Cryptoparty/2014/April

Revision as of 14:37, 20 April 2014 by Tunabananas (talk | contribs) (april notes)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Mobile Security

  • Encrypting mobile communications are not completely secure (metadata can still be read), but concealing the contents of communication can provide you with some security
  • You can also secure the endpoints - full disk encryption is possible on Android. Settings -> Security, choose option to encrypt your entire device
  • If your device is returned by the state, it's possible there's been
  • Even ordering the phone online can be man-in-the-middle'd
  • If you're being stalked (not by the state), it's unlikely they've bugged the hardware itself.
  • Different threat is retroactive surveillance - looking through the logs - but much more difficult if you
  • Using TextSecure, text messages are encrypted on the phone, unlocked with a password. It's always a good idea to shut down your phone
  • Default text messaging app on Android default is Google Hangouts - make sure to disable it if you're not rooting the phone
    • Good idea to take the APK out completely
  • Authentication : So long as there's an encrypted connection between two points, most people are not highly concerned about authentication and use a TOFU approach (Trust On First Use)
    • End-to-end vs. transport layer encryption
    • OTR, PGP, are end-to-end
    • You can use Pidgin + OTR and check to ensure it's working by simultaneously running GChat in your browser. If it shows jibberish, you're good! That's what Google sees.
  • Gibberbot, now called ChatSecure, for iOS and Android for instant messaging.
  • In order to use fdroid (a free and open source app store for Android), go to Settings, Allow Unknown Sources so you don't need Google's permission to install apps. It's fairly trivial to modify the contents of the APK while it remains signed by Google.

Anonymity

  • For anonymous browsing, install the Tor Browser Bundle (or Orbot on Android, though not as strong as Tor)
  • Tails running off a USB stick is recommended.
    • Live distributions ensure you're essentially running the operating system like it's the first time, every time.
      • Difficulty is if you need persistent data storage, though Tails also incorporates a persistent volume.
  • Recommended for journalists along with SecureDrop
  • Anonymity vs Security
    • Anonymity: Browser headers can be linked to your identity, for instance.
  • Panopticlick: Can scan the identifying data on your hard drive
  • Tor conceals your IP address, and thus your *location* by routing it through layers of other servers
  • Tor Browser Bundle uses a version of Firefox with extended support

Email

  • There's a plugin for Postfix that automatically encrypts emails sent to you -
  • Riseup.net is a trusted and vetted email provider
  • Electric Embers, local worker coop, for paid mail hosting
  • 1984 and Gandi.net for web hosting
  • OpenSMTPD