[CryptoParty] Fwd: [cp-global] 31C3 and NSA

an.to_n-73 at riseup.net an.to_n-73 at riseup.net
Thu Jan 8 08:14:54 CET 2015



Best regards

Anton

-- 
an.to_n-73 at riseup dot net , PGP:
0B4C DF2C CB22 5DF4 25EA F212 49D1 ABF2 A2A9 7D7D



Subject: [cp-global] 31C3 and NSA
Date: Wed, 07 Jan 2015 00:45:43 +0100
From: no.thing_to-hide at cryptopathie.eu
To: global at cryptoparty.is

Hello and have a good new year 2015!

At 31C3 there were some more sessions from CryptoParty.

We had a meeting "How to throw a CryptoParty", pad here (1) and the
content in addition below.

I gave the Firefox DO! NOT! TRACK! session with ca. 25 participants,
slides here (2), pad here (3) and its content in addition below.

On 2014-12-28 DER SPIEGEL published an article about NSA's
cryptanalysis capabilities (4) and a bunch of documents (5). I OCRed
and merged the 660 pages to one PDF, downloadable here (6).

Best regards and /stay wiretapped/!

Anton


1) https://pads.ccc.de/5og0hauZo7
2) https://mega.co.nz/#!9okThAhA!DSb4x5LrDXhLaeA1480qTsqe9yLbmHuFxqv7HIKqy0E
   SHA256: 2a0c6cad98e7c9005cc6754dbc9084b0368b2f598e98ac96f8b71d39fdf314ca
3) https://pads.ccc.de/1xOh6z8Uus
4) http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
5) http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html
6) https://mega.co.nz/#!wpNwxZzI!XYSX6sJfXSFiOtMOxnOSHqX9BX8SW3jLhERgO3zuTi8
   SHA256: 4d9fd67325549fd71249ada5c9c5a3eac08600ce516d9b089f6987c9cb220cb1



## Pad "How to throw a CryptoParty", state of now

https://pads.ccc.de/5og0hauZo7

Participants:
Anton, Graz, an.to_n-73 at riseup net, 0xA2A97D7D
Petter, Umeå, pettter at acc.umu.se (XMPP/e-mail) 0xE1BF1597 DECT 2517
Christian, Berlin, dawning_sun at mailbox.org (E215 FA04 3B3A 5E0B E6A3
4E65 1816 EADC BA98 5D1E), Congress-GSM: 2610
notes:
Introduction round, Collection of experiences
Location: hackerspaces, problem: reputation
Try to find neutral places
General advice: Do not scare the participants too much
Create a relaxed atmosphere
Q: Quality control? How to check if the participants are successful in
applying the new knowledge?
--> Offer contact via e-mail in case of questions. Check success by
exchanging encrypted e-mails. CP is an open movement, every group can
conduct individual parties. Do not try to achieve perfection, it is not
possible.
Q: Marketing. Best practice for content? What attracts people?
--> https://github.com/cryptoparty , repo for material for CP,
recommended to use, makes preparation easier
Show PGP and OTR by practising and showing the application
Privacy cafe: Set up laptops with practical examples, show that the
programs are easy to use, recommend overview sites like
https://prism-break.org . PR: Public libraries can make PR, use PR
resources of public institutions (libraries, universities). Keep
distance to hacker spaces. Target audience: IT students, law students,
medicine students,
Example Berlin: Public financial administration not able to handle
encryption, hint on homepage. --> Letters are better than bad encryption.
List of tools on cryptoparty page
(https://www.cryptoparty.in/overview_tools)
train the trainer sessions: drop by at the cryptoparty assembly any time
Paris: Different communities coming to CP. CP go into communities:
Feminists, LGBT, people feel better in own community.
Privacy cafe: Own tool list. https://privacycafe.nl . Teach people a
mindset, create awareness, give background information. Do not do the
technical work for the participants, support them by doing it
themselves. Explain metadata by tweet: Ratio of tweet-characters to
metadata characters.
Educational graphic from EFF https://www.eff.org/pages/tor-and-https
Explain the basic problems.
Care about the didactics, different kinds of learners, adapt to
non-technical users. Offer text-based and graphics-based teaching material
Graz: Do not focus too much on technical solutions. A letter can be
the best solution for non-technical users for important communication.
Privacy Cafe: Explain the internet to the people, how electronic
communication works in principle. Ask them for their model about the
internet.
Explain the basics like browser, MUA, ...
Use the resources on cryptoparty.in like the IRC channel for basic
questions
https://www.cryptoparty.in/communication/irc
Paris: Smartphones. One group dealing with smartphones.
Aberdeen: Protection from immediate tracking from shopping centers.
RFID tag on bus stops
Paris: Advertisement screens scanning for smartphones
Graz: Android Smartphones are a _basic_ privacy problem, how to make a
compromise
Privacy Cafe: Use F-Droid, good 1st step not to install spyware.
Infosheet for smartphones
Frankfurt: Don't use apps, use the website to get the information
https://fsfe.org/campaigns/android/android.en.html
Berlin: Promote free software.
Graz: In some cases free software is not applicable (Windows, Outlook ...)
Privacy cafe: Small steps help, Firefox on Windows is better than IE
or Chrome on Windows
Aberdeen: Problem keybase.io. Demands the private key for the services
--> bad idea.
How to recommend mail providers and web services? Business related.
--> Question of trust.
--> Avoid cloud services where you need to be online to work.
Losing control of own data.
Mailprovider: Choose one reliable and pay them with money. Then they
earn money from you and not from your data.
Comment: Main question is trust. Who can non-technical people trust?
Problem: Terms of service, nobody reads that
https://tosdr.org --> Take part, they lack manpower
Size of Cryptoparties: Not more than 5 participants per cryptopath
Do not create confusion with the name: Cryptoparty is not only about
partying, also about tech.
But: Prepare some drinks and cookies (HA HA cookies :-) ).
Duration: 2 h to half a day, participants filled up after 4 h.
Create a party atmosphere, a social situation
Number of participants hard to predict.
Berlin: CP in different locations, rotating monthly. Do not be
frustrated when 0 or 1 participants are there. Take it as a relaxed
evening.
Q: Registration for CP?
--> Not a good idea. Many more participants than signed-in people.
General: Objection against signup
Registration for volunteers may be useful to make the preparation.
Wikimedia Berlin offers offices for activists, they use Google Docs.
Compromise: Set up an anonymous questionnaire: How many people, what
special topics?
Only optional registration
Prohibit taking photographs. Example: Pirate Party making promotional
CP with press.
Q: Bad experiences with police or services? What are we afraid of?
- 1 case: Deliverance of malware at CP (asked him to leave)
- Berlin: Creepy people, possibly "fake journalists" from somewhere
introductions
Space - hackerspaces maybe not the best. Find a café, pub, university
or library?
PR - the space people can probably help with PR, if a Pub, they can
help find the people who usually are there
Inviting atmosphere, cbase
focus on getting something working, not get bogged down in explaining
everything
have several tables, e.g. one for PGP, one for OTR etc. (1 see below)
~~ but don't call it GPG, OTR, but mail, chat etc. on the tables
because people won't know what the names stand for,
do not talk too much in the beginning, start quickly by doing
=== LINKS

"How to CryptoParty" (Sofia, April 2014):
https://va.ludost.net/files/initlab/20140502cparty.mp4

https://github.com/cryptoparty (e.g. table cards per topic (1),
stickers, flyers, posters)

table cards are here: https://github.com/cryptoparty/handouts

tools overview: https://www.cryptoparty.in/overview_tools

Terms of Service; Didn't Read: https://tosdr.org




## Pad "DO NOT TRACK", state of now

https://pads.ccc.de/1xOh6z8Uus

DO! NOT! TRACK!
31C3, 2014-12-29, 2 pm
Hello everybody!
in linux:
firefox -no-remote -P
Hints:
(1)
Firefox has a great built-in tool – the Network Monitor – for watching
what happens on the network.
To see that, simply press Ctrl+Shift+Q – or click on the Menu -->
Developer --> Network
There you can see all requests the browser sends to servers. If you
click on a row, you can see the details to the right.
For details see
https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor
To clarify:
In general, a website or company can collect data passively or
actively. Collecting data passively means remembering the data that
the server receives by the HTTP(S) request itself. Actively means the
company or server adds things/objects to the website – which in fact
might be invisible – or via cookies etc.
A company or server does not necessarily have to remember the data
that the server receives – whether actively or passively –, but it's
very easy to collect the data and save it on a disk
((
http://www.heise.de/newsticker/meldung/Adblock-Plus-Weitere-Vorwuerfe-und-Widersprueche-1909535.html
http://www.mobilegeeks.de/adblock-plus-undercover-einblicke-in-ein-mafioeses-werbenetzwerk/
http://tech.eu/features/2614/eyeo-profile-adblock-plus/
))
Tools
---------
FF Add On: CacheViewer
for flash cookies: http://samy.pl/evercookie/
Addon against flash cookies:
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
(remember to check the settings)
https://amiunique.org/
http://browserspy.dk/
https://panopticlick.eff.org/
http://samy.pl/evercookie/ compared to
https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
   ??  also compare to Chrome's/Firefox's delete browser data
(including Flash)
which websites can track the mouse pointer location and how?
To prevent tracking the mouse you have to disable JavaScript.  Thanks!
I guess the sites can see the EXACT position? Every millisecond? Also
scrolling position?
yes, see Web API reference:
https://developer.mozilla.org/en-US/docs/Web/Reference/API
List of all Events: https://developer.mozilla.org/en-US/docs/Web/Events
MouseEvent:
https://developer.mozilla.org/en-US/docs/Web/API/MouseEvent Thank you!!
private session = temporary storage of data on computer, deleted
afterwards automatically ?
portable browsers vs installed browsers are equally secure/private?
AFAICT there is no difference. You could create a completely new
profile every time you start firefox. You could also have different
profiles. Nevertheless, data outside of the profile directory stays on
the PC, e.g. Flash Cookies.
"Block reported attack sites" --> are my URLs sent to Firefox servers
or compared to a locally downloaded blacklist? (also in Chrome safe
browsing)
https://www.google.com/safebrowsing/diagnostic?site=Google.com
integrated into chrome (and Firefox, Safari, etc?)
Go through Chrome's privacy settings at the end of the talk.
How much data can a DNS server like 8.8.8.8 or OpenDNS, etc get from
me? They can see every url I am visiting (and with DNS prefetching
enabled also links that I did not click but are on the website I visit?)
Unfortunately the TOR browser bundle or TAILS are not hardened as much
as possible (Javascript, referrer,...) by default
IXquick vs duckduckgo vs metager.de (vs qwant.com) ??? (just ixquick
uses google?)
Disconnect:
https://disconnect.me/
Search:
https://addons.mozilla.org/en-US/firefox/addon/disconnect-search/?src=dp-dl-othersby
Anti Tracking: https://addons.mozilla.org/ru/firefox/addon/disconnect/
WOT and Ghostery addons are useful but the companies are working with
advertising networks (I think)
Ghostery vs https://www.requestpolicy.com vs NoScript (vs Adblock
EasyPrivacy/AntiSocial lists ... less control) ???
If I have NoScript installed, installing Ghostery doesn't make any
sense, right?
some addons/extensions hide their code through base64??
Sites can track through pictures. I can disable pictures in the
browser settings, but can sites still track me if I have JS disabled?
(HTTP nowhere)
Can my mobile network provider like T-Mobile see my MAC address?
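The Network Monitor from hint (1) of the DO NOT TRACK pad can save what it captured as a HAR file. The script below is an added example, not part of the pad or the original mail: it reads such a HAR and reports, per host, how many requests went out, whether the host is outside the visited site, and whether cookies and a Referer header were sent, which makes the passive and active collection described in the pad concrete. The HAR is constructed here, and `siteOf` is a simplified stand-in for a public-suffix lookup.

```javascript
// Added example, not from the pad: summarise a HAR export from the Firefox
// Network Monitor per host, so the "passive vs. active" collection described
// above becomes visible as concrete requests, cookies and Referer headers.

// Rough "site" of a hostname (last two labels). Simplified stand-in for a
// public-suffix lookup; it mislabels hosts such as example.co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// One row per host: request count, third-party relative to pageUrl, whether
// cookies were sent, whether a Referer header (the visited page) was sent.
function summarizeHar(har, pageUrl) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    const row = byHost.get(host) || {
      host, requests: 0, thirdParty: siteOf(host) !== firstParty,
      cookiesSent: false, refererSent: false,
    };
    row.requests += 1;
    if ((entry.request.cookies || []).length > 0) row.cookiesSent = true;
    if ((entry.request.headers || []).some((h) => h.name.toLowerCase() === "referer")) {
      row.refererSent = true;
    }
    byHost.set(host, row);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Hosts outside the visited site that still received requests.
function thirdPartyHosts(har, pageUrl) {
  return summarizeHar(har, pageUrl).filter((r) => r.thirdParty).map((r) => r.host);
}

// Constructed HAR 1.2 fragment standing in for a real Network Monitor export.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://news.example/index.html", cookies: [{ name: "session" }], headers: [] } },
  { request: { url: "https://static.news.example/app.js", cookies: [], headers: [] } },
  { request: { url: "https://tracker.example/pixel.gif?uid=42", cookies: [{ name: "uid" }],
    headers: [{ name: "Referer", value: "https://news.example/index.html" }] } },
  { request: { url: "https://ads.example/bid", cookies: [], headers: [] } },
] } };

for (const r of summarizeHar(SAMPLE_HAR, "https://news.example/index.html")) {
  console.log(`${r.thirdParty ? "3rd" : "1st"} ${r.host} requests=${r.requests}` +
              ` cookies=${r.cookiesSent} referer=${r.refererSent}`);
}
```

For a real capture, replace SAMPLE_HAR with `JSON.parse(fs.readFileSync("page.har", "utf8"))` and pass the URL you loaded as pageUrl.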


More information about the CryptoParty mailing list