Tinfoil Hat Party #0
Overall goal: Increase capability of citizens to create privacy.
Date: 2013-10-25
Venue: Main room of the Edinburgh Hacklab
Next party: Tinfoil hat party #1
Intro
We get our tinfoil hats on to save us from the cosmic death rays, and talk crypto for a night to keep the aliens out of our business. If you want to learn how to manage your privacy in the cloud better, this event would be a perfect place to start. On the first night we will introduce the complicated myth of online privacy, and talk about GPG, the Web of Trust, and encrypting emails to introduce a false sense of security. Tinfoil hats will be provided, but be sure to have your laptop at hand.
Structure
First night:
- Disclaimer: the tools presented in the workshop are only useful if the rest of the system is well protected, too. This means the system's security configuration as a whole should be fine-tuned against attackers. Communication is secure only as long as your partner employs the same level of paranoia. You're probably safe from a random thief, not NSA. (35 mins) - rhapsodhy
- analyze e-mail headers to raise awareness(?).
- GnuPG & Thunderbird - Jane
- Keysigning party!
Second night:
- Truecrypt - rsdy
- Tor - ?
Length: ~3h
Good old e-mail
Conduct a workshop that raises awareness that methods to send and receive encrypted e-mails are on hand. Train people with no public key to generate a key pair with the applicable attributes. Enable them through the workshop to incorporate their key into the open source e-mail client Thunderbird. Confirm that every participant of the workshop understands how to send and receive an encrypted e-mail. Wear a tinfoil hat while you explain the different underlying security scenarios.
What is needed to make it happen
- Participants (max 10 people)
- What OS is used to provide with the
- Workshop hosts: rhapsodhy, Jane
- Training material
- 3h
Update
We discussed providing a workshop about disc encryption on the same evening. The challenge here is that, on top of providing applicable training material about disc encryption, more resources are needed to get neat USB sticks done. I am not entirely sure if we have the capacity to do this on the first night. (Review and next planning IRC 2013-11-31) I am planning to limit the workshop content just to Thunderbird. I know there are x million e-mail clients out there but I don't have the time to look into all of them. It might be best to promote the event early and see if enough participants would go for this selection.
What is lacking is play: what do people believe is private/public?
I would like to do the black bar over the eyes video display but FaceOSC limits me to one face at a time. So I thought to get a monitor and a frame and fake a mirror. This mirror would display you but not your eyes. Maybe replace it with the mirror in the toilet. (Private room AND fewer faces to track.)
Another way is looking into OpenCV, to check if a library supports multiple face recognition.
Also I don't like this Alice and Bob story; either this gets replaced with Romeo and Juliet or a famous homosexual couple. If you have suggestions, feel free to share them. I know everyone is in for NSA, but I am tired of that. The wish to have privacy was around before and will be after. This includes as well the skill to access information. https://opennet.net/about-filtering outlines the wide range of reasons why privacy can be interrupted.
We are not aware of the extent to which our private data is used for or against us, but somehow this tech is also something we can hack and use for our purposes. (end of the bla bla part :))
Anyway, maybe you have some ideas on how to hack ideas/misunderstandings/hopes about privacy.
Disk encryption/Encrypted storage
Truecrypt
Talk about the use of TrueCrypt and the best practices for storing encrypted data. The goal would be to have everyone set up an encrypted container on their laptops, and copy files into it. Talk about the possible attack vectors and adversaries (use cases) that should be considered when using encrypted storage. Talk about picking a cipher/hash algo to feed conteo trolls, and talk about hidden volumes for storing real sensitive data. Legal warnings about disk encryption in the UK. (https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom)
GPG
Part 2 should be based on the GPG part, for storing/sending/archiving data using GPG. Compare and contrast the use cases with using a symmetric algo for file storage.
Draft Tin foil hat party announcement
The reason why we keep certain information private, when and to whom we disclose it, is a private choice. This month the Edinburgh Hacklab hosts the first tin foil hat party, to investigate together how you can hack your daily routine to limit access to this information (yes, it is a cryptoparty.in with a hat).
The event has three parts to it: the talk and the workshop require booking and are limited to seven to nine participants. The last part is the key signing party, which is open to all and kicks off at 9pm. All parts of the event are free to attend. This is brought to you by regular membership fees and donations to the Hacklab. (Look, a donate button :))
Here is the agenda for the night:
- Talk: Disclaimer: the tools presented in the workshop are only useful if the rest of the system is well protected, too. This means the system's security configuration as a whole should be fine-tuned against attackers. Communication is secure only as long as your partner employs the same level of paranoia. You're probably safe from a random thief, not NSA. (35 mins)
- Workshop 2 1/2h: Setting up a GnuPG RSA 4096-bit key pair. Encrypt and decrypt e-mails using Thunderbird on your laptop. (This workshop does not cover e-mail clients installed on hand held devices. Consider it an e-mail client workshop like it's 2007. (Still interested in encrypting and decrypting files on Android? securityinabox.org/en/apg_main))
- Reference: securityinabox.org/en/thunderbird_main, cryptoparty.in/documentation/handbook
Here is what you need for the key signing party:
- Be there: physical attendance (with tin foil hat).
- Have your passport/national identity card (without hat).
- Have your key ID, key type, fingerprint, and key size. (Workshop participants → We generate it on the day)
Here are some notes: The timing of the event is not great for everyone. If you would like to attend this kind of event and can't make it, please contact us and we will try to work something out. The Hacklab is located in Summerhall (http://edinburghhacklab.com/visit/) and is accessible with a wheelchair (http://www.summerhall.co.uk/about/accessibility/). As always, the anti-harassment policy applies to this event: http://wiki.edinburghhacklab.com/antiharassment?s[]=anti&s[]=harassment.
You would like to wear your tin foil hat at home?
Some advice on how to bypass online censorship http://en.flossmanuals.net/bypassing-censorship/ch004_quickstart-from-lg/
Sticker idea
- edinburghhacklab: tin foil hats, like it's 1984
- edinburghhacklab: shared knowledge under one sheet
- edinburghhacklab: shared space/knowledge
- edinburghhacklab: shared space, shared knowledge
Thunderbird with Enigmail
Thunderbird with Enigmail is available on all major OS platforms (Linux, Mac, Windows) and is therefore the most widely available. Install:
Alternatively, you become a customer and (which can be used by Thunderbird).
- Start Thunderbird: Menu → Internet → Thunderbird
- Set up your new e-mail account in Thunderbird to use IMAP. (In the example, Yahoo Mail is used, but the method is the same for Gmail.) Make sure your firewall allows ports 993 (IMAP), 465 (SMTP) and 11371 (HKP). Thunderbird → File → New → Mail Account… → (Enter Your name, Email address, Password) → IMAP: Access folders and messages from multiple computers (ticked) → Create Account
- Generate a new OpenPGP key pair: Thunderbird → OpenPGP → Key Management → Generate → New Key Pair → (fill in desired passphrase, if any, and details) → Advanced → Key Size: 4096 bits → Key type: RSA → Generate key → “We highly recommend to generate a revocation certificate for your key…” → Generate Certificate
- This method will use pre-selected key servers stored in the default Thunderbird settings. If you wish to add selected key servers (such as keys.gnupg.net and keyserver.ubuntu.com): Thunderbird → OpenPGP → Preferences → Keyserver → Specify your keyserver(s): → keys.gnupg.net, keyserver.ubuntu.com → OK
- Turn off HTML in messages: Thunderbird → (Email Account ID) → Composition & Addressing → Compose messages in HTML format (unticked) → OK
- Send and sign encrypted email with your OpenPGP key: Thunderbird → Write → (compose message) → OpenPGP → Sign Message (ticked) → Encrypt Message (ticked) → Send
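The key signing party asks each participant for key ID, key type, fingerprint and key size, and the workshop generates an RSA 4096-bit key. The following is an added example, not part of the original page: it reads GnuPG's colon-delimited listing for one key, checks that the key ID and fingerprint belong together, and formats the details for a paper slip. The sample listing and the function names are constructed for illustration.

```python
# Added example: summarise `gpg --with-colons --fingerprint <key>` output for a slip.
ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample listing: key IDs, fingerprints and user ID are made up.
SAMPLE = """\
pub:u:4096:1:1A2B3C4D5E6F7081:1382650000:::u:::scESC:
fpr:::::::::0123456789ABCDEF012345671A2B3C4D5E6F7081:
uid:u::::1382650000::AAAA::Workshop Participant <participant@example.org>:
sub:u:4096:1:99887766554433AA:1382650000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9899887766554433AA:
"""

def parse_primary_key(listing):
    """Return key ID, type, size, fingerprint and user IDs of the primary key."""
    key, owner = None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = {"key_id": f[4], "key_size": int(f[2]), "uids": [], "fingerprint": "",
                   "key_type": ALGOS.get(int(f[3]), "algorithm " + f[3])}
        if f[0] in ("pub", "sub"):
            owner = f[0]  # the next fpr record belongs to this key
        elif f[0] == "fpr" and owner == "pub":
            key["fingerprint"] = f[9]
        elif f[0] == "uid" and key:
            key["uids"].append(f[9])
    if not key or not key["fingerprint"]:
        raise ValueError("no primary key with a fingerprint found")
    # For version 4 keys the long key ID is the tail of the fingerprint;
    # a mismatch means the slip would describe two different keys.
    if not key["fingerprint"].endswith(key["key_id"]):
        raise ValueError("key ID does not match fingerprint")
    return key

def matches_workshop_settings(key):
    """True if the key is the RSA 4096-bit kind the workshop generates."""
    return (key["key_type"], key["key_size"]) == ("RSA", 4096)

def signing_slip(key):
    """Format the details for reading aloud, fingerprint in groups of four."""
    fpr = key["fingerprint"]
    grouped = " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))
    return "\n".join(["User ID:     " + "; ".join(key["uids"]),
                      "Key ID:      " + key["key_id"],
                      "Key type:    %s %d" % (key["key_type"], key["key_size"]),
                      "Fingerprint: " + grouped])

if __name__ == "__main__":
    print(signing_slip(parse_primary_key(SAMPLE)))
```

At the party, the fingerprint on the slip is what the other attendees compare against the key they later fetch, so it should be copied from your own keyring and not from a key server.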