 On the website, I think you guys might be familiar with it. This is called haveabinpond.com. I took it, I think, for my previous week's meet-up. So there are around, like, 12 billion Pond accounts. But if you go to the same website, haveabinpond.com now, at least you will see some numbers have increased, which means the credentials are being stolen and pawned every day. It's not decreasing. You see, it's always increasing, which means you can actually give your email address and see whether your account has been part of any of the major vulnerable breached accounts. So not to mention, even Google Dropbox or Onebox Drive, all those things are susceptible to all these attacks. No wonder that small accounts, Google and Facebook, they put all the energy in securing their accounts. But how can you be so sure of some email application, like your e-commerce application, can manage the credentials? Some problem of the passwords, which is still relevant, the problem of passwords is there, like, since the day it was created. One, it was like, it's easily guessable. So if you just go to any, what is the top passwords? I think one password and bit modern they use to release. What is the most common passwords that are being used? It's either easy, like, it's Quarty or some like the first few characters of your keyboard or guest, or sometimes it's password. And you see this Wi-Fi here, right? It's passwordless. I mean, there's no password here. So if you're connecting with the Wi-Fi, which means that you're all connecting to an network account, just not protected with password at all. So we are living in that world. Like, have you been to any other public premises where the password is so complex that you have to type in? Normally, the malls account, right? For example, is a capital square, the password is like, capital one, two, three, right? It's not that complex. So anybody who wants to, you know, attack your account can easily get in. So that's one common thing of passwords that are being easy and guessable. It's sometimes even these passwords are, you know, like when you go to join a new company, normally they write your password in a sticky note and then they give it to you. And then normally I see people putting that on their desk. So anybody who can just get their account and then do it, if they want to do something, breach some of the accounts, they can just impersonate that person and then can be acting as a vulnerability. So the other problem is like, the industry advised that, okay, these passwords are guessable. So let's make an application and tell them that, you know, I think you have seen this, like the password weakness and stuff, right? Like there is a marker that says like, how complex are your passwords? So we try to educate, like shift the burden of the users, tell them like, you know, application demands it. You have to have like 12 characters. You should have a, you know, a complex number or you should have a, you know, character. You have a number on all those combinations that at least you should have. You should have an uppercase letter, lowercase letter. We try to, you know, educate the user and then tell them like, you know, try to create the password credentials that ideas to all these rules. What happened was that most of the time they have to create a password that there's no other choice to use the application. But what they did was like, they came up with one magic password. So it's very difficult for them to remember the password for, you know, for every account. So what they did was like, they tried to use the same password again and again in different accounts. So they use the same password for Facebook, Gmail, Instagram, and yeah, what not. What happens is that it's called credential leakage. It's like kind of stuffing. So then one application got vulnerable and that password is leaked. That means that the people can take that password and then go to different accounts. Be it social, be it your financial account, they can just use it. So that's another problem. So what they came up with another problem is to solve this problem is like getting MFA. I think now people are trying to educate like you have one time password or TOTP, use authenticators. This is still not like phishing resistant. Like anybody can mask your number and then they get their password on your behalf. It's still possible. And there is, in addition to this, there is a user friction. So whenever you have to log into something and they have to look for your mobile and then key in your authenticator, that's very like, it is more friction to log into the account. That means that people are abandoning this account. They don't want to use it. And the other problem is like 80% of the data breaches are happening. This is according to the Verison Data Breach Investigation Report. They release it every year. They refine the pattern of how this normal, the breach are all happening and then they try to study it. And they found was like 80% of the data breaches are happening. One way or the other, due to weak passwords or the passwords are being stolen and there is phishing attack. And then 51% of the passwords are being reused. This is some stat. And if you go to your social account which you normally give a personalized account of login with Gmail or Google and then go and see how many accounts that you have that you have tied to your Gmail account. On an average, they say people have 90 online accounts. So you have like bank accounts. You have your e-commerce accounts. If you're a developer, you have like a couple of developer accounts. So 90 accounts is normal and then it keeps on increasing every day. So they say like some people have like 150 to 180 online accounts. So what's the problem? What does this tell us? This tells us that there is something called secret and that is being shared between you and the application owner. And you trust that application owner. Trusting means that you trust that that application stores your shared credentials safely and that is not open to any attack which is a very hard thing to say even for any company. Whenever you have your data that is transferred over the network that means that it's not always secured. It cannot always assert that the data is never breached. So when something is shared over the credentials you have to trust them, trust the network where you're sending and trust the data who is sending. There are still, even in 2024, there are still accounts who store your passwords in plain text instead of hashing and salting it. Why do you think whenever you go to any account and then say you forgot your password? They never share your password but instead they give you the reset link. That's because they don't have the way of getting a password. They cannot assert it, they cannot find it. Then always encrypt it and hash it and store it in their system which is not reversible but not all the applications are doing it. There are still some applications that store as a plain text which means that your passwords can, if someone is attacking that server, your passwords are already stolen which means that you're already prone to attack. It can be like your email ID and password is there so they can try in any other account. So the solution is pass keys. Pass keys is something like that I mentioned. There are still some credentials but the only thing is it's not shared. So it means that there is no, you don't need to trust the application owner saying that this is my secret key, store it safely. There is no such thing. There is a way to assert that you can create your digital identity without sharing this common shared credentials. So that means you're solving all the problems of shared credentials, breaches, that thing is shared over the network and you still manage to create your own identity. How's this possible? We have been using HTTPS protocol for a long time and we use for, whenever you make any transaction we always tell them make sure your domain is HTTPS at five which means that you have a public key, private key with the HTTPS website which means that someone is warning that, whoever is warning this domain actually verifies their domain authenticity by having their own private key and they always send the public key. So there are two things to it like the public key and private key as the name implies that public key can be public and there is a private key which should be private but you don't have to share the thing with the private. So if you want something like, let's say I want pass keys, if I want something I have to keep it in my own local machine I don't have to share it but these two asymmetric keys these two are asymmetric in nature so whenever you have a message you encrypt with one key you can only decrypt with the other key. So what I do is like I own my machine I own my own account so what I say is like I own my own private key I encrypt it, I send it but the other party knows my public key so they can actually decrypt the information and see whether that particular information is correct or not. I'm just going to show how this encryption and decryption works just in layman terms but this is what it does. Why this is getting popular because it's like Google, Microsoft and Facebook all the major players they see that passwords are no longer the thing they see that there was a lot of time in protecting their passwords that's a lot of money involving in resetting the password putting all the energy in instead of just supplementing with MFA complex rules and stuff they decided to go with pass keys. How many of you have received a notification from Google and saying that you know do you want to try pass keys or you know in GitHub account if you see there is some other option in addition to the social sign in with pass key have you noticed it? Okay, great. Yeah, so that's when the where the industry is going that's why they're trying to say like you know if you have something going on with pass keys so if you see that in no time you'll have Facebook and Google Google is already telling you that you can have multiple pass keys there is one more something called for example pass keys are actually protected by biometric but sometimes you don't have your device that is adhering to you know the biometric so there is also something called security keys this is one of the security key you be key Google has its own key called Titan so you can actually insert it like this is USB supported so you can actually have this key inserted into your device and then create your own credentials and then store it so this is something portable you can carry it the advantages like you can carry it and then I can shift it between different devices I use the same credentials or rather like I can use my laptop which has biometric already so I can directly use it so let's see this is a brief intro that might be going a lot of things going on I just want to show you like how the application can verify the authenticity of whether that particular information is coming from that specific user so as I mentioned I have a message and I have encrypted with a private key I have some secure message with a lock and whoever has the public key can use that message to unlock it and I can read the public key but actually whoever reads the public key have to verify whether this particular message is sent by that particular private key person like whoever is sending it so you cannot just open and read but he has to verify it how does this person