----BEGIN CLASS----
[13:07] #startclass
[13:07] Interesting. batul doesn't like kushal
[13:07] anyway, we will debug this later.
[13:07] Roll Call
[13:07] Kushal Das
[13:07] aman
[13:07] Saptak S
[13:07] Anjali
[13:07] Abhishek Dasgupta
[13:07] Shivam
[13:07] mars
[13:07] Jason Braganza
[13:07] Sahil Dhiman
[13:07] Ritik
[13:07] Saransh sood
[13:08] Shubham
[13:09] Sandeep Choudhary
[13:09] Okay, before today's main session, a small reminder about communication.
[13:09] Nagarjan
[13:09] I wrote an email to the list asking about what Linux distribution you are using.
[13:10] No one replied back to the list, instead 4 people replied to me privately.
[13:10] Among them, Nagarajan K & Shivam Soni did a nice bottom/in-line reply.
[13:11] RITIK SRIVASTAVA & Abhinay Sambherao top posted back to me.
[13:11] Anjali replied to me after changing the whole subject line.
[13:11] Now, none of these are proper replies.
[13:12] You received a mail, you are supposed to reply back to the list.
[13:12] Not to the author privately.
[13:12] You are not supposed to reply as a top post.
[13:12] RITIK SRIVASTAVA & Abhinay Sambherao, are you here?
[13:12] I am here
[13:12] If yes, then can you please tell us if you had any trouble in doing a bottom/in-line reply?
[13:13] We are here to help you.
[13:13] Also, I wrote an email to the list, hoping to get a reply back there, but Supekar2610 just now PMed me to tell the information.
[13:13] That is not effective communication.
[13:14] anjali, also, can you please tell us why did you think that you should change the subject line?
[13:14] actually, after sending the reply, I remembered that I should have sent inline
[13:14] People please answer these questions here, and then only we should move on to today's content.
[13:14] ritik, okay, and did you notice that you are replying to me instead of the list?
[13:14] yes
[13:15] so from next time, please do reply to all and maybe delete the actual author from the reply.
[13:15] I thought of sending it to the whole list then I thought that, maybe this information is not meant for everyone so I replied only to you
[13:16] ritik, ah okay.
[13:16] i chose reply instead of reply all. Now i understood, hereafter i will correct it.
[13:16] Does anyone else want to write what went wrong?
[13:16] If you don't talk about it here, no way you will remember to do this correctly next time.
[13:16] Kushal I thought that it would be better to reply with the new subject instead of using the same subject with Re:.
[13:16] Please understand that we all do the same mistakes again and again.
[13:17] anjali, ah, but that breaks the email thread. Now, your email is a totally new email rather than becoming part of the thread it should be.
[13:17] I think it might be good for everyone to just reply again to the mailing list in the correct way. Just as a practice. And also because only kushal has read your replies and everyone else should also be able to read.
[13:17] anjali, if you read back mbuf's session logs and presentations, you will find more details about when you have to change the subject line.
[13:18] saptaks, great idea.
[13:18] I didn't notice that there is a different button for replying to the list in thunderbird.
[13:18] Now, we will wait for 5 minutes, everyone please reply back to the list with proper details.
[13:18] shivam, see, now you learned a new thing :)
[13:19] And don't worry. I myself have done the mistake of replying to the sender instead of the mailing list. Different email clients also make very different UX sometimes that might be confusing.
Hence, the learning
[13:21] to know what kushal refers to when he says thread, all your replies when you *do* reply to the list get archived in our pretty new mailing list archives
[13:21] so see how this thread looks - https://mail.python.org/archives/list/dgplug@python.org/thread/GLT6ELAWPK3WLMJAON2QEWF27SLZA6P2/
[13:22] when everyone uses inline/bottom posting and replies to the list, using the same subject, it makes for a really nice reading experience
[13:22] I see that circuitl- has replied
[13:23] saptaks, feel free to take over the session
[13:23] This is how the thread that kushal sent for you all looks like: https://mail.python.org/archives/list/dgplug@python.org/thread/BOZ3QWKDBQOZD5A5C24SLKWN4FXVM5EB/
[13:24] So when you reply correctly, you should be able to see your replies there
[13:25] Okay. In case you are not replying now and planning to do it later, I hope everyone here understands what went wrong, and sends a reply before the next session
[13:25] anjali, ritik shivam circuitl- are you all back here?
