This is a double guest post, incorporating two separate presentations from the recent Melbourne CryptoParty event. Cryptoparties are grass-roots data security education activism – CryptoParties are free to attend, public, and commercially non-aligned. Some of the information provided below is specific to Australian law; find a Cryptoparty MeetUp local to you if you want to check your specific legalities (follow the proceedings online if you can’t get to the MeetUp itself).
Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world. ~Cypherpunk Manifesto
GeorgieBC first explains why privacy is necessary for all of us, then Sarah Stokely expands on privacy matters and outlines the basics of using Tor as one of the tools for online privacy.
* * * * *
Hello CryptoParty. My name is Georgie online, Heather Marsh to some people and other things to other people. I would like to talk to you all a bit about privacy and anonymity. We all know privacy is essential in high risk activism, but it is so much more than keeping bloggers from being killed. Privacy is for us all; it is a right we used to have, and most people do not realize we have lost it, or that we ever had it.
Most people in democracies feel that freedom of the press is essential in a democracy; this is because we need information about our government in order to participate in a democracy. This freedom has been turned on its head so that people now feel they have the right to see Kate Middleton’s breasts but not foreign policy documents. It’s the other way around. Foreign policy documents are subject to censorship that is not compatible with democracy. Kate Middleton has been subjected to surveillance in violation of her right to privacy. The news obsession with celebrities and their private matters is there to distract you from the real news which they are not showing you. They tell you what US president Obama’s daughters wore to school when we really need to know if he is going to bomb Iran.
In our grandparents’ day they had a wonderful thing called mind your own business. They did not give their first names to people they had just met. There were layers of trust you went through to get to know someone and you owned the truth about yourself. This expectation of privacy for individuals is gone and we need to bring it back; transparency is for public organizations and actions which affect the public, not for our private lives. Perfect strangers will now demand any detail of your life and feel they have a right to it. We know the surveillance culture has won when snooping is a virtue, equated with being open, honest, and having nothing to hide, while a request for privacy is met with shock and hurt and group shunning. We need to start refusing to provide personal data as much as we can; privacy is a basic right and if we do not use it we will lose it. We have lost it.
It has been proven enough times, famously by Julian Assange and Bradley Manning but in many other cases as well, that authorities do not need to see any transactions or have evidence of any criminal activity to destroy your life; it is enough that you pull attention, that they are aware of your existence. The fact that you are doing nothing wrong or illegal is no protection if you have attracted the attention of someone with power or mental instability. Governments are not the only people on the internet; if you start expressing opinions you will find far more interesting opposition as well. Anonymity, once lost, can never be regained; even if you have no intention of ever expressing a controversial opinion, privacy should become a habit, like brushing your teeth.
Besides the safety aspect, online anonymity is cherished by internet dwellers as the only means to pure thought exchange, where ideas can be judged on their own merits, unclouded by preconceived judgements based on unrelated data.
I started out as a programmer, and there was a time where even just my voice would have made anything I said instantly discredited; people only listened to opinions on programming or politics from baritones and tenors. That is still the case in some circles; there is a reason my online names are usually sexually ambiguous or male. Alan Turing, one of the fathers of computer science, faced the same obstacle when it became widely known that he was homosexual; there is a very sad quote from him, “Turing believes machines think. Turing lies with men. Therefore machines cannot think.” We have lost far too many brilliant ideas because of bigotry against the place they came from. Many women in history would never have been published if they did not publish as men; many brilliant thinkers have been attacked based on irrelevant personal data such as race, age, or opinions on unrelated topics, and their ideas have been lost. Until we live in a world with no bigotry, anonymity is the only way for these voices to be heard.
In order to move to an idea driven system, away from a personality based one, we need to all stand up for privacy for us all. Crypto parties are an amazing initiative; privacy is fun; Tor, PGP and OTR are very fun to use, and when you are comfortable with them, maybe you will also tell the next person who demands personal data from you to mind their own business, which is also fun. I hope you all have a great evening!
* * * * *
First published as a slide presentation on 22nd September by @stokely: you can view the slides on GoogleDocs.
#Cryptoparty Workshop: Tor
Saturday, 22 September 2012, by @stokely
This is NOT copyright. It’s in the public domain. Use as you wish.
Why are we here?
- we’re in an era of strong government action against internet users
- 250,000 Australians under surveillance (excl ASIO)
- there are two main areas under attack – piracy, and free speech
- International legal(?) action against Wikileaks, Megaupload
- Strong Government interest in the use of online social networks by political activists (Arab Spring, Occupy)
Global problems for cyberactivists & cyberdissidents, bloggers & journalists
*Reporters without Borders- Press Freedom roundup 2008:
- “Predatory activity is increasingly focused on the internet.”
- 1 blogger killed
- 59 bloggers arrested
- 1,740 websites blocked, shut down or suspended
- more online journalists incarcerated than other journalists for the first time
- Internet censorship in China, Cuba, parts of the Middle East
- western companies including Google and Yahoo selling or modifying their products and services to enable censorship regimes
LESS security, MORE surveillance
It’s never been particularly safe to communicate by email or on social networks due to insecurities in the tech, and it’s about to get worse. WHY?
- Increased surveillance of activists. There have already been subpoenas on Australians’ Twitter accounts & Twitter last week said they’d comply MORE with requests from the Australian police.
- The US government is strengthening laws to control the internet (See the proposed SOPA/PIPA laws)
- As a signatory to the Free Trade Agreement with the US, Australia is legally obliged to enforce DMCA-like laws here. So their law can touch us.
- Social networks are voluntarily censoring (Twitter announced geo-censorship of tweets yesterday).
- I am not a lawyer, and this workshop is not about your legal rights or responsibilities.
- Seek legal advice. Use your common sense.
- This workshop will give you some simple tools to stay safer
- The key word is SAFER, not 100% safe.
- Today we’ll show you one or two layers in the security ‘onion’ – we’re not promising to protect you from the world’s best hackers or the FBI. If you are Wikileaks and people could die based on the information you’re sharing, basic security is not enough. You need to learn more about how to keep yourself, your communications and your community safe.
Part 1: Secure your email
Your email is not safe
- Vulnerabilities are human and technical.
- Human vulnerability: choosing easy to guess passwords, sending email to someone untrustworthy who forwards it to the authorities or a newspaper, sharing your password with someone who loses it.
- Tech vulnerabilities: Spyware like keyloggers, your password could be cracked, your login might be insecure (http), transmission of your email over the internet might be insecure.
- At least two ISPs (or mail providers) will handle your email: the sender’s and the receiver’s, plus any relays in between. Do you trust your ISP? (Don’t.) They are subject to Australian law and are routinely asked to provide information from/about their customers.
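To see exactly which providers handled a message and which hops carried it in the clear, read its Received: headers. The script below is an added example, not part of the workshop material; the message it parses is constructed for illustration (made-up hostnames, documentation-range IP addresses), and the relay naming follows the common sendmail/postfix style of Received: line.

```python
"""Trace the hops an email took and flag the ones that were not TLS-protected.

Added example; not from the workshop slides. The message below is constructed
for illustration (documentation-range IPs, made-up hostnames). Every relay
that handles a message prepends its own Received: header, so the headers are
a record of which providers saw the mail and whether each hop was encrypted
in transit (ESMTPS, or a "version=TLS..." note) or sent in the clear (ESMTP).
"""
import email
import re

# Constructed sample: a message that crossed two providers. The newest
# header is on top, so the LAST Received: line is the sender's own client.
SAMPLE_MESSAGE = (
    "Received: from mx2.receiver-isp.example (mx2.receiver-isp.example [203.0.113.20])\n"
    "\tby mailstore.receiver-isp.example with ESMTP id q8ML1d8x012345;\n"
    "\tSat, 22 Sep 2012 14:02:11 +1000\n"
    "Received: from mail.sender-isp.example (mail.sender-isp.example [198.51.100.7])\n"
    "\tby mx2.receiver-isp.example with ESMTPS id q8ML0qzt004321\n"
    "\t(version=TLSv1 cipher=AES256-SHA bits=256 verify=NO);\n"
    "\tSat, 22 Sep 2012 14:02:09 +1000\n"
    "Received: from [192.0.2.55] (dsl-55.home-isp.example [192.0.2.55])\n"
    "\tby mail.sender-isp.example with ESMTP id q8ML0f0k001122;\n"
    "\tSat, 22 Sep 2012 14:02:06 +1000\n"
    "From: alice@sender-isp.example\n"
    "To: bob@receiver-isp.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# One Received: clause, after folding whitespace has been collapsed:
#   from <helo> (<reverse dns> [<ip>]) by <relay> with <protocol> id ... (version=TLS...)
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)"
    r".*?\s+with\s+(?P<proto>[A-Za-z0-9]+)"
    r"(?:.*?\((?P<tls>version=[^)]*)\))?"
)


def parse_hops(raw_message):
    """Return the hops oldest-first, each with relay, protocol and TLS status."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are newest-first (each relay prepends its own); reverse them so
    # hop 1 is the sender's client talking to the sending provider.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)
        m = HOP_RE.search(text)
        if not m:
            continue
        proto = m.group("proto").upper()
        tls_info = m.group("tls")
        hops.append({
            "from": m.group("helo"),
            "by": m.group("by"),
            "protocol": proto,
            # ESMTPS / ESMTPSA (RFC 3848) or an explicit TLS note: the hop was encrypted
            "tls": proto.startswith(("ESMTPS", "SMTPS")) or tls_info is not None,
            "tls_info": tls_info,
        })
    return hops


def insecure_hops(hops):
    """The hops that carried the message in the clear."""
    return [h for h in hops if not h["tls"]]


def report(raw_message):
    """Human-readable hop list; returns the lines rather than printing them."""
    lines = []
    for i, h in enumerate(parse_hops(raw_message), 1):
        status = "TLS (%s)" % h["tls_info"] if h["tls"] else "PLAINTEXT"
        lines.append("hop %d: %s -> %s via %s [%s]" % (i, h["from"], h["by"], h["protocol"], status))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MESSAGE):
        print(line)
```

In the constructed sample only the provider-to-provider hop used TLS, and its verify=NO means the receiving relay did not validate the sender’s certificate: that is opportunistic TLS, which stops passive snooping on that link but not an active attacker. The first and last hops went in plaintext, so the home ISP and the receiving provider’s internal network both saw the message as-is. Received: headers are written by the relays themselves, so a hostile relay can lie in them; they tell you about the honest path, not about tampering.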
3 steps to safer email
- Keep your computer free of viruses/malware
- Keep your password secure
- Encrypt your email
- Malware exists to steal passwords, and to get exact copies of everything you type – it’s called keystroke logging.
- Players of online games like World of Warcraft get targeted by keystroke loggers, who capture their game login password so they can steal their accounts. It doesn’t just happen in the movies. It happened to me.
- Keep your software & operating system up to date, and install some anti-malware/anti-virus software – here are some step by step tips: https://security.ngoinabox.org/en/chapter-1
Protect your password
- Change your password. Today.
- This should be second nature to anyone with an ATM card, but it isn’t
- Change it regularly, make it not personal to you (e.g. birthdays), mix in numbers, letters & capitalisation
- As a memory aid, use a mnemonic like:
- ‘To be or not to be? That is the question’, which becomes ’2Born2b?TitQ’. Pick an obscure sentence rather than a famous line: password-cracking wordlists already contain the mnemonics people build from well-known quotes.
- One password to rule them all: Password manager software like KeePass
- Uses one master password to access & manage all your passwords.
- You need your email to be secure at the point of login (if you’re using webmail) and when it’s travelling the internet to reach the recipient of your mail.
- Webmail is less secure because you are trusting the content of all your emails to the company that stores and sends it (e.g. Google), and because you log in through a web page that may be served over plain http. An email client does not stop your provider from reading your mail either; the gain is that you control the software at your end, and can add end-to-end encryption (such as PGP) to it.
- Consider switching to an email client (email software like Thunderbird or Mail for Mac instead of using a web-based email like Gmail or Yahoo)
- Riseup is an email service run by and for activists that can be securely accessed by webmail or using an email client like Thunderbird (https://riseup.net/en)
- Choose a webmail provider that uses https to login.
Using https for your logins
- https uses SSL/TLS (Secure Sockets Layer, now called Transport Layer Security) to encrypt the connection between your browser and the web server, so nobody on the network in between can read or alter the page, your login password included. You’ll already use it for online banking.
- Gmail uses https by default. To check if it’s turned on:
- Sign in to Gmail.
- Click the gear icon in the upper-right corner, and select Mail settings.
- In the General tab, set ‘Browser Connection’ to ‘Always use https’.
If you’ve never changed the setting before, no radio buttons will be selected, even though the default is indeed ‘Always use https’.
- Click Save Changes.
Encrypt your mail
- Unencrypted email travels as-is online, meaning anyone snooping on any hop along the way can read it.
- Encrypting mail means encoding it so snoopers can’t read it. https only protects the link between you and your provider; encrypting the message itself (e.g. with PGP) protects it end-to-end, so the providers and relays in between see only ciphertext. Note that this encrypts the body, not the subject line or the sender and recipient addresses.
- Later we’ll break into groups to show you how to use Tails to encrypt mail and files and use keys to ensure that the sender (you) and the recipient are who they say they are.
Activity: Secure your webmail
- Break into groups
- With your group leader, work out if it’s possible to turn on https for your webmail and make sure it’s turned on.
- Change your password! Choose something more secure.
Secure your browsing
Use https everywhere that you can
- If you use the Firefox browser, you can install the “HTTPS Everywhere addon” so it happens all the time.
- Download it here: https://www.eff.org/https-everywhere
- There will be an HTTPS Everywhere button at the top right of your Firefox toolbar which lets you see & disable a ruleset if it’s causing problems with a site, e.g. a hotel wifi captive portal whose login page only works over plain http.
- There is no excuse for not using HTTPS-everywhere
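HTTPS Everywhere does not guess: it ships a list of rulesets, one per site, each naming the hosts it covers, regex rewrites from http:// to https://, and exclusions for pages known to break. The engine below is an added example, not the EFF add-on’s code; it reads the add-on’s ruleset XML vocabulary and applies it the same way, and the `disabled` argument mirrors what the toolbar button does when you switch a ruleset off for a captive portal. The rulesets it loads are constructed for illustration with made-up hosts.

```python
"""A miniature HTTPS Everywhere-style ruleset engine.

Added example; not the EFF add-on's own code. It reads the add-on's ruleset
XML vocabulary (ruleset / target / exclusion / rule) and rewrites URLs the way
the extension does: an http:// URL whose host matches a <target> is rewritten
by the first <rule> whose `from` regex matches, unless an <exclusion> matches
first. The rulesets below are constructed for illustration with made-up
hosts; the <rulesets> wrapper element is this script's convenience (the real
add-on ships one <ruleset> per file).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_RULESETS = r"""<rulesets>
  <ruleset name="Example Webmail">
    <target host="webmail.example" />
    <target host="*.webmail.example" />
    <exclusion pattern="^http://status\.webmail\.example/" />
    <rule from="^http://(www\.)?webmail\.example/" to="https://www.webmail.example/" />
    <rule from="^http:" to="https:" />
  </ruleset>
  <ruleset name="Example CDN">
    <target host="*.cdn.example" />
    <rule from="^http://([\w-]+)\.cdn\.example/" to="https://$1.cdn.example/" />
  </ruleset>
  <ruleset name="Hotel Wifi Portal">
    <target host="portal.hotel.example" />
    <rule from="^http:" to="https:" />
  </ruleset>
</rulesets>
"""


def _js_to_py_replacement(to):
    # Ruleset `to` strings use JavaScript-style $1 backreferences; Python's re wants \1.
    return re.sub(r"\$(\d+)", r"\\\1", to)


class Ruleset:
    def __init__(self, element):
        self.name = element.get("name")
        self.targets = [t.get("host") for t in element.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in element.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), _js_to_py_replacement(r.get("to")))
                      for r in element.findall("rule")]

    def matches_host(self, host):
        for target in self.targets:
            if target.startswith("*."):
                # Left wildcard covers subdomains only; "*.x" does not match "x" itself.
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False


def load_rulesets(xml_text):
    root = ET.fromstring(xml_text)
    return [Ruleset(el) for el in root.iter("ruleset")]


def rewrite(url, rulesets, disabled=()):
    """Return (new_url, ruleset_name); the URL unchanged and None if nothing applied."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, None              # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    for rs in rulesets:
        if rs.name in disabled or not rs.matches_host(host):
            continue
        if any(ex.search(url) for ex in rs.exclusions):
            return url, None          # explicitly excluded: leave as plain http
        for pattern, replacement in rs.rules:
            new_url, n = pattern.subn(replacement, url)
            if n:
                return new_url, rs.name
    return url, None


if __name__ == "__main__":
    rulesets = load_rulesets(SAMPLE_RULESETS)
    for u in ("http://webmail.example/login", "http://status.webmail.example/",
              "http://portal.hotel.example/login"):
        print(u, "->", rewrite(u, rulesets), "| portal ruleset off:",
              rewrite(u, rulesets, disabled={"Hotel Wifi Portal"}))
```

Two things the code makes visible that the add-on hides: rules are ordered, so a site-specific rewrite must come before the catch-all `^http:` rule or it never fires, and an exclusion is the only thing that stops a matching ruleset, which is why a captive portal on a covered host has to be handled by disabling the ruleset rather than by the engine noticing the breakage.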
Set Facebook & Twitter to https
- To make Facebook use https, go to the Account Settings menu, change the default value in the “Account security” sub-menu to https.
- More info here: https://www.facebook.com/blog.php?post=486790652130
- To turn on https on Twitter, go to your account settings (https://twitter.com/settings/account) and tick the box next to “Always use HTTPS” which is at the bottom of the page.
The Tor browser
- Tor is an anonymity network and a free-software project.
- Tor has been described as “a second Internet running inside the existing Internet”. It allows people in countries with strict regimes to bypass blocking and monitoring software.
- There’s a video of the Tor project creators talking about how governments and corporations have tried to block Tor.
- Tor bounces your online communication through a network of relays run by volunteers, instead of sending it straight from your IP address to your destination. Someone watching your internet connection sees only that you are talking to a Tor relay, not which sites you visit; the sites you visit see the exit relay’s address, not your IP address or physical location; and it lets you reach blocked sites. Two caveats: your ISP can still tell that you are using Tor (unless you use bridges), and the exit relay can read any traffic that isn’t itself encrypted, so use https inside Tor too.
How Tor Works
The Tor browser
- You can install & use Tor software, or use the Tor browser to make your web browsing (more) secure.
- BE AWARE of Tor’s limits. It protects only the transport of data: the sites you visit still see whatever your applications send them. You need protocol-specific support software if you don’t want the sites you visit to see your identifying information. For example, Torbutton, while browsing the web, withholds some information about your computer’s configuration.
- What does this mean? External applications are not Tor-safe by default, and can unmask you.
- Tor carries only TCP streams. UDP traffic (including DNS lookups an application does for itself before connecting), browser plugins such as Flash, and any application not pointed at the Tor proxy bypass Tor entirely and can reveal your real IP address, so use only vetted, Tor-aware applications.
- One way around this is to use a system that forces all traffic through Tor (a transparent Tor proxy), like Tails (https://tails.boum.org/): applications can’t bypass it because the only route out is via Tor.
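The DNS leak above is concrete at the protocol level. Tor accepts SOCKS5 on its local port, and a SOCKS5 CONNECT can carry either an IP address or a hostname; an application that resolves the name itself and sends the IP has already told the local network where you are going, while one that sends the hostname lets Tor resolve it inside the circuit. The script below is an added example, not Tor Project code: it builds the leak-free request by hand, refuses IP literals, parses the reply, and (only when run directly) tries to open a connection to check.torproject.org through a local Tor. The proxy address 127.0.0.1:9050 is Tor’s default SOCKS port (the Tor Browser Bundle normally listens on 9150); check your own configuration.

```python
"""Talk to Tor's SOCKS port the leak-free way: let Tor resolve the hostname.

Added example, not Tor Project code. 127.0.0.1:9050 is Tor's default SOCKS
port (the Tor Browser Bundle normally uses 9150); both are assumptions about
your setup, check your torrc. The point illustrated: a SOCKS5 CONNECT that
carries the hostname (address type 0x03) keeps DNS resolution inside Tor,
whereas resolving locally and sending an IP leaks the destination to your ISP.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 address, i.e. someone already did the DNS lookup."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except (OSError, ValueError):
            pass
    return False


def greeting():
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication): what Tor's SOCKS port expects
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """SOCKS5 CONNECT carrying the hostname, so the proxy (Tor) resolves it."""
    if is_ip_literal(host):
        raise ValueError("refusing IP literal: resolve names through Tor, not locally")
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; Tor usually binds to 0.0.0.0:0."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        off, addr = 8, socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == ATYP_DOMAIN:
        off, addr = 5 + data[4], data[5:5 + data[4]].decode("idna")
    elif atyp == ATYP_IPV6:
        off, addr = 20, socket.inet_ntop(socket.AF_INET6, data[4:20])
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"ok": code == 0, "status": REPLY_CODES.get(code, "unknown (0x%02x)" % code),
            "bound": (addr, port)}


def open_via_tor(host, port, proxy=("127.0.0.1", 9050), timeout=10):
    """Open a TCP stream to host:port through Tor. None if no SOCKS proxy is listening."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError:
        return None
    try:
        sock.sendall(greeting())
        resp = sock.recv(2)
        if len(resp) != 2 or resp[0] != SOCKS_VERSION or resp[1] != 0x00:
            raise ConnectionError("proxy refused no-auth SOCKS5")
        sock.sendall(connect_request(host, port))
        reply = parse_reply(sock.recv(262))          # 262 = longest possible SOCKS5 reply
        if not reply["ok"]:
            raise ConnectionError("Tor could not connect: " + reply["status"])
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    s = open_via_tor("check.torproject.org", 443)
    if s is None:
        print("no Tor SOCKS proxy on 127.0.0.1:9050 (start Tor, or try 9150 for the Browser Bundle)")
    else:
        print("stream open; the name was resolved by Tor, not by your local resolver")
        s.close()
```

Nothing in this script touches your system resolver, which is the whole point; the same applies to SOCKS4 (IP only) or to libraries that call getaddrinfo before handing the connection to a proxy. The stream it returns is still plain TCP to the exit relay, so what you send over it needs https or another encrypted protocol of its own.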
The Tor browser bundle
- An easy way to use the Tor software is to download and use the Tor browser bundle.
- This means just by using the Tor browser, you’re protected by Tor software.
- It’s available for Windows, Mac or Linux.
- It can also run off a USB flash drive (AKA USB key), so you can browse via Tor from another computer without installing anything on it. The host computer is still trusted, though: a keylogger or other malware on it sees everything you type and view, Tor or not.
- Download the Tor browser bundle here:
- Make sure you’ve actually got it working right.
- Once you’ve got the Tor browser installed, visit the Tor Check page: https://check.torproject.org/
- It will detect whether you’re using Tor or not, and tell you.
- Get help on IRC: #tor on irc.oftc.net (http://irc.oftc.net/)
Suggested Activity: Set up a secure browser
- Install Firefox & HTTPS Everywhere and/or the Tor Browser
- Make sure you use the Tor Check tool as well!
Tools for Activists & Bloggers
Resources for safe publishing online
- Reporters without Borders handbook for bloggers and cyberdissidents
(PDF download: http://en.rsf.org/IMG/pdf/RSF_GUIDE_PRATIQUE_GB_v6.pdf)
Includes information on how to blog anonymously and technical ways to get around censorship
- Arts Law Centre of Australia Online – Legal issues for bloggers:
- EFF guide for bloggers
Tails – The Amnesic Incognito Live System
- Tails “is a complete operating-system designed to be used from a DVD or a USB stick independently of the computer’s original operating system. It comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.”
- The Tails website is here:
- You can read an article about it here:
- Set up a USB key with Tails for secure computing
- Use Tails to encrypt files, email, and instant messaging
- Thank you for coming to #Cryptoparty to learn and share what you know
- Remember ‘each one teach one’ – please find someone who needs to learn this stuff, and teach them!
I can email out this presentation with handy links to information and downloads, if you email me (email@example.com) or tweet me (@stokely).