does? so this is my message and my message is sent along with the signature signature is the part where the so this is my message and how this message is prepared is like I'm the signer, I'm the person so I'm putting a message and then what I'm saying is like I hash this message and I create a fixed length digest some unique number like 256 character of this number so I can send an entire Shakespeare poem and then it turns into a 256 character and then I create and I encrypt this digest with my private key and then I put it in the signature so my message is prepared and I'm going to send it across the network and I own this private key it's not shared along I stayed with it stays with me and then the verifier receives this message he knows what's the hashing algorithm it's part of the payload he knows that the message is hashed so he takes this message and then hash it and then what he does is like he has a signature so what he has to do is like he has to decrypt the signature as I mentioned I have the private key encrypted so anybody with the public key can decrypt it so he decrypt with the public key and then gets this message so the original message is the hashed message so now he can verify whether this is equal or not why this person has to verify this he can just open and read it why he has to verify it because someone in the network can tamper the message for example let's say some message is being sent for the person saying that this role is for common user and then someone says like okay delete this data and I'm an admin I can change this data but if someone tamper the data the hashed message does not match because the hashed message is created for the role user and someone tampered it with the role admin so I have to verify it so what does it prove that the message is not tampered like if this matches and the signer if I'm able to open it with my public key which means whoever has signed this message has the private key because that's how it's made possible with the signature but all along we are talking about the public key and private key and all that stuff a common user is not able to capable of creating a complex password how I'm able as a user able to create a keypad so we are actually shifting the burden and we tell them like we're giving you options one if your network is mobile is capable of capturing your biometric with your fingerprint, pin or a pattern or face or like I show the keys so what I have to do is like just plug it into my system and then I'll show you the demo and then it automatically the system will automatically capture that your system is capable of it and then it prompts for a biometric so when it creates a biometric it actually creates something in your key chain or in your secrets so all you have to do is like just press a thumbprint on it to allow the system to create the credentials and once it is done the next time when you log in the system, the browser automatically detects it and then says like hey you know what you have a pass key created for this account do you want to use it or you know you want to use a different account it's up to you so earlier this is capable only in the mobile devices because only the native SDKs of the Android and Swift that's the capturing the biometric part but now we are actually doing it for the Chrome so all major browsers supports the botan protocol which supports the pass keys so this is a simple fighter to application architecture so what happens is like this client is your browser this is a browser so you have the botan API support in the browser so relying party is the website let's say it's Amazon.com so it can actually has a you know multitude of services for example I can demand that only a specific device so this has happened in one of the use cases for a bank they normally try to give the use this PIDO keys because they don't want people to store it in different credentials they wanted to store it in their device so they normally give away so what we can tell them like only this application supports only this device and this signature so my application can verify whether my device is you know capable of creating this credentials and using that particular pass using that particular credentials in specific device so I have my client side JS I have to do this this is my external authenticator it's up to me I can use either internal authenticator or the external authenticator this just a brief overview there are too many things but if you want to learn more about it you can just go to fighter to Alliance they have they are the major players who created this you know specification so CTAP 1 is like client to application platform architecture the protocol so you can either use the external authenticator or the internal authenticator this is just a brief overview it's like what happens during registration let's say this is I'm in the Chrome browser and then the browser supports my botan API so let's say I wanted to log into one of the website like my botan IO and then say there is no password so I just give my username and then the website is just called the relying part here we'll say like okay I accept you use the name so go and create your credentials for me so I'd say like okay when you create the credentials create this only for my account that's another property of this fighter to you're creating credentials for that specific website so anybody who is impersonating or trying to do we cannot use the same credential so it's actually tied to the network so it gets the help of the authenticator and then it creates all the credentials and then send it back to the party the application stores it so next time when they come back they it's a pre-known user the same user so it says like you know what I have your get the challenge for me so this time it actually creates look for the credentials inside the authenticator and then gives it back so now it can actually it's already stored so it can validate the signature it validates the challenge validates all these assertions the signature data, authenticated data and everything and then it blows it so you can go to this website webbottom.io it actually tells you the entire flow like if you can just key in your username whatever I said and then it prompts you from the browser to get your credentials and then registers it so you can complete both the flows whatever I have mentioned in this website there are other playgrounds as well so you can go and search for webbottom playground and then try to get the credentials so that's all I have thank you so much for listening and let me know if you have any questions if not I'll be here let me know if you can and there is another one I think there's only specific I saw Fido 2 architecture they are going to talk deep dive into this so if you really like the session I can stay in that other session also so it might be like you might get more insight into it yeah thank you so much so just trying to be accessible out here if you can't see the presentation on the board just click this QR sign and you can watch it on your mobile or on your laptop wherever you want so we are supposed to start exact at 9 I think so we have 2 more minutes so I said okay we can get this ready and done but I don't think so clicker works I'm not sure you want to say it to no anyone can link it otherwise before that it will be to my organization is access right hello can you hear me okay so welcome to my session Deepa had given a one on password list I'm trying to give a little better how many of you know OIDC OR2 other than Pradeepa O-A-U-T-H 2O but it's not even an acronym and it's not even a word so OR2 OIDC SAML anywhere else SAML over any two percent so I think so what I'm going to do is I'm going to bring it right from how we have come to what we are to password list okay so important so welcome to the session who are you security on the internet more important who am I right now so I am Augustin Korea I'm a Microsoft MVP from India Bombay I'm also an odd zero ambassador preface to this so let's get right what is the internet all about the basic thing is a user you want to access a site or a web app right but guess what the bad guy too wants to surreptitiously get access to that right and even though he's not his thing to own so then we have to make sure is under security right your web app of this now let's get some basics interact some observers because the observer will perceive an identity right assume these words observer an identity in one use case or in one context another observer in another use case will perceive another identity obviously you're not saying what is this guy speaking right now let me give you a concrete example this is a traffic constable in Bombay my identity for him would be my Indian driving license right same for you your Vietnam is driving license you came here that is important right that Indian driving license if you show the Vietnam is police or in order right now when I came to Narbhai airport the Vietnamese immigration wanted to see what my Indian passport he perceives my identity now both these identities belong to this handsome guy the same right there's not a big difference now a long time ago this was all started how do we do that we still wanted passwords to get access but I think every company started building apps there were a lot of apps so there were a lot of passwords right so each app yeah please come in please come in thank you come come come come okay nine and a walk see to this free spot yes please please cool so I think so this ah come come come you can rest in time before I go into the minty okay cool thanks so each each app had their own password credentials right so this led to whole lot of password proliferation which Pratipa also touched upon but we always in the tech world get influenced by what's happening in the physical world so if you know a telephone directory what was it right it was a centralized location for all you don't have to remember each of the telephone numbers or that stuff right for all the different guys your identity and that's what we had a centralized location to access all of this but remember the directory was not actually built for doing authentication it was just a stopgap measures but it became so popular that it became the de facto standard okay in the windows world the enterprise corporate world they came something with two you know because of password fatigue Kerberos now Kerberos is in great mythology for a three-headed dog that used to guard the haters now the three dogs out here user clients the KDC the key distribution center and obviously the network services that you want to access this is the keyword right now there was only one password you have to remember to get access to all instead of the plethora of password that you have to remember remember for each password now that's gone away but the two one thing I want to take from you is this acronym the authentication server because we're going to touch upon this you'll see this pattern getting deep reading the problem with that stuff is we were good right so now we had central management location but the thing was the network infrastructure now stored your identity information so the movement you went out of the network you had no identity right so think about it a big retailer and a big customer wants to keep orders right and a lot of orders kept coming one way to go for this guy to be out here to book it on the other company what would I have to do the easy