Micro training session
While discussing with @sakura, an idea emerged to enable journalists to learn new security concepts. As part of the journalist interview script used to better understand how they relate to communication tools, a quiz was designed[1]. It proved to be enjoyable because:

  • it reinforces concepts that are known, because articulating a one-sentence definition requires thinking
  • it is an opportunity to learn new concepts, even if superficially

It would be interesting to have a short quiz session (15 minutes? 30 minutes?) on a recurring basis in real life (install party? cryptoparty?). The speaker / tutor would ask the question, someone in the audience gives a definition, and someone in the audience asks one question to the person who gave the definition. Questions and answers are one sentence only to keep things moving quickly.

It would be an opportunity for very busy journalists or not so busy but still learning students from journalism schools to learn security concepts.

What do you think?

[1] Quiz: please define the following in one sentence. The game stops after two concepts are unknown. The interviewer provides the definitions for the concepts that are not known.

  • Encrypted e-mail
  • An encryption key
    • A public key
    • A private key
    • A key fingerprint
  • Tor
    • Tor browser
    • A .onion URL
    • HTTPS in Tor
  • 2FA
    • TOTP and HOTP
  • Live system, tails
  • Airgap machine
  • If someone steals the disk from your computer (not the whole computer), can they read your files without your password?
  • An encrypted disk versus a locked session
  • A whistleblower communication system
  • Metadata
    • file metadata
    • mobile device metadata
    • computer metadata
    • cleaning metadata on files
  • How is a USB storage key different from an SSD or a hard drive?
  • E2E
  • passphrase vs password
  • passphrase strength
  • A cryptographic signature
  • A checksum
    • Checksum collision attack
  • A threat model
    • An adversary in the context of a threat model
  • HTTP
    • HTTPS compared to HTTP
    • A referer in the context of visiting a web site
    • The logs of a website
    • The logs of an online service
  • Intrusion Detection System
  • GSM
  • GSM antenna
  • Security update for an operating system
  • Device/machine compromise
  • Malware
  • Man in the middle
  • Cloud
    • Shared hosting vs dedicated hosting
    • Hosted physical machine
    • Virtual machine
    • Self-hosted
  • Backup and restore
  • Fingerprinting of a Tor Browser
    • JavaScript
    • JavaScript virtual machine
    • What happens when a web page displays an advertisement? Where does the ad come from? How is it chosen?
  • Online service fingerprinting
  • Internet filtering
  • Internet blocking or censorship
  • What is a third party? And why does it matter for security?
  • Which third party do you need to trust when using:
    • Signal?
    • Tor?
    • HTTPS?
    • Encrypted Email?
    • Facebook?
    • Twitter?
    • Mastodon?
    • OTR?
  • Safely erasing a file or a disk
  • Perfect Forward Secrecy
  • Encryption strength
  • Brute force attack