Difference between revisions of "Security Overview"

Jump to navigation Jump to search
326 bytes added ,  13:36, 17 December 2013
→‎Fingerprinting: link to tor bug tracker
(→‎Endpoints: clean up, expand a little bit)
(→‎Fingerprinting: link to tor bug tracker)
 
(3 intermediate revisions by the same user not shown)
Line 21: Line 21:


=Endpoints=
=Endpoints=
* nonfree software (microsoft, apple, google: all evil)
early security: mainframes, protecting users from each other
* security updates: package managers are the only way
* app stores add complications: paywalls, "permission creep"
* how exploits work: backdoors, CVEs, black market, foxacid
* hall of shame: skype, silverlight, flash are all evil
* early security: mainframes, protecting users from each other
* how a computer works
* how a computer works
** picture a vast table of index cards - that is memory, it is addressable
** picture a vast table of index cards - that is memory, it is addressable
Line 62: Line 57:
** botnets: send spam, mine bitcoin, steal your identity
** botnets: send spam, mine bitcoin, steal your identity
** black market for pwnd computers, amazon accounts, etc
** black market for pwnd computers, amazon accounts, etc
** backdoors, CVEs, foxacid
** because exploits are valuable, they use sparingly to avoid discovery
** because exploits are valuable, they use sparingly to avoid discovery
** updates
*** always update!
*** package managers are the only way
*** app stores add complications: paywalls, "permission creep"
** nonfree software
*** microsoft, apple, google: all evil
*** hall of shame: skype, silverlight, flash are all evil
*** http://www.wired.co.uk/news/archive/2013-10/21/googles-iron-grip-on-android
* defense in depth
* defense in depth
** antivirus
** antivirus
Line 131: Line 135:


* SSL
* SSL
** show example of site that sells SSL certs (namecheap.com)
** example of site that sells SSL certs: https://www.namecheap.com/ssl-certificates.aspx
** show directory with certs your OS trusts
** example of who an OS trusts (Arch Linux uses Mozilla's cert list): https://www.archlinux.org/packages/core/any/ca-certificates/
** any of these orgs can impersonate any website
** any of these orgs can impersonate any website
** cert authorities don't solve mitm, just narrows down who can do it
** cert authorities don't solve mitm, just narrows down who can do it
Line 180: Line 184:
* https://panopticlick.eff.org/
* https://panopticlick.eff.org/
* http://browserspy.dk
* http://browserspy.dk
* tor bug tracker is always thinking of new problems https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting
* https reduces attack surface but does not solve
* https reduces attack surface but does not solve
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE
** with http you are vulnerable to fingerprinting from EVERYONE EVERYWHERE

Navigation menu