----BEGIN CLASS----
[16:35] #startclass
[16:35] micahflee and all you need to do is type next
[16:35] !
[16:36] and micah will go
[16:36] #startclass
[16:36] next
[16:36] micahflee, can you please wait.
[16:36] like so
[16:36] welcome kushal :)
[16:36] gimme a sec please
[16:36] !
[16:36] next
[16:36] Sorry for the confusion, my znc went down.
[16:36] there we go
[16:36] micahflee, Welcome to the dgplug summer training.
[16:36] and now that kushal is also back
[16:36] We will do a roll call now.
[16:36] Roll Call
[16:36] Naman Sharma
[16:36] Prabhu Sharan Singh
[16:36] over to him
[16:36] Priyanka Saggu
[16:36] devesh verma
[16:36] Prashant Sharma
[16:36] Kushal Das
[16:36] Pradhvan Bisht
[16:36] Rishikesh Bamdale
[16:36] Sandeep Kumar Choudhary
[16:36] Ratan Kulshreshtha
[16:37] Anwesha Das
[16:37] Mayank Singhal
[16:37] Micah Lee
[16:37] Nicholas Tollervey
[16:37] Sayan Chowdhury
[16:37] Priyam Das
[16:37] Bhavin Gandhi
[16:37] Jason Braganza
[16:37] Anu Kumari Gupta
[16:37] Gaurav Sitlani
[16:37] Abhilash Raj
[16:37] micahflee, feel free to retype/paste those lines once again.
[16:37] micahflee, stage is yours.
[16:38] Bhavesh Gupta
[16:38] My name is Micah Lee. I work as a security engineer, an open source software developer, and a journalist at The Intercept. I'm also one of the founders of Freedom of the Press Foundation. I'm a pretty big nerd and I love teaching people about how computers and technology work.
[16:38] I have a unique job. Part of it includes investigative journalism, writing articles often based on leaked documents and working with sources, and I also sometimes write a column where I explain computer security stuff for everyone. You can see my articles at The Intercept here: https://theintercept.com/staff/micah-lee/
[16:38] I also work with other journalists to help them with threat modeling, and to protect their sources and secret documents. And I make it easier and more secure for whistleblowers to contact journalists.
[16:38] I'm also an open source software developer. The biggest project I maintain is called OnionShare. It's written in Python, and it lets you securely and anonymously transfer files to other people using the Tor network. You can check it out here: https://github.com/micahflee/onionshare/blob/develop/README.md
[16:38] Ananyo Maiti
[16:38] I also maintain and contribute to a bunch of other open source software projects, like GPG Sync, SecureDrop, Tor Browser Launcher. I use Linux a lot and am really excited about the security-focused operating system called Qubes. Recently I gave a talk at Hackers On Planet Earth (HOPE) in NYC about Qubes that you can watch if you're interested: https://livestream.com/internetsociety2/hope/videos/178431606
[16:38] Souvik Haldar
[16:39] Ok, so now a little bit about how I got started in all of this.
[16:39] It all started with video games. When I was about 13 years old I loved playing PC games, and I started teaching myself to program in C because I knew I wanted to be a video game developer. But by the time I was 18 I spent way more time writing code than I did playing video games.
[16:39] Programming is *really fun* once you get the hang of it, and even just some basic programming skills kind of gives you super powers. While other people have to manually do tons of time-consuming work, if you know how to code you can make your computer do all these things for you, and it's amazing.
[16:39] I've also always loved computer security and hacking. I learned by reading a lot of technical books (today I'd probably use way more online resources) that taught me how to do specific things I was interested in, going to hacker conferences and watching all of the interesting talks, and of course just jumping in and trying to hack stuff.
[16:40] I think the most useful skill for being a hacker is to not be afraid to break things: format your hard drive and test out different versions of Linux. Think something might not be secure? Try to prove it's not secure. I also took an offensive security class that helped a lot. I love playing Capture the Flag games, which are basically competitive hacking contests: https://ctftime.org/ctf-wtf/
[16:40] So when I was getting started, in addition to spending my free time programming video games and hacking, I also started developing websites for money, mostly in PHP with MySQL databases. I worked as a web developer all the way up until I landed my dream job at the Electronic Frontier Foundation. (Technically I was still a web developer there to begin with, but eventually I started doing more stuff.) EFF is an amazing non-profit that works to protect
[16:40] freedoms on the internet.
[16:41] While I was working at EFF, my life changed quite a lot after I got an encrypted email from an anonymous stranger which turned out to be from Edward Snowden. Eventually I wrote up a detailed account of my role in the Snowden leak here: https://theintercept.com/2014/10/28/smuggling-snowden-secrets/
[16:41] So when Laura Poitras, Glenn Greenwald, and Jeremy Scahill got together to start The Intercept, Laura recruited me from EFF to help them work on journalism security there. I wasn't actually planning on becoming a journalist, that sort of happened by accident. But now here I am!
[16:42] Sorry about the wall of text! Take your time reading it, but I'm open for questions whenever you have them
[16:42] !
[16:42] !
[16:42] !
[16:42] next
[16:42] What kind of things did you learn in that offensive security class?
[16:43] sitlanigaurav: This was the class, Penetration Testing with Kali https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/
[16:43] Roll call: tabrez khan
[16:44] I took it a long time ago so it's been updated quite a bit since then. But basically all sorts of network intrusion type stuff. Like, the basics of how an exploit works, and how to write one yourself, and how to scan networks for vulnerabilities
[16:44] next
[16:44] You mention you love teaching people about computers and that you also taught yourself C. Can you share more information about your approach to teaching, what education means to you and perhaps a "wise story" about something you learned when getting into coding..? Thank you.
