## Principles Seminar v0
**Session 3 - Security**
## III. Security
> We don't compromise on security when building features. We use state-of-the-art technologies, and research new security methods and technologies to make strong security guarantees.
## Information security
*practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.* (Wikipedia)
- Private keys and transactions
- End to end encrypted chat
- Darkness (see who is talking to who)
- Cluster uptime
## Compromised security?
- Trivial: Can't restore your account (private keys)
- Subtle: Forward secrecy, either you have or don't
- We are responsible for secure defaults
## State-of-the-art technologies
- 'Obvious' choices for experts in field
- Chat: Double Ratchet and PFS
- Hardware wallet
- Reproducible builds
## Basic security hygiene
- Ex: no password re-use
- Ex: 2FA (without phone recovery)
- Security and privacy week after Prague
## Tool: Threat modeling 101
- Pretend to be attacker and follow logic
- Example: House with jewelry (high reward) and open back door (vulnerable) and thief (relevant attack).
## Research new security methods
- Magic and crazy
- Be top 1-10% of tech orgs for attention
- Might seem unusual or crazy to some of you
## Example research
- Zero knowledge proofs for private transactions
- Darkness, quantum secure, multiparty computation, formal methods...
## Tool: Security guarantees
- This might seem hard (it is)
- But you can ask questions and learn!
- Explicit about guarantees
- Simple user stories
## Example: E2EE chat
- As a user, I don't want anyone but the person I'm talking to to see my conversations.
- Forward secrecy: If my private key gets compromised another person can't read my historical conversations.
## Example: Private transactions and darkness
- As a user, I don't want someone to know who I am talking to except the person I'm talking to.
- As a user, I don't want anyone but recipient to know that I transferred money to them.
## (security, inclusivity)
- How do we ensure a secure user experience while being user friendly?
- How do we ensure we provide utility for people and aren't paralyzed by extreme threat models?
E.g. lack of private tx !=> only focus on chat.
- How can we work iteratively on security and communicate clearly what guarantees we make and can't make right now?
## Pairing and wall of shame
Up to you.
- Idea Generator 1: List pairings and think about positive and negative interactions.
- Idea Generator 2: Think like adversary - how can Status be attacked?