[13:25] reply yes
[13:25] yes
[13:25] yes
[13:25] yes
[13:26] yes
[13:26] yes
[13:26] Okay great!
[13:26] So talking about emails, let's talk about some Digital Security basics
[13:26] I will try to keep it interactive so please do reply.
[13:27] I will give breaks in between to ask questions
[13:27] So first question: Did all of you watch the "Nothing to Hide" documentary that jasonbraganza had shared in the last session?
[13:28] yes
[13:28] reply yes or no
[13:28] no, i will see after this session
[13:29] no
[13:29] no
[13:29] no
[13:29] no, i will see it tonight.
[13:29] yes upto 30 mins
[13:29] no
[13:29] I have seen it earlier but don't remember much
[13:29] okay.
[13:30] Now, when you all heard today's session is about Digital Security, what came to your mind? What do you think digital security is?
[13:31] !
[13:31] keeping our digital footprints intact
[13:31] firewall
[13:31] next
[13:31] mars, and what do you mean by digital footprints?
[13:32] after seeing the topic, the words that popped out of my mind are hacking, cybersecurity, mass surveillance...
[13:32] Digital security is the collective term that describes the resources employed to protect your online identity, data, and other assets.
[13:32] from a layman's perspective, in day to day life keeping your data in your control
[13:32] Safely using the internet without leaking unintended information.
[13:32] rishu_raj, seems like someone google searched :P
[13:33] :)
[13:33] yes. mostly all of you are correct in some sense of the word.
[13:33] So Digital Security is the way to protect yourself, your data and any other asset that you have both online and offline.
[13:33] So think of it as security practices for human beings.
[13:34] They are measures that we employ to prevent human errors, or protect ourselves against human errors.
[13:34] Human errors are always more complicated to handle since they are not automatically prevented by "military grade" security tools or software.
[13:35] It's not like you learn how to prevent let's say SQL injection and use the same code everywhere. No. Digital Security almost has nothing to do with code as such.
[13:35] But to help protect yourself and your data
[13:36] And honestly for everyone in India, today is a very apt day to be having this session. Because our data protection bill (with arguably many flaws) is getting withdrawn and no clue if we are going to have another data protection bill.
[13:36] But that's a discussion for another day
[13:38] So, the reason I asked you all to watch the Nothing to Hide documentary was, I have heard that argument millions of times while doing digital security training
[13:39] You all might also be wondering why are we having this session at all?
[13:39] Because as much as you like to say "I am an open book, I have nothing to hide" there will always be a scenario where you will need privacy and security.
[13:39] It can be in your personal life for personal reasons, it can be for the work you do in a company (since a company's digital security is as secure as its least secure employee), or it can even be for your side projects, research and 1000 other reasons.
[13:40] So if tomorrow you write open source code that is used by millions of other projects, and you don't practice digital security, millions of projects may get affected because of that.
[13:40] And if even a few 100 of those projects are mission critical to human lives, then the risk is even higher.
[13:41] So I hope everyone is on the same page with me that digital security is important, and everyone has some data about themselves in today's technological world that they need to protect for whatever reason?
[13:42] Any questions till now?
[13:42] no
[13:42] no
[13:42] no
[13:42] no
[13:43] no
[13:43] no
[13:43] when no one has any questions, i concur 2 things from it - either you agree and understood everything I said, or you got bored and didn't read through
[13:44] Now as much as I hope it's the first one, almost always there should be some disagreement. So I hope you ask more questions through the rest of the session.
[13:45] So now that we have established that the idea of nothing to hide is not always true, there is one more important idea that I want to establish.
[13:45] one very important thing to remember, and I cannot emphasise it enough, is that everyone's security practices might look very different from everyone else's.
[13:45] So a solution that works for me, might not be feasible for you. Or some practices that might be enough for me, might not be enough for someone else.
[13:46] So I would request everyone to stop thinking like either you are fully secure, or not secure at all. It's not binary.
[13:46] To explain why I say that, I would like to introduce a concept called threat modelling or threat assessment
[13:47] So what is threat modelling?
Threat modelling is a way of assessing the risk posed to you and your assets and who are the ones you are trying to defend against.
[13:47] Everyone's threat model might be very different from everyone else's
[13:48] basically an activist's threat model might be very different from a developer's threat model who is releasing a super important project which a lot of large projects depend on.
[13:48] Any questions?
[13:49] no
[13:49] !
[13:49] next
[13:49] !
[13:49] Does the threat model always depend on the particular things one does?
[13:50] !
