Add pdf slides to repo

dark.style

@@ -1,6 +1,6 @@
 pageSetup:
     size: null
-    width: 16cm
+    width: 12cm
     height: 9cm
     margin-top: 0cm
     margin-bottom: 0cm
@@ -44,7 +44,7 @@ styles:
 
     table-heading:
       parent: heading
-      backColor: black 
+      backColor: #666666 
       alignment : TA_LEFT
 
     code:

slides.rst

@@ -1,158 +1,175 @@
-Plotting with Matplotlib
+Surviving phishing
-------------------------
+------------------
+Password reuse, password managers and strong passwords
+======================================================
+.. contents:: :depth: 1
 
-Also creating a presentation with rst2pdf
+Why is Password Reuse a Problem?
-=========================================
+--------------------------------
+.. image:: password_reuse_1.png
+   :height: 6.5cm
 
-Data Structures
+Consider the following hypothetical users that reuse a strong password in
----------------
+most places and the following common scenario:
-Favour simpler data structures if they do what you need.  In order:
 
-#. Built-in Lists
++------------------+--------------------------+
-    - 2xN data or simpler
+| User             | Password                 |
-    - Can't install system dependencies
++==================+==========================+
-#. Numpy arrays
+| mark1@gmail.com  | QUo5Qt+1Wa/Q1smDJRDbFg== |
-    - 2 (or higher) dimensional data
++------------------+--------------------------+
-    - Lots of numerical calculations
+| mark2@gmail.com  | +9Hz+/20rVkSkbcsmgdVFw== |
-#. Pandas series/dataframes
++------------------+--------------------------+
-    - 'Data Wrangling', reshaping, merging, sorting, querying
+| mark3@gmail.com  | wnYkRcbi7Kkh7Fx2uR8EeA== |
-    - Importing from complex formats
++------------------+--------------------------+
 
-Shamelessly stolen from https://stackoverflow.com/a/45288000
+#. User registers an account with a careless service, eg Facebook, Yahoo,
-
+   Google, Equifax etc. etc.
-Loading Data from Disk
+#. The service is hacked and the password and email is leaked
-----------------------
+#. The hacker logs in to the email account
-Natively
+#. The hacker resets passwords on all important accounts tied to that email 
-========
+   address
-
-.. code-block:: python
-
-   >>> import csv
-   >>> with open('eggs.csv', newline='') as csvfile:
-   ...     spam = csv.reader(csvfile, 
-   ...                       delimiter=' ', 
-   ...                       quotechar='|')
-   ...     for row in spam:
-   ...         # Do things
-   ...         pass
-
-Loading Data from Disk
-----------------------
-Numpy
-=====
-
-.. code-block:: python
-
-   >>> import numpy
-   >>> spam = numpy.genfromtxt('eggs.csv', 
-   ...                         delimiter=' ', 
-   ...                         dtype=None) # No error handling!
-   >>> for row in spam:
-   ...     # Do things
-   ...     pass
-
-``numpy.genfromtxt`` will try to infer the datatype of each column if 
-``dtype=None`` is set.
-
-``numpy.loadtxt`` is generally faster at runtime if your data is well formated 
-(no missing values, only numerical data or constant length strings)
-
-Loading Data from Disk
-----------------------
-Numpy NB.
-=========
-**Remind me to look at some actual numpy usage at the end**
-
-- I think numpy does some type coercion when creating arrays.
-- Arrays created by ``numpy.genfromtxt`` can not in general be indexed like
-  ``data[xstart:xend, ystart:yend]``.
-- Data of unequal types are problematic!  Pandas *may* be a better choice in
-  that case.
-- Specifying some value for ``dtype`` is probably necessary in most cases in
-  practice: https://docs.scipy.org/doc/numpy/reference/arrays.dtypes.html
-
-Loading Data from Disk
-----------------------
-Pandas
-======
-
-.. code-block:: python
-
-   >>> import pandas
-   >>> # dtype=None is def
-   >>> spam = pandas.read_csv('eggs.csv',
-   ...                        delimiter=' ',
-   ...                        header=None) 
-   >>> for row in spam:
-   ...     # Do things
-   ...     pass
-
-``header=None`` is required if the flie does not have a header.
 
 
+About password strength
+-----------------------
 
-Generating Data for Testing
+How is strength measured?
----------------------------
+=========================
+'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the 
+password:
 
-Generating the data on the fly with numpy is convenient.
+.. math:: 
+        s = log_2(a^n)
 
-.. code-block:: python
+* 0889234877724602 -> 53 bits
+* ZeZJieatdH -> 60 bits
 
-   >>> import numpy.random as ran
+Why are weak passwords problematic?
-   >>> # For repeatability 
+===================================
-   >>> ran.seed(7890234) 
+Weak passwords are trivial to crack in many situations. A password with 53 bits
-   >>> # Uniform [0, 1) floats
+may be cracked by a criminal organisation in less than an hour.
-   >>> data = ran.rand(100, 2)
-   >>> # Uniform [0, 1) floats
-   >>> data = ran.rand(100, 100, 100)
-   >>> # Std. normal floats
-   >>> data = ran.randn(100)
-   >>> # 3x14x15 array of binomial ints with n = 100, p = 0.1
-   >>> data = ran.binomial(100, 0.1, (3, 14, 15))
-
-Plotting Time Series
---------------------
-
-Plot data of the form:
-
-.. math:: y=f(t)
 
