| author | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-09-25 14:17:51 +0300 |
|---|---|---|
| committer | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-09-25 14:17:51 +0300 |
| commit | d25070d655a7ae0c05cbf99a2a05809c5cceec29 (patch) | |
| tree | 946508fab776d6f5df2aac89e5e5eb57624a3b13 | |
| parent | 42ed311f5fe76ed6ca6f3d0ca9cc6adc5701c883 (diff) | |
| download | wmf-talks-d25070d655a7ae0c05cbf99a2a05809c5cceec29.tar.gz | |
first draft
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | 2020-09-28-yubikey.md | 234 |
| -rw-r--r-- | Human_Brain.png | bin, 0 -> 136025 bytes |
| -rw-r--r-- | YubiKey-4.png | bin, 0 -> 641683 bytes |
| -rw-r--r-- | YubiKey-5-Nano.png | bin, 0 -> 150457 bytes |

4 files changed, 52 insertions, 182 deletions
diff --git a/2020-09-28-yubikey.md b/2020-09-28-yubikey.md index 97975de..3b1b275 100644 --- a/2020-09-28-yubikey.md +++ b/2020-09-28-yubikey.md 
@@ -1,226 +1,90 @@ -# Why? +# Human brains are wholly inadequate for secrets -* I realised the following some weeks ago: - I now maintain deployment tooling for one of the most important - websites in the world. When I make a mistake, and Wikipedia goes down, - the whole world will notice. +![](Human_Brain.png) -* How can I avoid making at least some mistakes? +<!-- -* How can I avoid the New York Times and Hacker News discussing my - shortcomings? +* Passwords can be brute force guessed by an attacker. +* The only thing that helps is length. + - rules for what characters don't help nearly enough + - minimum (2010): 12 random characters +* Human-invented passwords are rarely strong. +* Humans can rarely memorise more than a couple strong passwords. + - never mind typing them correctly +* Attacker gain more raw computing power every year. Human ability to + remember longer passwords has already reached its limit. ------------------------------------------------------------------------------ - -# We have no safe place to... - -* Try changes to train tooling - -* Try out train tooling to see if it still works - -* Learn how to conduct the train - -* Experiment with changes to how we do the train - ------------------------------------------------------------------------------ - -# Theses - -* Changing `scap` or `deploy-promote` is plain old software development - -* Changing how we do the train is very similar to software development - -* We should treat the train as a software development project - ------------------------------------------------------------------------------ - -# (Controversial?) opinion on development (1/9) - -* Agile is not wrong - -* Agile is not right - -* Same for every other formal method or methodology - -* Higher stakes require more formalism - ------------------------------------------------------------------------------ - -# (Controversial?) 
opinion on development (2/9) - -* Have a rough idea of the end goal - - - this will change and become clearer the closer you get - - - that's OK, part of the process is figuring out what you (or your - users or customers or stakeholders) really, really want - - - don't obsess about getting this exactly right in the beginning - ------------------------------------------------------------------------------ - -# (Controversial?) opinion on software development (3/9) - -* Make something that sort of works to start with - - - a prototype, spike, wireframe, sketch, whatever - - - it can be limited, bad, ugly, and wrong - - - a project with a million commits starts with hello, world - ------------------------------------------------------------------------------ +Conclusion: we can't rely on passwords for security. -# (Controversial?) opinion on software development (4/9) +* Possible solutions: hardware token, password managers. -* Iterate quickly, more or less towards the end goal +--> - - have a very clear goal for each iteration - - - get feedback at the end of the iteration, to feed into forming - goals for future iterations - - - a week is usually enough for one iteration - - - many weeks is too long: too much changes in the world in that time - - - it's better to spend a week going in the wrong direction than a - month ----------------------------------------------------------------------------- -# (Controversial?) opinion on software development (5/9) - -* Experiment, make mistakes, learn - - - "what happens if I press this button?" - - - if nothing bad can happen, just press the button, and then you'll - know - - - make sure it's safe to press any button - ------------------------------------------------------------------------------ +# What are hardware security tokens? -# (Controversial?) 
opinion on software development (6/9) +![Nano](YubiKey-5-Nano.png) -* If something is painful, do it more often +<!-- ------------------------------------------------------------------------------ -# (Controversial?) opinion on software development (7/9) +* A small bit of physically secured computer that can do some + cryptography operations. + - can store secrets + - secrets can't be extracted - modulo bugs +* Typically a USB connected smart card of sort. +* Some kind of button for user interaction. -* Smooth away unnecessary friction +--> ----------------------------------------------------------------------------- -# (Controversial?) opinion on software development (8/9) +You should still use passwords. Two-factor authentication is stronger +than one-factor authentication. -* Acceptance criteria are the most important part of a software project - - - knowing what to do is harder than knowing how to do it - - - automated tests are more important that production code +Use strong passwords: randomly generated and long. Use password +managers. Use a different password for every site, application, device. ----------------------------------------------------------------------------- -# (Controversial?) opinion on software development (9/9) - -* It's not finished, until it's run repeatedly +# Why a Yubikey specifically - - can your web server handle one billion sequential trivial - read-only requests, however slowly? - - - can you conduct the train every week for a year? 
+![Big](YubiKey-4.png) ----------------------------------------------------------------------------- -# On development speed +# Use cases -* Edit, build, run, test, debug +* web: U2F, WebAuthn - - the inner loop of software development - - if the loop is slow, development is slow: changes take a long time to make +* local: disks, login -* Anything that slows down the inner loop is bad +* OpenPGP (sign, encrypt) - - if the whole world notices when you make a mistake, you are - careful making changes - - the careful developer is a slow developer - -* Software development always involves making mistakes - - - developing things quickly requires making mistakes fast - - each mistake teaches you something - - but mistakes should be cheap, safe, harmless +* SSH: via gpg-agent ----------------------------------------------------------------------------- -# train-dev +# Demo -* A safe place to make mistakes related to development tooling +* Use U2F for 2FA on gitlab.com. -* Simulates the production environment sufficiently that if things - work in train-dev, they hopefully work in production +* Store GnuPG subkeys onto Yubikey - * Does not try to be an exact replica of production +* Configure GnuPG to use Yubikey - * Will not always be "right", but "sometimes good enough" is vastly - better than "try it in production and take down Wikipedia if - you're wrong" - -* We'll make it be closer to production over time - - * Iterate, fix discrepancies as we find them + - scdaemon ----------------------------------------------------------------------------- -# Overview - -* Nested virtual machines - -* Outer VM provides an environment in which inner VMs operate in - isolation - -* Inner VMs provide the various servers and services needed to conduct - the train - - - git server ("Gerrit") - - a deploy server ("deploy1001.eqiad.wmnet") - -* The goal is to be able to run all the steps of the train inside the - train-dev environment - 
------------------------------------------------------------------------------ - -# Current status - -* The first step works - - * `scap prep 1.35.0-wmf.34` - * Real scap, not one modified for train-dev - -* Does not access the Internet outside train-dev - -* An incomplete, bad, ugly, and wrong first step - -* Let's start iterating? - ------------------------------------------------------------------------------ - -# Do please try this at home! - -* train-dev repository on Gerrit - -* `vdc/README.md` has instructions - -* <https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/tools/train-dev/+/refs/heads/master/vdc/README.md> - -* There are pre-built images that you can try, no need to build your - own. But you need to give Lars your SSH public key first so the next - build of the image will give you access the VMs. +# SEE ALSO +* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide>) +* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength) +* [`http://web.cs.wpi.edu/~guttman/cs557_website/ papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf) ----------------------------------------------------------------------------- @@ -233,10 +97,16 @@ Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence. [CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/ +Images from Injurymap, +<https://www.injurymap.com/free-human-anatomy-illustrations>, and +Yubico.com. + + + --- title: "Yubikey hardware security tokens" subtitle: "Lunch and learn" -author: "Lars Wirzenius / Wikimedia Foundation" +author: "Lars Wirzenius" date: "2020-09-28" ... diff --git a/Human_Brain.png b/Human_Brain.png Binary files differnew file mode 100644 index 0000000..f58dbf1 --- /dev/null +++ b/Human_Brain.png 
diff --git a/YubiKey-4.png b/YubiKey-4.png Binary files differnew file mode 100644 index 0000000..627d8e3 --- /dev/null +++ b/YubiKey-4.png diff --git a/YubiKey-5-Nano.png b/YubiKey-5-Nano.png Binary files differnew file mode 100644 index 0000000..5c36bde --- /dev/null +++ b/YubiKey-5-Nano.png |
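Review bot: in the first hunk (`@@ -1,226 +1,90 @@`) the first SEE ALSO entry has a stray `>` inside the link target, `(https://github.com/drduh/YubiKey-Guide>)`, so the rendered link points at a URL that does not exist; drop the `>` so the target matches the displayed text. The third entry has the opposite defect: its target is fine but the displayed text breaks the path with a space (`cs557_website/ papers/`). Two smaller points in the same hunk: the speaker notes say "Attacker gain more raw computing power" (should be "Attackers gain"), and the only statement of the token's security property, "secrets can't be extracted - modulo bugs", sits inside an HTML comment while the visible "What are hardware security tokens?" slide shows nothing but the image; since that caveat is what the audience should take away, consider promoting it to a visible bullet, and likewise the "Why a Yubikey specifically" slide currently has a title and a picture but no rationale.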
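Review bot: in the second hunk (`@@ -233,10 +97,16 @@`) the new attribution names the image sources (Injurymap and Yubico.com) but not the licence the images are under, while the surrounding context line declares the deck itself CC BY-SA 4.0; a reader cannot tell whether the Yubico product photos may be redistributed under that licence, so state each image's licence, or that it is used with permission, next to its source. Minor: the hunk adds three blank `+` lines before the YAML front matter where one would do.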