CryptoParty at Pögehaus 15.01.2016 – Ressources

Our CryptoParty was orginally presented in German and translated into Kurdish.

Sildes and Discourse

Our slides. (Download: Zip-Archiv | Tarball )

discussion forum for questions, comments, hints. Simply register and start.

Threat models

Threat models allow evaluation of risks which eventually come across as a by-product of digital communication.

They describe potential attacks and expose risks in behaviors, in transmissions or in channels.

This descriptions provide knowledge, which enables you to estimate limits and possibilities of solutions such as end-to-end-encryptions or transport security regarding the given use case and provides hints for adapdting the own online behavior.

The slides of the talk What the Hell is Threat Modelling Anyway? give a short introduction into conceptualizing risks, which you might face whenever using communication technology.

Electronic Frontier Foundation (EFF) provide a short Introduction on thread models focused on the needs of journalists.

Passphrases and Password Managers

Please do not consider using a cloud-based password manager. Instead, we recommend using a password manager which stores your passwords into a encrypted container or database on your own device.

If you cannot avoid using cloud based storage we suggest sharing the encrypted database of a password manager who runs on your own device.

The following password managers seem recommendable for us:

KeePass: offcial site with tutorials, docs and a bbs. You can find KeePass Source code in the download section.

MacPass (MacOSX/macOS): offical site. source code is hosted on Github.

KeepassX (Linux): offical site with docs, bbs and source code.

KeeWeb: offical site.

PasswortSafe: offical site with doc and source code

Remember: Length beats complexity. A good password is a long password (20-30 letters or 8-12 words) even when it is simple. A simple method for choosing a good password is to combine at least 6 random words and use memory techniques to remember. Please resist writing it down. Another method is to generated a random password by using your Password Manager and remember only a good master password.

Diceware™ is a method to compile a password or a passphare by using a dice and a dictionary list. Using a high-quality dice (casino dice) is recommend. Instead you can use Software base on a cryptographically secure pseudorandom number generator only. Good passphrases generated this way consits of at least eight words (80 bits entropy).
Twelve words (120 bit entropy) are considerd as a strong passphrase. Generating a passphrase that provides enough entropy that lasts a year by current standards should
provide 65 bit entropy at least.

Webtracking and Digital Shadow

By Using digitial services with our devices we leave traces – intentional or not. We click on websites, comment on Twitter or upload photos to Facebook or Instagram or share your thougts in Vlogs on YouTube. Even if we phone our write texts we leave this traces.

Metaphorically speaking our digital shadow is growing and growing continously. By using My Digital Shadow Technical Tech provides a tool to visualize these traces.

Most websites use cookies to gather information about their visitors and users. There are different kinds of cookies where some are more persitent than others.

Especially media sites use tracker scripts to identify users and provide personalized advertising and services.You can use Trackography to visualize the way your data colleted by these tracker flows around the globe.

Browser Fingerprints are another quite popular method of tracking your online behavoir. Use Panopticlick and HTML5 Canvas Fingerprinting to check if your browser setup allows fingerprinting to identify you uniquely.

Behavioral Profiling tracks key strokes, mouse movments and clicks to build a very unique and identifying behavoiral profile you cannot get rid of. There is no broad defence method available for this new kind of surveillance.

Recently Cross Device Tracking has been added to the arsenal of tracking technolgy which uses ultrasound (silent to the human ear) to identify users across their different devices (Mobile, Laptop, Computer). This method is also able to deanoynomize Tor users. It could be a wise decision to put your mobile devices into a fridge while using any method to cover your tracks.

SSL and TLS

SSL or better TLS is a standard end-to-end-encrytion used in the internet. Whenever possible use this kind of end-to-end-encryption. The strength of this encryption relies heavily on the server side. Thus it is out of your controll most of the time. Always us the latest version of your Browser (Firefox or Tor-Browser are recommend).

Check the validity of server SSL/TLS certificiates is alaways a good idea when you need to trust the website you are using. The proof is done by checking the SHA256 fingerprint. You need the correct fingerprint sent to you by a secure channel before.

Tor – The Anonymity Network

Tor is the most famous and the best reviewed anonymity network.

Tor aims to obfuscate data traces and meta data generated by online traffic such as visiting websites, receving emails or using an instant messenger.

Driven by Onion routing the traffic is routed trough randomly choosen Tor nodes using 3 hops each request while layered encryption ensures that no participating node can leak its traffic information.

This efforts render the Tor network nearly incapable of serving large amount of bandwidth, which are usualy consumed by services such as media streaming or online gaming.

Using specific protocols to transfer large amount of data such as the Bittorent protocol even undo the efforts of covering your tracks and enables deanonymization.

Theoretically Tor complicates tracking users inside its networks. However studies show latetly, that statistic analysis can be used over time to almost deanonymize certain participants. Moreover intelligence make huge efforts to infilitrate parts of the Tor network (so called Relays) in order to uncover participants.

The Tor Browser Bundle is a hardend version of Firefox, specially adapted and configured for the use of Tor. Unfurtunatly this makes this Browser a special target. The FBI recently attacked the Tor Browser in combination with infected malicous relays in order to uncover certain users.

Nevertheless it is recommoned to use Tor only on Tails, a special Linux-Live-Distribution with anonymity in mind. Tails purpose is to avoid metadata and increase the efforts to uncover its users.

Using Tor comes with the price of changing your online behavoir in order to provide best protection and anonymity. The Whonix Project colleted some advice of things not to do.

Recommend readings and talks

 

Prism-break.org – Used cases and non-privacy invasive tools and/or alternatives

Surveillance Self-Defense Guide of EFF

Security-In-A-Box (sometimes outdated tutorials)

Slides of our talk Überwachungskapitalismus (German) at CryptoCon15.

Talk on CCC-Kongress Dezember 2014:
ECCHacks: A gentle introduction to elliptic-curve cryptograph

Handbook of Applied Cryptography”:
Offizielle Download-Seite für die einzelnen englischen Kapitel zur privaten Verwendung.