
Code for DC CryptoParty Agenda | December 18, 2018

Encrypt all your things in under an hour

Bring your phone, tablet, computer, or pen/paper to follow along!

Code for DC CryptoParty Ethos

Privacy is a fundamental human right. It is recognized in many countries to be as central to individual human dignity and social values as Freedom of Association and Freedom of Speech. Privacy is where we draw the line on how far a society can intrude into our personal lives. It is user-defined and varies between individuals. You are the steward of your identity. You are the only person who has the right to disclose your personal story.

Remember to join #cryptoparty on Code for DC's Slack. If you plan on eating pizza 🍕, remember to RSVP on meetup.

Today's Session

Today will be a workshop session. You can participate without an Internet device, but having one will allow you to implement these security practices while we're here to help. This agenda has been adapted from a guide published on freeCodeCamp.

We will walk through five easy things that make our digital lives safer and more secure. Steps 1-4 do not require any special software beyond the devices and services you already own. Time allowing, we will install Signal, so please look into that tool in advance and make sure you are comfortable installing it on your mobile device.

I was using a VPN when I built this agenda, so sorry that the links are Canadian.

1 - Use two-factor authentication on your inbox

Why? Your inbox is the way an attacker compromises every other part of your life. Once they can read your email, they do not just see your messages: they can trigger password resets for your social media, your shopping accounts, and even your bank.

Two-factor authentication means two independent proofs that you are you, like turning two keys to launch a missile. Your password is one. A single-use code delivered by SMS or generated by an authenticator app such as Google Authenticator or Authy is the other. If you don't have one of those apps set up already, that's okay; we can use SMS for now. Just know that SMS is the weakest second factor: the code can be redirected by a SIM-swap at your carrier or intercepted on the phone network, so switch to an authenticator app (or a hardware security key) once you are comfortable.

Follow these steps to enable 2-factor authentication on your email. Please ask any questions you have about getting it set up or about why we're doing this right now.

Gmail enable 2-factor authentication

2 - Encrypt your hard drive

Why? So that someone who steals or seizes your laptop cannot read the data on it by pulling the drive or booting another operating system; without your login password or the recovery key the disk is just noise. Both Windows and macOS have full-disk encryption built in: FileVault on macOS, and BitLocker on Windows 10 Pro and Enterprise (many Home devices offer the simpler "Device encryption" toggle instead). Turn it on, store the recovery key somewhere that is not the laptop itself, and confirm it is really active: on macOS, fdesetup status in Terminal should say FileVault is On; on Windows, manage-bde -status in an administrator prompt should show Protection On for the system drive.

3 - Turn on password protection on your phone

Why? You can keep a passcode secret, but you cannot keep your fingerprint secret: you leave it on everything you touch. Courts have compelled people to unlock a phone with their finger, whereas a memorized passcode generally gets stronger legal protection. Attackers can lift a partial print from a surface, or simply press your finger onto the sensor. Treat biometrics as a convenience layer on top of the passcode, not as a replacement for it.

Also, phones throttle repeated wrong guesses and can be set to wipe after 10 failed attempts (on iOS this is the optional Erase Data switch under the passcode settings), but that protection only helps if your PIN is not one of the handful an attacker tries first. A 4-digit PIN has only 10,000 possibilities; prefer 6 digits or an alphanumeric passphrase. Here are some common PINs you should avoid:

9999, 1111, 3333, 0000, 5555, 1212, 6666, 7777, 1122, 1004, 1313, 2000, 8888, 4444, 4321, 2222, 2001, 6969, 1010
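The PINs above are weak for structural reasons, not just because they are popular. The checker below is an added example written for this agenda (not Code for DC code): COMMON_PINS is the list from this page, and the pattern rules (one repeated digit, a repeated half, doubled digits, ascending or descending runs, plausible years) are the properties that make most such PINs guessable. The rules generalize beyond the list, so they also catch 1234 or 123456, which the list leaves out.

```python
"""Flag weak phone PINs: the agenda's common-PIN list plus the patterns behind it.

Added example for this agenda, not Code for DC code. COMMON_PINS is the list
from the agenda; the pattern rules are why most entries on such lists are
weak, and they also catch PINs the list leaves out (1234, 123456, ...).
"""
from typing import List

# The common 4-digit PINs listed in the agenda.
COMMON_PINS = {
    "9999", "1111", "3333", "0000", "5555", "1212", "6666", "7777", "1122", "1004",
    "1313", "2000", "8888", "4444", "4321", "2222", "2001", "6969", "1010",
}


def weak_pin_reasons(pin: str) -> List[str]:
    """Return every reason a PIN is weak; an empty list means no rule fired."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        return ["not a 4- or 6-digit PIN"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(pin)) == 1:                               # 0000, 7777
        reasons.append("single repeated digit")
    half = len(pin) // 2
    if pin[:half] == pin[half:]:                         # 1212, 6969, 123123
        reasons.append("first half repeats (e.g. 1212)")
    pairs = [pin[i:i + 2] for i in range(0, len(pin), 2)]
    if all(p[0] == p[1] for p in pairs):                 # 1122, 112233
        reasons.append("doubled digits (e.g. 1122)")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:                    # 1234, 4321, 123456
        reasons.append("ascending or descending run")
    if len(pin) == 4 and 1900 <= int(pin) <= 2030:       # birth years, 2000, 2001
        reasons.append("looks like a year")
    return reasons


def is_weak_pin(pin: str) -> bool:
    return bool(weak_pin_reasons(pin))


if __name__ == "__main__":
    for candidate in ("1234", "2001", "1122", "8372", "123456"):
        verdict = weak_pin_reasons(candidate) or ["no obvious pattern"]
        print(f"{candidate}: {', '.join(verdict)}")
```

A PIN that passes every rule here is not automatically strong, only free of the most obvious patterns; the real fix is a longer passcode, which the checker accepts at 6 digits.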

Pro tip: I like using my fingerprint because it's convenient. If you are ever arrested, crossing an international border, or both at the same time, power off your phone. When it is turned back on, the passcode is required before the fingerprint or face unlock works again. If you can't power off, iOS disables Touch ID and Face ID when you bring up the Emergency SOS screen (press the side button five times, or hold the side and a volume button on newer models) and Android 9 and later offer a Lockdown option on the power menu that does the same.

4 - use different passwords for different things

Why? A password is only a secret until it isn't. It can be phished, guessed, or leaked when a service you use (say, a large hotel chain) is breached, and attackers then try that same email and password combination on every other site you might have an account with.

This is where a password manager comes in handy. In a previous session, we discussed different options.

Don't use the same password in more than one place. End. Of. Story.

I use a Chrome extension called Strong Password Generator and Google Passwords. Both are free. LastPass and 1Password are both secure, good options but are not entirely free.

You can also check whether your email address has appeared in a known data breach with Have I Been Pwned; its Pwned Passwords service does the same for individual passwords, and is designed so that you never send it the password itself.
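How a password check can work without sending the password is worth seeing in code. The following is an added example written for this agenda, not code from Code for DC or from Have I Been Pwned: a client for the Pwned Passwords range API, which publishes breached passwords indexed by the first five hex characters of their SHA-1 hash. The client sends only those five characters and matches the remaining 35 locally, so the service learns roughly one in a million possible hashes, not your password. The network call is injected as a function so the example runs offline against a response constructed here: the first suffix is the real remainder of SHA-1("password"), but both counts are made up. fetch_range_online() does the live lookup.

```python
"""Pwned Passwords k-anonymity check: send 5 hex chars of the hash, match locally.

Added example for this agenda; not code from Code for DC or from Have I Been
Pwned. Network access is injected as a function so the example runs offline
against a constructed response; fetch_range_online() does the real call.
"""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Real endpoint: GET /range/<first five hex chars of the upper-case SHA-1>
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords is indexed by.
    SHA-1 is fine here: it is a lookup key for a public list, not a stored password hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """The prefix goes over the wire; the suffix never leaves this machine."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines look like '<35-hex-char suffix>:<count>'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times this exact password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup; the API rejects requests without a User-Agent header."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "cryptoparty-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA6...).
# The first suffix is the real remainder of that hash; both counts are made up.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E2AAA5F0C4B7C5C8D3E5C0B9B0A8C6F2C1:2\r\n"
)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in: only knows the constructed response for prefix 5BAA6."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch)
        print(f"{pw!r}: " + (f"seen {n} times in the sample data, do not use" if n else "not in the sample data"))
```

To run it against the live service, pass fetch_range_online instead of fake_fetch. A count of zero means the password is not in the published breach corpus, not that it is strong; a password manager's generator is still the right source for new passwords.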

5 - Secure your text messages with Signal

Why? SMS messages travel unencrypted through the carrier and are easy to intercept, and most other messaging platforms keep your messages on their servers, meaning they possess and retain your data for a time. Signal is a popular messaging app that uses the protocol of the same name. The Signal protocol is the current gold standard for end-to-end encryption, and the app got a perfect score on the Electronic Frontier Foundation's secure messaging scorecard.

You can do all the things you would normally do via text message: group chats, photos, videos, gifs, bitmojis. The difference is that everything is end-to-end encrypted. Signal's servers only relay ciphertext they cannot read and do not keep a copy once it is delivered, so the readable messages exist on your device and the devices of your recipients, nowhere else.

The encryption is strong enough that if your messages are intercepted in transit, the interceptor gets ciphertext that is computationally infeasible to decrypt without the keys on your phone. The remaining risk is talking to the wrong person: for contacts that matter, compare safety numbers (found in the conversation settings) in person or over a second channel so you know nobody is sitting in the middle.

  1. Download and install Signal.
  2. Invite your friends to install it, and see which of your contacts are already on Signal.
  3. Send messages.
  4. Profit.

So am I good to go now?

Almost. One thing we didn't talk about tonight is how to protect your web traffic, searches, etc. We covered Tor and VPNs in a previous session, but after the holidays we will talk about:

  • the myth of private browsing with incognito mode
  • private browsing with Tor
  • using a tool like Orfox or Brave
  • decoupling your search history from Google with DuckDuckGo.

Happy Holidays! 🎄⛄️🎅🏽

Want to lead a CryptoParty?

Is there a topic in digital security you're particularly interested in? Leading a CryptoParty is a great way to learn more about emerging cryptographic and security concepts. We are looking for folks with all kinds of backgrounds and interests to share their knowledge and interest. Talk to @csethna or @Ed O. on Slack if you're interested!