way would be like copy paste right we all copy paste code that's what we call shadow accounts so I would create my own account into this shadow stuff what is the problem with that what is the problem copied by variable in programming huh duplicate means if you make a changer that doesn't get reflected there so suppose I was an employee of this and I'm no more than employee my account would still be there I could still order hey 10,000 TikToks or something something like that right from that not a good thing right you do want to avoid that because now you don't have a single source of truth so what these guys the big industry folks got together and came up with a standard the standard is called SAML okay security acts assertion markup language so what was this all about it was this that if I signed into this that would be only required for me to authenticate out here right I won't have to create another account or try to make myself another second time so the first time I make a request to this web app it will pass you something called as a SAML middleware which will intercept it and it says hey dude you're not authenticated right nothing is there I don't know you so it says go back go back and get this so if you notice one thing there has to be a trust now trust is a very common English word but in an identity it has a special connotation right it means this person or this domain trust or will believe whatever the identity provider out here in terms of claims so if this person the identity provider says I am Augustine Correa my name is Augustine Correa and I can make these orders this domain will trust that right are you clear on that trust is important out here I mean just not in relationship but even in the security problem so the next time it goes to this middleware and it gets it to token okay because this middleware knows me it's my domain right he knows who I am he knows I'm Augustine I can make this call he gives us okay token which is now again intercepted again by the SAML middleware the SAML middleware says oh I know you yeah have a cookie right remember this now you're seeing the cookies come in the first time in the corporate world this is where it first came in the previous Kerberos what was the I mean improvement on the previous LDAP was encryption everything was encrypted before LDAPs and all they were not encrypted okay this is because everything was the same perimeter it was all across right they didn't do anything about that but now when you're crossing your domains obviously they have to be encrypted otherwise anybody can snippet this is your letter right you put an open postcard anybody's gonna read it hey right so this is how you want to do it but now the single sign on remember the single sign on right but now the single sign on that can cross domain cross domain SSO is federation give you this word okay this is important the federation happened why only five minutes okay so what's the difference with authentication authorization authentication finds in who am I right obviously is trying to identify you but you got some proof authorization is what I can access or what I can perform do you know the same thing happens here you have this right who are you and can you enter here you as attendees can be there IS speaker can be here right this is the authenticity authorization part now how does this happen so they all came about a standard to do this now suppose before ORR2-0 came about if I was about to hey I attended for safe here I want to put on LinkedIn and I want to send mail to everyone all right so what happens I'll have to give LinkedIn my gmail email and password right so they just sent out a mail that's not a good thing like you don't want to give LinkedIn your gmail and password because you can do anything with that whatever you can do then LinkedIn can do you only want to do things you have on LinkedIn right because I think that happens there so that's what they want so the guys came up they just you folks okay let's hire a way to in this you send it into this and that's what ORR2 is about let's look at how ORR2 go or what it's called denigrate or whatever you want to do that any at the browser LinkedIn but that's now a redirection okay redirection remember the thing about KS authentication server now we are KS but this is the authorization it's going to be too important authorization important this authorization goes to the browser and sends in the ORR2 okay I'm already sending my credentials for this it's in the ORR2 the ORR2 will give you the authorization to LinkedIn now LinkedIn will send that to the token endpoint now because it's going to knows the author has sent to it it's verified okay and this is all under encryption and signature so this it sends the token and that token is then made up also this is how it happens on the ORR2 so if you're going to build an app they say hey login and secure this is what's happening at then now this important thing that is not shown out here is this so you have something called a scope right you still what it should authorize so whenever you've said right sign in with gmail or sign in with github or this it says do you want to give you know the which repo do you want to give this so those are the scope you're not giving the full gmail email password right now you're trying to say okay this is what the app can do or what cannot do clear next come hey we're already using the we're already using the what so the guys said okay we're already using authorization why don't we piggyback and use the to get the id right authentication part who am I working through and this was another instance style the only change that was out here is now just sending the access token it also sends you an id token right now the difference between year access token and id token the access token was sent to the api but the id token is only for that so whenever you say hey august in korea when you have the login you know and after you authenticate it and you get the round and you get the avatar and your name that's what the id token is it has all that the claims the names about you as well as the designation or whatever so the other aspect about it have you heard of course cost origin request remain the bad guys can intercept yours so when you made a request and you're sending a credential back that cookie goes now if you have an other sense and it sends back the request you send another request that cookie is sent with it and guess what the server sends it back successfully because the important thing is you all are in the same origin so you know what is origin when you put the URL http fosasia.com 80 that is the whole origin and it has to be exact now within why we had this problem is because a internet can have problems with it and mobile right LVF you have a mobile but is your mobile on the same domain or same origin it's on android it's on apple right they don't belong to you you don't have that dna so there will be most probably and the IPA economy right you create a separate economy so not only your website can use the other websites can use right the Gmail API was used by LinkedIn or anybody else or you can use make app and we call that API but and that's a good reason but this time that secret token cannot work through because it's only this apple happened because you can't do that now let me pick on this the new service come it's called defined optimization so the different types of operation are easy easy you know what is easy you are a group attending that's your role you can be here Maya has a role as speaker I can be here she has lift it up and that's her role but there's a problem right how can she shows her boss can also say and pick that up and say you can't get that with rule right because her manager will say be that same role and do that this is why because we have a relationship so the word the open FGA is known as part of RE BASY relationship based access control the previous was RBAC role based access control or ABAC active based access control so the thing that we come is is some okay what are the different types this is the authorization form and this is built by google docs so why think about this situation you have a folder that parent can have a folder is parent going to have a folder now if we had only roles I would say only this folder would I couldn't do that right it would be a lot of convolution with but if I gave the relationship this parent can hold this and this just with that one authorization model I can satisfy that instead of making it very convoluted right the relationship aspects takes about this I want to bring this flow this is now the latest with password list going on the authentication open FGA for the authorizing part and here's the kicker not this kicker RE BASY is the super set of RBAC so you can implement a much more sophisticated form of RBAC with the RBAC and the last one I want to leave to is this this is the person who likes to see is in my guide and all the real good guy is Mr. Thurth he died this past year but he is the doin of identity and he had a lot of passion to get this and that's my talk thank you thank you thank you very master for the presentation like we will have the password list authentication with the speaker Mitras and Anisha Goss welcome now please welcome okay hi everybody I'm Roger Dingeldine from the tour project and I'm going to I'm going to try to talk to you about many different topics today and I don't have enough time to talk about all of them in detail so hopefully there will be something exciting for you somewhere in what I talk about so tour is a privacy project we're a nonprofit we're free software open source one of the fun things about tour is the community of people all around the world who are working on tour every city that I go to has a university research group that is writing research papers about tour understanding security privacy things like that we have some number of users between two million and eight million daily users it's a privacy system so it's a bit hard to know quite how many users we have and also we're part of larger ecosystems like the free software world the anonymity research world the censorship resistance world internet freedom and so on okay so the first question from a security side is what's your threat model what are you worried about what can the attacker do so we have Alice over here and she's trying to browse the web or something to some website bob and the question is where can the attacker be maybe the attacker is watching the local network maybe they're watching the wi-fi in this room right now maybe it's the monopoly telephone company that gets to observe everything that everybody does in that country or maybe the attacker is somewhere in the middle of the network maybe it's Deutsche Telekom or AT&T or some major telephone company and maybe they collaborate with their local government AT&T is known to send data to NSA for example so maybe there's an attacker that observes some of the some of the network or maybe the attacker is watching the connection to the website maybe Alice is trying to talk to WikiLeaks and leaks some important documents and the and some government is watching WikiLeaks to decide who's talking to them so they know who the whistleblowers are and maybe the attacker is the website maybe it's cnn.com and they want to know who all their users are so they can advertise to them better so there are a lot of different places where we worry that somebody is able to