No matter if you're a developer, designer, manager or a business owner, you're a person. And these days, being a person on the Internet can be a minefield. Phishing attacks are trying to steal your information and some of your passwords have been published on the internet. But you have to work on the Internet--living off the grid is not an option.
In this session, I will go over some common attacks that you should be aware of. Also, I will highlight some simple, practical ways to protect yourself while browsing the Internet for fun or work. No doubt, some in the room will say, "This is too hard to be secure," and others will say, "This speaker is not paranoid enough." Security is a continuum, and this is meant to be a point for you, the attendee, to evaluate your personal security practices and think about improving them.
My Experience
I am a professional web developer with 13+ years of building, launching and maintaining dozens of websites both freelance and at a design/development agency. While I am not a certified Security/IT expert and do not sell my services as a security professional, I hope that my experience in trying to understand security and keep my personal and professional work secure can be shared with you in this session.
Notes for Session Selection
- This session was presented last year at Twin Cities Drupal Camp.
- It was presented previously as a 60-minute session, but I could potentially rework it for a 30-minute slot.
All right, this is Personal Internet Security Basics, just in case you're in the wrong room. But you've been sitting here for a while, so you're probably not. My name is Dan Ficker; I'll talk about myself in a second. First we're going to go over just some ideas: what is security, how can you be more secure, mostly in a personal life, but some of these things will also apply to what you do as a profession, as a web developer. Encryption is important. Passwords are very important, and we're going to talk a lot about those. And then some other things like two-factor authentication and backups; I have a thing on that, we're not going to talk too much about it, but we're going to at least touch on it.

So, my name is Dan Ficker. I'm a customer success engineer at Pantheon. That's just a little bit about me; sometimes, apparently, I have a really long beard and long hair.
We're going to talk about passwords for a lot of the time today, and this is going to start first with a personal story for me. Back in the day, on the internet 5, 10, 20 years ago, I just used to use the same password for everything, and I've been hearing for a while, "hey, that's maybe not the best way to do it." But I do actually have a fun example. Something was wrong about a year ago: I got an email from Netflix saying "hey, you changed your email," and I'm like, did I? I don't remember doing that. Basically someone logged in to my account. I tried to log into Netflix on my phone and my computer and nothing worked; my email address and password just didn't work at all. I had to call Netflix and basically talk to them and say, hey, someone took over my account. They tried to verify with my email and the phone number, and there's no account with that name or phone number, but when I gave them my credit card they're like, oh yeah, you are paying for this account, so we'll give you access back to it. So that's not something that you want to have happen if you can help it, and thankfully, as we'll talk about later, it was just Netflix.

What really happened was, earlier that week I got this email that basically said: hey, you've got this password that you put into this iPhone app that you bought like ten years before, eight, nine years before, and we didn't actually store those passwords very well, and so, just so you know, they're out on the internet. Your password is out on the internet, and so maybe you should do something about that; basically, just don't use that password, change your password wherever it is. Thankfully Netflix was really the only place I hadn't already changed that password, mostly because I'm like, if I change that password then I have to re-log in to every single thing I have Netflix on, and I'm a computer nerd, so I have a million different devices that all have a Netflix app. So yeah, I was just playing this game and wanted to see what my score was; that's why I signed up for an account. Turns out they didn't store my account information very well, and I had just used my email address and that normal password I use for everything except for my bank. Turns out, not the best idea.

So the big lesson here really is just don't use the same password for everything, and we'll talk about some good ways to do that. Yeah... okay, yeah, sorry. Yeah, it means you have to change your passwords on lots of stuff, and have some way to manage all those passwords, and we'll talk about some solutions to do that here. The other thing I think you should take away from this story is that your password just won't stay secret at some point, if it's a password that somebody can either easily guess or spend a bunch of time trying a bunch of passwords on a computer; the latter will figure out "hey, your password was monkey123" or something like that, if it's something easy.

There's a great website, if you haven't been there yet you can totally pull it up, it's just called Have I Been Pwned, haveibeenpwned.com, and you can just put in your email address or even your password into a webpage there and it will look it up in these databases of lots of leaked information. This is actually the result I got when I put my email address in there. It says yes, my address was in an Adobe account breach; it was in these kind of other breaches of just aggregate data from a lot of different other places; I had a Bitly account and a Dropbox account that were all compromised at some point. It even tells you that your name, your password and some other things might also be on the internet, so it's nice to be aware of this. I think you could actually put your email address in there and sign up for an email notification, so any time they add some new hacked information and your email address shows up in there, you get notified. On another page there's a password section, and I definitely put in that one password that I had on my Netflix account until about a year ago, and it definitely said yes, that password does exist in the store of passwords. So you can also try some other passwords that you might use and be like, oh good, nobody knows exactly what this password is, or at least nobody has posted it on the internet where this person has aggregated it. This is just a security researcher who says, I found these stores of passwords being shared around on the dark web, and he kind of anonymizes that data to the point where you can't actually just read through the whole thing (maybe you can download it somewhere), but it lets you look through and find if your information is there, basically. So your email address and your password for some account is probably in there if you pop in your information, and this means that hackers might have it too.

One thing that really is going on now is: it used to be they'd just try to guess a bunch of passwords, guess words, guess dictionary kinds of things, and now, with all this information that they have, the hackers are kind of saying, hey, let's actually guess the most common passwords on these lists, or let's guess all the passwords we can, which might get more results. In my case actually they probably also said, oh, he has this email address and this password, let's just try it on any other thing we can. So they probably tried logging into Gmail with it, they probably tried to log into Apple with it, and thankfully, again, I didn't have the same password everywhere, so it was not too much of a problem.
So we're going to talk about ways to do better passwords. These are pretty basic, but they should probably have alphanumeric characters, even some special characters. I'd say they should be really random, because if it's just a bunch of words, or a word and then a couple numbers, that's pretty easy to guess. The idea is that if you have really long random passwords, and yes, long, 20 or 30 characters, and if they're unique for each site, then if the password gets out and it says "oh hey, Dan's password is this really long random thing," they can't try it on other websites if it's different for each website. And even according to this government recommendation from the National Institute of Standards and Technology, if everyone is using these long random passwords and some sort of system to manage those and keep track of them, then you probably don't even need to change your password every couple months. But maybe that's also a good idea to do from time to time as well, just because if it does get out there, then every once in a while you're changing it, and that would keep someone out of there.

We're going to get into a little bit of an aside, not talking about passwords for a minute but talking about encryption, because encryption is also important to keeping your data secure.
Basically, when the internet started, it was just a list of public information, just lists of resources on the web. Encryption basically is a number of different types of kind of secret codes, where you say, hey, I'm going to change everything into this certain secret code that no one else knows, but I already told you about it, so you can then decrypt that information. There's a couple different types of encryption. The first one is kind of one-way encryption, or hashing. Here on the right I have put "password1" into, I think it's a SHA-1 algorithm, and it came out with this very random-looking hexadecimal string down at the bottom, or something like that. So basically it came up with that, and this is a one-way encryption function, so if you have that string at the bottom you can't actually find out that the password is "password1" by any means. But when you go into a website and type in your password, "password1", it can do the same sort of one-way encryption thing and check, do these things match? That's actually how Drupal does store your password information. It does a couple extra things to kind of add some more randomness to just your password, but basically when you type in your password and say, hey, I think this is my password, it will actually do that same encryption algorithm and then just see, do those things match, does this match the one that's in the database? If it says no, you don't get in; if it says yes, then it says okay, you can log in to your Drupal site.
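An added example, not from the talk and not Drupal's own code: the plain SHA-1 from the slide, looked up in a constructed leaked-hash list, beside a salted and iterated hash with the same match-on-login check the speaker describes. PBKDF2 stands in here for Drupal's own "extra randomness" scheme; the leaked list is built locally from a few weak strings, not from real breach data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a leaked-password list: SHA-1 hashes of a few
# weak strings, computed locally (Have I Been Pwned keeps real ones as SHA-1).
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1", "monkey123", "qwerty")
}


def unsalted_sha1(password: str) -> str:
    """The one-way function shown on the slide: plain SHA-1, hex encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


def is_in_leak(password: str) -> bool:
    """With no salt, the same password always gives the same hash,
    so a stolen hash can simply be looked up in a leaked list."""
    return unsalted_sha1(password) in LEAKED_SHA1


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Store a random per-user salt and an iterated hash, not the password.
    Two users with the same password get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The login check from the talk: re-run the same hash with the stored
    salt and compare; compare in constant time so timing leaks nothing."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("sha1(password1) =", unsalted_sha1("password1"))
    print("in leaked list? ", is_in_leak("password1"))
    record = hash_password("password1")
    print("stored record:   ", record)
    print("login ok?        ", verify_password("password1", record))
    print("wrong password?  ", verify_password("password2", record))
```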
So I think I covered all that, but this type of encryption doesn't work for everything, because sometimes you're not just verifying that you know the right thing; you're actually trying to keep that information and get it back somehow. That's where we come to public key encryption. In public key encryption you have a public key and a private key, and I have a little diagram on the next slide. The public key is something that can be given out to everyone, and it's an encryption system where basically you could encrypt or decrypt things made with the private key. The private key you keep very, very, very secret, because if anybody gets it then they can basically impersonate you.

This is how a lot of the information is transmitted across the internet. So on computer 1 we have unencrypted data, and on computer 2 we also have unencrypted data, so you can read it. If you just transmitted that over the internet, basically anybody who is listening or watching the traffic go by could read it. Actually, right now there's a good example: if you're on the Wi-Fi at the university here, any website you visit, probably anyone else in the room with a radio could actually look and go, hey, that computer is visiting that website, with any sort of antenna on the computer, because it is not encrypted at all. So they could at least tell which websites you're visiting, what kind of traffic is coming in and out of your computer. That's maybe not that bad if you're just visiting the MidCamp site, but if you want to send more sensitive information, there's a number of different ways you can encrypt that data, and I will mention that later. Also, on Wi-Fi networks that actually have a password there's usually more encryption, although sometimes it's not the best encryption anyway. So you don't want to just send sensitive data across the internet unencrypted.

What you actually do is both ends agree: let's encrypt the data. And, let's see, actually this wouldn't be... yeah, I wrote this wrong, look at that. This would be: the server would have a private key that no one would know, but the server would then give the public key to any other computer, and so it would encrypt the information with this private key and then any person with the public key could then decrypt it. So basically the person with the public key then can also say, hey, I'm going to encrypt this information, send it through the encryption algorithm and then send it across the internet while it's encrypted, and the other computer with the private key can then decrypt that information. I hope that makes some sense.

So basically when you have encryption happening, this kind of public/private key encryption, this two-way encryption, it basically looks like random data transmitting across the internet, and so the eavesdropper is like, I don't know what that is, it just looks like a bunch of randomness that I can't read. That's a good thing, because no one else is reading what you're sending across.
We'll talk about what types of ways you are using encryption already, or not. A big one is if you're visiting a website, even like the MidCamp website; I believe most websites these days do have HTTPS, which is a version of transmitting websites over SSL encryption. So HTTPS, I think the S does stand for secure, but I could be wrong on that. Whenever you see that padlock, or that message that says you're using a secure certificate and a valid certificate between your browser and the server, it's agreeing: we know these kind of secret things and we're sending encrypted. The good thing is, these days, in the last year or a couple years, almost every website is starting to use HTTPS, and this protects you from a number of things. This verifies that you're actually getting what you expect from the server; your internet service provider, or anybody that's passing the traffic along in the middle, could, if you don't have HTTPS, be adding or modifying things. Mostly it's been Google and some other companies that have said, hey, we think everyone should be using HTTPS, Let's Encrypt and some other companies, for all the websites on the internet, and for the most part I think that's a good thing, just because you then know that you're getting the information you're looking for and not some modified information. This is changing a little bit: the browsers show a padlock next to the URL, that's the thing, usually there's some sort of padlock, but it's actually now changing to, if you don't have an SSL certificate they give you a big message next to the browser URL that says "not secure" or something like that. So they're giving you more and more warnings if you're submitting information over a non-secure connection. I think I covered a couple of these things as well.

One thing that's important to remember too, as a Drupal developer, is if you are logging into a website over an HTTP connection, most people could actually be seeing your password as you submit it, or at least getting it in a pretty easy way. Most likely there's nobody, well, I guess especially if you're at home on your ISP or at your office, most likely there's no one in your internet service provider's company that's looking at this traffic and saving a copy and saying, what kind of information can you look through for this? Maybe at a coffee shop, or a large university campus, maybe, I don't know, maybe there are some more nefarious people that want to actually get some of the information and say, oh, what can I do with this? So that's maybe another place to kind of decide: do I want to use encryption, yes, and am I actually sending my information encrypted or not?

As I've mentioned a little bit before, on the iPhones and iPads now, if you look in the Wi-Fi settings it actually does give you a big warning saying, hey, this Wi-Fi network does not have encryption, and so your information, if it's not encrypted in another format, another place, is actually being sent in the clear over the internet. That's one thing that's a little hard to tell these days with phones and apps and stuff like that. I think most of the app stores these days do recommend, or almost require, that data is sent over HTTPS or some sort of encryption, but it's hard to tell if that actually is happening, because there's no standard for a little padlock that's happening up there. But I think in general you can trust it's happening.

I would also note a couple things. The email protocol is really not that secure either. I think companies like Google, if you're just sending it between Google and Google, you know that they have a pretty secure system; if you're sending it from Google to Hotmail or something like that, it's possible... I don't understand all the email protocols these days, but I know back in the day it was probably not sent over an encrypted connection, and I don't think there's been a change to the email protocol that requires everything to be encrypted. So generally, if you're sending something over email, again, maybe no one's actually looking at it, because there's millions of emails that go everywhere every day and nobody's really looking through all that, potentially, but they could be. Another one: FTP is a pretty popular way to move files around, and that again also is not encrypted. That's why we at Pantheon will only really let you connect via SFTP, which is an SSH-encrypted connection where you can then upload and download files. So there's just a number of places where encryption is or isn't being used, and maybe find other ways to use things that could be a little bit more encrypted if you're using some of those tools.
A big one here, getting back to passwords, is a password manager. So what is a password manager? It's basically just a piece of software that is a data store of all your passwords, and generally it encrypts that on your computer, and a lot of these services I'm going to talk about will actually put that encrypted store of data up on the internet so that you can easily access it from all your devices. Another thing that's very helpful, that we'll get to, is these things help you generate random passwords and also help you log in to all your websites. So the idea is you have maybe one password, just one major password, that gets you access to all of your other passwords, a larger store of them.

Here's just a number of these. There's a couple different things and they all have pretty much the same features. One that I use is called LastPass, and they do have a version of it that's free, I think on desktops, and maybe you have to pay for premium to use it on some phone features or something. I do actually pay for the premium, I think even maybe I don't have to, because I also like to support the people that provide the software for me, and twenty, twenty-seven bucks a year is really not the most expensive way to deal with this. These prices, I haven't updated them too recently; maybe about a year ago or nine months ago, that's what I thought the prices were. If you use a lot of Apple devices there is iCloud Keychain, which is kind of a system for syncing all that. And then also KeePass, K-E-E-P-A-S-S, is an open source project that you can download and provide your own cloud, basically, and somehow sync this information between all your devices, but keep it in an encrypted store. So like I said, I use LastPass. 1Password mostly started on a Mac, but I think now they have more and more apps for all the different devices. Both LastPass and 1Password at least do have browser plug-ins for all the major browsers, even some desktop apps, or desktop apps for like Mac, and you can also log in to their website and view any of the information in your password store as well.

So that's a big overview of the features. First, you have plugin integration with all the common browsers. If you have the latest version of iOS on your phone, your iPhone or iPad, it's built into the OS that you have a password manager now; you can turn on the connection to LastPass or 1Password and it just says, oh, you want to log in with this, and it actually does the browser fill-in right there, so that works very well. Basically, with the browser plug-in, if I actually log in to any website it says, oh, I have never seen this password before, or this account, do you want to save it to the password store? And you just say yes, and then it'll try to detect when you update the password. It does offer up a random password generator, so that when you create a new account it just says, hey, it looks like you created a new account on a website, you want to put in this random password that we just generated? And it gives you lots of options to say I want 20 characters, I want 30 characters, I want numbers and stuff, because sometimes you have to tweak it a little bit, because sometimes the password or account forms on the websites are saying you have to do it this certain way.

Another thing that I definitely like is that there's a notes area in all these systems where you can put a number of other pieces of information to do with the account. If there are security questions, I'll actually put what the particular security question I selected was, and even make up a fake answer that doesn't really make any sense, because somebody could probably look up my mother's maiden name or where I was born or something if they really wanted to get into my account. So usually I'll come up with, well, you could put a random string of letters and numbers generally, but I'd say sometimes on the phone, when you call into these companies and if you have a problem with your account, they'll want to know the answers to these secret questions. So what I've been doing actually recently is just using a website on the internet, just a random word generator, and putting like four or five words in the answer that I can then keep in my notes in my password manager, so that if they say, hey, what's the answer to the question, what town were you born in? I'll give them five words that match what they have on their screen, and they'll probably think I'm a little weird because I didn't actually answer the question, but it's a more secure way, I think, of managing that. That's really a big part of password managers.

That's another good point, yeah: they will often give you that option to say, hey, do you want to check and verify all these passwords, are these all the same, or are there a bunch of accounts with the same password? Sometimes, especially if you're a web developer, you might actually have the same website on your local machine and on the internet somewhere, so maybe they do actually have the same password because you just didn't bother to change it from one environment to another. But it is a very good idea to say, hey, oh yeah, look, I do actually have this password used in three or four different places, maybe I should change a couple of those. I'd also recommend, because it is this high-security one password that you have to remember to get access to everything else, I do recommend that you change that every once in a while. I don't think you'd want to change all your passwords too often, hopefully you don't have to, but changing the password that gets into all your passwords... just make sure it's something you can remember. Yeah, that's a good tip.

Another part of what you can do to be more secure with your password manager and other things is using some multi-factor authentication.
There's different types of authentication, and there's kind of these three different big areas: there's something you know, like a password or an access code, a PIN number; there's something you have, like a card or a token or a fob or something like that; and then something you are, like a fingerprint, or what your face looks like, I guess. Or in the science fiction movies these days, you get a little pinprick and they get your DNA and verify that yes, that's you, so maybe someday; not here too much.

There's different ways you can use these other factors. One, like I mentioned, on an iPhone, instead of actually putting in your password, which if you're going to be secure should probably be kind of a long password and not just a four or six digit PIN number, if you're going to put in your password it can take a couple seconds and it's not the most fun thing to type in the world, but you could use something like Touch ID or Face ID or a fingerprint of some sort in order to get you logged in faster. I think it's a nice way to have convenience and security at the same time, basically, so you did put in your password sometime in the last hours or days, but you don't have to put it in again; you can just do some other verification that says, yes, I'm still that person who just put the password in a little bit ago, and that can be good enough. I think the one reason that they at some point will fall back to the password is if you've tried a number of times and you don't succeed, then it might say you can't actually use this factor anymore and you actually have to go back to the usual password. The one thing that can happen, I think, is there's at least some legal cases in the U.S. that say you could be coerced or forced to give your face or your fingerprint or something like that, because it isn't something that you legally have the right to say, no, I'm not going to give you that information; it is kind of more public information of who you are, to some extent. So that's one reason that maybe you don't want to use that as your main factor of authentication.

The second way to improve security is two-factor authentication, which means that both of these different factors, your password and another factor of verification, would be required to access. This is more secure because, well, just as I have a long complicated password and you have to know that, you'd also have to have this other thing that I have, that I carry with me, that isn't very easy to get a copy of. So even if they get your password, they still don't have this other thing they need to get into your system.
There's a number of different ways to do that. I actually have a little YubiKey just on my keychain, and when I log into LastPass I have to give my password, but then also plug this in and tap it, or this one also does NFC so I can just pair it with my phone, tap it up against my phone, and it will actually verify that as well. So there are a lot of different ways to do that type of thing. Your Google account and your Facebook and Twitter accounts will have an option there to say you have to open the Google, Facebook or Twitter app on this one phone device that you currently have and it verifies you, or you type in a code, that type of thing. Those are another way of verifying that you at least have this device that you said you would have when you try to log in at a new place.

I've got a number of other items here. Again, kind of about that verification that you are who you say you are: there's some problem, to some extent, that phone numbers can be a little bit insecure. I've seen and heard recordings of calls with customer service where someone says, hey, I'm this person, I can't get in my account right now, can you help me? And they make a very convincing case that they are that person, but they're not actually that person, and somehow then they get access to this other person's telephone account; they get a SIM card with their name on it, or they get the number transferred to their device. So if you have it set up to say "send me an SMS when I log in, send me a code and text it to me," they could somehow actually get this information. But also the phone system is a very large international system that doesn't really have that much security. It could be that somebody who worked at the phone company could just get your information, get your phone number, and get a copy of, get access to your account. So generally, using something like a software thing that is on your phone is better. The other thing that can be very useful is Google offers Google Authenticator, which is just a system that's out there, and then there's a number of other companies that offer this authenticator app on your phone, where it basically just gives out kind of random numbers. Instead of actually getting this sent to your phone number, it would just say, open your Authenticator app and there will be six numbers in there, and verify that that is the number you're expecting. So that's a time-based kind of verification code.
So yeah, don't do that. You know, I mean, you can do that. I think the SMS text thing works very well, but I don't think it's the most secure way to do it. There are often other options, and now with LastPass and 1Password, at least LastPass I know gives you dozens of options, really. Like, yes, you could use Google Authenticator, you could use this Yubikey that I have, you can use LastPass's own authenticator built into their iOS app and other mobile apps. So they give you a lot of options to say "yes, I want to actually use these other different factors of authentication" in addition to the password. You can even set two or three of them, and so if you only have one, if you don't have the thing that you usually have with you, then you can fall back to using something else.

Yeah, I think one thing to note about this too is when you get a new phone, if you have one of these types of apps on your phone that helps you verify, it doesn't always get transferred over with all your phone information, because it actually is stored in kind of this private information area on your phone that doesn't actually get transferred over all the time. So I would recommend, when you get a new phone, maybe make sure you still have the old phone available to verify you in order to log in, and then actually set up verification on your new device, so that you don't lock yourself out of that type of thing.

But that also brings, I think, another good point to this too: the weakest link in this type of situation is what they allow you to do if you don't actually have this second factor available. If I don't actually have this fob in my pocket, or this little Yubikey thing in my pocket, can I still get into my account? And so I have it set up, yes, I have the Google Authenticator app as my kind of backup. But if you don't actually have it, do they just say "oh hey, we'll e-mail you this" or "we'll text you this"? If that's the case, basically anyone who wants to get in your account can always... and this happens also for the forgot-password type of thing too. But anyone who wants to get in your account, if they just have this option to say "oh yeah, no, I don't actually need to know your password, I can just tell them your mother's maiden name and where you're born," then it makes it pretty easy for them to get into your account and change your password to be whatever they want. So it's a good idea to be at least aware of what ways there are of getting around these secure passwords you're making, and maybe talk to the account provider and say "hey, I'd rather that you don't offer this because it's not that secure," or, like I said, maybe make some sort of questions that don't really have the answer everyone's expecting, but it's something that you know.

Let's see, I think that's... I went through this pretty fast, I guess, but this is most of what I wanted to go through. I think this is just a couple of different ideas here at the end.

So I think a big part of security is just realizing that you have to trust various people with your information. Well, at least you probably do have to trust, at least a little bit, your internet service provider, your phone, your phone provider, iCloud or any cloud service providers. You have to kind of trust that they have, to some extent, your best interest. If you're using something like an open source system, then maybe you could verify throughout that you don't have to, but you're encrypting information before it actually gets to any sort of provider. But the company that makes your phone, the company that stores your email and that type of information, hopefully they're encrypting it and they are making it hard for their employees to just look at your information and amend it, and that type of thing. So yeah, I think there is a certain amount of, like, if you can actually encrypt all the data before it gets to those kinds of service providers, then to some extent you don't have to really trust anyone.

But yeah, I think, at least it might be a little bit hard to verify this, but LastPass says, and then 1Password too, they actually say "hey, if you forget your password, we have this random-looking encrypted data on our server, but we really can't get it back if you don't have this password," and they actually will recommend "hey, print out this sheet of kind of one-time access codes in order to recover it if you do actually forget your password." That can be a good idea. I recommend you store that in a very safe place if you do print it out.

But that's definitely one way they want to make sure you can get into your account, but also that you don't really have a way to come to them and say "hey, I got locked out because I don't remember it and I need your help." If it's this kind of situation where they say "hey, we don't even really have that information, we can't help you," it's good to be aware of when that's happening and when it's not. This is nice when you don't have to trust that everyone has your security in mind, but there's also a big downside to that: if you actually do forget the important information or lose it, then you've also lost all this information that was being stored there. So, like I say, with great power comes great responsibility. I think someone else said that before.

But now, just closing on the end here too: back up your data. If you have important data, in order to keep it secure, put it somewhere in more than one place, really. That will ensure that the data is not just completely wiped out. If you don't have that, then if something terrible happens, your data might be gone forever. Have a backup plan: back it up on site as well as off-site, and maybe even put a copy of it in a safe deposit box or vault or something, if you really want to make sure it sticks around, because sometimes data disappears.
I think that's mostly what I wanted to talk about, and I think I went through that pretty quickly, so I don't know if anybody has any questions or other ideas for security. I think that's, yeah, this is kind of what I had for just helping improve your security personally, but we could also talk about security in Drupal or something if you want to.

I don't know, that's a good question. I think, yeah, I mean, I think there's definitely a certain amount of, like, you don't want to just say "hey, you're really doing this wrong," but just nicely saying this is something that... you know, I think I do occasionally, sometimes, maybe send customers a password via email, but I think if you do that, say "hey, you should definitely change this afterward." Or sometimes there are even options within the software to say "after you use this once, then they actually do have to change this," and that type of thing. So I think it just comes down to nicely educating them to say "hey, there might be a better way to do this." But I'm not... for anybody else, any good ideas?

Honestly, the best thing I've done with older people, or the best I've been able to do, is say if you can't make it random, at least make it long. So I would recommend, use a line from a movie, use... remember. Good one, yeah. So that, you know, at least assume they can remember, but at least the longer they make it, the first care probably would be... even if it's not completely random. You know, they email me about their pets, that's a lot of times obvious, I'll be like, you know... [laughs] requesting officially do not email your meet your pastor decipher preempts them with that information sometimes they...

Just for the recording, if I just capture that real quickly: for the password, if it's not at least very random, maybe make it very long, have a long phrase, that type of thing, and that can be very helpful. I think... yeah, I'm not sure that it helps too much, in that you still have to... I mean, I think most people, even non-tech people, still have a lot of different accounts, and so I would think you'd still want to have some way to remember where you use this password, even if it's a nice long password. I think that's why I think a password manager is probably still the best solution. But I think the big message is really saying "hey, this isn't that hard to do, it's not expensive, it's not a lot of work." I mean, it's a little bit more work, but there's obviously a trade-off between being somewhat secure and having convenience, and I think it's a little bit easier than they think it is, maybe.
Yeah, there are some things that are used to... someone suggested, when they work with older people who are about the computer savvy, if they're not, the yearning will have like an address book, so he would tell them to write their passwords in their address book and the offeree, and that way they can have more than one. It helps to have it in a place that's secure and easy for them to access.

Yeah, that's definitely, I think, a good option, to have it written down somewhere, but you just have to be aware that I think it's definitely a bit of a security risk for you, carrying that around all the time, or if everyone knows all your passwords are in there. So yeah, could be... ever thought of storing that password... yeah, what's written out somewhere, it's a good idea.

Yeah, VPNs for your devices.

That's true, that VPN wherever you're at. Yep, the VPN basically encrypts the data and sends it to somewhere else that is probably more secure than where you're currently at. So, right, the VPN would go back to your house, or back to a VPN service somewhere, and it would encrypt all the data between your computer and that point, and then it sends it out as if it's coming from there.

So, awesome, do you have any suggestion for tools to be able to judge how secure your system is, like, tools?

That's a good question. I think it depends. Are you talking about just the overall system?

Yeah, test my system just a bit locally, like see how it is, or do you know of any tools that... data flow?

Hmm, I mean, there are definitely tools that you can download that will basically act as some sort of traffic sniffing tool, kind of like what hackers may be using, I don't know. But something that actually sits somewhere on your network and says "oh, I can see all this traffic moving through," and so that could be something, I guess, to identify what actually is leaving your network and what state it's in. That's good. That's probably a lot of data to go through. I think there's a lot of different tools for different places.

Actually, let's see, I do have one more slide, and this is actually a good spot to remember it. One of the places that I've learned a lot of this information is from this guy named Steve Gibson. He's a security researcher, and at his website GRC.com he does have a lot of little security tools. He's got a port scanning tool that will scan the ports on your network, on your device, and say "hey, which of these ports can you actually see from the internet?" He's got a tool about how fast your DNS is and maybe how secure the DNS information is. DNS is not too secure either, but that's another story. But he's basically a security researcher and developer, and with Leo Laporte on the TWiT network they do actually have a weekly podcast where they talk a lot about various security issues. If you go back to some of the earliest ones, they even talked about the basics of what is the internet, what is security, and they've been doing it for 13-plus years now. He's got a fun little idea for a tool too: it's using QR codes for logins on a website, so instead of actually using a username and password, you actually just use this QR code. It's a very interesting idea, and I think it's pretty good. The good question is: does that really replace passwords for lots of people, and is it actually really available?

So I think there's a lot of tools out there. I mean, if you want to talk about the security of the SSL certificate on your website, there's ssllabs.com, a place where you can scan the SSL certificates and information on your web server setup and say "hey, is this actually secure?" So I think there's a lot of different options there. I don't think there's one tool that just says "this is gonna check all of your security," unless somebody else has a good idea. But with Drupal websites and that type of thing, there are ways to add tools that say "hey, make it required that everyone has to reset their password on the website," or look at the complexity of those passwords as people are entering them. So I think there's definitely security tools for a lot of different things, but it really depends on what exactly you're looking to check the security of. Anybody else?
Well, thanks for coming out, and if you want, you can rate the session and give me some honest feedback. And if you want to come tomorrow to contribution day, even if you don't know anything about really writing code or PHP, it's always good to have contributors. We can always use help with contributing documentation and coming up with other ideas too, so just improving Drupal in many different ways. So please come out to that. Thanks.