Last Saturday, I attended the first ORGCon North event, hosted by the Open Rights Group. Speakers included John Buckman (chair of the EFF), Loz Kaye (leader of the UK Pirate Party), lots of other excellent people and… me!
The latter half of the conference was reserved for unconference slots. This was a new idea to me, but the general principle is that sessions are proposed by regular conference-goers. There’s no obligation to actually chair a session you propose, but putting forward some idea of how the session should be run is quite important. So, what are unconference sessions about? Maybe you have something to show, or some knowledge to share? Maybe you just want to hold a discussion, gather ideas? This is the opportunity! If your proposal is appealing, others can vote on it – the highest-voted sessions are given some time and a room!
I proposed a session on good password security principles and it got accepted! I thought that it would be appropriate, given the recent high-profile exploitations of sites such as LinkedIn and Evernote, to talk about the severe implications of password breaches. You don’t only run the risk of losing your own personal information – there’s a lot more at stake. If you’re a journalist, your exclusive scoop may be stolen, or even the identities of confidential sources leaked.
In the session, we discussed how using the same password everywhere is not appropriate. With that strategy, in today’s disparate online environment, one breach can cascade into several: whoever cracks the password hashes leaked from one site simply tries the same credentials everywhere else. However, this moves the problem onto remembering all your passwords, and given the increasingly complex security requirements this problem is difficult! So, we talked about the merits and flaws of LastPass, KeePass and PwdHash. There was no clear winner here, although some preferred how PwdHash doesn’t keep a centralised list of all your passwords: it derives each site’s password from your master password and the site’s domain, so there is no vault to lose, but the same master password then protects every account.
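To make the cascade argument concrete, here is an added example (not code from the original post, and not PwdHash’s actual algorithm) of a hypothetical PwdHash-style scheme: each site’s password is derived with PBKDF2 from a master password and the site’s domain, so a breach at one site reveals nothing usable at another. The `site_key` helper and the `pwdemo:` salt prefix are my own assumptions; note in particular that reducing a hostname to its last two labels is a simplification that misfires on suffixes such as `co.uk`.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Hypothetical per-site derivation for illustration. This is NOT PwdHash's
# real algorithm; it only demonstrates the "no central list" property.

def site_key(url: str) -> str:
    """Reduce a URL or hostname to the domain the password is bound to.

    Assumption: the registrable domain is the last two labels. That is wrong
    for public suffixes like co.uk; a real tool needs the Public Suffix List.
    Binding to the registrable domain means login.example.com and
    example.com derive the same password, which is what users expect.
    """
    host = urlsplit(url).hostname or url
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def derive_password(master: str, url: str, length: int = 16,
                    iterations: int = 100_000) -> str:
    """Derive a site-specific password from the master password and domain.

    PBKDF2-HMAC-SHA256 makes offline guessing of the master password from a
    single leaked derived password expensive; the domain acts as the salt so
    two sites never share a derived password.
    """
    domain = site_key(url)
    salt = ("pwdemo:" + domain).encode()          # assumed salt format
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    # base64 gives a mix of upper, lower and digits; truncate to site limits
    return base64.b64encode(dk).decode()[:length]


def breach_cascades(master: str, breached_url: str, other_url: str) -> bool:
    """True if the password leaked at breached_url also opens other_url."""
    return derive_password(master, breached_url) == derive_password(master, other_url)


if __name__ == "__main__":
    master = "correct horse battery staple"       # constructed sample input
    for url in ("https://www.linkedin.com/login", "https://evernote.com",
                "https://login.example.com/"):
        print(site_key(url), derive_password(master, url))
    print("cascade:", breach_cascades(master, "https://linkedin.com", "https://evernote.com"))
```

The check that matters is the last line: the derived LinkedIn password never equals the derived Evernote one, so a dump of one site’s hashes does not hand the attacker the other account.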
Bruce Schneier, among others, has described the three factors of authentication: something you know (a password), something you have (a token or phone), and something you are (a fingerprint). With this in mind, I introduced the concept of two-factor authentication, which combines two of these, for example a password plus a YubiKey or a one-time code from Google Authenticator, as a means of further restricting access to online accounts: a leaked or guessed password alone is no longer enough.
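Google Authenticator implements TOTP (RFC 6238), which is HOTP (RFC 4226) keyed by the current 30-second time step. As an added example that is not part of the original post, the following implements both, plus the two checks a server must get right: a small drift window for clock skew, and refusal to accept a counter at or below the last one already used (otherwise a shoulder-surfed code is replayable for the rest of its 30 seconds). The secret, the `last_counter` bookkeeping and the function names are my own; the secret `12345678901234567890` is the RFC test key, so the expected codes are verifiable against the RFC vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret, base32-encoded the way authenticator apps expect.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # == b"12345678901234567890"


def secret_from_base32(b32: str) -> bytes:
    """Decode an authenticator-style base32 secret (pads and upper-cases)."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: float, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the matched counter, or None if the code is rejected.

    window=1 accepts the previous and next step to tolerate clock drift.
    Any counter <= last_counter is refused so an observed code cannot be
    replayed; the caller persists the returned counter as the new high-water
    mark. Comparison is constant-time to avoid leaking digit matches.
    """
    now = int(unix_time) // step
    for c in range(now - window, now + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print("code now:", totp(secret, time.time()))
    print("RFC vector t=59:", totp(secret, 59))            # 287082
    used = verify_totp(secret, "287082", 59)
    print("accepted at counter", used)
    print("replay accepted?", verify_totp(secret, "287082", 70, last_counter=used) is not None)
```

Two points worth keeping from this: the server only ever needs the shared secret and a clock, so the "something you have" is the phone holding that secret, and the high-water-mark counter is what turns a one-time code into something that is actually one-time.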
A brief diversion into the differences between http and https (it’s not just a golden padlock) led into the unnervingly common case of mixed content, where a page served over https loads scripts or other resources over plain http; anyone on the network path can then tamper with those resources and undermine the secure page. Some browsers block this by default, others will in later versions. The implications of this have been detailed wonderfully by Troy Hunt.
The session then came to a close! The one major point that, due to time constraints, I didn’t get to mention was that once cracking passwords becomes too difficult, the bad guys move the problem onwards and turn to social engineering: phishing for the password, or talking a help desk into resetting it. Vigilance is required in addition to good passwords.
I’m very thankful to the attendees for contributing so much to the conversation and I hope they all came away having learnt something new! If you’re thinking about developing your public speaking skills – I can highly recommend proposing an unconference session!