33C3-Session zu Cryptoparties
* Analogies
- Padlock + Mail envelope
- Three Matroska Boxes
- Crypto Santa Tor Boxes
* Topics
- No math
* Training
- At least 1h
- non-technical trainers
- PGP
- no enigmail/mailvelope, but copy-paste pgp
- install it first to verify tor signatures (no mail client etc)
- first steps
- come back when you have a PW manager and browser plugins
- „noob table“
- split guest groups by competence level and topic and expectations
- Training the trainers
- Let techies train the non-techies
- Techies get better at training
- non-techies get better at tech
- Rounds where everybody explains everything all over again to refine explanations
- Film the teachers and let them watch (and only them!) (dry runs)
- Enforce time limits for presentations and explanations in dry runs
- Didactics tutorial info
- ARIBA
- https://myshadow.org/ (train section)
* Follow-Up
- Do key-sharing party one month afterwards
- getting feedback
- collecting mail addresses, conducting surveys
* How to get trainers on the same page regarding tools * How not to scare visitors and make them believe they can „make meaningful progress“ * „It depends“
Topics * How the internet works * linux * hard drive enc * email enc * mobile enc * Easy: TorBrowser, TrueCrypt | Hard: Enigmail (bc of webmailer) * what do they expect * categories: communication, data enc, anonymity * BBBBBBBBYYYYYYYYYYOOOOOOOOOODDDDDDDDDD * but also Test Systems (fresh linux, windows, mac, phones) to setup demo accounts * other peoples' keyboards are lava (reduces blame on the trainer if sth goes wrong)
„how many people did this at at least one of their cryptoparties?“ (max=9) XMPP 3 XMPP Desktop 1 Conversations 4 Signal 6 PGP 9 Enigmail 9 Mailvelope 0 TrueCrypt 2 VeraCrypt 3 TorBrowser 7 Threema 1 Telegram 1 PW Managers 6 (KeePass, one person OnePassword) Ublock Origin 3 Adblock 3 Priv Badger 5 NoScript 8 HTTPS every 8 Phone enc 3 Linux 4 BSD 1 (FreeBSD/OpenBSD) Offering Tails 4 Whonix 2 I2P 1 Freenet Project 2 Tox 1 Ring 0 Wire 0 WhatsApp e2e 0 2 factor auth (2 ppl informally, no walkthrough) SMSSecure 0 Cryptocat 0 Examples of (spear)fishing 0 Keybase 1 protonmail 0 pep 0
„Asymmetric encryption: Public and private key“ „End2End encryption works, but both parties need it, how to verify“ „Encrypting non-important stuff makes encryption seem less suspicious“ „Show visual traceroute from local place to mail provider (look at all these computers) visualroute.com“ „“
* start with peoples' ideas and needs, give sense of empowerment, don't rush, never use computer to explain stuff, theoretical stuff beforehand, no wise-ass-guy, more moderation than explaining * don't be shy to cover topics we are not familiar with, „intersting, but i cannot help“ / „i'm not comfortable with explaining that to you“ / „let's find out together“ / say beforehand „we're not experts“ * empowerment: „study: if 15% use crypto, the nsa starts having economic problems“ → audience has influence! * use the peoples' machines, make them more secure * „don't assume everybody worries about the nsa“ → instead talk about cybercriminals, advertisers, device theft * share stuff on https://github.com/cryptoparty * be up to date on cryptoparty.in, global mailing lists, contact info * trackography.org * how does the inet work → trackers →
- Demoing on visitors' machines can expose private information, prevent that before it happens
Things gone terribly wrong: * PGP on apple * Truecrypt (wrecked partitions, no backups were made despite warnings) * Updating a Raspi took all the time that was intended to demo hidden services * Setting up Linux for person who bought laptop for that particular person and „had backups“, and hat to catch a flight the next morning (uefi fuckup, hw/software problems until 5am) * ASK PEOPLE WHEN THEY MADE BACKUPS OVER AND OVER AGAIN * Linux install day on MONDAY evening (6 trainers, 50 guests), 40 installs, less than 4% retention rate (LUG event)
windows fearmongering is „dangerous territory“ because there is no hard proof and borders conspiracy theories
"TSA approved locks" analogy though
How do we ask people what they are worried about?