[13:51] specbeck, Usually. but not always. It can depend on people you interact with as well. So let's say I am a normal digital security trainer. I don't do anything risky, I don't have any risky data. But let's say as a digital security trainer I teach college students security hygiene. My risks might be very low. But let's say I train activists, then my risks will be super high as well, since I might be a way to get through to them.
[13:52] Same goes for coding. If you write websites which are just landing pages, versus you make websites which are documenting internet freedom or press freedom
[13:52] specbeck, does that answer your questions?
[13:52] Yeah, got it.
[13:52] next
[13:53] saptaks, I got my answer
[13:53] great!
[13:53] some basic tenets of threat model? how to go about thinking about it broadly
[13:53] next
[13:53] mars, good question. And I was coming to that.
[13:53] There are 5 steps of threat modelling, but I won't be going through that.
[13:54] I want people to read up on their own as well. So read through https://summertraining.readthedocs.io/en/latest/threatmodel.html and ask any doubts tomorrow or later
[13:54] sure
[13:54] or even today if you finish reading it today
[13:54] ok
[13:55] Ok
[13:55] If possible, after reading that chapter, think about your own threat model. No need to share with me.
But it will give you an idea and suddenly you will realize much more what are the things you need to protect and from whom
[13:56] If you have questions about how to protect, that's an interesting way to start some discussion here in this channel.
[13:56] Sounds good to everyone?
[13:56] yes, great
[13:56] yes
[13:56] yes
[13:56] yes
[13:56] awesome!
[13:56] yes
[13:56] Any other questions?
[13:56] no
[13:56] no
[13:57] !
[13:57] next
[13:58] How do we know for certain against whom we are defending our data or assets?
[13:59] that may depend on the kind of work you are doing. And that is one of the steps in the threat modelling chapter. So, I can discuss in detail later. But the short answer is, you ask yourself "Who gains the most from compromosing my assets or data"
[14:00] s/compomosing/compromising
[14:00] Oh, interesting, got it.
[14:01] Ok. so now that we have established that everyone has different threat models or risk, there is still some digital security hygiene that almost everyone who uses technology should follow.
[14:01] So we are going to go through them.
[14:01] Who here has a password which has just 1-2 words, or someone's name, or location, or something you can remember easily?
[14:02] o/
[14:02] Hey guys i just popped in to say I'm sorry I missed the last 2 sessions, college just started this week, got stuck on the way back
[14:03] emsar046, okay. I hope you went through the logs for the last 2 sessions? And we are still going on with today's session, so you can join in.
[14:03] just to repeat the question: "Who here has a password which has just 1-2 words, or someone's name, or location, or something you can remember easily?"
[14:04] and from the response it would appear that apart from specbeck everyone else has a very strong password
[14:04] no, i use passphrase mostly
[14:04] I always keep a password that is difficult enough to remember.
[14:04] okay.
[14:04] circuitl-, abhishek the same password everywhere?
[14:05] or a different passphrase/password for every site / context?
[14:05] I generate a random string every time and set it as a password
[14:05] no, different only
[14:05] Okay. for everyone else who is not sure about their passwords, one of the very very very important things to remember is never use passwords, use passphrases.
[14:06] jasonbraganza: no I use a different password for each website/app
[14:06] Now, what do I (or in this case circuitl- ) mean by a passphrase?
[14:06] Unlike a password, a passphrase is a sequence of words (preferably 6+)
[14:07] The advantage of passphrases is, since they are a combination of words, they are super long. Even though they are perfectly readable.
[14:07] So brute forcing a passphrase is much more difficult
[14:07] I hope everyone understands what a passphrase is now? Does anyone have any question?
[14:08] !
[14:08] next
[14:09] some websites / services don't accept passphrases, so how can we make passwords stronger, any tips or tricks?
[14:09] circuitl-, example?
[14:09] tell us a service which does not.
[14:09] nationalised banks
[14:09] some indian mutual funds
[14:09] like even banks don't accept the space character
[14:09] some life insurance companies
[14:09] there are plenty of indian orgs :)
[14:10] yes
[14:10] so don't use space, and add whatever they are asking to the front or end or in the middle.
[14:10] Those are still passphrases.
[14:10] circuitl-, jasonbraganza and that is a very very sad reality of India.
[14:10] If something takes passwords, then they take passphrases.
[14:10] but like kushal said, for a passphrase, you can just omit the space
[14:10] ok, i get it now kushal:
[14:10] the issue is usually not the space, the issue often is the length of the password.
