Code for DC CryptoParty Agenda | December 18, 2018
Encrypt all your things in under an hour
Bring your phone, tablet, computer, or pen/paper to follow along!
Code for DC CryptoParty Ethos
Privacy is a fundamental human right. It is recognized in many countries to be as central to individual human dignity and social values as Freedom of Association and Freedom of Speech. Privacy is where we draw the line on how far a society can intrude into our personal lives. It is user-defined and varies between individuals. You are the steward of your identity. You are the only person who has the right to disclose your personal story.
Today will be a workshop session. You can participate without an Internet device, but having one will allow you to implement these security practices while we're here to help. This agenda has been adapted from a guide published on freeCodeCamp.
We will walk through five easy things that make our digital lives safer and more secure. Steps 1-4 do not require any special software tools other than the devices and services you already own. Time allowing, we will download Signal, so please investigate that tool and feel comfortable with installing the software on your mobile device.
I was using a VPN when I built this agenda, so sorry that the links are Canadian.
1 - Use two-factor authentication on your inbox
Why? Your inbox is a way for an attacker to compromise every single aspect of your life. Not only will they be able to read your emails, they can reset your passwords, access your social media, and even your bank accounts.
Two-factor refers to two separate means of authentication, like turning two keys to launch a missile. A password is one. A single-use code sent to you via SMS, or generated by an authenticator app like Google Authenticator or Authy, is another. If you don't have one of these apps installed and set up already, that's okay. We can use SMS for now.
Follow these steps to enable two-factor authentication on your email. Please ask any questions you have about getting it set up or about why we're doing this right now.
Gmail enable 2-factor authentication
2 - Encrypt your hard drive
3 - Turn on password protection on your phone
Why? You can keep your password a secret, but you cannot keep your fingerprint a secret. A court can compel you to use your fingerprint. Attackers can use partial fingerprints or even force you to use your finger to unlock a device.
Also, you get 10 tries before the phone completely locks out. Here are some common passwords you should avoid:
9999, 1111, 3333, 0000, 5555, 1212, 6666, 7777, 1122, 1004, 1313, 2000, 8888, 4444, 4321, 2222, 2001, 6969, 1010
Pro tip: I like using my fingerprint because it's convenient. If you are ever arrested, crossing an international border, or both at the same time, power off your phone. When turned back on, the password will be required to unlock it.
4 - Use different passwords for different things
Why? Passwords are inherently insecure. They can be lost, stolen, or even accidentally leaked by a large hotel chain.
This is where a password manager comes in handy. In a previous session, we discussed different options.
Don't use the same password in more than one place. End. Of. Story.
You can also check whether a password associated with your email address has ever appeared in a known breach with Have I Been Pwned.
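Have I Been Pwned's password search is designed so that you never send the password itself: the site publishes a "range" API that takes only the first five hex characters of the password's SHA-1 hash and returns every known breached-hash suffix under that prefix, so matching happens on your device. The following is an added example (not code from the agenda or from Have I Been Pwned) of that k-anonymity lookup. The `fetch_range` function calls the real `https://api.pwnedpasswords.com/range/` endpoint if you choose to run it online; the sample response and its breach counts are constructed here so the check can be exercised offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range API returns for prefix 5BAA6:
# one "<35-hex-char suffix>:<breach count>" line per known hash. The
# counts are made up; the first suffix is the real SHA-1 tail of "password".
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E8A7F3B2C0D5E6F7A8B9C0D1E2F3A4B5C6:12
2F1A3B4C5D6E7F8091A2B3C4D5E6F708192:1
"""


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        known_suffix, _, count = line.partition(":")
        if hmac_equal(known_suffix, suffix):
            return int(count)
    return 0


def hmac_equal(a: str, b: str) -> bool:
    """Constant-time string compare (only matters if this ran server-side,
    but it is a harmless habit)."""
    import hmac
    return hmac.compare_digest(a, b)


def fetch_range(prefix: str) -> str:
    """Online lookup: only the 5-char prefix is transmitted."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "cryptoparty-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, range_response: str = None) -> int:
    """Return how many times the password appears in known breaches
    (0 = not found). Pass a cached/sample response to stay offline."""
    prefix, suffix = split_hash(password)
    if range_response is None:
        range_response = fetch_range(prefix)
    return count_in_range(suffix, range_response)


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("prefix sent to service:", prefix)
    print("suffix kept locally:   ", suffix)
    print("times seen (sample data):", times_pwned("password", SAMPLE_RANGE_RESPONSE))
```

The point for tonight: a "was this breached?" check does not require handing the password to anyone. If a site or tool asks you to paste a password into a form to "check if it's safe", that is a reason to walk away.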
5 - Secure your text messages with Signal
Why? SMS messages are easy to intercept, and other platforms store your messages on remote servers (meaning they possess and retain your data for a time). Signal is a popular messaging service that uses a protocol of the same name. The Signal protocol is the current gold standard for end-to-end encryption, and the app got a perfect score from the Electronic Frontier Foundation.
You can do all the things you would normally do via text message: group chats, sending photos, videos, gifs, bitmojis. The only difference is that everything is encrypted and nothing is stored on a third-party server. Everything exists on your own device and the devices of your recipients, nowhere else.
The encryption is so strong that if your messages are intercepted, they are nearly impossible to decrypt.
- Download and install Signal.
- Invite your friends to install it, and see which of your contacts are already on Signal.
- Send messages.
So am I good to go now?
Almost. One thing we didn't talk about tonight is how to protect your web traffic, searches, etc. We've covered the topics of Tor and VPNs in a previous session, but after the holidays we will talk about:
- the myth of private browsing with incognito mode
- private browsing with Tor
- using a tool like Orfox or Brave
- decoupling your search history from Google with Duck Duck Go.
Want to lead a CryptoParty?
Is there a topic in digital security you're particularly interested in? Leading a CryptoParty is a great way to learn more about emerging cryptographic and security concepts. We are looking for folks with all kinds of backgrounds and interests to share their knowledge and interest. Talk to @Ed O. on Slack if you're interested!