@pawal
Created September 19, 2014 12:26

30C3 How to CryptoParty

Result from working groups

Group 1: Reasons and sensibility (I have nothing to hide!)

  • short story to show a "daily situation"
  • make handouts (paper is more present than one more URL)
  • reasons from work, hobbies
  • bad feeling about what is going on
  • Q&A collection (?)
    • Q: if I encrypt everything, wouldn't this make a broken disk a mess for me? 
    • A: use a backup system which can handle this

Group 2

  • Discussion about picking the right time slot
    • 3-4 hours per topic not much more
  • Importance of mixed, "women only" or "elderly" cryptoparties
    • When it's 50/50 it works great as well
    • The code of conduct helps
    • Another alternative is to advertise the party as "For women and allies" to put the emphasis but still include everyone
    • Tandems (one young and one old person)
      • For kids (mother/father and kid tandems)
  • Having a handout that people can bring home
  • People should bring their own machine + power cable
  • Make it such that people feel safe to ask any question => e.g. have a Cryptocat chatroom for questions
  • (IRC might be too difficult for beginners)
  • Make it fun (Alice and Bob dialogue)
  • You should not scare people (or tell true stories)
  • Be sure to encourage people to use crypto, don't come off as a smartass
  • Self hosting
  • Teaching how weak SMTP is by default
    • Ask two people (Alice and Bob) in the room and send a message to Bob as Alice
  • General issues about organizing an event
    • Finding a room
      • University
      • Libraries
      • Community colleges
      • Art centers

Group 3

  • Experience from Freiburg
    • intro on NSA leaks to explain relevance
    • standardize on tools:
      • everybody learns to use PGP in combination with Thunderbird. Even though people learn PGP by becoming click-monkeys, it's a start
  • Where to store the private keys: is it safe to store them on your cell phone?
  • Point of discussion: is it better to teach normal people some basic data hygiene (anti-tracking browser extensions, strong passwords...) versus teaching them how to use PGP if they won't use it because they don't have anyone to email with who also uses it?


Group 4: Real world examples for explaining crypto

  • Public/Private-Key Method:
    • Box is being constructed with an open lock, I keep the key to open it. I send the box to other people which put contents into the box and close the padlock. Only I will be able to open the box, since I keep the key.
  • Use known examples to bring inexperienced attendees closer to the topics (Enigma etc.).


Group 5

Collection of talking points in German (translation needed): http://wiki.piratenpartei.de/Ich_habe_nichts_zu_verbergen!

Predictable arguments, talking points or phrases are often used to justify the further weakening of our privacy -- or the spectre of terrorism & sex offenders is used to evoke a fear which will a) stop a conversation on our right to privacy, and b) attempt to garner our consent for a further loss of privacy.

These phrases are usually the following:

  • If you've nothing to fear, you've nothing to hide.
  • Paedophiles and terrorists seek privacy, therefore to catch paedophiles there must be a reduction in everyone's privacy.
  • Paedophiles and terrorists seek privacy, therefore anyone who seeks privacy is suspicious.
  • Collecting small amounts of personal information isn't a breach of privacy.
  • Etc.

Privacy concerns affect everyone, and thus far the privacy debate has been framed as a law & order necessity, rather than a debate on a person's rights & liberties -- allowing a person to think these questions do not affect or concern them personally.

Group 6

Experience report from previous organizers:

  • mode of operation was long debated before (party mode versus lecture style) with its pros and cons
  • we came to the conclusion that a short introduction (e.g. "what is a public key?" how does email roughly work, etc) is a good idea and should be followed by a more interactive demo/workshop phase.
  • Prefer two speakers sharing their duties over one. This makes the talk typically more lively, even entertaining (sometimes by accident but that's ok) ;)
  • we limited ourselves to a single topic per party (at least in the Email/OpenPGP case) because there is just so much to talk about even without explaining the web of trust
  • We had some trouble promoting the party. Every time only about 10 people showed up. (It was promoted via local newspaper, Facebook, local radio station, no posters/flyers, though).
  • "theater" (we actually brought a physical box and some locks) helped people understand what public/private keys are. works for explaining MITM attacks, too ;)
  • Number of people needed (organizers, angels): 2+3, at least one for Windows
  • sitting in circle or U-form helps people help each other
  • supporter angels are a good idea to avoid disruption. It's bad when the speaker has to go fix other people's computer problems.
  • Cryptoparties might be at pubs, with beer, or like workshops (maybe also with beer)
  • Include warnings about possible compromise of the device, that subject lines are not encrypted, unexpected advances in cryptology might happen, and most importantly: enable encryption before writing the Email (or disable draft storage on the server) unless you want unencrypted drafts to be transmitted to your email server!
  • Inform the audience where to look for the next party covering possibly other topics.

Different aspects:

  • It might be interesting/useful to go into topics of general computer safety. But this needs several sessions, and is slightly off title.
  • Idea to explain encryption: lock (public key) and key (private key)
  • signature: signet on old-style letters, or wax imprint of a key
  • when inviting for a party: ask for unofficial notice of participation, computer knowledge, system
  • possibilities: fixed topic (pro: better prepared, con: people might not be interested) vs. several possible topics and let people choose (con: lot of work to prepare) vs. chaos party (needs people in the audience that can help the others)

  • Comments from Nivatius (wasn't at the C3, organized some parties)
  • Having two speakers is a really good idea, one can take questions and remind the other person of things they forget. The change between two people makes it more fun to listen.

Tools:

  1. Private Conversations Over Instant Messaging (OTR/Pidgin/Adium) // DONE
  2. Encrypting Emails (PGP/Enigmail/Thunderbird/GPG4USB/GPGTools) // NOW
  3. Disk Encryption (Truecrypt)
  4. Privacy Protected Browsing (Tor Browser Bundle)
    • [Slides] 
  5. Anonymity Techniques

Group 6.2:

  • Focus on what the users want
  • Actual encryption maths is not necessarily important - it might be enough to just say what the encryption does (hides content), and does not (hide identities)
  • Use standardised/cross-platform tools (Firefox + plugins, not every browser; Thunderbird, not Outlook/Mail.app/foo)
  • It might be a good idea to serialise/make it continuous to build up a community/recurrent group of people, and to grow from time to time


Group 7.1: motivation / chaos experts for social challenges and for technology education

  • Are "we" responsible?
  • Does the society expect solutions from the hacker community? (Esp. considering press/ media coverage at the moment- which could generate expectations)
  • Should we train the trainers?

Group 7.2: PR / management of media / press / journalists

  • Decide on inviting press or not inviting press at the beginning of the planning
  • Communicate explicitly on press/ media being invited for the event or not (so everyone knows they'll be coming).
  • Provide journalists with sufficient information before the event so they can get the (or at least a) bigger picture.
  • Press/ media need people to communicate with. Try to find someone in your community who is willing to do this.
  • Find people who are willing to appear in media (quoted in interviews) (possibly in disguise/ with their pseudonyms), should press/ media be invited for an event.
  • None of "us" in the media means both that our ideas will not be spread as well as possible and that society might think of "us" as a strange crowd, and thus ignore us or the insight/information we are willing to share.
  • Press/ media do not understand our (not existing) organisational hierarchy. For them the term "chaos" has a negative connotation!

Link collection

https://bettercrypto.org/
http://cryptoparty.in/

Mindmap, cryptoparty howto: http://mind42.com/public/c1203c00-b809-4f0f-b94d-70def8b4e9c1

https://cryptoparty-hamburg.de/slides/ (German) -> Dev: https://github.com/ccchh/Cryptoparty-Slides
https://www.accessnow.org/pages/protecting-your-security-online

Collection of all Cryptoparty links, applications and tutorials https://opleviathan.piratenpad.de/brainstorming-tutorials

irc.oftc.net:6697 #cryptoparty, howto here: http://www.cryptoparty.in/communication/irc
https://www.ccczh.ch/Cryptoparty (German, review of a held Cryptoparty)

Nice Demo of RSA Cryptography (German/English):
http://www.cryptool.org/

https://de.wikibooks.org/wiki/Privacy-Handbuch (German, developing phase)

Workshop handouts
https://www.4zm.org/files/2013/cp13-ws-street-smart.pdf (Swedish)
https://www.4zm.org/files/2013/cp13-ws-mobile.pdf (Swedish)
https://www.cryptoparty.se/ (Swedish)

https://kinko.me/ (once it goes live)

https://www.coursera.org/course/crypto  <- Math courses: how the ciphers work
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

Some Slides from the "Anti Prism Party" in Karlsruhe: (German)
http://www.anti-prism-party.de/cms/downloads/downloads.html
http://retroshare.sourceforge.net/ < What to do with gpg besides e-mail
https://prism-break.org/
http://sourceforge.net/projects/enigmagpg (gpg encryption on the web. gmail, etc.)
http://www.mailvelope.com/ for people who want to use PGP in GMail

Material from Göttingen: http://cryptoparty-goettingen.de/ http://www.ich-hab-doch-nichts-zu-verbergen.de/

Blogpost about CryptoParty Stockholm on The Tor Blog
https://blog.torproject.org/blog/cryptoparty-stockholm (eng)

Press about Stockholm CryptoParty
DN (Dagens Nyheter) - http://blogg.dn.se/teknikbloggen/2013/11/19/tre-torsdagar-for-digitalt-sjalvforsvar/ (Swedish)
Ny Teknik - http://www.nyteknik.se/nyheter/it_telekom/allmant/article3793001.ece#comments (Swedish)

Video (with slides, in Swedish) from cryptoparty in Umeå:
http://umeahackerspace.se/2013/06/20/video-fran-cryptoparty-1/

https://www.schneier.com/solitaire.html (You can use a deck of cards to play this crypto and introduce Bruce Schneier) ((and Neal Stephenson's Cryptonomicon))

Some less technical OpenPGP introduction (sorry, in German language): http://ubucon.de/2013/programm#openpgp

Feminist cryptoparty slides from Vienna (in German): http://de.slideshare.net/Mahriah1/cryptoparty-email-verschlusselung

General Topics:

  • Focus on which topics (where do the typical questions of guests go?)
    • Generic crypto
      • What is "secure"? What is not. -> Dos and Don'ts.
      • Keys
      • Random numbers
      • Signatures
      • Hashes
      • MAC
      • Perfect forward secrecy
      • Symmetric/Asymmetric crypto difference
      • The evolution of crypto (ROT-13 ...)
    • PGP/GnuPG
      • enigmail
      • gpgtools
      • what metadata is still plaintext
      • web of trust
    • OTR
      • Pidgin
      • Adium
    • Picking good passwords
      • How to remember good passwords
      • How to avoid pitfalls (password which looks secure)
      • Password safes
      • Password generators
    • All the other three letter acronyms :)
    • What to avoid
    • WiFi security
      • Protect your network
      • Your device is leaking SSIDs
      • Rogue APs
      • Wardriving
    • VPN
    • HTTP proxies
    • Mobile phones
    • Smartphones
      • Are they "secure"?
    • git-annex (assistant) http://git-annex.branchable.com/assistant/
    • Cloud
      • CryptoBox
      • Boxcryptor
    • Full-disk encryption
      • TrueCrypt
      • dm-crypt/LUKS
        • Operating Systems with batteries included
          • Fedora
          • Ubuntu
      • BitLocker
      • FileVault and why not to use it
      • Tahoe-LAFS
    • File Encryption
      • USBSticks
      • Dropbox
        • Alternative to Dropbox(spideroak?)
    • TLS
      • CAs
      • HTTP(S)
      • StartTLS (SMTP)
      • DNSSEC
    • Webbrowser (Security)
      • What is a "secure browser"?
      • Plugins
        • HTTPS Everywhere
        • Adblocker
        • Ghostery
        • Javascript blocking
      • Cookies (evercookies... HTML5 file cache etc.)
      • Detect "bad" SSL
        • RC4
        • CAcert
      • Secure backup
        • of keys
        • of data
    • Internet anonymity/privacy

Organization

  • Prepare your topics
  • Use the existing resources (Like documentation, slides and so on)
  • Tell them why it is important. Be conscious why and when to use crypto.
    • Prepare examples, demos of how easy things are broken.
  • Which type of protection you need for what you want to do.
  • Room
  • Internet connection
  • Place for people to sit
  • Invite the media (including preparation of the recording crew)
  • Why not use a "Volkshochschule"/community college as a platform
  • Enough laptops/computers
    • OS (Both Worlds)
    • Application
  • Code of conduct
  • Invite not only friends, invite your mother, daughter, nurses, journalists, teachers of your kids
  • Club-Mate
  • Estimate the size of your cryptoparty: how many supporters for how many attendees?
  • food: pizza, pie, soup, cookies :)

How to do it

  • Avoid spreading false premises which would give a false sense of security
  • Make people feel welcome to the cryptoparty.
  • Avoid jargon at all cost: It will scare away our target audience.
  • Explain how public key encryption works in an easy way: multiplying two prime numbers creates a secret number, because it is hard to find the original prime numbers if you only have the product. Not much more is needed in my experience.
  • Try to reuse your (good) examples - once understood it is a base to dig deeper.
  • Explain other "computery" subjects just as simply, also without math and jargon. (Example: what are the entities involved in e-mail?)
  • Use pictures or diagrams!
  • Don't explain too much. Better a few things understood than overwhelming people.
  • Make easy examples for the encryption mechanism (with sticky paper and pens, e.g. ROT13).
  • (Possibly) Keep to practicalities: what is usable? For what?
  • Have people ready to explain many different topics
  • Keep the math simple, usually it's fine to use basic operations.
  • Use the attendees as a resource as supporters: ask who knows what, and who doesn't know anything about said topic. Assign the experienced users to support the less experienced ones.
  • Be ready to give background and historical info to inexperienced users to bring them closer to the topics.
  • Do talks together - a non tech and a tech person can be the bridge to everyone ;) 
  • Pick up the attendees where their knowledge is solid.
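The "multiply two primes" explanation in the list above, carried through in working code as an added example (not from the notes): a toy RSA keypair from two constructed tiny primes, encryption and decryption, and a brute-force factoring of the public product that recovers the private key, which is exactly what stops working once the primes are the size real keys use.

```python
# Added example: toy RSA with tiny primes, to back the "multiply two primes"
# explanation. Not from the notes; real keys use primes of 1024+ bits, which
# is why the trial-division step below is infeasible in practice.
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Build (public, private) from two primes p, q and public exponent e."""
    n = p * q                  # the product is public; p and q stay secret
    phi = (p - 1) * (q - 1)    # only computable if you know p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # private exponent: inverse of e modulo phi
    return (n, e), (n, d)


def encrypt(public, m):
    n, e = public
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover p and q by brute force; only feasible because n is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(public):
    """Show why secrecy rests on factoring: factor n, then recompute d."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    public, private = make_keypair(61, 53)   # constructed tiny primes
    c = encrypt(public, 65)
    print("ciphertext", c, "-> decrypted", decrypt(private, c))
    print("private key recovered from public key:",
          recover_private_key(public) == private)
```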

Audience

20:25 < x> "How to host a cryptoparty": if you are going to be talking about something make sure your explanation is really refined, try explaining Tor/Bitcoin/whatever to a non-technical relative
20:25 < x> if they find it interesting, you're good to go
20:25 < x> it took me ages to work that out and I think I just assumed because I knew what was going on that knowledge would magically translate into being a good teacher

How to enhance the usability of Enigmail?

Agenda for tomorrow:

Shameless plug: #PrismCamp (17/18 May 2014, Stuttgart) will provide time & space for a two-day non-stop #CryptoParty

Is there a "one true way" for creating gpg keypair? Maybe follow this blog post: https://alexcabal.com/creating-the-perfect-gpg-keypair/

Swedish: https://www.dfri.se/dfri/work-in-progress/gpg/gpg-huvudnycklar/ and https://www.dfri.se/dfri/work-in-progress/gpg/gpg-privatnyckel/

Any further strategies, after creating a good master key, for maintaining a subkey structure (granularity, expiration, hierarchy depth) would be nice to have in a write-up.

openpgp-schulungen explains it in quite some detail.

Group from the edge, some feminists

  • talk to people
  • ask people for their opinions
  • CryptoParties for women only (feminist CryptoParty), attracts many women
  • small groups, max. 20 people
  • one angel per 5 people
  • arguments: lawyers and journalists should use encryption because of their function
  • https://www.tacticaltech.org/