[14:11] ^^ exactly
[14:11] or use other characters like hyphens.
or capitalise the beginning of every word
[14:11] And I have complained about it too many times and still have no clue why they think they are using military grade security by allowing only 16 characters in the password field
[14:12] yeah some allow limited characters only
[14:12] Well what I try there always is to at least hit the maximum limit.
[14:12] yeah ok
[14:13] And maybe flag about this on social media if you are into activism.
[14:13] but that's a topic for another day I guess
[14:13] anyone else has any doubts about passphrases?
[14:14] no
[14:14] reply yes or no
[14:14] no
[14:14] no
[14:14] No
[14:14] No
[14:14] no
[14:15] no
[14:15] Okay, circuitl- and abhishek have already answered the next question. Who else here uses the same password/passphrase in all or some websites or services?
[14:16] So let's say I know your passphrase for facebook, what are the chances I can login with the same passphrase to your instagram/twitter?
[14:16] zero
[14:16] I use the same thing everywhere
[14:16] 0.1%
[14:17] 50%
[14:17] saptaks: i used to use the same password long ago but then I came to know that my password got leaked in a data breach.
[14:17] ritik, well it's never zero :P I might have other tools up my sleeve that you don't know about :P
[14:17] saptaks, hehe
[14:17] yea, but you cannot use ritik's password :)
[14:18] jasonbraganza, :)
[14:18] true. and that's good.
[14:18] But many others might be using same or similar passphrases in multiple different services if not everywhere
[14:19] And usually the reason for that is how do I remember a million different passwords.
[14:19] And now by saying "Use passphrase" I have asked you to remember even longer random texts.
[14:19] So how do you do that?
[14:19] The answer is, you don't
[14:19] You use something called a password manager.
[14:20] can use forgot password every time
[14:20] A password manager is a tool that helps you store all your different passwords encrypted with a master password.
[14:21] For the rest of the session when I say password, i mean passphrases. Sadly that terminology has not caught up with all tooling and explanations.
[14:21] You can use something like https://bitwarden.com/ or something much more bare-bones like https://www.passwordstore.org/
[14:22] like we said in the beginning of the session. Digital security is all about minimizing and protecting against human errors.
[14:22] !
[14:22] And a password manager is a super important tool for that.
[14:22] I had an incident where I even forgot the master password
[14:23] !
[14:23] So the next thing I want all of you to do after today's session is start using a password manager and at least change some not-so-important web service's password to a passphrase and store them in the password manager.
[14:23] most password managers will have a passphrase generator that will help you
[14:24] And exactly for the reason specbeck just said, i want you to start with some not-so-important web services. And start getting into the habit
[14:24] Digital security is all about creating habits, so that they start getting into your muscle memory
[14:24] okay question time
[14:24] next
[14:24] Isn't there a chance that the websites or password managers you mentioned for passwords are themselves hacked by someone and might be saving the passwords that they are generating so that they can use them at the time of attacking
[14:26] So most of the well known password manager tools and teams will have the best security code that you and me may not have on their side since they are providing password manager as a service.
[14:26] But yes, that threat is there
[14:26] And hence coming back to my point of threat modelling
[14:26] okay
[14:26] If your threat model needs you to think of that, you can use an offline password manager
[14:27] there are offline password managers like https://keepassxc.org/
[14:27] But then you need to consider if your threat model now requires you to be super careful about your own laptop
[14:27] okay
[14:27] because what if your laptop gets hacked
[14:28] and so on and so forth
[14:28] so it will all depend on your threat model.
[14:28] And that's why you should never say since it's not fully 100% secure, that means it's not worth using. Because almost nothing is 100% secure.
[14:28] okay?
[14:28] yeah
[14:29] next
[14:29] nothing is secure
[14:29] !
[14:29] next
[14:29] any service recommendations, who do the password management well?
[14:29] other than you mentioned
[14:31] I usually like the 3 that I mentioned. Those 3 serve very different audiences so you can choose which suits you and your threat model. If you will be using the password on multiple devices and among multiple team members, etc. then bitwarden is pretty good. If you are worried like ritik and want to store everything offline, then keepass. If you don't like GUI and want everything to be in terminal and controlled by you and love gpg encryption, then the
[14:31] pass tool that i linked
[14:31] There is also 1password which is ood
[14:31] s/ood/good
[14:32] And lastpass is also there
[14:32] thanks
[14:32] I usually recommend bitwarden because it is open source
[14:32] any other questions?
