summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars Wirzenius <lwirzenius@wikimedia.org>2019-04-22 08:30:06 -0500
committerLars Wirzenius <lwirzenius@wikimedia.org>2019-04-22 08:30:06 -0500
commit5e29d53d1cf83168b7e82e7c12b28c8721aeb2a6 (patch)
tree8b673ce5e189b87931e676b542e2b601b76fbb96
downloadwmf-talks-5e29d53d1cf83168b7e82e7c12b28c8721aeb2a6.tar.gz
Add: pgptalk, docmaint
-rw-r--r--docmaint.html26
-rw-r--r--docmaint.mdwn80
-rw-r--r--pgptalk.html26
-rw-r--r--pgptalk.mdwn361
4 files changed, 493 insertions, 0 deletions
diff --git a/docmaint.html b/docmaint.html
new file mode 100644
index 0000000..80b4fc5
--- /dev/null
+++ b/docmaint.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Maintaining documentation: RelEng</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+ <style type="text/css">
+ @import url(https://fonts.googleapis.com/css?family=Yanone+Kaffeesatz);
+ @import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,700,400italic);
+ @import url(https://fonts.googleapis.com/css?family=Ubuntu+Mono:400,700,400italic);
+
+ body { font-family: 'Droid Serif'; }
+ h1, h2, h3 {
+ font-family: 'Yanone Kaffeesatz';
+ font-weight: normal;
+ }
+ .remark-code, .remark-inline-code { font-family: 'Ubuntu Mono'; }
+ </style>
+ </head>
+ <body>
+ <script src="https://remarkjs.com/downloads/remark-latest.min.js" type="text/javascript">
+ </script>
+ <script type="text/javascript">
+ var slideshow = remark.create({sourceUrl: 'docmaint.mdwn'});
+ </script>
+ </body>
+</html>
diff --git a/docmaint.mdwn b/docmaint.mdwn
new file mode 100644
index 0000000..560138b
--- /dev/null
+++ b/docmaint.mdwn
@@ -0,0 +1,80 @@
+class: center, middle
+
+Maintaining documentation: RelEng
+=============================================================================
+
+What, who, how, when.
+
+---
+
+Problem
+=============================================================================
+
+The problem isn't that we have too little documentation.
+
+The problem is what we have too much, it's hard to find, and some of
+it is out of date or otherwise wrong.
+
+---
+
+A proposal
+=============================================================================
+
+* We take **ownership**.
+
+* We **write** docs.
+
+* We **maintain** docs.
+
+* We **update** docs.
+
+* We **fix** docs.
+
+* **Together**.
+
+* No question left unanswered by documentation.
+
+---
+
+class: center, middle
+
+It's more important that do documentation exists and answers questions
+that are asked than that it is great technical writing. A crappy
+document in broken English is better than nothing, as long as it
+doesn't mislead the reader.
+
+---
+
+class: left, middle
+
+**Accuracy, brevity, clarity**
+
+Simon Illyan, head of Imperial Security
+
+---
+
+In more detail
+=============================================================================
+
+* We **pick** the aspects of what we are responsible for, as a team,
+ and list the documentation that we or others need.
+
+* We **find or write** the documentation. Much of it probably already
+ exists.
+
+* We **make a list** of what we take responsibility for: if it's not
+ on the list, it's not our responsibility.
+
+* We **review** all documentation **regularly**, maybe once a quarter,
+ in a rotating fashion.
+
+* We make a **checklist** of what makes good documentation for us.
+
+* We make a **process** for dealing with other documentation that
+ touches our team's scope that we encounter. _Hunt it down and kill
+ it?_ (Or adopt it, or replace with a link to our own document?)
+
+* We make a **feedback loop** for documentation. When anyone asks
+ RelEng about anything, we check if the answer is in our
+ documentation and if not, create a task to improve the
+ documentation?
diff --git a/pgptalk.html b/pgptalk.html
new file mode 100644
index 0000000..28e6c20
--- /dev/null
+++ b/pgptalk.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>PGP</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+ <style type="text/css">
+ @import url(https://fonts.googleapis.com/css?family=Yanone+Kaffeesatz);
+ @import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,700,400italic);
+ @import url(https://fonts.googleapis.com/css?family=Ubuntu+Mono:400,700,400italic);
+
+ body { font-family: 'Droid Serif'; }
+ h1, h2, h3 {
+ font-family: 'Yanone Kaffeesatz';
+ font-weight: normal;
+ }
+ .remark-code, .remark-inline-code { font-family: 'Ubuntu Mono'; }
+ </style>
+ </head>
+ <body>
+ <script src="https://remarkjs.com/downloads/remark-latest.min.js" type="text/javascript">
+ </script>
+ <script type="text/javascript">
+ var slideshow = remark.create({sourceUrl: 'pgptalk.mdwn'});
+ </script>
+ </body>
+</html>
diff --git a/pgptalk.mdwn b/pgptalk.mdwn
new file mode 100644
index 0000000..1a08915
--- /dev/null
+++ b/pgptalk.mdwn
@@ -0,0 +1,361 @@
+class: center, middle
+
+PGP
+=============================================================================
+
+Use of unnecessary swearing while using crypto software...
