Slide 1 text

intro to digital security
Florencia Herra-Vega (@flohdot)
CTO, Peerio (peerio.com)
Concordia Student Union, March 2017

Slide 2 text

what are you protecting? Against whom?
a.k.a. “Threat Modelling”

Slide 3 text

Case Study #1
Amy is an aid worker coordinating a number of colleagues and volunteers in an area that is recovering from a natural disaster and has a number of sensitive resource/land disputes. She gathers some information in the field that could be of interest to local businesspeople, politicians, and police.

Slide 4 text

Case Study #2
Roger is a teenager in a tightly knit, extremely conservative community. He lives at home with his tech-savvy parents and brother. He thinks he might be gay.

Slide 5 text

Case Study #3
Marie is a journalist working on a big scoop about police and construction industry corruption. She has anonymous sources, and she needs to discuss some aspects of the case with colleagues and experts.

Slide 6 text

where is your data?
who owns it? how is it secured? who does it share its data with? what can it see about you?
who owns it? who can access it? how is it secured?

Slide 7 text

where is your data?
who owns it? how is it secured? who does it share its data with? what can it see about you?
who owns it? who can access it? how is it secured?
who owns it? how is it secured? who does it share its data with? what can it see about you?
what data are you sending?

Slide 8 text

where is your data?
who owns it? how is it secured? who does it share its data with? what can it see about you?
who owns it? who can access it? how is it secured?
who owns it? how is it secured? who does it share its data with? what can it see about you?
what metadata are you sending?

Slide 9 text

who’s between you and your data?
wi-fi network, corporate network, ISPs
wi-fi network, corporate network, ISPs

Slide 10 text

where’s the crypto?
“at rest”: disk encryption

Slide 11 text

where’s the crypto?
“at rest”: disk/database encryption

Slide 12 text

where’s the crypto?
“in transit”: TLS/HTTPS

Slide 13 text

where’s the crypto?
“in transit”: TLS/HTTPS

Slide 14 text

where’s the crypto?
“in transit”: TLS/HTTPS

Slide 15 text

where’s the crypto?
“end to end” (sometimes “zero knowledge”)

Slide 16 text

why isn’t everything end-to-end encrypted?
1. someone is making money off your data

Slide 17 text

why isn’t everything end-to-end encrypted?
1. someone is making money off your data
2. encryption is (REALLY) hard

Slide 18 text

why isn’t everything end-to-end encrypted?
1. someone is making money off your data
2. encryption is (REALLY) hard
You have a secret you can’t share and can’t lose.

Slide 19 text

why isn’t everything end-to-end encrypted?
1. someone is making money off your data
2. encryption is (REALLY) hard
You have to verify other people’s “identity” through math.

Slide 20 text

how do i pick my tools?

Slide 21 text

how do i pick my tools?
do they protect the right things?

Slide 22 text

how do i pick my tools?
are they worth the time + money?

Slide 23 text

how do i pick my tools?
are they worth the hassle and rage?

Slide 24 text

You control your own computer (so keep it clean!)
• update your operating system (mobile & desktop)
• update applications
• browse securely with extensions: uBlock Origin (adblocker) & Privacy Badger (tracking blocker) & HTTPS Everywhere
• disk encryption (FileVault & BitLocker) or file encryption (VeraCrypt)

Slide 25 text

Use good passwords
• don’t repeat them everywhere
• long is better than complicated
• use a password manager
• two-factor authentication

Slide 26 text

last tips
• your security is only as good as your weakest endpoint
• don’t forget about physical security
• think about economics
• create solutions you & your friends/colleagues will actually use