[14:32] !
[14:32] next
[14:33] Background story: My friend is studying Information and cybersecurity. He is planning on building a new PC for his cybersecurity study. I am helping him with the spec for the PC. We are looking for a graphics card which will be helping him for testing in cracking password strengths. I have searched the internet and found hashcat tool benchmarking is used by some people.
[14:33] Is there any other benchmarking standard we can refer to for selecting a graphics card for this kind of purpose? Or which parameter should I look at that can tell me the performance of the graphics card in cracking passwords?
[14:34] stark20236, wrong question for this session.
[14:34] stark20236, we can talk about it after the session.
[14:34] any other question?
[14:34] no
[14:34] okay
[14:35] So now I am going to go through a few more best practices which might make me sound condescending, but they are important!
[14:36] Firstly, never keep your computer unlocked. Whether that be at your office desk, or in a starbucks, or even at a friendly gathering or party
[14:36] Secondly, if possible, never click on a link. But that's difficult since I myself pasted links in today's session.
[14:37] So a better suggestion is don't click on random links. So whether it be a facebook random person, or an email from a bank, never click on the link. Also, don't click on a link but copy paste the link. If there is no link visible, but just an HTML button looking element, then avoid clicking on that. turn off html and then copy the link. Or even better is to go to the particular web service and check if you got some related notification there.
[14:38] Thirdly, don't download random software, or documents. This is similar to the before.
[14:38] Fourth, don't plug random USBs into your device. Also, don't use your USB charger on random ports.
[14:38] Sixth, update your software and OS regularly
[14:39] s/Sixth/Fifth
[14:39] Seems like my brain forgot counting
[14:39] lastly, don't use incognito mode in the browser and expect privacy.
[14:39] !
[14:40] I know I sound patronizing and you may think like who doesn't know all these, and these are very small things, no one in the real world gets attacked by these.
[14:40] But that's not true. Here's an example from 2 days back: https://twitter.com/0xdf_/status/1554152068327276547
[14:40] Any questions from all the points that I just mentioned?
[14:40] next
[14:40] is tor browser the same as a normal chrome incognito, or is there a difference
[14:41] ritik, there's a huge difference. kushal will tell in detail about tor browser in a later session
[14:41] okay
[14:42] But in short, tor makes your data anonymous. So it helps you stay anonymous without sharing much identity about you on the internet
[14:42] incognito mode does nothing
[14:42] !
[14:43] the only thing incognito mode is good for is if you have guilty pleasure songs that you love listening to, but don't want to come up in your search bar when presenting in office, that's the only time incognito mode makes sense
[14:43] but your internet provider, the web service, any surveillance org will still know about your guilty pleasure though
[14:44] So, yeah, incognito mode in any browser doesn't provide any protection or privacy
[14:44] next
[14:44] saptaks just answered it
[14:44] somehow I am answering questions even before they are asked. :P
[14:45] Any other questions
[14:45] I just told 6 points, so I feel there should be many more questions
[14:46] no questions, but the link you shared, a similar incident happened to me as well
[14:46] !
[14:46] next
[14:47] saptaks talked about an html button instead of a link and turning it off, I don't know anything about HTML so what's my way around the issue?
[14:48] Aah. So what I meant there is if you are using an email client like the gmail website for example, many times you will see emails that have a button saying "Click here" and no visible link
[14:48] So an email can be sent in 2 formats - HTML format (which means it can be stylized, etc.) and plaintext format
[14:49] Most of the web services like to send HTML email because they look beautiful
[14:50] So if you use an email client that doesn't support HTML emails, or clients like gmail and others usually have some way or trick to see the email in plaintext. So once you do that, you will see a bunch of random HTML code from where you can copy the link.
[14:50] Now that might be just too complicated
[14:51] hence the suggestion of avoiding clicking on the link, or opening the website directly, and checking your notifications there
[14:51] !
[14:51] Okay, thanks saptaks
[14:51] next
[14:51] !
[14:52] next
[14:52] if we have a html button, can we just right click and get the link or if it's a shortened link we can unshorten it by using any service right
[14:53] yes. you can right click and get a link.
[14:53] !
[14:53] usually I advise never to click on a shortened link at all.
[14:54] ok thanks
[14:54] You can definitely unshorten and check, but probably just avoid fully
[14:54] next
[14:54] more commonly faced, any recommended practices around mobile? app download, permissions, communication channels etc.