+has been approved
+
+**THIS IS A DRAFT AND WILL BE USED INTERNALLY AT WORK**
+
+---
+
+Everyday uses of PGP
+=============================================================================
+
+* email: sign, encrypt (all emails I send are signed by default)
+
+* git: signed tags, signed commits (for releases)
+
+* software releases: sign your tarballs, downloadables
+
+* SSH: you can use your PGP key as an SSH key
+
+ * I use a PGP subkey on my Yubikey for SSH
+
+* amaze people at parties, be an international celebrity
+
+---
+
+Threat models
+=============================================================================
+
+* Why would anyone attack **you**?
+
+ * you, your data, or your computing resources might be valuable
+ * you might be a stepping stone to another target, such as
+ your employer
+ * you might be an easy target
+
+* An attacker may want to...
+
+ * **impersonate** you
+ * **falsify** a file you need or provide, such as a software
+ download
+ * **eavesdrop** your communications to steal sensitive information
+
+* An attacker may be...
+
+ * a government: US, UK, Russia, China, etc, possibly illegally
+ * law enforcement, possibly illegally
+ * a large private organisation, possibly your employer
+ * a criminal organisation
+ * a minor criminal
+ * someone with too much time and a twisted sense of humour
+ * someone you know who doesn't like you
+---
+
+Defences
+=============================================================================
+
+* cryptography
+
+* widespread use of cryptography ("herd immunity")
+
+* general infosec and opsec: keep your devices secure, and don't
+ do stuff that leaves you open for an attack
+
+* this can be really difficult, depending who you are and who's
+ attacking you; if you're a desirable target, you need to learn to
+ be secure, but if you're not, a few basic precautions is enough
+
+* compare with driving
+
+ * if you're just running errands, you'll be OK after normal
+ driving lessons
+ * if you're in a Formula 1 race, you need to learn a lot more and
+ work hard to even be allowed in the car
+
+* if the attacker is sufficiently motivated or sufficiently
+ well-funded, and has sufficient time, you will probably eventually
+ lose, sorry
+
+---
+
+Basics of public key cryptography
+=============================================================================
+
+* Everyone has a key pair: a **public** and a **secret** key, which
+ are linked together using advanced maths, such that data encrypted
+ with one can only be decrypted with the other
+
+ * you keep the **secret key secure** so that only you have a copy,
+ and only you can use it
+ * you **publish the public key** so that everyone can have a copy
+
+* Prove data or message is from you by **signing**: encrypt with your
+ secret key, anyone can check by decrypting with your public key
+
+* Keep communications **secret**: everyone can encrypt with your
+ public key, only you can decrypt using your secret key
+
+* RSA, ElGamal, Diffie-Hellman, elliptic curve, etc: interesting maths
+ if that's your thing, not required to be understood for using crypto
+ (this might be a little controversial)
+
+* Subkeys: the main key is kept safe and forms the identity, but
+ additional keys, linked to the main key (using advanced maths), new
+ ones can be generated at will for specific purposes, such as for
+ keeping on a laptop for email
+
+---
+
+Storing keys securely
+=============================================================================
+
+* Consider your threat models: what do you need to protect against
+
+* You should probably at least keep your main key pair off-line,
+ on a USB stick, and only use it in a device whose security you
+ trust
+
+* This can be taken into extremes, if the threat model warrants it
+
+ * Be careful you're not so secure you don't use crypto at all
+
+* Subkeys can be stored on your normal devices, since they're easy
+ to replace with new ones if they're compromised
+
+* Subkeys can also be stored on special devices for more secure key
+ storage, such as Yubikeys
+
+---
+
+Creating a key, with subkeys, with GnuPG
+=============================================================================
+
+* Install GnuPG aka GPG aka gpg, version 2.1 or later
+
+ * Linux, Mac, Windows, ...
+
+* **`gpg --gen-key`**, use defaults unless you know better
+
+* Also create subkeys, at least one for encryption and one for signing
+
+* Follow one of these:
+
+ * <https://alexcabal.com/creating-the-perfect-gpg-keypair>
+
+ * <https://blog.liw.fi/posts/2017/05/29/using_a_yubikey_4_for_ensafening_one_s_encryption/>
+
+* Remember to create a **key revocation certificate** and store that
+ somewhere safe that you can access without your PGP key
+
+---
+
+Publishing a public key
+=============================================================================
+
+* A network of key servers exist for this, to make it easy to find
+ keys
+
+* Always use full fingerprints or 64-bit ("long") key ids to refer
+ to keys
+
+ * 32-bit (8 hex digit) short ids are no longer secure, and there
+ are hoax keys with real names
+
+* **In principle** it doesn't matter which keyserver you use, the
+ built-in default should be good enough
+
+---
+
+Signing a key
+=============================================================================
+
+* You can add any names and email addresses you like to a key
+ generate; **anyone can create a new key and put your name on it;**
+ how can anyone trust any given key?