to watch what's going on that's the threat model we'll get back to that in a bit but one of the important pieces here encryption is not the same as what I'm talking about today you should use encryption encryption is important but even when you're using encryption to talk to somebody on the internet somebody watching your encrypted conversation learns who you're talking to when you're talking to them how much you're talking to them and that metadata is is one is what is what various organizations use to try to attack users who want privacy on the internet so as one example if you're the US Secret Service or CIA or something and you're trying to discover what people are doing on the internet everybody uses encryption so nobody tries to break the encryption anymore it's all about building the social graph of who is talking to who and then you look for the person in the middle of the social graph and you break into their house at night and steal their laptop and change things on it so encryption is good but encryption is not enough and one example here does anybody recognize creepy NSA guy from 10 years ago this was back when Snowden was talking about illegal activities that the NSA and England and Europe were doing and the guy running the NSA said we kill people based on metadata so it's again it's not about encryption it's about knowing who you're talking to knowing who's talking to who and building the social graph of who is interesting and it's not just about metadata there's a bigger fight going on in the world about whether Facebook should be allowed to add end to end encryption to messenger and Instagram and other tools like that so we have major law enforcement groups in the US and here's so that was 2019 this is just a few months ago when England was asking for the same thing so there are major governments out there trying to prevent these big companies from actually providing real safety to their users and the the yeah we'll get back to that okay so I actually only use the word anonymity when I'm talking to researchers when I'm talking to my parents and my friends I tell them I'm working on a privacy system because anonymity not really sure if that's good for society but privacy is definitely good for society and then when I'm talking to then when I'm talking to companies like Google and Walmart and so on I work on communication security because Oracle said privacy is dead no company wants privacy but companies do want security they want to be able to buy things from the internet without their competitors watching what they're thinking about buying and then when I talk to governments and militaries I work on traffic analysis resistant communication networks and again it's the same system it's the same security properties it's just about how you frame it for them so if you go to a government and say I have a privacy tool they say oh we don't need privacy we're a government but then if you go to a government and say I have a tool where you can send your diplomat to Israel and when your diplomat checks their email from the hotel room nobody realizes which country the diplomat is from nobody knows what that diplomat is doing what her affiliation is and so on so that's they look at it as as providing privacy from other governments who are trying to track what they're doing and then there's a fourth category which is the reachability side there are people in the world who can't go to bbc.com and some people use Tor to be able to reach websites that they can't get to directly and the important part here is all of these kinds of users need to be in the same anonymity system in order to blend together if you had a privacy tool only for people who have cancer and they're trying to talk to each other about cancer then the fact that you installed it would tell people too much about why you installed it so we need journalists military ordinary facebook users and so on all in the same system so that the fact that you have installed Tor doesn't tell people about why you installed Tor okay so how do you build one of these the easy answer is some centralized system like a VPN where all the users connect to the center and ask for various web pages and it fetches the web pages for them and sends them back and there are a few problems with this the first problem is what if your VPN company is secretly lying to you and they're actually collecting data and it always starts with I promise I'm not looking at any of your data okay actually we do look at all of your data but I promise I won't log anything I promise I won't write it down okay actually we do write everything down but I promise I won't give it to somebody else okay actually sometimes we do give it to other people but we promise we're going to keep you safe so the challenge there is the architecture it's the fact that there's a center and it knows all the data it knows who all the users are and what they all do and it could screw you and it promises not to and there's no way for you to know there's no way for you to check whether it's following through with that promise or not so it's even worse than that imagine your VPN company is perfectly honest and they really do want to keep you safe it's still one computer somewhere in Switzerland or wherever it is and anybody who can watch the connections into that computer and the connections out can do traffic analysis to match up and say this flow that looked like this matches to this flow that looks the same so yes it's encrypted but now I know that this user went to that website so even if the VPN company is perfect you're still not going to be protected the way you want because it's too centralized there's a point that can know what everybody is doing so the answer for Torah the approach that we take is distributed trust or decentralized where you route your traffic through three different relays and no single point in the network knows both who you are and where you're going so now it's not a question of I have the data and I promise I won't tell somebody now it's because of the architecture because of privacy by design there is no point that there's no place in the network that knows both of those pieces of information so that means R1 the first relay they know that Alice is using Torah but they don't know what she's doing and R3 the last relay they know somebody is talking to Bob but they don't know who is talking to Bob so the goal of Torah is to separate these so that there's no place that learns both who the user is and what they're doing on the Torah network makes sense so far great okay and we've done some social science studies to ask various people why they use Torah around the world and I have a few examples that have been anonymized one of them is I'm a political activist in my younger years I entered the public debate openly as a result I started getting harassed by government agencies I later tried to obfuscate my identity but it turns out my government is good at watching things so I use Torah freedom to publish my message to the world without being personally persecuted as another example there's another person who gave us their story of I'm a doctor in a very political town you can imagine Washington DC or Brussels or something like that I have patients who work on legislation that can mean billions of dollars to major telecom social media and Google and so on and when this doctor sees senators who maybe are controlling a lot of money and maybe companies want to influence them imagine the senator has cancer or some embarrassing disease the doctor uses Torah to preserve the privacy of the patients so a similar situation happens for lawyers if you go to a lawyer the job of the lawyer is to keep your case private but then the lawyer starts sending emails to everybody and searching on the web suddenly that web activity can reveal what the legal case is about so those are two examples to keep in mind a couple more recent examples a couple of weeks ago there was a story where apparently the FBI wanted to catch some criminal so they sent them a YouTube link and then they went to Google and said tell us every IP address that has ever loaded that YouTube link and I don't know if Google answered but that's pretty scary Google has the data they promise they won't give it up except actually if governments ask the right way they will give it up so Google knows every YouTube page you've ever gone to and they're trying to make money they don't care about you so maybe Google didn't answer in this case but the problem is we don't know they could answer they could choose when to answer when not to answer another example from the US side a few I think this was a couple of months ago there was somebody in Nebraska in the United States who was 17 years old and she wanted an abortion and she talked to her mother on Facebook and Facebook turned over the messages to the local law enforcement and now she's been arrested and they're prosecuting her for wanting an abortion and Facebook provided the data that they're using to prosecute her so this is another example where maybe you want privacy in order to discuss your own personal life even though there are bad laws that are trying to make what you're trying to do illegal okay so there's another talk which is performance of Torah this is a graph of the the bluish greenish line I'm not sure what color that is bluish line is the load on the Torah network over the past 10 years or so and the red line is the capacity of the Torah network so it's been been growing one of the important things here is the difference between these two lines is how much extra capacity there is in Torah and we need more people running relays around the world volunteering as relays in order to have more capacity to handle more users okay so from a security side we're in the security track so let's think about security how do you how do you decide how safe Torah is how do you what what metric do you use for measuring how safe Torah is there are two two answers that that we should think about today one of them is the diversity of where the relays are so as imagine a Torah network that's only running in Hanoi so there are there are a bunch of relays and you're bouncing through three of them but they're all in one city in that case it would be pretty easy to watch all of the relays and then be able to learn who all the users are and what they're doing so instead imagine a Torah network that is all around the world we've got relays in Europe and North America South America Africa Asia and at that point the set of attackers who are in a position to watch enough traffic going into Torah and going out of Torah becomes very small maybe the NSA can watch some of it maybe GCHQ British Intelligence could watch some of it but smaller countries like France probably aren't in a position to see enough internet traffic to try to break it so that's one definition diversity of relays another definition imagine there are 50,000 people in Iran using Torah right now and I think there's more than that today if they were all political dissidents trying to change their government then it would be bad that they had installed Torah and the government would look for people who installed Torah and arrest them but the reason why almost everybody in Iran is using Torah is because Iran blocked Facebook so they're using it to get around the block to read their web comics and their pictures of kittens and whatever people do on Facebook so that ordinariness is an important