----BEGIN CLASS----
[13:30] #startclass
[13:30] Roll Call
[13:30] Kanay bhandari
[13:30] sparsh
[13:30] Jagannathan Tiruvallur Eachambadi
[13:31] Aniruddha Basak
[13:31] Mrinal raj
[13:31] Pritam
[13:31] Abhay Kaushik
[13:31] Nilesh Patra
[13:32] vibhor
[13:32] so we have a little motley crew
[13:32] no one else?
[13:32] how many of you read https://summertraining.readthedocs.io/en/latest/opsec.html#
[13:33] say me. if not say no
[13:33] me
[13:33] me
[13:33] ok the rest of you please go read it
[13:33] o/
[13:33] me
[13:33] me
[13:33] will be back in 5
[13:33] Roll call Ankur
[13:33] me
[13:34] me
[13:37] !
[13:37] are we all still here? seems like most of you have read it
[13:37] questions?
[13:37] next
[13:38] jasonbraganza: It's written in the link : Do not use Telegram or even have it installed on your phone.
[13:38] yes
[13:38] why is that so?
[13:39] the app has had lots of vulnerabilities
[13:39] and at times has pulled in unknown code
[13:39] gargantua_kerr[m, look it up on the net
[13:39] basically it does not do what it says on the tin
[13:39] jasonbraganza: ok.
[13:40] it promises secure communication. but it does not deliver on the promise
[13:40] questions regarding backup? password managers? privacy plugins?
[13:41] what plugins have you folks installed after reading this chapter?
[13:41] if you read it before class that is
[13:41] disconnect.me
[13:41] disconnect.me
[13:41] HTTPS everywhere
[13:41] ooh nice!
[13:42] glad to see you folks picking up bits and pieces
[13:42] but then i tried opticlick.eff.org and it still showed fingerprinting possible
[13:42] and how many backup your systems regularly?
[13:42] But I have privacy badger, ublock origin, https everywhere already installed
[13:42] !
[13:42] next
[13:42] https everywhere is still relevant?
[13:43] why do you think it is irrelevant?
[13:43] because most sites have transitioned to https
[13:43] and i heard nowadays browsers also try that
[13:43] *to connect to https
[13:44] iinternaut, so to my mind i'll stick a while longer :)
[13:44] nobody answered me on backups
[13:44] none of you backup your machines?
[13:45] No, I don't keep backups jasonbraganza
[13:45] neither do i
[13:45] me too
[13:45] i mostly code, so i use git and other remaining work is online, which gets synced automatically
[13:45] jasonbraganza: I don't backup regularly
[13:45] I push most of my work to github or gitlab instances
[13:45] iinternaut, also wrt opticlick, you want to make yourself small. being invisible sadly is not really possible
[13:46] gargantua_kerr[m, what about private stuff?
[13:46] knownymous_, because you have no data? or because you like living on the edge?
[13:46] jasonbraganza: private stuff as in?
[13:46] !
[13:47] photos. documents
[13:47] !
[13:47] private stuff are mostly in phones so google backup or one drive
[13:47] gargantua_kerr[m, if you have your passport scanned, you are not pushing that to github are you?
[13:47] swiftkiller, how is that private :)
[13:47] next
[13:47] jasonbraganza, photos documents are backed up in multiple places for me
[13:47] jasonbraganza: No xD
[13:48] do you suggest using online backup solutions?
[13:48] i meant google drive
[13:48] j605, honestly i can tell you what i do
[13:48] i don't use online backup.
[13:48] but i can see the value in them
[13:48] No, I just wasn't much aware of backup but I don't keep anything private on my laptop
[13:49] !
[13:49] but to the folks here i honestly cannot recommend online backup
[13:49] next
[13:49] sorry jasonbraganza , I did not understand "iinternaut, also wrt opticlick, you want to make yourself small. being invisible sadly is not really possible"
[13:49] fingerprinting possible :)
[13:50] so look at what you are protecting yourself from
[13:50]
[13:50] Use Pendrive for all important documents and files
[13:50] oh! got you :)
[13:50] if google/fb, then most of what you do is enough. use tor!
