[Cryptoparty] Notes from Cryptoparty/Dig Security Wkshp reboot sesh

Jenny Ryan tunabananas at gmail.com
Fri Aug 24 16:24:23 PDT 2018


Greetings cryptoparty comrades old and new!
A few of us met back in June to discuss rebooting digital security
workshops at sudo room - and oh my, I just discovered these notes in my
Drafts folder >_<
AND we didn't get it together for our proposed first workshop date, August
19th.
Shall we aim to host one in October or November?

Recorded for posterity at: https://sudoroom.org/wiki/Cryptoparty/2018/June

<3jnny

*--*

*Cryptoparty Reboot - 16 June 2018*

= attendees =
* jenny, lesley, bill, sierk, gabby, alexis, toast, mai

Wiki: https://sudoroom.org/wiki/Cryptoparty
Mailing List: http://lists.sudoroom.org/listinfo/cryptoparty

= notes =
* alexis works with techactivist.org - outreach and education for activists
* offensive-security.com - training by the makers of Kali
* bill - wary of using Tor for false assurances - eg web browsing
identifiers
* bill: always going to be a "well actually" douchebag at every cryptoparty
- how to deal with the know-it-all taking over the cryptoparty / making it
alienating for those who most need the education
** alexis: got excellent training on that from Khalil __ (missed it) -
cutting off soliloquoy and redirecting back to the convo, invite to
converse after the workshop, etc
*** bill: having knowledge and skills doesn't make one able to be an
educator - match technical knowledge with
** mai: best cryptoparties i've been to set expectations right at the
beginning, code of conduct, "no such thing as stupid questions",
* alexis: always make sure to emphasize how using Tor/VPNs can impact your
web traffic
* gabby: I've been using a VPN and it's been slowing my web browsing very
significantly
** bill: There's not particularly a correlation between speed and security
of VPNs. Suggests reviewing thatoneprivacysite.net to compare VPNs
* bill: i always make sure to emphasize there's no such thing as 100%
secure - eg; endpoints can be hacked - tho you can continue to improve
** mai: using metaphors helps a lot -
* toast: get a list going of things people would like to see in messaging
apps. EFF probably has this. brainstorming suggestions
* alexis: best to try and work with what people already use, hard to get
people to adopt new things
** eg; facebook has encrypted messaging - most people don't know about it -
"make conversation secret"
* bill - hushmail - big security vulnerability - can target a specific
population to backdoor the service (eg by IP address) - protonmail has this
same problem

== previous cryptoparties ==
* lesley: trying to do it every month was just too often. sam moved away...
* jnny: just no capacity at a certain point - to do the outreach, hold the
space, get someone super infosec-savvy to be present in the event of
complex problems someone brings
* gabby:  outreach-teaching event one month, training trainers / working
group another month. could also have just two of us host it every month
* jnny: having equal # tech/sec-savvy and people coming to learn is great,
can pair people off
* bill - don't want to call it a cryptoparty as it draws the wrong people
(people who already know what they're doing)
* mai: could do it more thematically, eg "Secure your mobile
communications" - narrowing framing would enable us to teach better and
target a more specific audience
* sierk: users teaching users, Drupal meetups, [missed this]
* bill: narrowing focus great way to bring people out
** lesley: could have different talks set up ahead of time. got me
interested was looking up things, the acronyms etc
*** jenny: maybe make that a ground rule, don't abuse acronyms.
**** bill: or just state that "we'll be covering a lot of things, but
everything we're talking about is in the handout
* gabby: didn't know exactly what a cryptoparty was - didn't expect

= what to learn/teach =

== web browsing ==
* orbot - tor for mobile - initiated by Guardian Project, now officially
Tor Project?
** orfox - tor browser for android - Guardian Project -
https://guardianproject.info/apps/orfox/
** firefox focus - app that essentially enables you to always be browsing
incognito
** firefox quantum - multi container add-on -
https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?src=search
- create different containers for eg facebook, google, etc
* HTTPS Everywhere - download separately and then deliver it to the browser
- offline signing process

== email ==
* protonmail - encrypts email in transit (still shows plantext in browser)
- https://protonmail.com/
* mailvelope - add-on for GMail encryption - https://www.mailvelope.com/en
* riseup - and the canary: https://riseup.net/en/canary

== operating systems ==
* qubes - "A reasonably secure operating system" - https://www.qubes-os.org/
** like having multiple containers/Virtual Machines (VMs)
** network VM separate from application VM
* tails - https://tails.boum.org/

== VPNs ==
* can be fast and secure, slow and insecure, fast and insecure, etc;
** https://thatoneprivacysite.net/ -
https://thatoneprivacysite.net/simple-vpn-comparison-chart/

== Clearing up Misconceptions ==
* Using Signal securely
* Vulnerabilities of PGP
* No 100% security - endpoints can be hacked

= resources to create/build =
* piratebox with software for faster downloads
* handouts:
** anonyzebra zine? (see https://sudoroom.org/wiki/Cryptoparty /
https://sudoroom.org/mediawiki/images/1/11/Anonyzebra.jpg )
** for different levels of security / threat models (eg average users,
* code of conduct


= resources for trainers =
* EFF's Security Education Companion - https://sec.eff.org/
*

= next digital security wkshp =
* August 19th

--
Jenny

Help open a professional kitchen at the Omni Commons in Oakland!
https://omnicommons.org/kitchen

`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`
"Technology is the campfire around which we tell our stories."
-Laurie Anderson

"Storytelling reveals meaning without committing the error of defining it."
 -Hannah Arendt

"To define is to kill. To suggest is to create."
-Stéphane Mallarmé

"Anything done for the first time unleashes a demon."
--Dave Sim, "Cerebus the Aardvark"
~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`~`
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sudoroom.org/pipermail/cryptoparty/attachments/20180824/e2ba265e/attachment-0001.html>


More information about the cryptoparty mailing list