security property most people around the world are using Torah just like ordinary internet users to do what people do on the internet and the fact that most people are normal people is important for security for the much smaller set of people who need safety against whatever adversary they're worried about so those are two ideas to think about in terms of security let's talk more about the Torah software ecosystem so I talked to you earlier about the program called Torah which is a proxy it takes care of hiding your IP address and hiding which IP addresses you're connecting to there's another layer that we have to deal with also which is the browser layer originally we said here is Torah it's your problem to find a browser that's safe to use but there weren't any browsers that are safe to use so we ended up building Torah browser which is based on Firefox and fixes a bunch of privacy issues at the browser level so you all know about cookies but there are a bunch of other tracking mechanisms like which fonts you have installed what languages you prefer which versions of of JavaScript you have how many pixels by how many pixels your browser window is all of these are ways to recognize you even if Torah is hiding your IP address they can still say oh that's that guy who prefers Korean and then English and then Japanese there aren't that many of them using Torah today so we need to to deal with all the browser level privacy things also and one important thing to keep in mind here how many people here have heard of incognito mode or private browsing mode I see some hands great so many people think private browsing mode protects you against the websites you're going to or against the ISP that you're using private browsing mode only protects somebody looking at your hard drive after you've been browsing so Google gets to watch everything you're doing your internet provider gets to watch everything you're doing you think you're in private browsing mode but it's not private in the way that that you hoped it would be and duck.go did a study of of what people think private browsing mode is and most of them think that it's what Torah browser does so we need to find a way to scale up to handle all of that and here's a either funny or depressing webcomic that I found that explains it pretty well where we've got the big chrome overlord saying which website would you like to see and we've got the shy user saying I don't want you to know and then chrome puts up a sock puppet and says why don't you tell the hand and then the user is like okay great yes I'm happy to do that now now that you say I have privacy so the the it's sort of depressing and sort of funny at the same time but hopefully it gets the point across that that incognito mode and private browsing mode are not actually keeping you safe from most of the things that you that you would want to to have privacy from okay so another key thing to think about Torah is free software open source that's important but it's not enough we also need to give you the specifications the rfc style descriptions of what we think we built so that you can compare the source code to what we say we built and we need to give you the design documents and research papers and and all the the hard thinking about what we tried to build so you can compare the the design documents to the the specifications to the source code and help us find bugs at every level and we are publicly identified hi I'm Roger I wrote Torah and that transparency is really important for building community and building trust to the fact that I'm here and happy to answer questions about Torah helps make sure that you can trust what we've built and there's always somebody in the audience who says oh ha ha the privacy people are talking about transparency that's a contradiction it's not a contradiction because privacy is about choice privacy is about choosing who gets to learn things and we choose to be transparent in order to build a stronger community in order to be able to educate people about how privacy works and we've had some interesting high-profile users over the years for example Ed Snowden used Torah in order to stay safe while he was talking to journalists until he chose when he wanted to reveal himself and there are some other whistleblowers who've done that and there are some others who are still safe and have successfully told the world about corruption that's happening and they and they have chosen not to identify themselves okay so another topic for us to think about a lot of people look at tools like Torah and they say oh it's a two-edged sword there you can use it for good things but you can also use it for bad things it's like an automobile or a hammer it's a dual-use technology you have to accept the bad with the good and to some extent that's true but the next step that people say is technology is neutral it's how you use it that changes that really matters and I don't think that's true I think that the way that you build the tools reflects what changes you're trying to make in society so for example if you were building Google Docs it's centralized they get all the data they get all the documents they have built it in a way where they keep control whereas Torah is built in a decentralized way where we try to give control privacy power to the users so that they get to choose who gets to learn what they're doing on the internet so that decentralization is inherent in the design it's built into how we design Torah and that means that first of all Torah is more useful for people who have less power so if you're a military you've got other options but if you're a journalist you don't have as many options so the LGBTQ community or journalists or something like that they need Torah more than governments need Torah and the other side to think about there is if you don't think about the social impacts of the tools that you're building you're going to end up accidentally reinforcing the existing power structures you're going to end up helping the militaries more than you help the journalists so think about who your tools are for and make sure that you build that power dynamic into the tools that you write okay another topic in the Torah software ecosystem is a project called UNI the Open Observatory for Network Interference it is now its own nonprofit but it started off in Torah and it's still well connected to Torah and the idea for UNI is it's a framework for measuring what websites work where in the world and they now have billions of data points from people running the UNI software all around the world and testing which websites work which protocols work and uploading those to a big public database and the goal of that is to learn there are many different goals but one of them is I want to know if bbc.com works in Syria today and if it stopped working today I want to know if it worked yesterday and it's not just BBC I want to know if HTTPS the protocol works in Syria today because Torah tries to look like HTTPS because who would block HTTPS turns out that Syria did block HTTPS for six months back during the Arab Spring so understanding what protocols work where is really important to understanding how the internet works and there's an easy Android and iOS version of UNI that you should install and play with and maybe contribute to so this is the Torah website from various countries in the Middle East and it doesn't look like the website that I wrote here's a block page saying this website is not accessible in the UAE sorry the requested page is unavailable site blocked oops we've censored you so one of the challenges here is that some countries not Vietnam Vietnam works fine for Torah but some countries don't want you to be able to reach the Torah website and they start the first step is that they block the Torah website and that doesn't stop Torah from working the Torah software still works fine but you have to get the Torah software from a mirror or something like that and then the next step is they try to block connections into the Torah network so for example Russia and Iran have been taking steps to try to make it hard for your Torah client to reach the Torah relays and the solution that we have for that is a design called Plugable Transports the idea is that the Torah software takes care of your privacy anonymity traffic analysis resistance and the transport that you plug in transforms your Torah traffic into some protocol that the sensor is willing to let through and to some IP address that they haven't chosen to block yet so one popular version of Plugable Transports lately is a tool called Snowflake it transforms your Torah traffic into WebRTC which is the protocol that Skype and Zoom and Jitsi and so on use so your Torah traffic looks like you're doing a video chat with somebody but it's actually going to a volunteer running a Snowflake extension and from there into the Torah network and the great thing about WebRTC is that it's built into browsers so the Snowflake extension is just a browser extension and now you're one of the hundreds of thousands of volunteers who are proxying traffic from a censored place through their browser into the Torah network and one example right before Russia invaded Ukraine Russia blocked a bunch of different pieces of the Torah infrastructure and here's a graph of thousands of people started using Snowflake in Russia in order to get around that censorship and I was looking at this graph and saying wow 6,000 people that's awesome we helped a lot of people turns out that that's here and that the whole Russia thing was just a trial run where we were learning about bottlenecks and fixing it and then hundreds of thousands of people were using Snowflake in Iran later that year because of the protests that were happening there okay so that was the censorship side of things now let's talk about the onion service side of things so I talked before about how you can build a Torah circuit through three hops and the goal is that nobody knows both who you are and where you're going now let's take that three relay circuit building block and glue two of them together so now Alice is going to talk into the Torah network and Bob is going to talk into the Torah network and they'll be able to talk to each other but Alice doesn't know where Bob is Bob doesn't know where Alice is yet they can talk to each other inside the Torah network and that design is called the onion service design and it gives you some really cool security properties you get end-to-end encryption you get end-to-end authentication you can run your onion service behind a firewall behind a NAT so you don't need an an incoming internet connection in order to be an onion service so they're a bunch of cool properties many people know this onion service thing not by the name onion service but by the name the dark web and again it's the same sort of security properties we were talking about before but there are a bunch of journalists out there who are excited to sell their newspaper articles and if you put a picture of the iceberg and you tell people there are 99 other internets out there and they've never heard of the you can't get to them except through Torah it's mostly nonsense the dark web thing is just made up to sell magazine articles it isn't whatever you've been told it has been so I'm happy to talk more about that but what do you think the biggest website on the dark web is you've maybe read some articles about somebody selling some weird things