# LCA 2016 Day 2

Another lovely morning in Hobart, with a delightful sunrise, blue-winged green parrots flying past my window, and fucking crows cawing at 5 in the morning. But that’s OK, because I’d already been awake for hours, because I couldn’t stop thinking about ideas from some of yesterday’s talks. Yes, speakers, your content gave me insomnia. For good reasons.

One person failed to be present for their spot prize, but that’s all the more for the second person out of the hat.

Please do not chase the animals for cuddles.

Something awesome: buses from the CBD to the accomodation which run into the evening. This makes getting a look at Hobart a lot easier.

Pia Waugh @PiaWaugh

“We’re at a very important tipping point… we’re in danger of reinventing the same old world with shiny new things.”

• Started as a sysadmin. Any decent sysadmin looks for the config files, and tweaking things. “I do that for society.”

• We can make choices. Accepting the status quo, doing nothing is a choice to support the status quo.

• We evolved over hundreds of thousands of years; out success was based on building our knowledge as a species, of advancing the status quo. The latency is huge, but our achievements are huge.

• We started 200,000 years ago, and improved slowly. Then we developed cities - and specialisation.

• With spare time comes philosophy, science.

• With great advancements came great surpluses, great and not-so-great leaders with power. Every so often people would revolt against bad rulers and brun everything down.

• That wasn’t a great model. It only cured the symptom of a bad ruler, not the structural problems that lead to bad rulers with power.

• Independence movements arose - the idea of rights, inalienable rights, redistributing power more broadly across society. : rights, democracy, changing things in orderly fashion.

• “Wer are individually the most powerful we’ve been in the history of our species.”

• Open source, open knowledge, these things are products of, and amplifuiers of this shift.

• We are on the cusp of an opportunity to accelerate these changes exponentially.

Pia has produced a change log for humanity (https://www.bighistoryproject.com).

• We’re more powerful than we’ve ever before.
• The rate of change is increasing.
• These structures are made by us, and we can re-make them if they’re not fit for purpose.
• These structures are made by us, and we can re-make them if they’re not fit for purpose.

We outsource thinking about things, unfortunately - we go into work and just do things thwe way they’ve always been done.

So how could the world be better?

• Property: 3D printing is a big of a fun thing, but it’s becoming more serious. We could solve a lot of problems with these tehnologies - but we’re already trying to re-impose artificial scarcity.
• The future of work: Why do we work? We’re terrified of losing our jobs. Why are we working the same amount? Why do we peg our value to our job?
• Augmentation: we’ve always augmented ourselves with clothes, makeup, tattoos. We care about normality; Pia hews to the optimistic view that as we share more it will become clear none of us are normal, and we’ll become more tolerant. Explore the limits of humanity and augmentation. Can we grow our babies in vats?
• Transport: what does the world look like if we can travel around the worlds in hours? If we set up colonies, how to we set them up?
• Global citizenship: we represent ourselves through lens of nationality. But do we feel like our nation represents are us? Nationalism is being replaced by communities - we feel more aligned to our community than our nation. (Read The Dispossessed, Pia urges us).

“There is no justice. Just us.”

We should take responsibility for building the tools for freedom, for this future, but more importantly, how do we help our fellow citizens exercise our rights? When we build decisionmaking systems, AI, whatever, what assumptions are we building into these systems?

You’re just scratching an itch? What does your doctor say about that? You need, not just symptomatic relief, but systemic fixes.

Why is our community so non-diverse?

• Who are you building for. Who aren’t you building for?
• What is the default position in society?
• What does being human mean to you?
• What do we value in society?
• What assumptions and unconcious bias do you have?
• How are you helping people help themselves?
• What should be the rights, responsibilities and roles of citizens, governments, companies, academia?

### Some Thoughts

• The observation that a lot of work is not necessary is not new; Bertrand Russel made it nearly 100 years ago; we’ve spent time mostly cascading the benefits of a high-surplus society upwards.
• We’re already in a post-scarcity society for essentials; we produce more food, globally, than we need. Hunger is a symptom of a society where we’ve decided that some people starving is OK if it avoids structural change.
• The idea that we’re immune to automation is, well, not true; not least because I’ve run into a few people who have told me I’m worthless shit because I have an infrastructure bent. Even within the priviledged microculture of LCA attendees, contempt and a desire to destroy livings are A Thing. Even if that weren’t true, being the agents of destorying the livings of others for people who aren’t interested in a post-scarcity utopia makes us useful idiots, not visionaries.
• All that said, Pia’s done a lot of awesome stuff, so perhaps her relentless optimism leads to better outcomes anyway.

## securely backing up gpg private keys.. to the cloud‽

Joey Hess

• Imagine if everyone used GPG? Wouldn’t that be great?
• Ephemeral security is great, but GPG is still great: email, backup, an encrypted journal.
• But in a world where everyone has a GPG key, everyone has a GPG backup problem.
• Backup to cloud? Well, now your key is in the cloud, not so good.
• Back up your key encrypted with GPG. Doesn’t really solve the problem.
• Paper backup: hard to back up, hard top store, hard to restore. Doesn’t help increase the number of people who can use GPG.
• Sharding your key: really easy to screw up.
• Most common: don’t actually back it up.

