This is a read only archive of pad.okfn.org. See the
CryptoParty - Helsinki
Friday, February 19th
Caloniuksenkatu 9D 64 00100 Helsinki
Link to the event https://www.facebook.com/events/582907025199020/
Suggested topics of discussion (please add more!!):
- Basics of crypto
- Quick overview of symmetric and asymmetric crypto
- What is end to end encryption
- What is forward secrecy
- What is deniability
- What is a digital signature / GPG Web of Trust, and why we need it
- Introduction to threat modeling
- The role of UX/UI for crypto tools (link this to "Why Johnny Can't Encrypt?" and talk about Mailvelope https://www.mailvelope.com/)
- Overview of FVEY mass/targeted surveillance techniques -- (I can suggest some pointers as lately I have been researching on this--Sid)
- Mass surveillance in Finland (!!! Are there any?--Sid)
- How to download and use Tor
- What Tor does and does not do (expand on Tor FAQ)
- How to download and use Tails
- Limitations of end to end encryption
Workshops (if anyone is interested)
- Tor setup and use
- Tails setup and use
- Signal setup and use
- GPG/keybase.io setup and use (also Mailvelope)
- What can be done about NSA hacking your computer
- Basic user research on crypto-tools
- Set up a piratebox (https://piratebox.cc/) to upload the participants' keys to the server or to seek feedback about the cryptoparty anonymously.
- Tools documentation
- Tor branch on github for UX/UI improvements
CryptoParty is a decentralized, global initiative to introduce the most basic cryptography
programs and the fundamental concepts of their operation to the general public. CryptoParties are
- free to attend,
- commercially and politically non-aligned and
- absolutely against sexual harassment and discrimination.
Again, everybody who agrees to these principles is invited. It would be nice if you
know how to turn on your computer (although not required) – and bring it with you.
Be excellent to each other is a guiding principle of CryptoParty. Wikipedia uses a somewhat similar rule,
which they call “the fundamental rule of all social spaces. Every other policy for getting along is a special
case of it.” Unlike Wikipedia, CryptoParty takes a positive approach, and avoids the practice of officially
enumerating the myriad potential special cases; “be excellent” is enough.
Doing excellent stuff at CryptoParty does not require permission or an official consensus decision. If you're
uncertain about the excellence of something you want to do, you should ask someone else what they think.
Leadership is taken by individuals for specific projects. This is called “sudo leadership” after the *nix command
sudo which allows a regular user to do one root-level, or superuser, task. In other words, if you want CryptoParty
to do something, start doing it. At times someone may take sudo leadership to take a tutorial, fix the Wi-Fi, update
the wiki, or organise the next CryptoParty.
CryptoParty is dedicated to providing a harassment-free sharing experience for everyone, regardless of gender,
sexual orientation, disability, physical appearance, body size, race, religion or technical ability. Harassment includes
- hurtful or offensive comments
- deliberate intimidation
- direct or indirect threats
- inappropriate physical contact
- unwelcome sexual attention
If you are asked to stop any harassing behavior you are expected to do so immediately. Participants who violate
the anti-harassment policy will be asked to leave, and may be permanently barred from attending future events.
As simple as possible
Cryptoparties try to bring crypto to the masses. Examples can't be too low-tech. Our focus is the attendee with only
very basic computer skills, but geeks and nerds are very welcome as well. In the end, the visitors should go home with a
running crypto toolset on their devices. There is no clear distinction between teacher and pupil. Whenever you think
you can do something useful for others, simply do it. There are people who don't even know what "encryption",
"public key" or "hash/fingerprint" means. Don't laugh at them; they know other things better than you do. Don't
tire your audience with lengthy explanations. Make sure they really understand you. Encourage them to ask
questions. If they don't get it, it's you who failed, not them.
- The right to personal anonymity, pseudonymity and privacy is a basic human right.
- Each of us has the right to a private life, a right to explore, browse and communicate with others as one wishes, without living in fear of prying eyes.
- We are here to empower people who feel that maintaining privacy on the Internet is also a personal responsibility.
- The individual alone owns the right to their identity. Only the individual may choose what they share. Coercive attempts to gain access to personal information without explicit consent are a breach of human rights. Just as governments should exist only to serve their citizens, so too cryptography should belong to the people.
- Technology should not be locked away from the people.
- Cryptography is the only way to protect information online. Since the mid-90s it has become a ubiquitous part of e-commerce.
- Major internet services already encrypt communication by default, sometimes even end-to-end.
- Surveillance cannot be separated from censorship, and the slavery it entails. Crypto is a key to our collective freedom.
- Code is speech: code is human-created language. To ban, censor or lock cryptography away from the people is to deprive human beings of a human right, the freedom of speech.
- Privacy is the right of the individual. Transparency is a requirement of governments and corporations who act in the name of the people. The opposite assignment, privacy to the government and transparency to the people, is the mark of an Orwellian police state.
End-to-end encrypted email
End-to-end encrypted chat / VoIP with computers
End-to-end encrypted instant messaging with smartphones
End-to-end encrypted video conferencing
End-to-end encrypted VoIP with smartphones
- Boxcryptor - www.boxcryptor.com (all platforms and a lot of the main cloud sharing platforms are supported, yes also for WP) Seems very user friendly. Only 2 devices for free users, if you want more you need 5 successful referrals for every extra device. https://www.boxcryptor.com/app/referral/?code=lORcvJCQ3tv0nPne (I don't understand their key export) Note that BoxCryptor CLASSIC is separate from the new Boxcryptor. The Classic version is actually a compatible port of EncFS
- Search engines that respect your privacy
- Tor browser bundle: https://securityinabox.org/en/guide/torbrowser/windows
- Tor is a bit of heavy duty open source security software that's famously used to access anonymous, hidden services (the so-called Dark Web) but, more commonly, used as a way to access the regular internet anonymously and in a way that's resistant to state surveillance.
- Tor (short for The Onion Router) works by wrapping internet traffic in three additional layers of encryption and relaying it through three Tor nodes chosen randomly from all the nodes run by volunteers. Each node knows how to decrypt exactly one layer, revealing only the next IP:
  - First node (entry node) decrypts the outermost layer.
    - It knows your IP and the middle node's IP.
    - It doesn't know the IP of the exit node or the server.
  - Middle node decrypts the middle layer of encryption.
    - It knows the IP of the entry node and the exit node.
    - It doesn't know your IP or the target server's.
  - Last node (exit node) decrypts the last layer of encryption.
    - It knows the IP of the middle node and the target server.
    - It doesn't know your IP or the entry node's.
- Anyone can set up a Tor node, and the exit node is where the last layer is stripped off. Tor itself does not encrypt your traffic to the destination! Anyone who runs an exit node can read the metadata and any unencrypted content passing through their exit node.
- Tor browser: a version of Mozilla Firefox with Tor support built in, as well as several privacy add-ons pre-installed and strong privacy settings that can be turned even tighter
- Tails: an amnesic live operating system that sends all internet traffic through Tor // were all bullets indented below intended for Tails or Tor?
- The default search engine is set to Startpage, with DuckDuckGo as the second option. Both are search engines that respect your privacy by policy, as opposed to Google, which keeps a record of everything you search for.
- Privacy is also enforced by technology
- Private browsing – in which cookies are not kept between sessions and no browsing history is recorded – is the default mode of operation.
- Browser plugins like Flash are disabled.
- There's a Tor logo button in the toolbar. This gives you access to a menu of quick options.
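To make the three-layer description concrete, here is a toy model of the onion layering, written for this page and not part of the pad or of Tor's own code. The keys, relay names and the SHA-256 keystream "cipher" are constructed stand-ins (Tor uses AES-CTR per hop with keys from a handshake); what it shows is that each relay can only peel its own layer and learns only the next hop.

```python
# Added example, not from the pad: a toy model of Tor's three onion layers.
# The "cipher" is a SHA-256 keystream XOR, illustrative only (Tor uses AES-CTR
# per hop with keys negotiated in a handshake). Keys/addresses are constructed.
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher; the same call wraps and unwraps a layer."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def build_onion(hop_keys, route, destination, payload):
    """Client: wrap the payload innermost-first. hop_keys = [entry, middle, exit]
    keys; route = [middle address, exit address]; the client talks to entry."""
    inner = json.dumps({"next": destination, "body": payload}).encode()
    onion = keystream_xor(hop_keys[2], inner)                 # exit layer
    for key, next_hop in ((hop_keys[1], route[1]), (hop_keys[0], route[0])):
        wrapped = json.dumps({"next": next_hop, "body": onion.hex()}).encode()
        onion = keystream_xor(key, wrapped)                   # middle, then entry
    return onion

def peel_layer(node_key, onion):
    """Relay: strip exactly one layer; learn only the next hop and an opaque blob."""
    layer = json.loads(keystream_xor(node_key, onion))
    return layer["next"], layer["body"]

def simulate_circuit(payload="GET / HTTP/1.1", destination="example.org"):
    """Return what each of the three relays learns from the layer it can open."""
    keys = [b"k-entry", b"k-middle", b"k-exit"]           # one secret per hop
    route = ["middle.relay", "exit.relay"]
    onion = build_onion(keys, route, destination, payload)
    seen = {}
    nxt, blob = peel_layer(keys[0], onion)                # entry: you + middle
    seen["entry"] = nxt
    nxt, blob = peel_layer(keys[1], bytes.fromhex(blob))  # middle: entry + exit
    seen["middle"] = nxt
    nxt, body = peel_layer(keys[2], bytes.fromhex(blob))  # exit: destination + plaintext
    seen["exit"] = (nxt, body)
    return seen
```

The exit relay is the only one that sees the destination and the plaintext, which is why the page's warning about exit nodes reading unencrypted content holds.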
Full Disk Encryption
What is encryption
- Art and science of protecting information
  - Confidentiality: only the recipient can read the message
  - Integrity: no one can tamper with the content in transit
  - Authenticity: the recipient knows who actually sent the message
- How does it work
  - Symmetric (secret key) encryption
    - The same key opens and closes the lock
    - How to exchange the symmetric key?
  - Public key cryptography
    - RSA encryption
      - Encryption key closes the lock
        - Public = message encryption key
        - Private = message signing key
      - Decryption key opens the lock
        - Public = digital signature verification key
        - Private = message decryption key
    - Diffie-Hellman ephemeral key exchange
      - No long-term decryption keys = forward secrecy
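The forward-secrecy point in the last item is easiest to see side by side: static Diffie-Hellman with reused long-term keys versus ephemeral Diffie-Hellman with fresh keys per session. This is an added illustration, not code from the pad; the group (p = 2^127 - 1, g = 3) is a toy parameter chosen so the arithmetic runs in plain Python, not something to deploy.

```python
# Added example, not from the pad: static vs ephemeral Diffie-Hellman, showing
# why ephemeral keys give forward secrecy. Toy group (p = 2**127 - 1, g = 3),
# illustration only; real systems use standard 2048-bit+ groups or curves.
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime, toy parameter
G = 3

def keypair():
    """Return (private, public) = (x, g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Both sides reach g^(ab) mod p; hash it into a session key."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def static_session(alice_long, bob_long):
    """Static DH: long-term keys reused, so every session derives the same key.
    Returns the key and Bob's public value as a passive recorder sees it."""
    key = shared_key(alice_long[0], bob_long[1])
    assert key == shared_key(bob_long[0], alice_long[1])
    return key, bob_long[1]

def ephemeral_session():
    """Ephemeral DH: fresh keys per session; the private parts are discarded."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = shared_key(a_priv, b_pub)
    assert key == shared_key(b_priv, a_pub)
    del a_priv, b_priv          # nothing long-lived can recompute the key
    return key, b_pub

def recorder_recovers(recorded_pub, stolen_long_priv):
    """A passive recorder who later steals a long-term private key."""
    return shared_key(stolen_long_priv, recorded_pub)

def demo():
    alice, bob = keypair(), keypair()
    k1, wire1 = static_session(alice, bob)
    k2, _ = static_session(alice, bob)
    e1, ewire1 = ephemeral_session()
    e2, _ = ephemeral_session()
    return {
        "static_repeats": k1 == k2,                                      # True
        "static_recovered": recorder_recovers(wire1, alice[0]) == k1,    # True
        "ephemeral_repeats": e1 == e2,                                   # False
        "ephemeral_recovered": recorder_recovers(ewire1, alice[0]) == e1,  # False
    }
```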
Why do we need encryption in Finland?
- Finland is proposing legislation for mass surveillance with passive collection
  - "Collect all, filter results" OR "filter during collection", we don't know.
  - Metadata: an efficient tool (excluding Tor traffic)
  - Content: useless; extra effort is needed to find unencrypted tools
  - MITM capability? Hard to say.
- Finland has a law for targeted surveillance (includes hacking)
  - Only for serious crimes
  - Police misconduct
- We are fair game for surveillance and hacking by entities such as
  - Foreign governments
    - looking for foreign political adversaries
    - stealing innovation to help domestic businesses
    - stealing state/military/diplomatic secrets / cables
    - selling data about Finns to the Finnish government
  - Organized crime
    - stealing credit card data / money from online banks
    - phishing passwords
    - mining cryptocurrency
    - extorting money
    - inserting ransomware that encrypts our data
    - stealing private documents
- Security by policy is not enough
  - Surveillance is the business model of the internet
  - The Finnish idea about ethical business is out of touch with reality
    - in the US, companies make business decisions that weigh profit against the risk of getting caught and having to pay fines
    - ruling Safe Harbour invalid changes very little
- We can't tell what kind of government we will have in the future
  - Every tyrant craves a panopticon: the ultimate enforcer
  - We should not build tools of control that are ineffective for catching terrorists
I have nothing to hide
- You're lying. You have
  - a fantastic idea for a business / patent but you're lacking the funding
    - Industrial espionage ruins competition
  - made mistakes / offences you're making up for the rest of your life
  - unknowingly broken the law
    - Society functions only if not every surgeon is jailed for possessing a lobster of the wrong size
    - Surveillance makes that possible
  - secrets your friends have trusted to you exclusively
  - client confidentiality with clients and patients
  - done legal yet humiliating things you wish nobody caught on tape
  - done illegal yet ethically sound things (homosexuality in Burma/Iran..)
  - political opinions that might make you a target of violence by extremists
  - political opinions that make you a target to those in power
    - The society we're living in was born by breaking the laws of tyrants
    - Surveillance would have made that progress impossible
  - trusted different people with different things, and you'd be horrified if all that information was brought together and used against you
  - changed the way you act when you see a police car / surveillance camera, or someone filming / taking photographs
  - changed your behaviour after realizing you're not sure if someone's watching
- Selfish attitude: what you say might damage your friends' reputation or make them a target
- "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say"
- You don't get to decide whether your political opinions make you a terrorist or not. The government decides that.
  - To you terrorism means
    - "danger to national security"
  - To governments it means
    - "danger to national interests"
    - doing something that poses meaningful challenges to our exercise of power
- Privacy is a fundamental human right.
  - You might not need a specific right, but that doesn't mean others won't need it
  - Once the right is gone, the only way to get it back might be revolution.
    - Having no privacy makes it easy to find the ones willing to stand up
- Saying that is a coping mechanism
  - People instinctively solve the privacy problems they can
    - They cover their smartphone screens when someone sits next to them
    - They pull the curtains in front of windows
    - They lock the door when using the toilet, even when they're alone
    - They lower their voice when talking privately
    - They clear browsing history / use incognito mode
    - They use strong passwords
  - People cope with problems they can't solve
    - Surveillance by powerful entities is a more complex issue and technical protection is hard
    - Resisting only makes it worse, you'll look suspicious
- "I don't stand out therefore they won't investigate me."
  - Fallacy. Everyone. Everyone. Everyone is monitored if it's possible
  - Even if you're a saint, your information is valuable to others
    - Your information will be part of a data package exchanged between companies. It has value in itself, even if you can't sell it yourself
    - Your information can empower others: gerrymandering
- Greenwald: an extreme act of self-deprecation
  - "I'm such a harmless, unthreatening, uninteresting person that I don't care if the government knows what I'm doing"
  - Even if you decide you never want to be a dissident, society benefits from others who resist orthodoxy
- Rosa Luxemburg:
  - "He who does not move does not notice his chains"
- But isn't encryption helping criminals?
  - So are cars and roads
  - ...and oxygen
- There are many ways to bypass encryption
  - Hack the computer (bulk CNE is the trend)
    - Listen to an encrypted phone call via the laptop microphone
    - Listen to an encrypted phone call via Hello Barbie / Imgur on Toast 3000 etc.
    - The paper by Schneier and Landau talks about the rise of IoT and how "going dark" is not the reality
  - Targeted implants
    - Wireless bridges
    - Retro reflectors
    - Hidden cameras / microphones
  - Targeted eavesdropping
- But these attacks mean encryption is useless!
  - No. Targeting requires them to spend more resources per target, hopefully focusing on terrorists
  - The challenge is determining how much effort everyone needs to put in to make mass surveillance of everyone impractical
- Our intelligence services are failing us regardless of existing encryption
  - Paris: unencrypted messages by known suspects were not detected by Frenchelon, one of the most powerful surveillance systems in the world.
  - The NSA runs its own DISHFIRE program that collects SMS too, yet the largest intelligence agency failed to detect the attack
So many apps, what should I use?
- Algorithm design
  - Kerckhoffs' principle
    - The algorithm, software and hardware are known to the adversary
    - Only the message and the encryption key are secret
- Software design
  - Proprietary software
    - Can't view the source
    - Can't fix problems
  - Open source software
    - Can view the source
      - You can tell if it's vulnerable / badly designed
      - You can make an informed choice and vote with your feet
    - Can't fix problems
  - Free and open source software
    - Can view the source
      - You can tell if it's vulnerable / badly designed
    - Can fix problems
- Key security
  - Who has access to the private keys that protect messages?
    - KIK messenger
    - Yahoo Messenger
  - Who controls the authenticity of public keys (who selects the encryption key for you)?
    - Proprietary key servers (fake end-to-end encryption)
    - Users (true end-to-end encryption). How to tell: fingerprints
      - Conversations (2.5€)
      - Gajim plugin
      - Tor Messenger
      - Adium (addon)
      - Pidgin (addon)
      - Thunderbird (Enigmail addon)
Telegram (Bad design)
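The "how to tell: fingerprints" point above, as an added illustration that is not from the pad or from any of the listed apps: a client that trusts whatever key the provider's server hands out versus one that compares the key's fingerprint with one checked in person. The keys and the key server are constructed stand-ins.

```python
# Added example, not from the pad: telling true from fake end-to-end encryption
# by checking fingerprints. Keys are constructed byte strings standing in for
# real public keys; the "key server" is a dict the provider controls.
import hashlib

BOB_KEY = b"constructed public key of bob"
MALLORY_KEY = b"constructed public key of mallory"

def fingerprint(public_key: bytes) -> str:
    """Human-comparable digest of a public key: 128 bits of SHA-256, grouped."""
    h = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))

class KeyServer:
    """User -> public key directory. Whoever controls it picks the key you
    encrypt to, unless the user checks the fingerprint out of band."""
    def __init__(self, keys, substitute=None):
        self.keys = dict(keys)
        self.substitute = substitute or {}    # user -> key the server swaps in

    def lookup(self, user):
        return self.substitute.get(user, self.keys[user])

def fetch_key_blindly(server, user):
    """Fake end-to-end: trust whatever key the server hands out."""
    return server.lookup(user)

def fetch_key_verified(server, user, fp_checked_in_person):
    """True end-to-end: accept the key only if its fingerprint matches the one
    compared in person (or over another channel the server doesn't control)."""
    key = server.lookup(user)
    if fingerprint(key) != fp_checked_in_person:
        raise ValueError(f"fingerprint mismatch for {user}, refusing server key")
    return key

def scenario(server_substitutes: bool):
    """Which key Alice would encrypt to: (blind client, verifying client)."""
    swap = {"bob": MALLORY_KEY} if server_substitutes else None
    server = KeyServer({"bob": BOB_KEY}, swap)
    bob_fp = fingerprint(BOB_KEY)      # Alice compared this with Bob at the party
    blind = fetch_key_blindly(server, "bob")
    try:
        verified = fetch_key_verified(server, "bob", bob_fp)
    except ValueError:
        verified = None                # verifying client refuses to encrypt
    return blind, verified
```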
- Excellent lectures/talks/videos on related topics -- watching these in your free time is highly recommended
- Citizenfour (Oscar-winning documentary by Laura Poitras)
- End-to-end encryption
- Post-quantum cryptography
- Privacy / anonymity
- Jacob Appelbaum
- Bruce Schneier
- Aral Balkan
- Christopher Soghoian
- Glenn Greenwald
- Edward Snowden
- Cypherpunks (with Julian Assange, Jacob Appelbaum et al.)
Presentation from Markus (@matteola)
- Be excellent to each other and crypto on!