[16:44] Roll call: Ankit Khandelwal
[16:47] !
[16:47] ntoll: I think that everyone is smart enough to write code and do complicated technical work, and the biggest problems people have when they're learning is they feel like they're not smart enough and have mental blocks. So I like to basically just treat everyone like they're smart even if they don't already know stuff, and go over everything in detail without dumbing it down. I think being very accurate is also important. Like, a diceware passphrase
[16:47] isn't _impossible_ for someone to guess, it's just _unfeasible_
[16:47] <__inovizz__> Roll call: Sanchit
[16:47] !
[16:48] +1
[16:48] Hmm a wise story about coding? Well, I think the wisest story is that the internet is your friend. No programmer has memorized everything and just knows how to do everything off the top of their head. The most experienced programmers still spend half the day reading answers on stackoverflow :)
[16:48] next
[16:48] Micah, how did you find your niche? Are you happy here? Or do you always look for the next horizon ala Sparrow? :)
[16:48] Did you always know, you would end up here? Or was it a process of gradual self discovery, serendipity and skill stacking?
[16:48] Also, favorite book that shook your world views?
[16:48] micahflee: "without dumbing it down" +1
[16:48]
[16:50] I've always been interested in tech and journalism -- a decade ago I helped start a local Indymedia branch, a collectively run news website basically. But I definitely didn't plan my trajectory, or really expect to do this kind of work
[16:52] The favorite book part of the question is hard! I'm not sure if it's the best answer, but I really loved Neal Stephenson's Cryptonomicon -- it's what introduced me to Alan Turing and one of the things that got me excited to dive deep into studying cryptography
[16:52] next
[16:52] micahflee, I was reading an article on MashableIndia, about you which told about the first day you worked for Greenwald, you got access to the air-tight computer system, so then you installed Linux and did a lot of security boosting operations. I would love to know more on those security checks and steps you took.
[16:53] jeet__: I still use air-gapped computers all the time for work, and so do others who work with sensitive documents at the Intercept. The first step is to open up the case and physically unplug the wifi/bluetooth card. This way if somehow malware gets on the computer, it will have a harder time exfiltrating the secrets that are on it
[16:54] Another thing that's important is to do some of the security steps that really you should do on all computers. Set up full disk encryption with a strong passphrase, make sure any guest accounts are disabled, things like that. Beyond that it really depends on what you're using the computer for
[16:55] Would you like to refer any article on this, authored by you.
[16:55] Would love to read
[16:56] jeet__: oh good question. I actually haven't written an article directly about setting up air-gapped computers, but maybe I will! One thing is that Tails, the Linux distro you put on a USB stick, has a lot of nice properties for using on air-gapped computers
[16:56] next
[16:56] !
[16:56] Did you ever meet Edward Snowden in person? Were you scared that the NSA would get to you when you were helping him?
[16:57] !
[16:58] prabhuss: Yes I did meet him in person once! I traveled to Moscow and interviewed him for this article https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/
[16:58] But before that, I totally hung out with his robot, where there's a Snowden head on a robot body he can control :)
[16:58] XD
[16:59] amazing :O
[16:59] XD
[16:59] Before my role in the Snowden leak was public, I was definitely scared that NSA -- or actually really the FBI -- would figure it out. There were a few months where I was paranoid every night that the FBI might raid my house. I had an encrypted Tails USB stick with all of my encryption keys that I used to talk with Ed, and I never let it leave my sight
[16:59] next
[17:00] Did you ever get into some issue while learning pen testing? :P
[17:02] souvikhaldar: ha, like legal trouble? No I haven't. So one thing that's super useful is if you think maybe a specific wordpress plugin has a vulnerability or something, you can install wordpress and that plugin on your own localhost, or on a VPS, and then try writing an exploit for it there. That's totally legal to hack your own labs that you set up for that purpose. Also, friends might be happy to let you scan their wifi networks, try to hack their
[17:02] websites, etc., with their consent
[17:03] But I've definitely done a whole lot of setting up my own labs so I could try to hack them. And playing CTF games! They're very fun
[17:03] next
[17:03] So, you were hired to make sure that the Snowden documents aren't hacked. Can you share with us how difficult it was for you to actually work with that responsibility in a nation whose supremes were wholly scrutinizing Snowden?
[17:03] !
[17:04] priyankasaggu119: I can't go into a lot of detail about how we protect Snowden documents. But one interesting thing is that the US government really isn't our biggest adversary. The Five Eyes (US, UK, CA, AU, NZ) already have access to this data -- the biggest adversary is the governments that don't have access and really want it, like Russia, China, Iran for example
[17:04] next
[17:05] Thank you micahflee.
[17:05] Can you briefly explain what CTF challenges are like? Is it only cryptography problems or do you need to do some pen testing stuff?
[17:05] !
[17:06] !
[17:06] !
[17:06] !
[17:08] So there is a wide variety of CTF challenges, and normally they're separated into different categories like forensics, web hacking, and binary reversing. A forensics challenge might be like, "hey you, I recorded all this wifi traffic but now I don't know what to do with it. can you find the flag?" and then you download a pcap file, which is a dump of network traffic. Then you need to open it in wireshark and might notice that it's an IRC session, and
[17:08] someone uses DCC to send a file, and so you have to figure out how to extract the file from the pcap file, and inside it's a PDF that includes the flag. Or something :)
[17:10] Ok so is it aligned to real world problems?
[17:10] And a web challenge might be a custom website setup where you can post comments and report comments, and when you post a comment you might discover that you can put