## Principles Seminar v0
**Session 3 - Security**
Oskar, 2018-10-10
---
## III. Security
> We don't compromise on security when building features. We use state-of-the-art technologies, and research new security methods and technologies to make strong security guarantees.
---
## Information security
*practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.* (Wikipedia)
---
## Examples
- Private keys and transactions
- End to end encrypted chat
- Darkness (see who is talking to whom)
- Cluster uptime
---
## Compromised security?
- Trivial: Can't restore your account (private keys)
- Subtle: Forward secrecy, either you have it or you don't
- We are responsible for secure defaults
---
## State-of-the-art technologies
- 'Obvious' choices for experts in field
- Chat: Double Ratchet and PFS
- Hardware wallet
- Reproducible builds
---
## Basic security hygiene
- Ex: no password re-use
- Ex: 2FA (without phone recovery)
- Security and privacy week after Prague
---
## Tool: Threat modeling 101
- Pretend to be attacker and follow logic
- Example: House with jewelry (high reward) and open back door (vulnerable) and thief (relevant attack).
---
## Research new security methods
- Magic and crazy
- Be top 1-10% of tech orgs for attention
- Might seem unusual or crazy to some of you
---
## Example research
- Zero knowledge proofs for private transactions
- Darkness, quantum secure, multiparty computation, formal methods...
---
## Tool: Security guarantees
- This might seem hard (it is)
- But you can ask questions and learn!
- Explicit about guarantees
- Simple user stories
---
## Example: E2EE chat
- As a user, I don't want anyone but the person I'm talking to to see my conversations.
- Forward secrecy: If my private key gets compromised, another person can't read my historical conversations.
---
## Example: Private transactions and darkness
- As a user, I don't want someone to know who I am talking to except the person I'm talking to.
- As a user, I don't want anyone but the recipient to know that I transferred money to them.
---
## (security, inclusivity)
- How do we ensure a secure user experience while being user friendly?
- How do we ensure we provide utility for people and aren't paralyzed by extreme threat models?
  E.g. lack of private tx does not mean we only focus on chat.
- How can we work iteratively on security and communicate clearly what guarantees we make and can't make right now?
---
## Pairing and wall of shame
Up to you.
- Idea Generator 1: List pairings and think about positive and negative interactions.
- Idea Generator 2: Think like adversary - how can Status be attacked?
---
## Thanks