+
+* "Web of trust" vs "Trust on first use"
+
+* Keys can have signatures, which mean **"the person who signed this
+ key is confident that this key belongs to the person named in
+ the key"**
+
+ * Does *not* mean "is a trustworthy person, you should loan them
+ money and your car"
+ * "Is confident" is up to the signer, there are no rules
+
+* Key signatures are also published on the keyservers
+
+* You can tell GnuPG which keys' signatures you trust, and how
+ much, and GnuPG will tell you if you can trust a key, even if
+ you haven't signed it yourself
+
+ * compare with introducing people in real life
+ * "I trust Alice to introduce me to new people and not lie to me"
+
+---
+
+Signing a key: HOWTO, part 1
+=============================================================================
+
+* You need the fingerprint of the key you want to sign (KEYID below)
+ and to get the actual key from the keyservers; or you can get in a
+ file via email or similar
+
+ * **`gpg --recv-key KEYID`**
+ * **`gpg --import FILENAME`**
+
+* Sign key key, which is done by "editing" the key
+
+ * **`gpg --edit-key KEYID`**
+ * this will result in a **`gpg>`** prompt
+ * enter the **`sign`** command, *check the fingerprint*, answer yes
+ if you want to sign; this will ask for your key passphrase
+ * enter the **`save`** command at the prompt
+
+
+---
+
+Signing a key: HOWTO, part 2
+=============================================================================
+
+* Export and encrypt the signed key:
+
+ * **`gpg --export --armor KEYID > key.pub`**
+ * **`gpg --encrypt -r KEYID key.pub`**
+ * GnupPG may tell you that the key isn't ultimately trusted; tell
+ it to use the key anyway
+
+* Email the encrypted file **`key.pub.gpg`** (note suffix!) to the email
+ address listed on the key
+
+* This ensures the person who controls the secret key actually
+ receives email to the address given on the key
+
+
+---
+
+Receiving a signature for your key
+=============================================================================
+
+* Decrypt the email
+
+* Save the signed copy of your key to a file
+
+* Import the key: **`gpg --import FILENAME`**
+
+* Send the update key to the keyserver: **`gpg --send-key YOURKEYID`**
+
+
+
+---
+
+Signing a key: the easy way
+=============================================================================
+
+* On Debian and derived Linux distributions
+
+* **`apt install signing-party`**
+
+* **`caff FINGERPRINT`**
+
+* may require for a mail transport agent to be configured on the
+ laptop
+
+---
+
+Extending key expiration date
+=============================================================================
+
+* Every key can have an expiration date
+
+* The secret key holder can extend the expiration date
+
+* It's optional, and not terribly useful
+
+ * makes sure you don't forget how to use GnuPG
+
+ * if you lose your secret key (careless!) it warns people to not
+ use your key after it's expired
+
+* Make sure you have a revocation certificate and can get that even if
+ you lose your secret key
+
+---
+
+Using a USB stick: why?
+=============================================================================
+
+* Store main key only on USB stick
+
+* Keep USB stick physically safe
+
+ * full-disk encryption with stong passphrase
+ * maybe stored in a safe
+ * possibly guarded by armed guards with dogs
+ * castles, moats, and sharks are probably overkill
+
+* Also, only use USB stick in a computer you trust
+
+* You may want to mark all copies of the stick clearly
+
+* Have subkeys on laptop for everyday use
+
+---
+
+Using a USB stick: overall approach
+=============================================================================
+
+* GnuPG keeps everything in **`~/.gnupg`** by default, override by
+ setting the **`GNUPGHOME`** environment variable
+
+* Use this to have two GnuPG instances: **main key on a USB stick**,
+ and **subkeys on your laptop**
+
+ * format a dedicated USB stick with a suitable filesystem (e.g.,
+ **ext4**), give it a filesystem **label**, and mount it (e.g.,
+ **`/media/liw/usb-stick`**)
+ * make backup copies of the stick; probably best give each backup
+ copy a dedicated filesystem label so you know which one is which
+
+* To use the main key, set **`export GNUPGHOME=/media/liw/usb-stick`**
+ for key signing, importing signatures, creating new subkeys
+
+* For everything else, don't set the environment variable
+
+* GnuPG sometimes starts **background services**; you should **kill
+ them** when switching between keys, or you'll be confused
+
+ * **`gpgconf --kill gpg-agent`**
+ * **`gpgconf --kill dirmngr`**
+
+---
+
+Using a USB stick: moving main key
+=============================================================================
+
+* Create your PGP and subkeys normally on your laptop, mount your USB stick
+
+ * Mount point it something like **`/media/liw/usb-stick`**
+
+* Export secret subkeys to a file (on laptop)
+
+ * **`gpg --export-secret-subkeys YOURKEYID > secret.key`**
+
+* Move the laptop's GnuPG stuff to USB stick.
+
+ * **`mv ~/.gnupg /media/liw/usbstick/gnupg`**
+
+* Import the exported keys to laptop
+
+ * **`gpg --import secret.key`**
+ * this creates a new **`~/.gnupg`** directory; you may want to
+ configure it
+
+* Check results: **`gpg -K`**
+
+ * should show **`sec#`** to indicate missing main secret key
+ * should show **`ssb`** to indicate secret subkey being present