LibTechConf 2016

Here are resources, credits, etc. related to my keynote at LibTechConf on March 17, 2016.

(direct link to video)

The slide deck is licensed CC BY-SA. The PDF export looked gross, though, so I haven’t posted it here. I’m happy to email you a Keynote file if you link.

General resources from the talk

• ALA Core Values of Librarianship
• Wireshark
• Here’s the video backup version of the Wireshark demo I did live.
• SIP2 protocol specs
• All about passwords: plaintext; how cryptographic hashing works; and two examples of hash functions, MD5 (not secure enough for passwords) and the SHA family of hashes (SHA-2 hashes are currently suitable for password protection; SHA-1 are not).
• LITA Patron Privacy Interest Group (and its mailing list)
• The Library Digital Privacy Pledge
• The Library Freedom Project
• The ALA Privacy Toolkit
• San José Public Library’s Virtual Privacy Lab
• The Electronic Frontier Foundation’s Surveillance Self-Defense guide

Some hard questions to ask

• “How do you store passwords?”
• Good answer: “Salted and hashed.” Or using a standard tool that performs salting and hashing, like bcrypt.
• Bad answer: Literally anything else (including “hashed, but not salted”).
• Also bad: If you ask what hash function they use and they say “MD-5” or “SHA-1”; both of these were formerly used for passwords but are no longer considered secure.
• “What’s your data retention policy?” Important because, as famed security expert Bruce Schneier points out, data is a toxic asset.
• “How do I report security vulnerabilities?” (See Heroku’s security policy for an example of a fantastic response to questions like this.)
• Good answer: “Here’s the dedicated email address you use just for security bugs (usually something like security@company.com); we have a team of people with security expertise who monitor that account and triage issues; here’s our average response time; here are our security policies.”
• Bad answer: Anything else, especially if they can’t answer at all.
• “How do you mitigate the OWASP Top 10?” (For more information on this project, check out the OWASP wiki. They also have a Top 10 Privacy Risks project.)
• Good answer: When you go down the list point-by-point, they can tell you what they do to mitigate each one. If you ask for more details, they can give you one, and they appear to know what they’re talking about. They can define the OWASP terms for you. (It’s OK if the salesperson can’t do this; it’s not OK if they can’t find an engineer who can.)
• Bad answer: Again, literally anything else.

Design credits

Design doesn’t come easily to me; I need a lot of help to make slide decks I’m happy with. Big ups to the following:

• Apple’s Keynote presentation software, which makes just about anything look good.
• Note and Point has gorgeous example slide decks. For this presentation, I particularly drew inspiration from User Experience Is Not What You Think, How to Stop Killer Robots, How To Create Slides That Rock, and Top 20 Design Myths.
• The Non-Designer’s Design Book is exactly what it says on the tin, and breaks things down into short simple rules for those of us who need to start there.
• There are a ton of great sites with tools and ideas for font selection; just search for “font pairing”. (FYI: the sans serif is Bebas Neue, the cursive is Lobster, and the monospace is Hack — which is also what I use for writing code.)

Photo credits

• implementation matters: cake wreck / Jenna (BY-SA)
• https slide: lock / Mark Fischer (BY-SA)
• End-to-end encryption slide: woman using computer / David Goehring (BY); cloud security / Perspecsys (BY-SA), via Flickr; server racks / Tristan Schmurr (BY)
• Wireshark slide: shark! / VirtualWolf (BY-SA)
• SIP2 slide: self-check machine / Ellen Forsyth (BY-SA)
• Plaintext slide: Linux password file / Christiaan Colen (BY-SA)
• Password reuse slide: social media icons; Bank / massmatt (BY) ; doctor / NEC Corporation of America (BY)
• Apple slide: Jon Rawlinson (BY)
• University of Minnesota slide: AlexiusHoratius (BY-SA)
• Library digital privacy pledge slide: computer lock / Yuri Samoilov (BY)
• Educate yourself/your patrons and talk to your techies/decisionmakers slide: the completely awesome women of color in tech stock photos by #WoCInTechChat (BY)
• Ask hard questions slide: why graffiti / Katie Sayer (BY-SA)

Bonus good stuff

These are things that, in a better world or longer time slot, would have made it into my talk.

In particular, I focused on encryption and its relationship to patron privacy. However, other issues with a huge connection between library values and technical implementation include:

• surveillance
• accessibility and universal design
• algorithmic bias
• the internet of things and its terrifyingly casual relationship to security

Also, archivists have their own set of questions relating to personal privacy and safety in their roles as stewards of the stories of specific, often still living, people and groups with diverse cultural values.

• “Architecture is Politics”, Dre Orphanides’ talk at Code4Lib 2016
• Ed Summers often writes things relating to architecture and ethics, from a web archiving perspective; see his blog, inkdroid, or his Medium posting as @edsu. The projects he’s part of, on rapid response social media archiving, may be my favorite library technology work today.
• Apple vs. FBI. (Jason Griffey blogged about this from a library perspective, if you need a crash course on the issues.)
• Windows 10: surveillance by default.
• Eric Hellman analyzes privacy in a library catalog
• Accessibility and universal design. (How-to guides from the A11y Project; guidance from Penn State on techniques, ideas, and testing methods; Cynthia Ng’s blog frequently covers accessibility and universal design from a library perspective)
• “Algorithmic Bias in Library Discovery Systems”: Matthew Reidsma’s article is scholarly, laugh-out-loud funny, and deeply disquieting.
• Internet of Things security is terrible, parts 1 and 2 of many: you can hack other hotel guests’ room via their light switches, “I bought some awful light bulbs so you don’t have to”. From the latter:

So, in summary: it’s a device that infringes my copyright, gives you root access in response to trivial credentials, has access control that depends entirely on nobody ever looking at the packets, is sufficiently poorly implemented that you can crash both it and the bulbs, has a cloud access protocol that has no security whatsoever and also acts as an easy mechanism for people to circumvent your network security. This may be the single worst device I’ve ever bought.