From tunabananas at gmail.com Fri Aug 24 16:24:23 2018
From: tunabananas at gmail.com (Jenny Ryan)
Date: Fri, 24 Aug 2018 16:24:23 -0700
Subject: [Cryptoparty] Notes from Cryptoparty/Dig Security Wkshp reboot sesh
Message-ID:

Greetings cryptoparty comrades old and new!

A few of us met back in June to discuss rebooting digital security workshops at sudo room - and oh my, I just discovered these notes in my Drafts folder >_< AND we didn't get it together for our proposed first workshop date, August 19th. Shall we aim to host one in October or November?

Recorded for posterity at: https://sudoroom.org/wiki/Cryptoparty/2018/June

<3jnny

*--*

*Cryptoparty Reboot - 16 June 2018*

= attendees =
* jenny, lesley, bill, sierk, gabby, alexis, toast, mai

Wiki: https://sudoroom.org/wiki/Cryptoparty
Mailing List: http://lists.sudoroom.org/listinfo/cryptoparty

= notes =
* alexis works with techactivist.org - outreach and education for activists
* offensive-security.com - training by the makers of Kali
* bill - wary of using Tor for false assurances - eg web browsing identifiers
* bill: always going to be a "well actually" douchebag at every cryptoparty - how to deal with the know-it-all taking over the cryptoparty / making it alienating for those who most need the education
** alexis: got excellent training on that from Khalil __ (missed it) - cutting off soliloquy and redirecting back to the convo, invite to converse after the workshop, etc
*** bill: having knowledge and skills doesn't make one able to be an educator - match technical knowledge with
** mai: best cryptoparties i've been to set expectations right at the beginning, code of conduct, "no such thing as stupid questions",
* alexis: always make sure to emphasize how using Tor/VPNs can impact your web traffic
* gabby: I've been using a VPN and it's been slowing my web browsing very significantly
** bill: There's not particularly a correlation between speed and security of VPNs.
Suggests reviewing thatoneprivacysite.net to compare VPNs
* bill: i always make sure to emphasize there's no such thing as 100% secure - eg; endpoints can be hacked - tho you can continue to improve
** mai: using metaphors helps a lot -
* toast: get a list going of things people would like to see in messaging apps. EFF probably has this. brainstorming suggestions
* alexis: best to try and work with what people already use, hard to get people to adopt new things
** eg; facebook has encrypted messaging - most people don't know about it - "make conversation secret"
* bill - hushmail - big security vulnerability - can target a specific population to backdoor the service (eg by IP address) - protonmail has this same problem

== previous cryptoparties ==
* lesley: trying to do it every month was just too often. sam moved away...
* jnny: just no capacity at a certain point - to do the outreach, hold the space, get someone super infosec-savvy to be present in the event of complex problems someone brings
* gabby: outreach-teaching event one month, training trainers / working group another month. could also have just two of us host it every month
* jnny: having equal # tech/sec-savvy and people coming to learn is great, can pair people off
* bill - don't want to call it a cryptoparty as it draws the wrong people (people who already know what they're doing)
* mai: could do it more thematically, eg "Secure your mobile communications" - narrowing framing would enable us to teach better and target a more specific audience
* sierk: users teaching users, Drupal meetups, [missed this]
* bill: narrowing focus great way to bring people out
** lesley: could have different talks set up ahead of time. got me interested was looking up things, the acronyms etc
*** jenny: maybe make that a ground rule, don't abuse acronyms.
**** bill: or just state that "we'll be covering a lot of things, but everything we're talking about is in the handout
* gabby: didn't know exactly what a cryptoparty was - didn't expect

= what to learn/teach =

== web browsing ==
* orbot - tor for mobile - initiated by Guardian Project, now officially Tor Project?
** orfox - tor browser for android - Guardian Project - https://guardianproject.info/apps/orfox/
** firefox focus - app that essentially enables you to always be browsing incognito
** firefox quantum - multi container add-on - https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?src=search - create different containers for eg facebook, google, etc
* HTTPS Everywhere - download separately and then deliver it to the browser - offline signing process

== email ==
* protonmail - encrypts email in transit (still shows plaintext in browser) - https://protonmail.com/
* mailvelope - add-on for GMail encryption - https://www.mailvelope.com/en
* riseup - and the canary: https://riseup.net/en/canary

== operating systems ==
* qubes - "A reasonably secure operating system" - https://www.qubes-os.org/
** like having multiple containers/Virtual Machines (VMs)
** network VM separate from application VM
* tails - https://tails.boum.org/

== VPNs ==
* can be fast and secure, slow and insecure, fast and insecure, etc;
** https://thatoneprivacysite.net/ - https://thatoneprivacysite.net/simple-vpn-comparison-chart/

== Clearing up Misconceptions ==
* Using Signal securely
* Vulnerabilities of PGP
* No 100% security - endpoints can be hacked

= resources to create/build =
* piratebox with software for faster downloads
* handouts:
** anonyzebra zine?
(see https://sudoroom.org/wiki/Cryptoparty / https://sudoroom.org/mediawiki/images/1/11/Anonyzebra.jpg )
** for different levels of security / threat models (eg average users,
* code of conduct

= resources for trainers =
* EFF's Security Education Companion - https://sec.eff.org/
*

= next digital security wkshp =
* August 19th

--
Jenny
Help open a professional kitchen at the Omni Commons in Oakland!
https://omnicommons.org/kitchen

`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`
"Technology is the campfire around which we tell our stories."
-Laurie Anderson

"Storytelling reveals meaning without committing the error of defining it."
-Hannah Arendt

"To define is to kill. To suggest is to create."
-Stéphane Mallarmé

"Anything done for the first time unleashes a demon."
--Dave Sim, "Cerebus the Aardvark"
~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`