[13:50] next
[13:51] knownymous_, learn to encrypt them
[13:51] use luks
[13:51] jasonbraganza: Yes sure now
[13:52] from your statements though, you sound like a bunch of confused folk
[13:52] you do not backup or backup to google drive :) and then try to avoid fingerprinting :)
[13:52] which in turn also means you have not read the threat modelling chapter before that?
[13:52] https://summertraining.readthedocs.io/en/latest/threatmodel.html
[13:53] who read this?
[13:53] me
[13:53] me
[13:53] me
[13:53] me
[13:54] so have you'll done a basic threat model on yourself and your data?
[13:54] one of you can volunteer if any have done it
[13:54] on myself been doing, on data not yet
[13:55] iinternaut, so what were the results on yourself? and do you need to do anything?
[13:56] yes, i found i keep my laptop unlocked, also external hdd is unencrypted
[13:56] ok
[13:56] so what will you do? are any changes needed?
[13:56] and so i made a list to change this sunday
[13:56] and added a calendar event monthly
[13:56] what will you change?
[13:57] yes, jasonbraganza
[13:57] i will encrypt my storages, make a habit of locking/closing my machine
[13:57] iinternaut, question
[13:57] now that you encrypt your storage
[13:57] if something goes wrong, you lose all your data
[13:57] sure
[13:57] how do you protect against that?
[13:58] I'll encrypt all my thumb drives and external HDD soon
[13:58] anyone else has done this kind of thinking?
[13:58] I read that we should backup to at least 2 storages, offline. I currently don't have 2 storage but have a student account on google drive with unlimited storage
[13:58] gargantua_kerr[m, same question as the one i posed to iinternaut
[13:59] so i was planning on backing up all data to storage too
[13:59] yes I will use a password manager to protect that
[13:59] iinternaut, so what is your threat model with respect to storage
[13:59] jasonbraganza: so have you'll done a basic threat model on yourself and your data? This?
[13:59] you don't want friends to read data, but google is ok?
[13:59] for data i currently see myself unprepared. I need a better approach
[14:00] gargantua_kerr[m, no. once you encrypt your drives are you ok with the chance of data loss? if not what do you do to prevent it?
[14:00] so this thinking is what i need you folks to do
[14:00] not to just blindly do things
[14:01] here's a slightly controversial way i'd do it
[14:01] i am a student
[14:01] so what is my data
[14:01] jasonbraganza: I have read and even talked with people from google that they value customer privacy, so they do not let the data get away.
[14:01] code and personal stuff
[14:01] I'm not fine with losing my data though
[14:02] so i'm ok with code being public and i sync it to github
[14:02] i'm not ok with personal data, but that is small.
[14:02] so i save it on *2* encrypted pen drives
[14:03] i do not use google drive at all to sync any personal data, except for stuff that i do not mind being public
[14:03] does this make sense to you people?
[14:04] it all depends on how much money i have.
[14:04] yes
[14:04] yes
[14:04] and who am i protecting my data from
[14:04] yes
[14:04] please take some time out this weekend and do the same
[14:04] !
[14:04] backups are really important
[14:05] work story, i have had a client pay 35,000 rupees to retrieve one word file from a crashed hard drive
[14:06] because it was a book she was working on for 2 years and she had no backups
[14:06] jasonbraganza: But what if those pen drives get stolen?
[14:06] !
[14:06] yes
[14:06] gargantua_kerr[m, which is why they are encrypted? the chances of you losing 2 pen drives and crashing your drive are minuscule no? :)
[14:06] next
[14:07] !
[14:08] the question apparently is struggling to escape the black hole :P
[14:08] next
[14:08] jasonbraganza: why don't you use google drive? Do you consider it could be hacked?
[14:08] jasonbraganza: I perhaps misunderstood. You meant I should backup the same data onto the two drives?
[14:08] jasonbraganza: :P
[14:09] iinternaut, my data is my data. if i put it on google drive, google can see it. and there are untold cases of google leaking data. so now others can see it.
