas as quickly as possible
[14:43] i like that kushal and co have made such a great space for people to feel free to ask questions
[14:43] that is super important
[14:44] and, take the opportunity to "LARP" at being paranoid
[14:44] and should i focus on tools to learn, like an OS like kali linux
[14:44] or should i focus on learning python and trying to build my own tools
[14:44] like... setting up IRC in a jail, behind 7 proxies and a dog or whatever!
[14:44] do it just because it's fun, and because you'll know what that looks like when the time comes
[14:45] there are some evergreen tools within kali that i recommend
[14:45] like binwalk, the airo suite, and nmap
[14:46] but maybe it depends on what kind of security research you want to do
[14:46] kali is primarily for pentesting, and it encourages you to be a generalist, i think
[14:48] and that's totally ok! but ultimately, you're going to want to focus on a certain area
[14:48] while still knowing what the range of topics is
[14:49] is there anything still enqueued?
[14:49] i'll try
[14:49] next
[14:49] one last question, Do certifications like CEH really work in the real world or are they just a waste of money?
[14:50] Like, a Hacker is one who is self taught, but still, to get jobs in the corporate world do we need certifications apart from knowledge ?
[14:50] i couldn't say first-hand!
[14:50] !
[14:50] it depends on the hiring culture where you are
[14:51] some companies are super clueless (and trying to avoid liability) so they'll value certs even though they're not really that useful in real-world scenarios
[14:51] !
[14:51] so, you might find yourself having to get the cert even though you know it's just a "piece of paper"
[14:52] i know some people who complete cert courses just for fun! and if you have the means and the time... why not!
[14:52] next
[14:52] I HAVE NO CERTS BTW
[14:52] since you linked a post on metadata, I wanted to know if you publish often on the site, or do you have a blog I can follow along?
[14:52] okay thanks :)
[14:53] except for a certificate i got in the 4th grade for being the best at BASIC lol
[14:53] !
[14:53] that's cool ...
[14:54] we are starting to publish more, actually. i hope to maintain momentum on our training page
[14:54] i would absolutely love to hear your suggestions for new topics! please keep in touch :)
[14:54] next
[14:54] Most of the participants here will be working for some company in the future. Do you want to tell them something about the ethics they should keep in mind while work in big organizations?
[14:54] s/while work/while working
[14:56] it's been a very long time since i've worked at a big company!
[14:56] but i do remember a few important things from my time in the private sector
[14:57] it may be tempting, especially as a junior employee, to steal people's ideas
[14:57] don't do that
[14:57] it will bite you in the end!
[14:57] !
[14:57] don't use your access to meddle in fellow employees' personal lives!
[14:57] !
[14:57] (i actually saw that once, it was really gross!)
[14:58] harlo[m]: I have a question
[14:58] stand up for yourself, and ask for what you think you deserve
[14:58] brute4s99: get in the queue
[14:58] it may not always be money, but more responsibilities, or access to a project you'd really like to join
[14:58] next
[14:59] What upcoming technology are you excited about / looking forward to ?
[14:59] !
[15:00] right now, i'm interested in shifting attitudes towards DNS
[15:01] everyone's very excited about dns-privacy, dns-over-tls, dns-over-https
[15:01] i'm psyched to see how clients are going to roll out new ways of accommodating that
[15:01] and how we can patch old clients, especially mobile
[15:01] next
[15:01] do we need alliterative names like Trevor Timm or Harlo Holmes to work at the FPF? :P
[15:02] harlo[m]: I just use dnscrypt-proxy on the laptop. If my router had more space I would install it on the router so all devices can take advantage of it
[15:02] ahh, so what do you think about cloudflare's DNS ?
[15:02] haaaaaaa! no! come as you are 😆
[15:03] > <@freenode_j605:matrix.org> harlo[m]: I just use dnscrypt-proxy on the laptop. If my router had more space I would install it on the router so all devices can take advantage of it
[15:03] yep! that's a good one. but just one example of how we have a long way to go for most other clients
[15:03] good question re: cloudflare
[15:04] on one hand, i think it's cool
[15:04] on the other hand, i wonder if it's a powerplay on cloudflare's part to put themselves in direct competition with google
[15:04] and in which case, there's a gif of michael jackson eating popcorn that's very appropriate here!
[15:05] i also think that, while "cute", PR ploys like dns-over-twitter give people the absolute WRONG idea about dns privacy
[15:05] https://giphy.com/gifs/michael-jackson-comments-popcorn-pUeXcg80cO8I8
[15:06] and so, while i'm not going to publicly shame cloudflare about it, it makes me skeptical about their marketing
[15:06] next
[15:06] there might be some cases when we have to use someone's code in our projects. So, are companies totally cool with it, or is it still counted as copying of ideas? Like many, I usually do that, as why reinvent the wheel if you can use it to build a car.
[15:06] haha, I do think it is. I also think google is becoming the microsoft of the IE days, by pushing amp
[15:07] nice one!
[15:07] i hate amp
[15:07] it un-does years of anti-phishing teaching
[15:08] we actually have seen that used in-the-wild
[15:09] next
[15:09] I don't understand, why did you join the private sector in the first place? Also, may we know why you switched to the project? Honestly I don't understand the 'industrial' world yet, so please correct me if I seem stupid.
[15:10] this is old, but an example of what i mean
[15:10] https://www.aidanwoods.com/blog/faulty-login-pages
[15:11] i didn't really make any particular decision! it just turned out that way
[15:11] i started out in the private sector because i didn't have any job experience at all, though.
[15:11] when i got older, i started to be more selective about what i wanted to do
[15:12] next
[15:12] i see.
[15:12] although, i think my computer is about to die!!!
[15:13] (without a cord right now...)
[15:13] roll call: Bhavesh Gupta
[15:13] another one, please! Is there any advice you wish you had gotten when you were 20 ?
[15:14] it was really great chatting with you today! please keep in touch
[15:14] i'm harlo on twitter (and other things)
[15:14] harlo[m], thank *you*
[15:14] harlo[m]: thanks for the session!
[15:14] harlo[m], Thank you for this amazing session.
[15:14] harlo[m]: !
[15:14] Roll Call
[15:14] harlo[m], thanks for the session
[15:14] Jason Braganza
[15:14] Aditya Patil
[15:14] Bhavin Gandhi
[15:14] Manjeet Mehta
[15:14] Jagannathan Tiruvallur Eachambadi
[15:14] Piyush Aggarwal
[15:15] Rakshit Airani
[15:15] Thank you for this great session
[15:15] Sehenaz Parvin
[15:15] Naman Sharma
[15:15] Shubham Sharma
[15:15] Ashish Kumar Mishra
[15:15] Shiva Saxena
[15:15] Priyanka Saggu
[15:15] Anu Kumari Gupta
[15:15] Mayank Singhal
[15:15] Aditya Deshpande
[15:15] Shivam Bansal
[15:15] Rajat Gupta
[15:15] Pradhvan Bisht
[15:15] Thanks harlo
[15:15] tabrez khan
[15:15] Shital Mule
----END CLASS----