the biggest website on the dark web is Facebook and this is because Facebook looked at their own internal users and did a study of how many people were connecting using Torah to get to Facebook and they found that in April I think it was April of 2016 more than a million people connected to their Facebook accounts over Torah and that's because there was I think Iran was censoring Facebook so a lot of people were using Torah to get around the censorship to get to Facebook and Facebook looked at this and realized our users want actual security we should set up an onion service so that they can get to our website and know that it's really our website as another example BBC did the same thing they set up an onion service because they want people to be able to reach their website and do it safely and know that it's really BBC that they're reaching another example cloudflare set up an onion service so whenever you visit any website that cloudflare hosts which is 20% of the internet these days cloudflare hosts a lot of the web every time you go to a cloudflare site in the back end in Torah browser it's going to one of cloudflare's onion services so you get automatic end-to-end encryption the URL bar doesn't change it still says fbi.gov in the URL bar but on the back end you're going to cloudflare's onion service and getting better security by default without even knowing that it's happening so in a way that's cool on the other hand if cloudflare hosts 20% of the internet does that mean 20% of the web is in the dark web what does that even mean and cloudflare hosts fbi.gov so fbi.gov is in the dark web what this phrase doesn't mean anything at this point so it's another way to get good encryption and good security when you're using the internet and let me give you two interesting software examples of what you can do once you have a tool like onion services so this one's called onion share and it's built by the people at the Intercept which is a newspaper company in the US and the idea is let's say you're a journalist and somebody just sent you a bunch of interesting government documents and you want to write about them and you want to send them to the journalist next to you sitting next to you how do you send these documents safely do you send them over Gmail Google's watching they're probably going to sell them or data mine them or advertise do you put them on Dropbox I don't know what Dropbox's business model is but I think it's looking at all the files you upload do you put them on a USB key and hand them over we've all been taught that USB keys are scary and maybe you shouldn't be trading USB keys like that maybe you've set up an FTP server and then the other person FTP is over that's great if you know what FTP servers are nobody does anymore so the answer that the journalist came up with is a tool called onion share where you this tool spins up a local web server and a Tor onion service and it gives you a URL like this and you send that URL over signal or WhatsApp or telegram to the journalist who then launches their Tor browser puts in the URL their Tor browser connects to your web server over Tor downloads the file and then everything goes away then the web server is gone there's no center there's no middle there's no place to break into and get all the data there's no place to send a subpoena there's no place to attack and that's how file transfer should be done safely on the internet these days so this is an example of the right way not just with encryption but also protecting metadata but also protecting who you're downloading the files from who you're sending them and so on so that was one example another example is a tool called ricochet which is an instant messaging tool how many people here use iMessage or WhatsApp or signal or telegram or I see good I see quite a few hands because I tried to list most of the popular ones maybe Google chat is in there all of those tools are centralized they know who all their users are they know who you're talking to if they provide encryption which is great they can't read what you say but they know when you say it all of that centralization scares me so the idea for ricochet is that every user is their own onion address I don't have to know where you are but I can reach you over the Tor network and I don't I don't have to know who you are but I can still talk to you and there's no middle each of these connections is going over a separate onion service tunnel and there's no central point that has a list of users or a list of who's talking to who and so on so this is maybe the the smarter metadata secure way of doing instant messaging so the the tool itself needs some work there's a forked version of it that I think is doing better now called ricochet refresh if you want to check it out and with that a couple of last thoughts so here are four ways the Tor can fail Tor is not perfect it's not going to keep everybody safe in all situations and I tried to order them by by most frequent problem the biggest problem by far is upset mistakes operational security you tried to you did a blog post you accidentally put your name at the bottom because you forgot to delete it and now Tor is going to anonymously post your blog post with your name at the bottom and that that there are a bunch of other examples where you maybe you use a phrase that only certain people from your city know and that helps people guess where you're coming from the second problem is browser metadata fingerprints so we try to make all the Tor browser users look the same as all the other Tor browser users but every week there's some new JavaScript API coming out that can be used to track people Google had one a while ago where the remote website can learn all the details about your device's battery how big it is how far through your power you are how quickly it's using the power and the goal of that is the website can change what it sends you if you're low on battery but it's a tracking mechanism that we needed to stop and another example of that a while ago I think Chrome was trying to help people use the Chrome browser as an Xbox controller the idea is you plug your Xbox controller into your computer and then Chrome controls everything and that meant they have a JavaScript API for enumerating all of the attached USB devices and their unique IDs so that was another thing that we had to to stop or there would be another way to track users even though they're using Tor and Tor browser and then the third problem is browser exploits browser vulnerabilities now these cost hundreds of thousands of dollars so I mean it's not easy but if you're an intelligence agency you part of your job is to buy browser bugs that you can use to break into people's computers so you trick them into going to your website and you send them some web page that breaks into their local computer and yes they're using Tor but that's not enough and then the fourth problem that is mostly more theoretical because most organizations aren't in a position to do this sort of attack is what if they can see enough traffic on the internet in order to be able to match up which Tor users did which things and I think most organizations aren't able to do this but we don't know the Electronic Frontier Foundation EFF.org is running a campaign to get more people to run Tor relays at universities so if you're connected to a university they have printed these awesome shiny coins that I'm happy to show you later and you too can get one of these awesome shiny coins if you run a relay at your university talk to me afterwards and I'd be happy to help answer questions about that and I've got a couple of minutes for questions and we've got I think we the next talk in here is at 11 so I'm happy to answer a few questions now and we'll take it from there thank you who who wants to have a question in public versus a question yep great thank you for the great session I am okay a disclaimer I'm a conventional security person who's trying to find all these anomalies some things that's happening so so this is like imagining that something like who's trying to use star as a normal person who's trying to use Facebook and BBC is deprived of access in their country for political reasons or whatever what if this gets into the hands of the wrong guys because there's a common human trafficking that gets posted in Facebook right like there are people like terrorist groups who's trying to sell weapons through the normal social so how we identify with the pattern so I work for security solutions and I try to find a pattern of people coming from a specific IP address trying to you know like how you mentioned the social graph trying to find it I know this is with a good bill like trying to you know address 99% of people who's doing good things but what about it gets into their hands of the wrong person yeah so that's a complicated topic the one answer is law enforcement has all of the traditional approaches that they used to have where you make a list of suspects and you do actual police work to try to find the criminals another answer is there are places in the world like Russia where the criminals are coordinating with the police and they're doing just fine so and those organized crime groups have plenty of other options besides Torah because you can't actually arrest them like there are so many stories of people finding botnet operators in Russia and then coordinating with the Russian police to go arrest them and nobody's there because they paid the police to tell them when the arrest was going to happen so people who have power already have other options besides Torah and if you want to buy drugs on the internet you go to drugs.ru and there they are you can just buy them from an ordinary website so the problem is that the bad guys are doing great they have a lot of power but the ordinary people who want protection against companies watching them and building data sets like Google and Facebook and so on they don't have as many options so that's the very short version of the answer that part of that it's something that we think a lot about because we want to make sure that that Torah is more useful for the people who need it more the Torah is more useful for the vulnerable people who don't have other options and it's yes the other bad guys can use it but it's not necessarily their only option I don't think I have a question for you but as I would like to say I totally agree with you that in nowadays we don't care about the encryption anymore we care about the metadata so I'm from New Zealand so I totally agree with you that in New Zealand technology cream in a co-operated with the New Zealand police and telecom so that's why I experienced with the situation Chrome Google and also all of the browser have been broken as the front end by the signal attack so I already worked with a lot of police in New Zealand so I totally agree that all of the web browser already under attack so all of the front end from all of the application can be easily under attack so front end has been broken easily so today I learned about you so I think I will use it but my question maybe my question for you is that could you tell me a little bit more about the decentralization design so it says that you can all of the web browser can easily capture some metadata and understand about me so can your website top website browser reach me I don't care about privacy but I care about my safety so when you reach me it means that you can attack on my