[14:09] why would i do that?
[14:09] no what if i upload encrypted data?
[14:09] gargantua_kerr[m, yes same data. on two drives. my photos. my precious photos, are on 4 drives.
[14:10] next
[14:10] Are there any secure remote backup services? The ease of access for cloud storage is the huge advantage. Or else I would have to carry the pendrives wherever I go.
[14:11] zarnigma, that is what kushal meant when he wrote about threat modelling. if it has to go online, honestly after 20 years in the business i can assure you there is no foolproof system
[14:11] And how do we guarantee that a service is secure. After all it has centralized control. The owners of the servers can manipulate my data if they want
[14:11] okay got it
[14:11] zarnigma, exactly
[14:11] you could encrypt your data and sync your encrypted data
[14:12] but that adds a layer of complexity which you may or may not want
[14:12] so if you want to expose your data to the net, be intentional about the consequences of them leaking
[14:12] next
[14:12] !
[14:12] next
[14:12] !
[14:12] let me clear out one thing that can we consider the tor browser as a search engine?
[14:13] no SSahid
[14:13] but why?
[14:13] SSahid, do you consider firefox to be a search engine?
[14:13] no
[14:13] but why?
[14:15] actually i thought because it's providing the things like a search engine
[14:15] SSahid, no it is not :)
[14:15] it is a browser that uses an alternate protocol and a private obfuscated way of routing :)
[14:16] !
[14:16] next
[14:16] then it is just a web browser
[14:16] jasonbraganza: what backup software/model do you use and recommend?
[14:16] ?
[14:16] iinternaut, do your threat model over the weekend and ask me this on monday
[14:16] ohh, ok
[14:16] SSahid: yes
[14:16] ok
[14:16] okay jasonbraganza :)
[14:17] SSahid search engine is an entirely different thing .
[14:17] SSahid, did you not attend kushal's session?
[14:17] password managers? who frequently uses them?
[14:17] yes, i attend but there is a little bit confusion, that's why
[14:17] me
[14:18] SSahid, then come around in the day and ask. i loaf about here all day :) don't wait for a session :)
[14:18] only iinternaut is a good guy?
[14:18] not password manager but I use 2FA frequently
[14:18] how you folks keep track of your passwords then?
[14:19] Me
[14:19] jasonbraganza: This might sound stupid. Apologies. But should password managers be trusted? I mean are they secure?
[14:19] aniruddhab, that is like saying, i am not at home, but i have a webcam to see who broke in
[14:19] gargantua_kerr[m, not stupid at all
[14:19] :p
[14:20] aniruddhab, better to lock the door too :)
[14:20] yes
[14:20] gargantua_kerr[m, i use 1password. kushal strongly disagrees with me as to its business model
[14:20] gargantua_kerr[m, but what is my alternative?
[14:20] gargantua_kerr[m, now we have many
[14:21] so there is no excuse not to use one, no? :)
[14:21] gargantua_kerr[m, if you do not use something like keepassxc, what will you do?
[14:21] gargantua_kerr[m: you can use one that is completely local like https://www.passwordstore.org/ .it is open source and depends only on gpg
[14:22] j605: That seems nice, :)
[14:22] i have been using a password manager for 12 years now and 1password for all its faults has been a good steward
[14:22] i can recommend them to others
[14:22] but folks here have better, more secure alternatives
[14:23] local password manager seems to be a good option
[14:23] gargantua_kerr[m, but please don't tell me you have just three passwords or an easily guessable algorithm :)
[14:24] next
[14:24] jasonbraganza: I won't reveal that xD
[14:24] hahahahahahahahahaha
[14:24] so let's call it a night
[14:24] Roll Call
[14:24] Pallav Bhalla
[14:24] vibhor
[14:25] Nilesh Patra
[14:25] Aniruddha Basak
[14:25] Ritwiz Sinha
[14:25] sparsh
[14:25] Sk Sahidullah
[14:25] Jagannathan Tiruvallur Eachambadi
----END CLASS----