Keysafe is an attempt to solve the problem, and gather feedback.

• Checks to see if your key has been backed up.
• Looks for a name (your first opet etc).

To restore it takes 10 minutes to download and 25 minutes to decrypt.

Uses argon2 has the hashing algorithm and shamir secret sharing; shamir shards a secret into many pieces, and you can set a policy about the minimum number to restore (e.g. 5 shards and you only need 3 of them).

• The password cracking cost is high: even a terrible password might take 25 CPU-years to generate; a bad one might take 50,000 CPU-years to get all 256 AES keys to brute force.
• Keys are stored on keysafe servers, which are key:value database servers.

• Only accessed for Tor.
• Proof of work for access; as load goes up, time to access goes up.
• As long as 2 of 3 servers are fine, so is your password.
• Current state: the keysafe has 3,600 lines of Haskell and could use some review; reviewers welcome.

• There are three public servers committed to run 10 years. More would be good.

### Q&A

• Why is GPG not safe to backup? Because the password on your GPG is very weak - it can be cracked in a week. It’s there to give you a bit of time to revoke a stolen key, not to protect the key.
• Don’t you have an AES key backup problem? No, because it can be re-generated. It doesn’t need to be backed up.
• Can use it in a local-only mode? Yes.

## Preventing Deserialization attacks in Java applications

Jason Shepherd

### What is deserialisation?

• Mapping objects to binary, and back again; for network transmission, disk storage, and so on.
• Standard Java mechanism.

### How does the exploit work?

• Uses a gadget chain; a form of code reuse attack.
• Relies on code already in the application.
• Creates a chain of objects, with a target call and the end of the chain.
• The ysoserial toolkit is for creating gadget chains leveraging flaws in various libraries.

### Are we vulnerable?

• Many common libraries: ommons-collections, Hibernate, etc.

### How do we protect ourselves?

• Use notsoserial as part of yor test regime to find potential flaws.
• Use whitelisting for objects you’ll agree to recieve.

### Some Thoughts

The suggestion was made that moving from traditional Java serialisation to a different serialisation scheme, such as JSON, would solve the problem was made; I was disappointed that Jason agreed. I’d argue - very strongly - that serialisation bugs are a function of unsafe unpacking of data. The data format and transport is significantly less important than how you deserialise the data.

• 3 Categories of audience:
• Lay audience: the community, a user. They will not have background knowledge, jargon, or acronyms.
• Mangerial audience: may not have information about the detail, but they need information that lets them make decisions.
• Experts: they may be looking for problems; they will want citations and audiences.
• There’s also the press. Press releases are a really different audiences - have a look at The Care and Feeding of the Press
• Writing the manual? That’s a whole conference. But you could have a look at opensource.com/write-better-docs

Pick up On Writing: A Memoir of the Craft by Stephen King. It’s really good, even if you don’t like King.

Rikki Endsley

“If you want to be a writer, you must do two things above all others: read a lot and write a lot. There s no way around these two things” - Stephen King

Read examples of the kind of writing you’d like to deliver, writing by people who are doing it well.

Be clear on expectations about what people want and need; read examples that relate to those specific examples.

Consider How Your Content Might Be Re-Used:

• Write the hardest thing first. Start with the hardest thing that requires the most research.
• Re-use/re-purpose e.g. a long-form article for short form.

“An opening line should invite the reader to begin the story. It should say: Listen. Come in here. You Want to know about this.” - Stephen King

### Tell a Story

“When you write a story, you’re telling yourself the story. When you re-write the main job is to take out parts that aren’t the story.” - Stephen King

### Leave Out the Boring Parts

“This suggest cutting to speed the pace, and that’s what most of us end up having to do (kill your little darling, kill your darlings, even when it breaks your egocentric little scribbler’s heart, kill your darlings.” - Stephen King

Be focused, understand how long your audience can sustain interest for. An audience may find 500 words too long, 1,000, 2,000. The audience will determine what goes in and what becomes merely a reference to somewhere else.

A sample outline for an announcement might look like:

• Introduction.
• Brief background (state the problem).
• Share the news (explain the solution).
• Conclusion.

Whereas a tech article or tutorial might look like:

• Introduction (invite the reader in).
• Provide background.
• Share the news (the solution).
• Provide the technical detail (steps, FAQs).
• Conclusion.

### To Edit is Divine

“To write is human’ to edit is divine.” - Stephen King

Always leave time to edit; if you can’ find a reviewer; one is frank and direct in clear.

• Don’t take criticism personally.
• You don’t have to accept every change if you think the reviwer is wrong.

### Start Writing

“The scariest moment is always just before you start. After that things can only get better.” - Stephen King

### Q&A

• Should the authorial voice be present in technical writing? I m pretty old school; unless it’s personal you should be neutral so other people can take it over, but for a more personal piece - an article for example - a more individual voice can be important.
• If a clown offers me a manuscript but I have to follow him into a swer to get it, should I follow? No.

