SRCCON 2019 • July 11 & 12 in MPLS

Session Transcript:
More security trainers, please!

Session facilitator(s): Amanda Hickman, Kevin O’Gorman

Day & Time: Friday, 11:45am-1pm

Room: Thomas Swain

AMANDA: I proposed a talk on accidental security trainers who are people who come to with questions whether or not they know the answers. And Dan and Erika Ryan in their infinite wisdom were like, huh, instead of a session at SRCCON, or in addition to a session at SRCCON, we convene people in Chicago to write — create real resources for that. And I was like, sure. So we did and Kevin came out for that and has been a super active participant in, like, editing and publishing what we wrote in that convening of June 2017. And so the outcome, and the sort of guiding principles of this quickly project were, A, that there were a ton of really great privacy and security training resources out there, and one of them don’t go deep enough. I at one point was at BuzzFeed News and people were coming to me constantly and saying, hey, Amanda can you help me with PGP email? And I finally wound up making phone calls and saying, how come you guys don’t have a thing on this? And I got people doing professional training saying, okay, there’s some concrete reasons why there aren’t PGP materials out there and it’s because people don’t use it right, and people use it badly. And I was like, oh, if you’re in a universe where the way to be secure in email is probably not the greatest universe to start and I felt like there was a lot of, “You don’t need to know that. Let’s just get you the basics.”

That was super not-helpful. And so our sort of guiding principles in developing the curriculum. So what is the curriculum URL? If you look at the session or the etherpad, you can get it. And so our guiding principles were that, one we didn’t want to recreate the wheel, that we wanted to flag existing resources as much as possible, And we wanted this to be as much a new curriculum as it is a, like, excellent round-up of existing training resources, guides, handouts, articles about how to do a better job of protecting your data, security, and privacy. And the other guiding principle was that there was a lot of people doing security training well and badly and starting to sort of facilitate and foment some best practices in training, both in the sense of being a good trainer but also things that are things related to security is probably more valuable than trying to play a game of whack-a-mole and say, you shouldn’t be doing that! You’re irresponsible! Because that doesn’t help anybody. So I guess…

KEVIN: So I guess it’s a change of pace because we have a smaller group. We have live transcription going and this is a talk about security so if you want to talk about something we can pause until we restart it. The other thing is, obviously, there are, obviously, you know, no stupid questions. There are probably, in fact, Wednesday that we actually ourselves want to know the answer for. So feel free to ask about anything that pops in your head, or feel free to jot it down on a Post-It later. And if we don’t know something, we will say, we don’t know, and follow up when possible. This is a great practice anyway with security issues. You don’t want to make things up as you go along, being honest, and defining them is a good thing.

AMANDA: It’s an incredibly important practice of being ready to know what you not know. I remember a training workshop, where somebody said, do you know Google Drive best practices? And I went into threat mode and I was like, I have no fucking idea. But I would definitely need to sort of like, let’s think about your threat models and what solutions might be rather than like before I even try to begin to try to answer that question, I need to step back and do research because it’s not something that I have expertise in and so like —

KEVIN: Nothing to be ashamed of.

AMANDA: And I’ve had conversations with people that are like, stay in your lane! But given the opportunity I’m like, no, probably… no. And the other important thing as a sort of add-on to asking important questions when I do trainings is I really do encourage people to think of asking questions as, like, a community gift, right? Like, you are — if you don’t understand something, you’re probably not the only person that doesn’t understand. So, one, there are no stupid questions because if you don’t understand, it’s not a stupid question. We’re smart people here. And, two, you’re probably not the only person. So even if you’re feeling like this is a stupid question because you feel like you think if I ask this question, everyone will know that I’m a dunce, it sometimes that reframes it by saying, I know I’m asking the stupid question that everybody else is wondering. So I really like to sort of raise that as a guideline in workshops. And I teach that. So I remind people in class, too, that you should ask because you’re probably not the only person wondering and getting to the end of a three-hour class, and having everybody be like, “Yeah, I was really confused, too.” I’m like, okay. We could have done that better if somebody had spoken up. And that tends to be an issue more in classroom-classrooms but I think it’s an important guideline to use.

KEVIN: Do you want to talk about the structure of the guide at all? Just to kind of briefly kind of mention that.

