Code for DC CryptoParty Agenda | September 17, 2018
Signal & Safe Surfing
Bring your phone, tablet, computer, or pen/paper to follow along!
Code for DC CryptoParty Ethos
Privacy is a fundamental human right. It is recognized in many countries to be as central to individual human dignity and social values as Freedom of Association and Freedom of Speech. Privacy is where we draw the line on how far a society can intrude into our personal lives. It is user-defined and varies between individuals. You are the steward of your identity. You are the only person who has the right to disclose your personal story.
Remember to join
#cryptoparty on Code for DC's Slack.
Signal is an open-source, encrypted messaging app built upon the Signal Protocol, widely regarded by cryptography experts as the gold standard of encrypted messaging.
- Let's install Signal on our phones. If you already use Signal, find someone who doesn't and help them find it in their app store, download, and install.
- It's worth mentioning the importance of disappearing messages. A New York Times reporter accidentally compromised several of their sources when their device was seized by law enforcement. Signal stores decrypted messages locally by default.
- Let's enable disappearing messages. These messages expire a set amount of time after they have been decrypted and read by the recipient. Disappearing messages must be set for each conversation you have on Signal. This way you can customize different lengths of time for different contacts.
End-to-end encryption refers to a privacy protocol that only allows data encrypted at the source to be decrypted by the specified recipient, hence content is secure from one end to the other. This works through a process called public key cryptography or
public key / private key authentication.
Boyd: The gold standard of encrypted messaging right now is the Signal Protocol which uses a combination of three different, mathematically complex encryption protocols.
Closed Source Alternatives
- Facebook Messenger, in the form of secret conversations
- Google Allo
Safer Surfing w/ HTTPS Anywhere, VPNs, and TOR
"Safe" can be a bit of a misnomer. Information security on the web is challenging, it's an inherently collaborative space intended for the free exchange of information. Every internet-connected device has the potential to be remotely exploited. We say "safer" surfing because there are some tools and techniques you can use to reduce the likelihood and repercussions of surveillance.
HTTPS Everywhere is a product of the Electronic Frontier Foundation. It exists as an extension for Google Chrome and is built into the functionality of the chromium-based, privacy-focused browser, Brave. HTTPS Anywhere detects unencrypted and attempts to establish an end-to-end encrypted connection with the host
- Setting up HTTPS to work on a website is not difficult for people with malicious intent.
- Verify web addresses you connect to and ensure you trust the source of the data before entering any sensitive information such as credit card numbers.
- HTTPS prevents third parties from intercepting and interfering with your communication to and from a website. It does not prevent the website from attempting to execute malicious code on your machine or trying to phish your personal information.
A VPN creates an encrypted tunnel between your device and a trusted, remote server. A VPN forces all outbound and inbound traffic through this end-to-end encrypted tunnel. Someone monitoring your connection activity will only be able to see encrypted traffic between you and the VPN server, not the traffic itself.
The VPN space is a crowded market and many companies will tell you their product is the "best". Ultimately, the VPN you chose will depend on your needs. Do you need the fastest connection? Protection while traveling? Privacy while accessing controversial information? A private server? Here are a couple takes on the "best" VPN by several different tech outlets:
- Do research the privacy laws of the country where your VPN is based.
- Do consider the fact some countries can prosecute users for using VPNs within their borders.
- Do be aware some servers will reject connections coming from known VPN locations as malicious.
- Don't use a free VPN
- Don't assume just because you've paid for a VPN service that the provider does not keep logs of traffic and cannot be compelled to turn over this information to the government or sell it to third parties.
- Don't think VPNs protect you from malicious content on the web.
Do you use a VPN? Which VPN do you use? What do you like (or dislike) about the service?
TOR & TAILS
- The Onion Router
- Basics of onion routing protocol: - Computerphile Video computerphile channel is a very helpful resource for introductory videos.
- Overview of 2600 article on how to get tails up and running on a chrome book - "Analog vs. Digital Living":
- Overview of 2600 article "A N00b's guide to the darkweb"
- 2600 magazine and podcast
- article on intro to dark web
- Are there any legitimate .onion domains?
- article on getting started with Tails
- Demystifying the Signal Protocol
- The Onion Report This is a "State of Tor" talk at an internet security conference.
Want to lead a CryptoParty?
Is there a topic in digital security you're particularly interested in? Leading a CryptoParty is a great way to learn more about emerging cryptographic and security concepts. We are looking for folks with all kinds of backgrounds and interests to share their knowledge and interest. Talk to
@Ed O. on Slack if you're interested!