Skip to content

Latest commit

 

History

History
 
 

security

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

The security challenge is a little different - you won't be writing code. Instead, you'll be thinking about security, practicing your professional communication skills by writing about a threat model as if you were emailing a coworker. Then you'll apply what you've learned by improving your own practical personal security, and again write up what you've done (just to document it, but a good stretch goal is to make your writing even more polished and publish it as a blog post).

For both of these, turn it in by commiting a Markdown file with your writing to your fork of this repository. If you publish elsewhere, please share the link as well.

Part 1 - Understand and Communicate a Threat Model

Think of a threat model - a situation with a user (or type of user) and a context that frames their personal security preferences and situation. Concepts you should consider (and a few examples of each) include:

  • Attack surface (what tech/situation exposes them, e.g. systems they use, places they go)
  • Adversaries (who may be interested in compromising their security, e.g. criminals, pranksters)
  • Attack vectors (specifically how they may be compromised, e.g. password theft/cracking, surveillance)
  • Mitigations (what can be done to reduce the risk, e.g. 2-factor auth, encryption)

Write a summary of the overall situation as if you were going to send it as a professional email to explain it to a coworker. Please turn in a file ThreatModel.md with 1-2 paragraphs addressing the above concepts in a concise fashion.

Part 2 - Practical Security

Do something to improve your personal security setup - if you’re not using a password manager, set one up. If you’re doing that, then set up two factor for some of your accounts. If you’re doing that, then set up proper SSH keypairs for services that support it (e.g. GitHub). And you can keep going - set up a GPG keypair, consider simple dedicated hardware for second factor, set up a trusted computer/VM running only open source software, set up a "sandboxed" environment for web browsing that doesn't save state, etc.

Use the practices and approaches we learned about this week - this means pick a suitably long passphrase to protect your password manager, and think about what your threat model is and what services you want to trust with what information. Some general tips:

  • You are a software developer, which means you're a high value target (you are a potential attack vector to anyone who runs your code)
  • Unless you're working on something controversial for the political regime you reside in, the NSA/Mossad/KGB/MI5/etc. are probably not your adversaries
  • The sorts of threats you should worry about - common criminals/organized crime, botnets, malware, extortion (stealing your files, DDoS-ing your service)
  • For deciding whether or not to trust a service, consider history, reputation, and incentives, as well as what countries it operates in (which will impact the laws it is subject to, both in terms of disclosure and potential damages)

Some resources/goals:

After you do some of the above, turn in a file PracticalSecurity.md with 1-2 paragraphs summarizing what you did (remember, a good security setup doesn't depend on security through obscurity, so it should be safe to talk about it as long as you don't share actual passwords/secrets). As a stretch goal, write a blog post about your security setup describing what you’ve learned and tips you have for others.