AMANDA: I do not Internet. But the guide has, like, three basic chapters. There’s one entire chapter around how to be a good trainer. We would love feedback on that, input on that. It’s all in GitHub and published to a read-the-docs file. So there are lots of different ways that you can offer feedback. So that first pass is, like, focused on how to be a good trainer. The second chapter is a series of lessons that are broken down topically. Some of them are very short and very much designed to be incorporated with other lessons, or used as an icebreaker in a staff meeting, used altogether different. And the third chapter is really a round-up of big-picture resources. So a lot of, like, broad resources about, like, other security training curriculums, and great things that you should be reading he and lists. I actually don’t think there’s any lists in there. And there’s a couple of resources in the resource section.

KEVIN: Did you mention the glossary?

AMANDA: There’s actually a glossary.

KEVIN: But it’s very, very short at the moment.

AMANDA: The glossary is in the back of my mind. One of the things is a glossary with security terms with definitions with really a lot of analogies that people find useful. So it’s not like here’s a precise definition of what a key-based authentication is. But it’s more like for people who do trainings, or don’t do trainings explain key-based authentication. So we — so that’s the other thing, we’re a community resource. We’re trying really hard to continually check in with it and to make sure that everything has a date for when it’s last edited so that anyone who looks at it gets a basic sense whether or not they want to work with material that dates back to 2002. But we absolutely welcome input and more examples. There’s always room for more examples.

KEVIN: So how many people here are actually comfortable or familiar with GitHub and happy working with it? Pretty much everybody. That’s great. So one thing that we’ve actually done is, basically, obviously, the field guide itself are actually in a git repo. We have our contribution guidelines and so forth defined there, as well. So it should be pretty easy to kind of work with those if you actually ever feel like you do want to add anything into it. If you have colleagues who aren’t familiar with GitHub but they still have ideas about stuff they’d like to see included, or they have feedback about what they actually thought about guide, they’re interested getting that, too. So, obviously, that would be via email or Slack messages or whatever. So basically any way that we can get information from people and fold it in, we will take. But git is definitely the preferred one.

AMANDA: And the last thing that I want to walk you through before we huddle and make you work is one of the things in chapter one is a really good guide on how to have a good session. Some of the kind of high-level things that I think are really important out of that are, like, things to think about before a session — I think I wrote down, “Assess, assess, assess.” Going into it with a sense of with what people already know. Mostly, you’re working with folks in newsrooms, although there are other people that end up using it. But send it out a week in advance at least with some pre-work and a note about what you’re going to cover in the session. There’s a lot of suggested reading in every module. So, like, pull the things — pull two or three; don’t give them every single article.

But, like, within a week of any session, like, you should be reaching out and say, “Here’s what we’re going to be doing next week. Here’s what to expect.” Review the material for yourself. Sometimes that’s obvious, sometimes that’s not. And during the session, one, assume that half the people who come won’t have bothered to have read anything you sent them. And that’s okay. We’re not here snapping people on the back of the hand with a ruler. Our goal is a lot more people in a lot more newsrooms leveling up their security. One of the things that I’ve been thinking about a lot in terms of yesterday’s stuff is this covers a very specific column in the security world, and there’s not a lot of upset, there’s not a lot of physical security, there’s not a lot of things about physical security in here. There are a lot of really important parts about security that are not in here. And the other thing that I will super-flag is this whole guide is written very much — it’s written by Americans and Canadians, and it’s written very clearly towards a very American and Canadian landscape. I had someone talk to us about translating it into Spanish and I’m like, um, surely because you’re not going to use this on unrevised beyond translation as training for Spanish secure experts. So if you’re working with people outside the U.S., this is a good starting point, you should go deeper. That said, if you’re going deeper and working with people with resources in non-U.S. contexts, we would love to hear about those, whatever scrappy form they come in. We would love to assemble more resources for people working outside of the U.S.

AUDIENCE: So I worked with the crime and porting project in Eastern Europe and Asia for a number of years. So if you would like to talk about that, including the physical and the digital.

AMANDA: So those are some of the flags. There are a lot of things that this doesn’t cover. What this does cover is a lot of technology-based solutions that people at BuzzFeed News were asking me about, and people in other newsrooms at those convenings were like, these are the starting points that our colleagues — they really need to start at least what they’re interested in. And then follow up, right? Like, afterwards, point folks to more articles, encourage people. If there was homework, which sometimes there is… if someone was supposed to go home and implement a practice, follow up a week out, and remind them to check in whether or not they’ve made progress, and point them to a few more articles. So keep that. It’s like the lifelong version of here’s what I’m going to I say, I’m saying it, and here’s what I said. That’s a really important part of the learning process. So with that said, there are a couple of things… the other thing that I will super-duper say is any of you choose to lead a training in your newsroom and are interested or able to give me feedback, I have — we went through a whole process, and I’m still scheduling calls; I’m not done with it. But I would love to hear from you directly. So if you lead a training and you’re like, hey, I led a training, are you going to write back and say, can we talk for half an hour… I would love to talk about how to make the guide a stronger resource.