interaction with my web browser so it it will make me hard to work with the browser at front end so for example it's easy when I click into the text box or drop down it's not working anymore so can you reach me and attack me with top web browser yeah so that's also a complicated question the when I was talking about the safety of using web browsers on the internet and and who can watch what I'm not so worried about the company Google and and Mozilla and so on I'm worried about the intro the places on the internet that your traffic goes through so let's say I'm sitting in this room I'm using the Wi-Fi I control my own laptop I control my own browser but as soon as I connect to the Wi-Fi here I'm sending traffic up to the university here and then it goes out to some telephone company and then from there it goes to some backbone ISP maybe it goes to Japan and then it goes through the Pacific Ocean or something each of those points is a surveillance spot that I'm worried about so I I control my own browser you're right that browsers are not perfect but I'm more worried about surveillance on the network side of things but that said yes if you if you go to a website using tour browser and the website sends you something that tries to attack your computer that's why we need browsers to be as safe as as they can be and with that I am out of time officially so thank you again and I'm happy to stand around and answer your questions inside or outside until you have no more questions thank you okay we have a couple more folks coming in yes please come in join the abandoned notebook over there is mine so that's where I intend to sit after my talk please keep that seat for me otherwise feel free to sit anywhere cool yes thank you all righty thank you everyone for showing up to my talk I'm gonna be talking about threat modeling for a little bit very soft introduction to the topic before we get started a few words about myself so I'm Simon I'm not gonna make your pronounce my last name it is a very German last name so if you find me afterwards just call me Simon we're fine right a couple of things that I do in my life one I volunteer for the free software foundation Europe we have a booth here it's right across the hall so you walk out the door through the little you talk to all the other great folks that are there guardian project great project right in front of us alma linux and then all the way back there you will find us free software foundation Europe so if you have any questions later today or tomorrow that is very likely where you will find me apart from my work with the free software foundation Europe I work as a consultant so I help organizations solve hard problems that is what I love about this job right you meet different organizations and you help them solve hard problems if you have boring problems to solve you can find someone else that will do it for you you can come to me if you have like really hard problems to solve some of these hard problems include questions like how can we use free and open source software to run our business more efficiently or how can we build strong teams and strong communities to make sure we build the best possible software for our users mostly these days I solve hard cybersecurity problems and that's probably what you want to hear about right we're in a security track here at fos asia we want to talk security so what are some of the cyber security problems that we will be talking about today one of the questions is what can go wrong in our software how are people using our software what can go wrong what can fail and are we doing a good job to protect the users of our software right so I'm going to be talking primarily about these topics in the context of software and software development there are lots of things to say also about like our infrastructure about our organizations to make our teams more resilient and our companies and non-for-profit organizations more resilient but today I'm talking specifically about software and one of the very hard problems that we have to solve across all the different organizations and teams is how much security is enough security right in an ideal world I would tell you to like threat model everything right and protect everything and do all all the security things right that would be I would love to tell you that but we live in the real world and I don't know how it is here around Asia I mostly operate in Europe and in Europe security people are hard to come by software developers are a bit hard to come by we have very limited resources and we have to spend these resources very carefully so we need to have a very good idea what are the problems that are really meaningful to solve and how can we use our resources efficiently to actually make a good difference and that's why I want to talk about threat modeling because in my opinion threat modeling is one tool that you can have in your tool belt to answer or start answering some of these questions it's only going to be 20 minutes today between of us right so I'm going to scratching the surface here but I think it's enough to get you started and get the ball rolling and have more conversations later between yourselves or with me if you want to now I mentioned one key word here already which is opinion right in my opinion threat modeling isn't that this is going to be an opinionated talk if you talk to Simon you should be prepared to hear opinions right I make it a point that all my opinions or most of my opinions are well researched and steeped in like years of experience of working with people and cybersecurity both in my personal life and professionally but still you have to keep in mind these reflect my experiences in my opinions your situation may be might be different your community might be different your product might be a little bit different and it's always important to keep these differences in mind so that's when we go back to the hard problems which I really like to like get the nitty gritty of it but unfortunately cannot cover and do justice in just a 20 minute talk one fun fact about myself or one thing that makes me quite lucky is I've recently started my own company so I can now go on stage and say opinions of this talk are my own but also that of my employer right and that is a very comfortable situation I can say whatever the hell I want here on stage and not get fired hey so keep that in mind okay enough about myself enough about cracking jokes and stuff let's get to the nitty gritty we want to talk about threat modeling who here has never heard about threat modeling so anybody here who's first time to hear this a few folks okay cool that is good because it's going to be an introductory talk we're doing threat modeling at least in my opinion the most important three things why we do threat modeling is one we want to understand what can go wrong in our software right so that is the view that we want to take we want to understand the security stakes of both the environment that we are intended to be used in and of our users right so we're going to talk about security stakes and security promises and lastly I think why threat modeling is a very good tool and a very important tool is we want to communicate what we have defined and what we have found out to our users and our team right and I'm going to mention that when we look at some examples that I've brought here and one of the examples I'm going to mention is a security messenger right so you want to make sure that everybody who is developing your secure communication software understands the stakes of our users what does it mean if we make a mistake what can the impact be for our users and are we doing a good job at protecting them and also you want to communicate it to users so they know when you use my software what are you like when I use your software what are you promising me right are you promising me that this is like this fun little thing that you did that might go away tomorrow or are you promising me to like do the damnedest that you can do to keep my communication secure getting started in threat modeling and starting to answer these questions is really easy right and I take inspiration here from a great author on the topic Adam Shostak if you haven't heard of him look him up he does great things on YouTube on the topic as well and what he says or one of the things that he says is to get started on threat modeling you really have to just ask yourself four questions right question number one what are we working on so what is the software that we're building and what are the users that are going to use them number two you're going to hear this a lot throughout this talk what can go wrong right we're talking about security so we want to take this adversarial mindset what could somebody do if they want to abuse our software and naturally we don't want to just admire the problem right ideally we want to fix some problems so the third important question is what can we do about it right are there what steps are we taking to protect our users and to meet the security promises that we're making and lastly we want to do a good job right so did we do a good job are we done with threat modeling are we done with our security concept is there something we might have messed are there more experts that we can talk to to bring in new opinions and new experiences and make sure that we are doing a good job in protecting and doing the work that we do I want to spend the rest of the talk walking you through some very high level examples I've taken two that I hope everybody in this conference can relate to one is we're going to look at a security focused messenger right something like signal or telegram that hopefully a lot of you are using already and the other one we want to look at or I'm going to look at very high level on an online event management platform right so something like open event which is the software that runs event yay which hopefully many of you used to register for this event and that the great folks at FOS Asia are developing and maintaining for this conference and we want to take both these examples to highlight some key differences right so going back to the four questions that we ask number one what are we working on when we look at the security focused messenger and if you think of something like signal and what they are doing and what they are trying to achieve I think the sentence that covers it best is we are developing or they are developing a communications app to facilitate secure communication in a hostile environment what does this mean right so what what are the promises that we are making we envision and we I'm not a signal developer disclaimer right so if I say we it's like I'm putting myself in there in their view and I'm talking as if I was doing their threat model what promises are we trying to make we want to promise politically exposed people like dissidents or journalists investigative journalists that they can use our app safely in a hostile environment now these are some very high security stakes right so worst case scenario we're talking about people who have to fear for their life and safety if our app does not do what it is promised right they might go to jail or face even worse punishments if you think of events like the Arab Spring where a lot of free software communication was used to organize the groups and the stuff that was going on right now if we contrast that to the online event management platform here we are talking