Untitled - HackMD

Principles Seminar v0

Session 3 - Security

Oskar, 2018-10-10

III. Security

We don't compromise on security when building features. We use state-of-the-art technologies, and research new security methods and technologies to make strong security guarantees.

Information security

practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. (Wikipedia)

Examples

Private keys and transactions
End to end encrypted chat
Darkness (see who is talking to who)
Cluster uptime

Compromised security?

Trivial: Can't restore your account (private keys)
Subtle: Forward secrecy, either you have or don't
We are responsible for secure defaults

State-of-the-art technologies

'Obvious' choices for experts in field
Chat: Double Ratchet and PFS
Hardware wallet
Reproducible builds

Basic security hygiene

Ex: no password re-use
Ex: 2FA (without phone recovery)
Security and privacy week after Prague

Tool: Threat modeling 101

Pretend to be attacker and follow logic
Example: House with jewelry (high reward) and open back door (vulnerable) and thief (relevant attack).

Research new security methods

Magic and crazy
Be top 1-10% of tech orgs for attention
Might seem unusual or crazy to some of you

Example research

Zero knowledge proofs for private transactions
Darkness, quantum secure, multiparty computation, formal methods…

Tool: Security guarantees

This might seem hard (it is)
But you can ask questions and learn!
Explicit about guarantees
Simple user stories

Example: E2EE chat

As a user, I don't want anyone but the person I'm talking to to see my conversations.
Forward secrecy: If my private key gets compromised another person can't read my historical conversations.

Example: Private transactions and darkness

As a user, I don't want someone to know who I am talking to except the person I'm talking to.
As a user, I don't want anyone but recipient to know that I transferred money to them.

(security, inclusivity)

How do we ensure a secure user experience while being user friendly?
How do we ensure we provide utility for people and aren't paralyzed by extreme threat models?
E.g. lack of private tx !=> only focus on chat.
How can we work iteratively on security and communicate clearly what guarantees we make and can't make right now?

Pairing and wall of shame

Up to you.

Idea Generator 1: List pairings and think about positive and negative interactions.
Idea Generator 2: Think like adversary - how can Status be attacked?

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.