RACHEL: I wonder if this would be a good journalism starting point for starts.

AMANDA: I think it would be a good starting point. Did you teach?

RACHEL: I taught a data security class. And I did a one security lecture — I was a math major as well as a linguistics major and then I proved and attacked our essay. And so I just did math behind our essay and what is public-key cryptography. Not super useful —

AMANDA: But it’s interesting.

RACHEL: But that’s not a lot of practice, but a lot of theory.

CHRIS: I did some training at the University of Missouri for students and how do I put this — they ignored it completely because they’re 19 years old and at a U.S. university and don’t — if they are reporting, they’re reporting on the city council and they don’t see that as a risk, nor should they, right? And so a couple people got past their managers and that’s how far I’ve gotten.

RACHEL: I think I was talking more about the risks to credit cards…

CHRIS: Those are daddy’s credit cards, though.

RACHEL: More than the risk of their records being accessed.

CHRIS: That’s what I mean with the master password stuff and…

AMANDA: And that’s what I was trying to — I try not to overanalogize… if you tell students to brush their teeth for two minutes, and half of them brush their teeth, that’s good. You’ve made progress. So setting achievable goals. So there’s a whole lot of things that we probably should be doing every day and mostly I hope we’re brushing our teeth in regular intervals. But, like, exercise and stress-relief practices. So there’s a whole bunch of things that we’re not doing. One, knowing that we’re not perfect, and, two, knowing that there’s a workshop where people take a handful of steps when they leave, that’s good. If you expect everyone to leave the room totally owning it, good luck! So, like, don’t be too hard on yourself if you haven’t radically changed everyone.

KEVIN: And also giving analogies is important because people will start using it. I gave with the investigative team that I was working with at the time including the password managers. I checked in two months later, one person out of the six was using a password manager. We were having a conversation with the same team, everyone was using a password manager. So just give it time. You know, give them in the skills, should they decide to cruise with them works well.

CHRIS: My old organization started threatening to fire people if they didn’t use one.

KEVIN: I think a lot of problems with why you end up with security trainers is it’s not an organizational priority yet.

CHRIS: We had former large Soviet companies trying to get into our systems on a fairly regular basis so…

KEVIN: That’ll do it.

CHRIS: You’re at the door if you don’t use a password manager immediately.

AMANDA: So with that, our plan was sort of to break into tables but we have one. We have a choice. I haven’t actually asked you guys anything. How many of you are leading security trainings now? I know you are.

RACHEL: I talk to students but I’m not going to do this at work. We have people who do this professionally. So… I’m not gonna.

AMANDA: But would you consider doing some brown bags with students?

RACHEL: I would consider doing brown bags with students and I actually have friends who are interested. I live in Washington, and I have government people who are interested in this kind of thing.

AMANDA: Where are you with this?

BRENT: I work with St. Louis Radio and we don’t really have any standardized processes or trainings or anything. We have people who occasionally say, yeah, this might be a good idea if we did this, maybe we shouldn’t email the password. Maybe we should put it on a Google doc and share it with everyone.

CHRIS: Is that a password protected Google doc, or is it like you have the link you can read it Google doc?

BRENT: I’m not sure. So I am interested in bringing some of these best practices to that kind of environment where we don’t really have a lot of that and we’re dealing with, like — we’re part of the university system so we have to deal with them. We have our own IT people so we have to deal with that. We have to interface with NPR stuff. So we have to deal with some of that, too. So bringing it to an environment like that his kind of mixed.

KEVIN: It’s cool that you mention the IT department because I think that’s something that Apple don’t really take account of. A lot of the times people do this independently, and they’ll end up using resources that are not available to them, or they’re end up butting heads with the IT department, they’ll start installing stuff that IT department doesn’t want, so it’s good to flag that straightaway.

AUDIENCE: Hi, I’m a grad student at the University of Missouri, and I’m interested in security in general. I just got my first VPN thanks to my friend’s suggestion. So I’m just sort of getting into security stuff, so I’m just here out of curiosity. Yeah.

CHRIS: So my name is Christopher, and I used to work with the criminal and crime reporting project as a fellow in Eastern Europe and Central Asia. And now I’m at Duke University.