 
-Subplots
+What about strong passwords?
---------
+============================
+They are difficult to remember, a problem especially when you use a different 
+strong password for every service.  You are also tempted to write them down, or 
+reuse them.
+
+It's surprisingly difficult for humans to generate good passwords!
+
+A strong password, as of 2019, has at least 80 bits of entropy.
+
+Password Managers to the Rescue!
+--------------------------------
+Password managers allow you to create a unique and strong password for every
+service.
+
+Additional benefits:
+
+* Remembers passwords for you
+* Generates passwords for you
+* Automagically fills in passwords on websites for you, this is important!
+* Makes passwords available on all your configured devices
+* Can store additional related data, usernames, answers to security questions,
+  pins for debit/credit cards
+
+Any of the mainstream password manager is equivalent in the above respects.
+
+Can you trust password managers?
+--------------------------------
+Yes*
+
+How do they keep passwords secure?
+----------------------------------
+1. User supplies a password
+2. A slow function derives an encryption key
+3. The encryption key is used to encrypt/decrypt your passwords
+
+Security of the encryption depends on the strengh of your
+password:  
+
++---------+------------------------+
+| Entropy | Time to crack,         |
+|         | assuming 1 second per  |
+|         | attempt per typical    |
+|         | CPU                    |
++=========+========================+
+| 50b     | < 1 Month              |
++---------+------------------------+
+| 60b     | ~ 50 Years             |
++---------+------------------------+
+| 70b     | ~ 50,000 yers          |
++---------+------------------------+
+
+Generating a Strong Password
+----------------------------
+Passphrases are better than passwords:
+
+* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
+* correct horse battery stable -> 44 bits of entropy, easy to remember
+
+If you have to remember it, use a passphrase.
+
+Generate passphrases with Diceware_
+===================================
+1. Roll 5, 6 sided, *physical* dice
+2. Read the numbers left to right
+3. Find the word with that number on a list 6^5 (7776) words
+4. Repeat until desired length is reached.  For a password manager, use at 
+   least 7.
+5. Write down your passphrase on paper and keep it somewhere secure
+6. If you are 100% confident that you will not forget the passphrase, destroy
+   the paper by burning
+
+What about phishing?
+====================
+* A password manager will refuse to fill out a password on a spoofed website, 
+  for instance faceb00k.com vs facebook.com
+* Using different passwords on every service protects all other services even 
+  if phishing is successful on one of them
+* Good password managers will navigate to the login page for you, reducing the
+  risk of spoofed websites
 
 
-Saving Plots
+Other advice
 ------------
+In no particular order:
 
-So far I've just displayed plots with ``plt.show()``.  You can actually save 
+* Only log in on webpages that you navigated to by typing in the url yourself,
-the plots from that interface manually, but when scripting, it's convenient
+  by searching on google, duckduckgo or some other reputable search engine or 
-to do so automatically:
+  from a bookmark.  If after clicking a link in an email you are directed to a 
-
+  log in page, it's probably a phishing attempt
-.. code-block:: python
+* Only log in to webpages that are protected by SSL/TLS (HTTPS).  Look for a 
-   
+  green address bar, or a green lock icon or similar in your browser
-   >>> # Some plotting has previously occured
+* Use two factor or two step authentication everywhere if possible
-   >>> plt.savefig('eggs.pdf', dpi=300, transparent=False)
+* Turn of automatic image rendering. Better still, disable HTML rendering and 
-
+  authoring entirely in your email client
-The output format is interpreted from the file extension.  
+* Be suspicious of *all* emails. Risky things: HTML email, images, unknown 
-The keyword arguments are optional here.  Other options exist.
+  sender, poor spelling/grammer, 'Your email client can't display this email,
-
+  click here to view in your browser' or similar attempts to coerce you to click
-Error Bars
+  on things
-----------
-
-
-Stacked Bar Graph
------------------
-
 
 Resources
 ---------
-NumPy User Guide: https://docs.scipy.org/doc/numpy/user/index.html
 
-NumPy Reference: https://docs.scipy.org/doc/numpy/reference/index.html#reference
+`EFF notes on Diceware`_ They generally have good advice for these kinds of 
+topics.
 
-Matplotlib example gallery: https://matplotlib.org/gallery/index.html
+`This Presentation`_
 
-Pandas: It probably exists.  Good luck.
+`Keepass`_, an offline password manager
 
-This presentation: https://git.friedersdorff.com/max/plotting_with_matplotlib.git
+`1Password`_, a pay to use password manager with some nice features
+
+`LastPass`_, an online password manager with a gratis tier
+
+.. _Diceware: http://world.std.com/~reinhold/diceware.html
+.. _EFF notes on Diceware: https://www.eff.org/dice
+.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt
+.. _Keepass: https://keepass.info/
+.. _1Password: https://1password.com/
+.. _LastPass: https://www.lastpass.com/
+
+
+.. target-notes::