Personal and Company Security Week


#1

Motivation

Status is a decentralized organization that works on creating decentralized products for the Ethereum ecosystem. This combination introduces a drastically new paradigm for what “security” is. Instead of the traditional methodology of focusing on centralized, localized, highly-control networks and devices, we minimize such a thing and whatever infrastructure does exist lives in the cloud.

What does this mean?

In much the same way we’ve decentralized the organization and applications, we’ve done the same for security.
It means the vast majority of the attack surface is you, the people that contribute. Furthermore, the controls and information a security specialist has in terms of making decisions and monitoring how things are run is constrained.

It also means education takes a forward step in importance across the organization, and personal responsibility of quality security practices become paramount. It is up the people to understand potential threats, take preventative measures, and report any issues they come across to the security team to protect the organization as a whole.

Security Week Proposal

With all of the above in light, it seems a great idea to have a week of education and personal checklists that help an individual audit their personal practices and get on track, broken up into multiple sections that focus on certain things (structure also up for discussion). Something like the following:

Some time in advance (1-2 weeks??)

  1. purchase/upgrade personal necessary hardware (on company’s dime).
  2. Configure/set-up said hardware for personal procedures week.

Personal Security Week

  • days 1-2:
    • establish channels of communication and ground rules for what they’re used for
    • initiate personal procedures checklist (focused on personal property and asset management)
  • days 3-4:
    • continue personal procedures checklist (focused on company based interaction)
  • days 5-7:
    • initiate company-wide checklist
    • come together on company-wide practices
    • start regular interval security education series

Thoughts

Please discuss how this sounds and what we should add/remove. I’m hoping that this can be a collaborative effort across the company, and upon a successful finish, we can publish about this experience: what we learned, how we’re moving forward, and how other companies that structure themselves similarly can do the same to move the entire community forward w.r.t. security (both traditional and decentralized).

Stay safe out there!


#2

Here is a list of things that will be a part of the week. Please comment on your preferences w.r.t. inclusion/exclusion of items:

WIP compendium of tasks checklist


#3

Possible additional topics:

  • Use of VPNs
  • Recommended browsers settings and extensions (like HTTPSEverywhere) and reducing online fingerprinting
  • Recommendations to secure your OS

#4

Thanks for posting this, going to be awesome.

More ideas off the top of my head:

  1. Crypto party - https://www.cryptoparty.in/organize/howto (Prague?)
  2. Invite the community participate in this in a permission-less way
  3. Possibly some stuff from here https://ssd.eff.org/en
  4. Privacy - grok how much you leak online, e.g. https://panopticlick.eff.org/, learn intuitive basics of differential privacy, something like “three (location, time) points to identify individual”, https://33bits.wordpress.com/
  5. Use dice ware http://world.std.com/~reinhold/dicewarefaq.html
  6. Keys - understanding what a good trade-off is wrt paranoia/impractical and security/usability wrt threat model, i.e. not being intimidated by stuff like 4 shades of PGP keys and key rotation etc https://medium.com/@johnnyRose/getting-started-with-pgp-and-gpg-58c8d6c35df5 - KISS that works
  7. Soft side re security paranoia - when you are too paranoid; a word on pyramid of pain and likely attack etc; (briefly on psyops?)

#5

So I have an example of this in the wild, unfortunately the example affects me personally.

Our website www.thebitcoinpodcast.com was hacked and deleted yesterday.

This occurred through a weak password of one of our admins, which was brute forced, and gained access to. The attacker then deleted the WP entirely.

It only takes one person with a weak credential to take the entire thing down, so I’d like to belabor the point that everyone should attempt to rise the tide of the entire organization.


#6

I’d love to be sherpa’d through many of these issues with which I otherwise wouldn’t think about. Sign me up to participate.


#7

I’d find this really helpful.


#8

If we are going to have this week after Prague, we should probably ensure people can order things next week. And possibly distribute things like Yubikeys and HW wallets to people in Prague.

On that note - any recommendations for a simple and solid No-Wifi Printer?


#9

I’d shoot for a bit further after Prague, maybe two weeks after. I do agree on using Prague as the distribution place. We should make that yubikey/hardware wallet order then. It might be too late to get that many this soon.

As for printers, this is a simple quality one that I have personal attestations that it lasts for multiple years:
amazon link

That doesn’t come with a cable, and not sure where to get it overseas for various people.


#10

There’s a store in Prague that mentioned they have a limited number of: Yubikey 5 NFC, Yubikey 4 and YubiKey 4 Nano. Which device would we be looking for specifically? I don’t think we’ll be able to get one for everyone in the amount of time we have left as the stock levels are not high, but if they have a few of them I could try buying some (and maybe give priority to those living in areas where these are harder to come by?)


#11

What’s happening with this? Would be good with a follow up on when this will happen. Does everyone have material necessary?


#12

I’m trying to get things set up to get everyone necessary hardware, and move forward slowly with things that don’t require them (social media, personal hardware audit, etc).

I’m thinking as it is difficult to coordinate things across the company, moving slowly (1 concept a week) would allow everyone to complete things on their own schedules.

We’re also working with MyCrypto for an “security advent calendar” of sorts for next month, which will roll in some of our guides (that I and a few others are making).

I was also pushed back a bit due to company re-org, and travel due to a death in the family.