AUDIENCE: Outside of my day job, I’m working with people from the Philippines are part of kind of a people’s movement because there’s a lot of things going on in the Philippines right now. And so, we’re trying to get a place where writings from the Philippines and from people here in the U.S. can get out to a more mainstream audience here and a bit in Europe. So this is something that I am not quite prepared for, but this is amazing resources for me to try and just kind of protect the safety — try to, as much protect the safety of people that are in places that are dangerous for them to write these things.

KEVIN: I think this is one case where we run up against but a you mentioned earlier. Like, the threat model is going to be widely different so that’s something that you have to consider. There are I think an awful lot of resources for kind of activists’ groups and so forth. Like, you know, kind of Tibetan ex-pats might be more applicable impinge there’s a lot of stuff in ours that might be a good starting point and if you get into more dangerous situations, you can look further or look for those resources.

ARJUNA: I think it’s a starting point for us here in the U.S. to collaborate with these people to make sure that our end of what we’re doing here is not —

KEVIN: Endangering that.

ARJUNA: But yeah, I’m looking for all sorts of help.

CHRIS: There’s a group called Tactical Tech.

KEVIN: We mention them an awful lot in our resources and we actually refer to a lot of their courses, or their material in the class.

AMANDA: So I… I’m going to give folks a couple of choices and if everybody makes the same choice, that’s great. If you all take different choices, that’s fine. There are two sessions that I think would be great for everyone here to think about kind of, like, prepping for by walking through the sessions and checking about the sessions. One is Mobile App Security Settings, and other is App Hygiene. So those are two — so one choice you have is pull up your chair, pull up that lesson, read through it. Think about it sort of kind of, “Can I do this as a training?” But that also means walk through it yourself. The other option that I’m going to offer you is in our GitHub issues, which are also linked at the bottom of our etherpad, there are a bunch of tickets that are open for discussion and if you want to take a look at those, and if you’re all by yourself, you can just add some notes and thoughts on those tickets. If there’s a few of you, you can talk and decide what you want to add to the ticket.

And the third is that one of the — actually, I didn’t go back to the forensics on, like, what happened to the draft. But one of the things that got left behind the draft through this whole edit process is a whole session on, like, someone gives you a thumb drive. Like, what can you do with that thumb drive? So there’s, like, the barrast of drafts in the security training drafts, if people want to huddle and work on that. Or if there are articles that tell you what can go horribly wrong, why they shouldn’t just stick it into your computer, that would be awesome. So I’m going to kind of make some tables. I’m going to call this the “actually working through one of the workshops table.”

AUDIENCE: Could you describe those two sessions?

CHRIS: And what is the etherpad?

AMANDA: It’s on the wall.

CHRIS: Sorry. Totally missed that train.

KEVIN: It’s also on the SRCCON schedule.

AMANDA: So Mobile App Security Training walks through — and you can pick a different session because if it’s what you think is interesting. But Mobile App Security training looks at Apps have access on your phone, what has access to your microphone. And oftentimes people are like, that’s interesting. I don’t know why I installed it. And Connected App Hygiene is a basic taking a look at what stray apps that you’ve enabled access to your Twitter account, or your Google Drive and decide whether or not you actually need those. And I will say, that Connected App Hygiene is one of the more important things to walk through. It’s also a really nice icebreaker. If you’re in a staff meeting or having a staff meeting about something else, being like hey, we’re actually going to do this first because a lot of kind of orphaned apps end up being a source of exploits. And there was a really big Google Drive exploit that started with — it wasn’t actually an orphan app. It was encouraging people to — you had to enable the app to get access to. And it was very, very dramatic. But taking a look at what apps you’ve enabled is a pretty important thing to do. So I’m going to say Connected App Hygiene at this table or choose a different session if you want to. And then if you want to tackle some other issues that weren’t on the external drive question, we can head over to that table. Does that sound good? Do you want to go over there?

[ Group Work ]

So this session is done in -3 minutes. I feel like we did a lot of wrap-up here but I will just say again: the more questions — like, we’ve identified a couple of really good issues that made it into tickets but as you guys go forth and play with this stuff and realize that you have questions and realize that there’s things that aren’t clear, that’s awesome and helps asking these questions stronger. And if anyone wants to do some research and start to tackle some of the tickets that are on there, awesome.

KEVIN: I’m just going to add some contact information on the bottom of the etherpad, if you want to put any contact information, feel free to put whatever you need on there and we’ll go from there.

AMANDA: Are you going to throw my email at the bottom on there, too?

KEVIN: Yeah. Do you want the… one or…?

AMANDA: Amanda@velociraptor.info.