Cryptoparty/2014/April

Mobile Security

  • Encrypting mobile communications is not completely secure (metadata can still be read), but concealing the contents of communication can provide you with some security
  • You can also secure the endpoints - full disk encryption is possible on Android. Settings -> Security, choose the option to encrypt your entire device
  • If your device is returned by the state, it's possible there's been
  • Even ordering the phone online can be man-in-the-middle'd
  • If you're being stalked (not by the state), it's unlikely they've bugged the hardware itself.
  • Different threat is retroactive surveillance - looking through the logs - but much more difficult if you
  • Using TextSecure, text messages are encrypted on the phone, unlocked with a password. It's always a good idea to shut down your phone
  • The default text messaging app on Android is Google Hangouts - make sure to disable it if you're not rooting the phone
    • Good idea to take the APK out completely
  • Authentication: So long as there's an encrypted connection between two points, most people are not highly concerned about authentication and use a TOFU approach (Trust On First Use)
    • End-to-end vs. transport layer encryption
    • OTR, PGP, are end-to-end
    • You can use Pidgin + OTR and check to ensure it's working by simultaneously running GChat in your browser. If it shows gibberish, you're good! That's what Google sees.
  • Gibberbot, now called ChatSecure, for iOS and Android for instant messaging.
  • In order to use fdroid (a free and open source app store for Android), go to Settings, Allow Unknown Sources so you don't need Google's permission to install apps. It's fairly trivial to modify the contents of the APK while it remains signed by Google.
  • Recommended to put phones into Airplane mode (or at least toggle off WiFi) so that they're not sending out identifying probe packets. Private corporations can track your movements
    • Juice Defender to turn off your radios for saving battery life.
    • It may be possible to spoof your Android's MAC address, some devices
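The TOFU approach mentioned under Authentication, as an added example that is not from these notes: a minimal Trust On First Use fingerprint store in Python of the kind OTR and SSH clients keep (peer names and key bytes are constructed placeholders).

```python
import hashlib

# Added example, not from the cryptoparty notes. The first time a peer is
# seen its key fingerprint is recorded *unverified*; every later session is
# compared against that record and a changed key is flagged. TOFU says
# nothing about whether the first key was genuine: that still needs an
# out-of-band comparison (in person, over the phone), recorded below.


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the peer's raw public key; the value you compare out of band."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """Maps peer identifier -> {'fp': fingerprint, 'verified': bool}.
    A real client persists this to disk; kept in memory here for brevity."""

    def __init__(self):
        self.known = {}

    def check(self, peer: str, public_key: bytes) -> str:
        """'new' on first contact, 'ok'/'ok-unverified' if unchanged,
        'MISMATCH' if the key changed. A mismatch means either a re-keyed
        peer or an interposed party: stop and verify out of band rather
        than silently accepting the new key."""
        fp = fingerprint(public_key)
        entry = self.known.get(peer)
        if entry is None:
            self.known[peer] = {"fp": fp, "verified": False}
            return "new"
        if entry["fp"] != fp:
            return "MISMATCH"
        return "ok" if entry["verified"] else "ok-unverified"

    def mark_verified(self, peer: str, spoken_fp: str) -> bool:
        """Record that the fingerprint read to you out of band matches the stored one."""
        entry = self.known.get(peer)
        if entry is None or entry["fp"] != spoken_fp:
            return False
        entry["verified"] = True
        return True


def demo() -> list:
    """Three sessions with one peer: first use, repeat, then a changed key."""
    store = TofuStore()
    alice_key = b"constructed-alice-key-bytes"  # placeholder, not a real key
    results = [store.check("alice@example.org", alice_key)]
    results.append(store.check("alice@example.org", alice_key))
    results.append(store.check("alice@example.org", b"constructed-other-key"))
    return results
```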

Anonymity

  • For anonymous browsing, install the Tor Browser Bundle (or Orbot on Android, though not as strong as Tor)
  • Tails running off a USB stick is recommended.
    • Live distributions ensure you're essentially running the operating system like it's the first time, every time.
      • Difficulty is if you need persistent data storage, though Tails also incorporates a persistent volume.
  • Recommended for journalists along with SecureDrop
  • Anonymity vs Security
    • Anonymity: Browser headers can be linked to your identity, for instance.
  • Panopticlick: Can scan the identifying data on your hard drive
  • Tor conceals your IP address, and thus your *location*, by routing your traffic through layers of other servers
  • Tor Browser Bundle uses a version of Firefox with extended support

Email

  • There's a plugin for Postfix that automatically encrypts emails sent to you -
  • Riseup.net is a trusted and vetted email provider
  • Electric Embers, local worker coop, for paid mail hosting
  • 1984 and Gandi.net for web hosting
  • Riseup, AirVPN, IP Vanish
  • OpenSMTPD
  • Cryptobot

Dropbox

  • Dropbox is not end-to-end encrypted
  • Condoleezza Rice is now on the Board of Directors for Dropbox.
  • BoxCryptor for encrypting your cloud storage.
  • Spider Oak - Client-side encrypted.
  • OwnCloud - Run your own Dropbox. Does not do client-side encryption.
  • Cozy.io -
  • Or just a copy of Apache with WebDAV
  • rsync all the things!

Note-Taking

  • Etherpad
    • Developed for different databases, like NoSQL databases, making fully-replicable Etherpads possible
  • Workflowy

Legal

  • Will the police force you to input your password?
    • No precedent has really been set yet.
    • "Expectation of privacy"
    • Australia and the UK will force you to input your password - you can be held in jail until you decrypt it. Which is crazy, considering you can have random bits accumulate on your computer that appear encrypted.
  • If it's on shared hosting, a hosting provider is required to hand over just the data belonging to the suspect.
  • TrueCrypt use raises suspicion: you're expected to have a hidden TrueCrypt volume, the password to which must be revealed.
  • Having USB Debugging on allows anyone to access the phone and get content off it, even if the phone is locked.
  • Most mobile phones can be pwned almost instantly

MAC Addresses

  • Difficult to spoof for mobile devices - may be possible on some rooted Android phones
  • Macspoofer on Linux - easy!

Bitcoin

  • What can you buy with Bitcoin?
    • CheapAir - flights
    • Foodler - food
    • Overstock.com
    • Tiger Direct
    • Alibaba
    • Donate to the EFF or to Sudo Room!
  • Better to host your own wallet than to use one of the third-party services that could steal your shit.
    • Create the wallet while completely offline.
  • Lots of altcoins popping up
  • Drop in Bitcoin after a hedge fund was created to store something like 49 million Bitcoins, though the Bitcoin community seems to have now forgotten about it.