[14:54] mars that's a great question. Thanks for asking! let me answer them one by one
[14:55] app download: There are a few practices around this.
[14:55] 1. go to the official website for the app, click the app download link in the official website and then download.
[14:56] The reason for this is there are many fake, malware filled apps in both play store and app store with the same or similar name as other apps. So searching might sometimes be a bad idea
[14:56] So always go to the official website and download via there
[14:57] 2. if for some reason you have to search, verify the author of the app. This will need you to know for sure who the author is. So like instagram should have something like Facebook inc. or something in author.
[14:57] 3. Never ever install a random .apk
[14:58] !
[14:59] Now permissions: this will depend highly on your threat model and the kind of apps you have on your phone. usually I turn off location service for everything, also never give permission to camera or file storage (apart from maybe your camera app and video calling app). Always always always read the privacy policy of an app to understand how they use the data you are permitting them to use.
[14:59] Because mobile permissions are one of the things that can leak a lot of metadata about you
[15:00] especially if you like having 100s of apps installed on your phone
[15:00] Also, related to that, reduce the number of apps on your phone as much as you can.
[15:01] The more the number of apps, the more paths a security attacker has to get into your phone.
[15:01] And lastly about communication channels, that's the last part I will discuss in this session so coming to it in a bit
[15:01] does that answer all your questions mars?
[15:02] pretty much
[15:02] next
[15:02] saptaks also talked about not downloading random software, I like producing music so I often need to download plugins, but they're so expensive I can't possibly buy them, so I look for pirated versions, is it possible to find sources that give this pirated software malware-free or a way of checking if I'm unknowingly malware, or should I avoid
[15:02] this altogether
[15:03] You should avoid this altogether
[15:04] The only possible solution to that is look for an open source alternative for those plugins or software if you can
[15:04] That's the only option for paying the money.
[15:05] But else there is nothing guaranteeing that a pirated software doesn't have malware.
[15:05] So if you still need to download, you have to think of your threat model, maybe get a separate computer that doesn't matter if it gets compromised, etc. etc
[15:05] So the simple solution is avoid and try finding an open source alternative
[15:06] or ask around in the communities and channels if they want to share a subscription somehow
[15:06] you never know
[15:06] Right, thanks
[15:06] any other question
[15:07] answer in yes or no, so I know that some people are still there and didn't get bored and leave
[15:07] no
[15:07] no questions
[15:07] no
[15:08] no
[15:08] Okay. Some people are still there, great!
[15:08] !
[15:08] next
[15:09] tell us about fdroid, so people here might know
[15:09] s/might/will
[15:10] Sorry, I lost the connection in between.
[15:10] Okay. F-droid is an android app repository of mostly FOSS apps. https://f-droid.org/ But most of the time I will recommend not to just go and search. So follow the same practice like before and only try to download an app from f-droid if a link for that is provided on the official website
[15:11] We can discuss more about it after the session since it's not directly related to today's topic
[15:11] Okay, guys, I'm gonna have to leave, my german classes have started, i'll go through today's logs to see what I've missed, and hopefully i'll be back home in time the next day, to join the session on time
[15:11] thank you
[15:12] Okay. So I will go through the very last few points. And then end the class to discuss more things freely
[15:12] So a few communication best practices I want to mention, which is something mars had asked I think as well.
[15:13] Try using an end-to-end encrypted, non-data collecting app for communications like Signal
[15:13] Use privacy extensions like privacy badger, etc with your browsers to avoid advertisement tracking while browsing the web
[15:13] Use Tor for everything on the internet. Read https://www.eff.org/pages/tor-and-https. And then kushal will talk more about it in a later session
[15:14] And lastly, though not related to communication, have 2FA for all your web services (whichever provides that feature) and also encrypt all your devices, whether it be phone or laptop or desktop.
[15:15] Any questions related to that? Else we will finish the session and discuss things freely.
[15:15] And try to stay away from SMS as 2FA.
[15:15] no questions
[15:17] Okay. one last thing to ask everyone. Would everyone prefer if the session times were postponed from 1300 UTC to 1400 UTC? Basically 1 hour later?
[15:17] sure, ok for me
[15:17] Reply in yes or no who will prefer that.
Yes if you want it postponed, no if you want it to be at the same time.
[15:18] yes
[15:18] yes
[15:18] yes
[15:18] yes
[15:18] Yes
[15:19] Okay
----END CLASS----