[CryptoParty] Fwd: NSA - 2012 state of cryptanalysis, 31C3

an.to_n-73 at riseup.net an.to_n-73 at riseup.net
Sun Dec 28 21:56:38 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Subject: NSA - 2012 state of cryptanalysis, 31C3
Date: Sun, 28 Dec 2014 21:50:50 +0100
From: no.thing_to-hide at cryptopathie.eu
To: z_list cryptoparty.is global <global at cryptoparty.is>

Hi from 31C3!

Today the German SPIEGEL published a very interesting article about
NSA's cryptanalysis skills, state of 2012:

http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

The bad news: Much stuff is broken!
The good news: Some programs are still safe!

And at 31C3 we had a meeting of cryptoparty organizers:
https://events.ccc.de/congress/2014/wiki/Session:Meeting_of_CryptoParty_organizers

The notes are here:
https://pads.ccc.de/7rJKafAxkt

and in addition below, state of now.

Best regards and /stay decrypted/

Anton

- ----
Participants:
Anton, Graz, an.to_n-73 at riseup.net, 0xA2A97D7D,
Yuval, TLV, yuval at y3xz.com, 271386AA2EB7672F
Eelco, Amsterdam, eelco at hotting.nl, 0x791EB13F406A6F3B
Fred, Hamburg, hallo at cryptoparty-hamburg.de, 0xB960EC68
Petter, Umeå, pettter at acc.umu.se  0xD8363776E1BF1597 congress-GSM 2517
Marie, Berlin, marie.gutbub at systemli.org, 0x4c5980f4bb86a00a
Christian, Berlin, dawning_sun at mailbox.org, E215 FA04 3B3A 5E0B E6A3
4E65 1816 EADC BA98 5D1E, Congress-GSM: 2610

Topics:
- - Handbook as a verbose, not necessarily useful resource
- - House cryptoparties group of 5-10 friends
- --> page in German and English:
https://www.cryptoparty.in/berlin/living_room
- - How to deal with the different kinds of hardware/OS'es that visitors
bring
- - How to organize those parties? Exchanging best practices

Privacy Cafe (NL): Cooperation with public Libraries
Non-mandatory sign-up form (demanded by libraries)
Problems with Win8 machines

Cryptoparty Köln/Bonn: Event for journalists
Jens (Ingolstadt): Ask for info about hardware / OS before Party
- - Put dates of upcoming parties on
https://www.cryptoparty.in/parties/upcoming
- - How-To add your own CryptoParty:
https://www.cryptoparty.in/parties/add-a-date
- --> Christian (dawning_sun) is more than glad to help you with it
- - Ask universities for rooms
- - Possibility for anonymity important (no mandatory signing-up etc)
- - No need for detailed planning, "Self organisation" :-)
- - Luxemburg: Announcement via meetup (?), overcrowded party,
participants new the topic
- - NL: Advertisement for parties at schools, public institutions ...
- - Berlin: Ask motivated participants to come back and enter the
organisation
- - Individual decision for non-mandatory sign-up form for preparation
of party (devices, OS ...)
- - Hamburg: promise to delete data of sign-up process. Information
before party for preparation is helpful (programs to install etc. ...)
- - NL: Flyers for Privacy Cafe, Location: Cafes and bars in libraries
- - Question: Need for best-practice Cryptoparty HowTo in written form,
e. g. guidelines, experiences ... ?
- - No mandatory "standards", every cryptoparty is very individual
- - Entry on https://www.cryptoparty.in/31c3 : Improve the written
recommendations
- - Cryptoparty: Non-political, no political direction
- - Privacy cafe: Requests from political parties and companies. No
commercial aims, tell the companies how to do this themselves
- - Discussion: May an event only for women take the name "Cryptoparty"?
=> Exclusion of men etc..
- - SE: Paid for talk at journalist association,
- - Hamburg: Good experience with guidelines, "protecting the brand",
Request from political party: Can call it Cryptoparty, but needs to be
open, Refuse of public school throwing paid cryptoparties
- - Guidelines are important to keep less-desired people out (political
radicals, trolls etc)
- - No lever to enforce the commitment to the rules
- - Final objective: Get the people to encrypt their stuff
- - Yuval: Content of cryptoparty (Tor, OTR, PGP). Do we address the
right topics? Other topics like threat modelling?
- - Luxemburg: Individual topics, dependent on participants, e. g. one
Facebook session
- - NL: Tell the people about the risks of mass surveillance, create
motivation to keep their privacy, FSFE E-Mail self defense guide
- - Frankfurt: Teach a mindset, teach best practices.
- - SE: No "complete" security, every little bit helps
- - NL+Ingolstadt: Many more messaging tools in Post-Snowden era
- - NL: General audience at privacy cafe, not afraid of NSA, more
concerned about kids on FB, neighbors knowing something, online
banking security etc.
- - Luxemburg: Address normal people, not the "super digital activist"
etc. The right tools for the individual needs
- - Huge knowledge gap of normal users, show pictures where which data
flows to (Google, Bluffdale ...)
Question: Get the people. Everybody listens to the lectures about
surveillance, almost nobody acts afterwards
- - General problem to motivate people to do encryption in practice
- - Do not focus on NSA and mass surveillance, keep the secret services
- - Concept of compartmentalisation (different nicks for different needs)
- - Workshop at NDR: Half of room cleared out after talk. Journalists
said afterwards, he would need somebody to explain instead he was there
- - Most journalists do not talk to whistleblowers, no high danger
during communication
- - Frankfurt: Release non-perfect software, encryption with possible
errors is better than no encryption.
- - Do not intimidate visitors too much
- - Know your limits, journalists in real danger shall consult experts,
_not_ the local cryptoparty
- - Experience with visitors from non-democratic countries: Give a short
introduction, raise awareness
- - Fit the IT security to the threat level
- - Users must feel good with applied IT security, even if it is
plaintext e-mail
- -
THE END: Keysigning
Thanks for reading

- - existing materials: https://github.com/cryptoparty
- - Hamburg material: https://github.com/ccchh/Cryptoparty-Slides

(^^^ if anyone wants/needs github write access, email Yuval)
- --> add your own, remix existing stuff (yay Creative Commons License)
- - another great handbook alternative:
http://www.tcij.org/resources/handbooks/infosec

Recommended Sessions (Go there or watch the stream):

GnuPG in use with smart cards (Werner Koch, Maintainer GnuPG)
https://events.ccc.de/congress/2014/wiki/Session:GnuPG_in_use_with_smart_cards

DO! NOT! TRACK! (Antitracking Firefox)
<https://events.ccc.de/congress/2014/wiki/Session:DO!_NOT!_TRACK!>

Talk on Monday: "Trackography" @ 10 pm:
https://events.ccc.de/congress/2014/Fahrplan/events/6299.html

