LibTechConf 2016

Here are resources, credits, etc. related to my keynote at LibTechConf on March 17, 2016.


(direct link to video)

The slide deck is licensed CC BY-SA. The PDF export looked gross, though, so I haven’t posted it here. I’m happy to email you a Keynote file if you link.

General resources from the talk

Some hard questions to ask

  • “How do you store passwords?”
    • Good answer: “Salted and hashed.” Or using a standard tool that performs salting and hashing, like bcrypt.
    • Bad answer: Literally anything else (including “hashed, but not salted”).
    • Also bad: If you ask what hash function they use and they say “MD-5” or “SHA-1”; both of these were formerly used for passwords but are no longer considered secure.
  • “What’s your data retention policy?” Important because, as famed security expert Bruce Schneier points out, data is a toxic asset.
  • “How do I report security vulnerabilities?” (See Heroku’s security policy for an example of a fantastic response to questions like this.)
    • Good answer: “Here’s the dedicated email address you use just for security bugs (usually something like security@company.com); we have a team of people with security expertise who monitor that account and triage issues; here’s our average response time; here are our security policies.”
    • Bad answer: Anything else, especially if they can’t answer at all.
  • “How do you mitigate the OWASP Top 10?” (For more information on this project, check out the OWASP wiki. They also have a Top 10 Privacy Risks project.)
    • Good answer: When you go down the list point-by-point, they can tell you what they do to mitigate each one. If you ask for more details, they can give you one, and they appear to know what they’re talking about. They can define the OWASP terms for you. (It’s OK if the salesperson can’t do this; it’s not OK if they can’t find an engineer who can.)
    • Bad answer: Again, literally anything else.

Design credits

Design doesn’t come easily to me; I need a lot of help to make slide decks I’m happy with. Big ups to the following:

Photo credits

Bonus good stuff

These are things that, in a better world or longer time slot, would have made it into my talk.

In particular, I focused on encryption and its relationship to patron privacy. However, other issues with a huge connection between library values and technical implementation include:

  • surveillance
  • accessibility and universal design
  • algorithmic bias
  • the internet of things and its terrifyingly casual relationship to security

Also, archivists have their own set of questions relating to personal privacy and safety in their roles as stewards of the stories of specific, often still living, people and groups with diverse cultural values.

Advertisements