## Sorting Out the Mess: How Information Architecture Can Help

Darren Chan

Darren is an information architect for Rackspace, as part of a team of 16 people.

### What is IA?

The structural design of information of objects, with a view to being able to find information quickly and consistently. It’s talked about a lot in the UX domain, but it’s generally applicable. A supermarket has an IA designed to help you find the right types of product quickly, for example.

### Why is IA Important?

We have plenty of information, but finding what we want has become the main problem, along with interacting with it.

IA defines and implements structures depending on how information is delivered.

Understanding user behaviour is critical.

### Factors that impact IA Design

• Context - what are you trying to deliver and for who?
• Content
• Users - understanding user behaviour is critical. Some users might be looking for fixes for a production problem; others will be wanting to have a information that helps them at the start of a long-term piece of design work.

User research is important, even critical to help you understand what you need to deliver.

### Content Analysis

• Perform regular content inventories to check whether your content is sufficient, necessary, relevant.
• Be prepared to perform content audits:
• document the content
• extract analytics
• have an action plan for items

### Designing the IA

1. Collate user research data.
2. Draft topics and groupings.
3. Check the IA suits users.
4. When it feels right, get feedback from users and stakeholders.

Steps 3 and 4 should be an ongoing iteration.

### Resources

• IA For the Web and Beyond (Louis Rosenfeld, Peter Morville, Jorge Arango).

## Make More Secure Code

Jason Cohen

• Wanting to provide an overview of how to improve security through better lifecycle, design, and tooling.
• It’s a huge subject, so this is providing a starting point.
• Resources to consider: OWASP, Secur Programming with Static Analysis, SDL: A Process for Developing Demonstrably More Secure Software.

• If you develop code, you should rely less on mitigants and more on better practises.

• Consequences of failure are becoming more serious: medical devices, remotely accessible vehicles and so on.

• Government agencies are indicating they will push harder inb this area.

• Bugs aren’t shallow with enough eyes, it tuns out.
• Are enough qualified people reviewing, for example.
• The demand for exploits is growing:

• Bug bounties and crimeware are making it more lucrative.
• Intelligence agencies have their own motivation.
• It’s a systemic problem.

• e.g. universities still often don’t cover security.
• The focus on time-to-market makes it hard.
• More happily, people are making more use of tooling (static analysis, fuzzers, etc) to find problems.

• But controlling security in open source projects is hard:

### SDL - Security Development Lifecycle

Training -> Requirements -> Design -> Implementation -> Verification -> Release

You may want to tweak his for Agile.

• Study history so you don’t repeat it them.
• Do training.
• Get to know the major flaws.
• CMU have some secure code guidelines.
• Learn from similar applications.
• Defense in depth.
• Assume input is malicious.
• Make sure updates are easy.
• Make it easy for users to do the right thing.
• Look at your threat model - it’s one of the most import things you can do. Learn about the Stride model for example.
• Have and enforce code standards.
• Static code analysis asseses code without running it.
• SCA is not a repacement fo dynamic testing.

## Rage Against the Ghost in the Machine

Lilly Ryan

Lilly presents a almost-there vision of our own ghosts: as our ability to harvest and correlate metadata improves, we can reproduce pictures of ourselves more and more accurately. We can correlate the heart rate from our Fitbit with which web site we were reading to understand how we react to a Facebook post. As this becomes more and more sophisticated, building on existing machine learning and assistant technology, we could chose to create more and more realistic simulatra of ourselves. We could create chatbots that let us talk to ourselves.

We could even create ghosts for our children and grandchildren; rather than building AI constructs, we can extend Cortana with an increasingly accurate simulation of our personality that we can create a useful simulacra.

This could be an appealing idea: imagine that, when you get a terminal cancer diagnosis at 45, you can leave your children a ghost of yourself instead of a video telling them about your hopes for them.

But then Lilly invites us to consider some less appealing alternatives; sure, it would be awesome for a future great-grand child to ask us for advice long after we’ve died, but what happens if the owner of this data - Facebook or Google, not us - decides that the way to improve their customer service experience is to have our ghosts augment their assistant technology. Do we want a simulacra of ourselves to work in a call centre forever? How do we feel about the fact that Facebook owns that data? Are we happy that our descendants could be competing with our ghosts for jobs, while Facebook claim the royalties on our personality?

Lilly noted that there are some technological countermeasures - but that ultimately adblockers, cookie cleaners and so on will be in an arms race with the data gatherers; she advocates that the real solution is legal: data retention laws, metadata laws, data ownership, and so on.

## FreeIPA project update (turbo talk)

Fraser Tweedie

• FreeIPA is an identity management system.
• LDAP, Kerberos, AD integration, web UI, CA.
• The SSSD client component.

Some recent and future developments include:

• Adding sub-certs to differentiate between e.g. VPNs, client certs, and so on.
• Kerberos auth indicator. Allows selective requirement for 2FA for certain services.