"What are you worried about?" "
Post-session talk ended here because people were tired
NEXT DAY: HOW TO ORGANIZE A CRYPTOPARTY
Q: „Organizers, what is important?“
"Same regular time and place for the meeting" "Avoid Hackspaces, because they attract the wrong kind of audience" "Hand out flyers" "Don't grow it too big (200ppl at one party)" -yolo "need to be inclusive, ppl should be able to be anonymous" "bootstrap from core community that already has problems (eg activists)" "don't have technical discussions (cacert guy batteling gpg guy)" "do the techy part at the end so ppl can leave beforehand"
Q: „How do you prevent the discussion from drifting away to 'advantages of privacy' or 'tool1 vs tool2'?“
"have separate rooms" -yolo "there will be smaller groups later!" "deputize the disruptive nerd and give them a hard task" "oh you know so much about that? here's your own table" biobrause
Q: Can i start in my living room with my friends? → eveybody: „Yes!“
Q: How to deal with different languages at same Cryptoparty?
split languages by table explain in lang a, and while person a figures it out explain to person b in language b
Q: Different language materials
blabla look on cryptoparty.in use language specific subdomains of cryptoparty.in
Q: When are the topics decided? (flyers, intro, group)
few ppl: ask everbody what they want / larger group: raise hands or let ppl come to teacher
discuss beforehand which tool to teach for each task (yolo)
experimental format: "who are your enemies" -> (corps+ads | russian intelligence) -> threat model centered approach (including tool selection)
let groups interact, roleplay situation (ukrainians, russians, journalists, etc) -> what ressources do your enemies have?
Learn from each other, let elderly woman teach about passwords, ask attendees what they can teach
„Why are you here?“
Topics:
start with current events -> how does this affect me -> who has an iphone? -> show alternatives surveillance in your city
Don't use red/green tables, bc ppl will just believe you and not think about what the tools do for them (→ threat model)
Don't overwhelm ppl with many options, instead make them have success
Don't force them to give out contact info for testing purposes
Tell what is important to YOU! → What do you use? → do they satisfy your requirements? → oh we have to uninstall everything
convince ppl oss is better bc nerds can check it out
is it secure? → if you throw your phone into a river and can read your message on a new device, it's not god
advertise cryptoparty:
have person use social media for you (guenther) local newspaper tell all your frieds have your venue announce go where ppl gather put up ads in the analog world word of mouth (reqs recurring event) all of the above
Share posters/stickers/etc on github!!1
Q: ppl are sceptical of tools and think police is almighty and ppl believe that anything can be broken
give them examples of criminals/activists who [are/have been] active for a long time
Q: wat do when ppl have a threat model you cannot handle?
nobody actually responds to questions for a long time
do special event for those ppl and go into more detail
however it's not a good idea to announce a "whistleblower cryptoparty"
you can still help them by raising the average level of crypto usage
have one or two special angels ready for these ppl that can contact more advanced help ("are you a surveillance target?" -> "yes" -> and of to the other room)
Aspirin dont help, so i dont take it? → not taking it is no solution
Will i draw attention on me if i use $tool?
German reunification -> they cannot get us all when we are enough
cryptoparty is mental help: try to separate actual threat and paranoia. listen to ppl and validate what you say, capture the trauma (bring others for support)
then answer the question and relieve the stress from the situation -> emotional work
ppl who are sceptics of crypto are defeated, but they came to you despite them „knowing everything is bad“ → talk them down, emotional help
crypto-„party“
names: cryptoparty/privacy cafe/cafe privé actually do a party and let the musicians "accidently" learn about crypto
how do you plan the angel/attendee-ratio, what info to get from angels?
1:5 (never works out)
dont plan anything, bc normally enough angels show up (berlin)
failed for us, bc they showed up late and didnt know wat to do (yolo)
do smaller cryptoparties
get more reliable angels
have backup plan in case no angels show up (funny youtube videos) (non-berlin)
recruit attendees for next party: "send me an encrypted email if you wanna help"
ppl with android 2.2 → wat do?
tell them how the internet works and let them realise their phone is shit show them newer android where you can fine-grained permissions
REQUEST: USE THE LIST ON CRYPTOPARTY.IN!!!! (and the other stuff there)