MacSysadmin 2022: Security for Humans - Revisited A completely remastered and mostly re-written version of my MacAD.UK talk. Read about all the buzz below. This one was recorded at the Finns Sommarteater stage in front of a gapingly empty non-audience, over three days. I was interrupted by incompetence (which is where the first day went), bad timing (second day) and rain (third day), but in the end, i got a rather nice multicamera production recorded … using just one camera (because that’s all i had).

A colleague1 pinged to tell me he clicked a button in an email which he realised was not legit and that he may have done a bad thing. First of all, thank you for informing us security peeps and not hiding! This is how we all can be more secure. In my turn, i shall do my best to stay approachable and i’m grateful for anyone who steps forward in a security incident like this.

In February 2016, Bangladesh was robbed of US$101 million by cunning cyber criminals using fraudulent SWIFT transfer requests. The money was siphoned from the Bangladesh National Bank’s account at the US Federal Reserve to banks in Sri Lanka and the Philippines. Another US$850M was stopped from being transferred due to a happenstance. Check The Lazarus Heist for juicy details. What made the heist possible? Timing. Careful, thought-out execution. Ruthlessness. The bank robbery took place during a weekend of Lunar New Year festivities in South Asia, so there wasn’t really anyone on call to check and stop the transfers.

It’s surprisingly easy to share two factor authentication among your peers (depending on your definition of ‘easy’). You’ll need just a little work on the command line to prove that any of you are, in fact, you.

Adding a second layer of authentication to your account is essential for your security, but like having a lock on your door, it can lock you out when things go wrong. You really need to think of the spare keys before that happens.

Lo and behold. The cat in Schrödinger’s speaker box is alive! Or in more concrete terms, i will be speaking at Macaduk this year after all! Yes, the Macaduk organisers had dropped my request, but then, another already confirmed speaker had to cancel, so i’m on the stage again. And with a little less time that i’m entirely comfortable with. Like last time, i’m going to talk about security, but this time from a more humane perspective.

I would like to explore the idea of Humane security as an alternative to Mandated security. None of these terms exist, or, at least, are established terms from before, so allow me to explain what i mean. In traditional computer security, corporate security, public sector security, and basically any high security environment, there’s a power structure where the user is told what to do and what not to do and that’s the end of it.

Today i learned (the hard way) that doing something by hand that you usually get through automation can be really tedious. So when you Automate Everything, make sure there’s an easy manual override when needed. But that’s for another post. I’ve given my second ever presentation, which was at the Finnish Mac Admins' meet-up. The presentation was essentially the same as i did in London earlier this year, about “Government Level Security (while maintaining your sanity and humanity)”, but in Finnish.

The first time you contact an ssh server, you’re presented with a fingerprint and asked whether you want to trust the server to be who it is, based on this fingerprint. Blindly, i might add. If you’re at least a bit concerned about (usable) security, this should send a few shivers down your spine; how the heck are you supposed to know whether this fingerprint is right or not. If you’re managing your servers with ansible, this query can be inconvenient, as it stops your flow at some random place and it’s not entirely clear where it will commence.