about managing events right selling probably selling tickets and offer a good event experience to our attendees this shows to highlight like probably the secure messenger will take more work and more focus to to facilitate securely but also the event platform is not irrelevant right what are the promises that we're making for the event platform here we want event organizers to recover costs by selling tickets securely but you can imagine an event like this it does take some money and effort to facilitate and they want to recover some of these costs by selling tickets so if somebody was able to just give tickets away for free this conference could be in trouble the second important thing is we want to promise the attendees that they can like register for events purchase tickets securely without having their data stolen every time we talk about a large user base and people signing up giving us their information giving us email addresses phone calls maybe payment data depending on what we talk about selling tickets we want to make a good job of keeping that data secure right that's like the least we can do for the people who pay to attend our conference now we have looked very roughly at the thing we want to build not a question second question what can go wrong and this is where we start looking and bringing in some of the vocabulary of threat modeling right so I'm going to show you for each of the examples one example threat or threat scenario and talk a little bit about that we've talked about the secure messenger right secure communication and hostile environments so the very basic the most high level threat that we're talking about here is an oppressive regime monitors all internet communication and tries to identify political dissidents based on messages they exchange and I want to like just think about that statement for a bit right we already noticed stakes high value stakes but let's just look at like the the pattern and the vocabulary of what is going on here because these are things that you will see when you start doing threat modeling more and more usually we will start what we call a threat actor right so we assume somebody is actively doing something here we have the oppressive regime and they are doing something to do something to achieve something next you will find at least a mention of something that we consider a vulnerability right so threat actor abuses a vulnerability to do something in this case the vulnerability is very high level right if you like understand how network communication works you know that for a large scale like a government or a large internet service provider it is actually fairly easy to just look at all the traffic that is going around and just look at the data and try to collect information about the stuff that is being sent back and forth which is why secure communication is going to be important in a minute and finally we have some consequence or some impact that we describe if this threat scenario were to manifest so I have kept it here to the level of identify political dissidents you could think of actually putting in the consequence for their user right so resulting in a threat to their life and safety for example but that is like the pattern that you will see every time if you start formulating threats and threat scenarios as you progress throughout the threat model now let's look at an example threat for the online event management platform again we will see the threat actor in this case a malicious user abuses a vulnerability in our software to generate free tickets for a paid event this goes back to the security promises that we make also for our users right so you want we want you to be able to recover the cost of running a big scale event so we want to make sure that no malicious user can just give away free tickets again we have the threat actor again something when we're talking cyber security we always assume malicious intent to some degree right that is we're always looking at like an adversarial relationship from a potential attack towards your software fortunately most people that will use your software are like nice and trustworthy right unfortunately some of them aren't and it is the job of us as cyber security experts to assume this role and think okay what can go wrong assuming somebody's actively trying to do something bad again we have a very generic high-level vulnerability there is something that I completely skipped in the interest of time for this talk is to talk about the difference between like threat modeling risk assessment and vulnerability assessment if you're interested in that come talk to me later I think it's important at this stage to keep in mind in my opinion when we're doing threat modeling it is not we're not doing a vulnerability assessment we're not doing a risk assessment at this point we're focusing on the big picture to get an understanding and communicate it to our developers and our users another potential threat that we can look at for the online event management platform is a malicious attendee abuses a vulnerability in our software to access private information about the other attendees right so it's again where I talked about keeping the data of our users secure so this is another threat scenario that we could formulate and take a look at when we look at this next question and this next question question number three as I said we don't just want to admire the problem right we know oh okay we have rogue governments we have people in fear of their life people that have their data stolen why are we even doing this right why are you talking about this we are talking about this because we want to understand what can we do about it right and in the case of the messenger now we are looking at potential again at this stage high level countermeasures countermeasures that we're taking to protect our users so base security promise that we're going to make with our messenger is our messenger will implement secure and authenticated end-to-end encryption between all users to protect them right so very that is like the most basic thing that signal and telegram do here's another thing though something that at least no signal focuses on very heavily that we might not even be aware is an important thing for their threat model and that is our messenger will be easy to use for the general public so adoption is widespread and not in and of itself suspicious and if you were listening in to the conversation that was going on after the tour talk one of the things that was spoken about by tour is we really need to increase the adoption for two things right one of this we have bad users that keep using it for bad stuff and we want to increase the level of good users just to have a better reputation and not be associated mostly with this few bad users that we have but the other thing is imagine if only people that needed to use signal in order to protect their life would use signal if that was the case it would be fairly easy to identify them right because they're the only ones using signal so if you want to help right one of the things you can do is start using something like signal for your day to day communication because we want to spread adoption and that is why things like stickers reactions give implementations right where as a cyber security person we would say come on signal what are you doing right and what they are doing is making it easy for the general public to use it so adoption can get more widespread when we look at the event management platform the things that we can do here is we can focus on security sign best practices and I've just been given the five minute warning so I need to speed up a little bit and we want to undergo regular vulnerability assessment to find and fix vulnerabilities right so again at this point we're at a high level what does security sign best practices even mean we can have a good conversation about that there are good resources out there but they are like very basic security hygiene that you want to do make sure you minimize the risk of easy to exploit vulnerabilities and regularly have experts check it right I talked about quickly security assessments and risk assessments and that we are not doing that right now but what we are doing is we are identifying the need that we should probably do this in the future and this is just a starting point right what I want to do here is I give you a few questions and how what state of mind do you want to go in to start this conversation if you you want to like iterate upon it right you want to make it more concrete you can look at specific interfaces of your software specific parts of your software and refine your threat model based on that so that is going to answer the last question right did we do a good job well not yet right this was only the start but it's a good start it's very easy to get started find a bunch of people sketch out the thing that you're building ask these four questions and then start iterating upon that I want to close this talk with pointing out a few free software tools that you can use to help you with that process most of them are fairly advanced so I'm a big fan of in the beginning just start with like a whiteboard or pencil and paper and start sketching and building your threat model that way but one of the things that can help you very early in that process that I use a ton is diagrams.net right formerly drawio it's a great little free tool to just do diagrams and workflows it can be used to sketch out or digitize your sketched out software architecture dataflow diagrams which are all good documentation pieces about the thing that you want to build and finally we have three more advanced tools so I want to mention PyTM which is a pythonic framework to put your threat modeling code that is like once you have done a couple of iterations you can start putting threats and threats scenarios into code which I mean coders love code right so anything that we can do to take the conversation that we have and put it in plain text check it into a Git repository and have it as code can only be a good thing in my book so but again keep in mind this is really where it goes down to the nitty gritty on the other hand we have two like UI tools one and I want to mention even the project so the open web application security project OWASP they have a ton of resources on security one of the things that they do is called the threat dragon which you can use to build out your threat model and the other thing that I want to mention which is not OWASP is Threatile right also UI tool that you can use for these last two just personally I have to say I'm not the biggest fan of tools that are specifically developed to develop your threat model because I think you get lost in the tool rather than thinking about the things right but that's just me right I love pencil paper whiteboard if you want to take it to the next level if you're the kind of person that can benefit from a good tool that will help you along through the process these are some things that you can look at and with that I think I'm just on time if you have questions just find me outside or talk to me at the FSVE booth I'm here all the way until tomorrow evening even at the like I'm here a couple of days so if you want to reach out Thursday I'm still in Hanoi thank you for attending this talk have great fun with the rest of your sessions bye everyone the like the like presentation will start at 11 so we wait for a few minutes