Episode 571 Security With Tim Nash Cell Phone Privacy and Tim’s New Course


Show Summary

This audio transcript features an interview with Tim Nash, a WordPress security expert, on the SDM Show, hosted by Rob Cairns. The discussion initially explores cell phone privacy and the implications of proposed Canadian legislation that would allow police access to data without warrants, contrasting it with existing UK laws and border control practices. The conversation then transitions to Nash’s new comprehensive WordPress security course, outlining its modules covering topics like user management, updates, browser security, server hardening, hosting, backups, monitoring, and compliance, designed for WordPress professionals seeking to enhance their security knowledge and client offerings.

Show Notes

Key Discussion Points

  • The Heatwave: Rob and Tim kick off the episode by commiserating about the current hot weather in Toronto and the UK, respectively.
  • Government Access to Data and Privacy Concerns:
    • Bill C2 in Canada: Rob raises concerns about Canada’s proposed Bill C2, which would grant police access to cell phone data without a warrant.
    • Checks and Balances: Both Rob and Tim strongly argue against unchecked access to personal data, emphasizing the potential for abuse by “bad actors” and the lack of technical savvy among some law enforcement personnel.
    • Slippery Slope: They highlight the “slippery slope” argument, fearing that granting access to cell phone data could lead to demands for banking, stock market, and health data.
    • Distinction from Border Searches: Rob clarifies that the discussion is not about border patrols searching phones, but rather government entities accessing transmitted data within a country.
    • UK Context: Tim explains that while UK police can seek court orders for phone access when someone is in custody, they cannot simply demand data from cell companies. He also notes the technical limitations of UK police in analyzing seized phones.
    • Politicians’ Understanding: Both express concern that politicians often don’t fully grasp the technical implications of the legislation they pass, citing examples from the UK’s cyber-based laws.
    • Future Implications: Tim warns that laws passed in liberal democracies, often with good intentions, can become authoritarian in future political cycles, potentially biting the politicians who initially supported them.
    • US Border Searches: They briefly touch on the increase in Canadians complaining about cell phone searches when entering the US, suggesting it’s been happening for years but is now more publicized due to political climate. They also discuss the reasons border agents might conduct searches (illegal work, smuggling, escort services) and the general desire of most agents for an easy process, unless incentivized otherwise by administration.

Tim Nash’s WordPress Security Course: WPSecurity101

  • Who Needs This Course?
    • Primarily for WordPress professionals who use WordPress daily and have admin-level access.
    • Not just for developers or system administrators, but anyone managing a WordPress site.
    • The course empowers users to implement security measures and confidently discuss security features with hosting providers.
  • Course Structure and Content:
    • The course will be released in modules every two weeks, starting with Module 2.
    • Module 1: Introduction to WordPress Security (Covers security basics, threat modeling, OWASP Top 10, common security myths).
    • Module 2: User Management (Covers user handling, temporary users, passwords, session management, MFA, SSO, auditing, magic links). This module is launching first.
    • Module 3: Updates (Focuses on safely updating WordPress, plugins, and themes, identifying security releases, and compliance with new acts like the EU and UK’s Cyber Resilience Act).
    • Module 4: Browser Security (Covers CORS, security headers, content security policies).
    • Module 5: Server Hardening (Discusses securing server setups, configuration management, SMTP, managing secrets, and API endpoints).
    • Module 6: Hosting and Backups.
    • Module 7: Monitoring and Building SIEMs (Security Information and Event Management).
    • Module 8: Compliance (Addresses GDPR, Cyber Essentials, PCI DSS, and ISO 27001 in relation to WordPress).
    • Module 9: Putting It All Together (Hands-on tutorials for building layered security).
  • Why Professionals Need It:
    • Many developers and designers lack the specific knowledge to adequately secure websites.
    • Security is everyone’s responsibility, especially for WordPress administrators.
    • The course helps professionals sell security with confidence to clients, differentiating themselves from those who offer “bulletproof security” without real substance.
  • Cost: £195 (British pounds, approximately $250 CAD).
  • Certification: Upon completion of all modules, practice quizzes, and an exam, participants receive a certificate, which Tim hopes will be a valuable addition to CVs.
  • Time Commitment: Each module has approximately three hours of video content plus written materials and recommended labs. Tim estimates that completing a module, including exercises, will take roughly two weeks. A “speedrun” of the entire course could take 15-20 hours.
  • Long-Term Vision: Tim hopes this course becomes the recommended “basic” course for anyone working professionally with WordPress, with plans for more specialized courses (e.g., incident response) in the future.

Public Service Announcements

  • Linux System Administrators: Tim advises running updates, especially for those on Ubuntu 20, due to a recently published “nasty bug” related to sudo.
  • Windows 10 Users: Rob warns Windows 10 users to start considering their options as Microsoft’s support for the operating system is nearing its end. He suggests getting a new machine for Windows 11 (especially if lacking a TPM chip) or exploring Linux as a viable desktop alternative, noting that Microsoft seems serious about ending support unlike previous extensions. Extended security support is also an option for those willing to pay.

Connect with Tim Nash

  • WPSecurity101 Course: wpsecurity101.com
  • Social Media: Bluesky, LinkedIn, Mastodon (@nash@crikey.social). He noted he does not use Twitter DMs due to spam.
  • LinkedIn Videos: Tim has also resumed creating short videos for LinkedIn.