Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] CryptoParty Handbook

Julian Oliver julian at julianoliver.com
Wed Oct 10 03:10:10 PDT 2012


Hi list,

Great to be subscribed! 

I'm one of the core group that spearheaded the CryptoParty Handbook here in
Berlin and thought I'd share a few words on its reception.

I'd like to emphasise that the point of the book is not as a static reference
guide but a text intended to grow in direct response to the inevitable evolution
of threats. As such each draft should never be considered definitive, with the
first draft was written and distributed with the expressed statement it needs
work. More so (and as the name suggests) it's material intended for reference
(and discussion) at Crypto Parties.

Around 20 people were involved in total during the 'book sprint' of just 3 days.
We went in knowing it was not possible to write a definitive, bug-free guide in
56 hours, let alone on a topic such as securing oneself in this techno-political
jungle we call the Internet. For this reason we invited help, opening it up for
public review. 

Seth, your comments about the Quantum Crypto text are excellent and, on looking
more closely, factually correct. I personally don't think such material has a
place in a handbook like this but with your clarifications it will at least
render it great reference material. Your comments about journaled file-systems
and shredders/wipers were super and so will be added to the next edition.

Missing chapters like Threat Modeling (introducing it to newbies, first of all)
need to be written, as well as an unintimidating reference table for strength of
encryption by type and threat context. This is something that came up in
discussion during the book sprint.

Currently there's a bit of an issue with the Github fork running off on its own
but only because it's splitting expertise and can't be easily merged.  I'm
personally for the BookType/Booki version as we can export to E-Pub/PDF/Kindle
and use the lovely CSS formating and renderer. It makes attractive books whilst
letting those that simply want to fix a typo an opportunity to contribute
without having to learn the wily ways of Git (which I use for code development,
but not the writing of essays/books).

Indeed the unchecked references to PPTP were unfortunate, imported from the book
Basic Internet Security (Gerber, Hassan, Stein, van Geffen, van Santen, van der
Velden, den Tex, Schmidt et al). It was trusted material. I don't think any of
us knew PPTP was cloud-crackable albeit we did know it was less secure than
OpenVPN (I'm doubly thankful I use OpenVPN on my own server!). It shouldn't have
gone into the first draft without appropriate warnings for fear of it being
misconstrued as endorsement of this readily breakable PPP tunnelling method.

Still, I don't think it justifies those few security pros clumsily (and somewhat
destructively) writing off the book entirely. Rather than being black and white
when it comes to security it's far more constructive to let people into the
process of learning to think for themselves by understanding such particular
risks; to be aware, agile and vigilant. Security itself is a process in constant
dialogue with awareness, not a boolean of safety.

Telling people not to use the book as a whole, while not taking the time to
contribute welcomed specific criticism, only keeps people vulnerable. 

Why? 

Firstly - perhaps obviously - it discourages people from gleaning any other good
from the book, whether that be getting people started with Tor, Anonymised
searching, Encrypted VoIP or basic Email and Browsing security. Lots of folk
have written in to say it's the best pro-newbie guide they've read to these
effects.

Secondly, hundreds of VPN services still use PPTP (including Riseup.net,
PirateBay, iPredator). So it follows that to /not/ reference this fact -
alongside stark warnings as to the risks - in such a book may result in less
people using VPNs and remaining out in the open. Why do these providers use
PPTP? Perhaps some actually believe that after the minor MS-CHAPv2/MPPE
improvements it's safe whereas others consider speed important (faster than
OpenVPN), especially in mobile contexts. 

There's a conspicuous lack of OpenVPN clients out there for Smartphones.
Thankfully the excellent GuardianProject is changing that.

While I personally support the general consensus to remove all the VPN HOWTO
references using PPTP from the handbook, I do feel it's better to let people
take and make risks in Knowledge. To this end PPTP would not be excluded from
the book but discussed and warned against. 

As much as saying the following will be enough to send some crypto geeks running
down a hill with an axe, there may be cases where using a PPTP VPN might even be
a little bit better than not using a VPN altogether..

Let me unpack that seemingly ridiculous statement: 

A BlackBerry user simply wants to get through the company or UNI gateway without
being spied upon but doesn't really have a lot at stake if caught. Thus the
convenience of using a PPTP VPN service with a free app on their smartphone fits
their needs, then, at that time. Another case may be a person without a gateway
facing device of their own setting up and using a /temporary/ VPN account on a
friend's machine just for an urgent 10 minute session. PPTP may actually be seem
a /reasonable calculated risk/ in that case as it's extremely unlikely to be
CloudCracked with ChapCrack parsed handshake, captured by a listener on the
wire, in that time:

    https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/    

I feel context is really important when it comes to security. We need to let
people into the world of crypto, both by providing vocabularic bridges and
helping them understand that the process of improving their security isn't
represented by set of tools they blindly install and trust but tools used
in knowledge. Tool development itself is only a part of improving the situation.

There are many dark alleys on the Internet yet few even know to look over their
shoulder, lest of all what to look for. 

Simply lashing out with "It sucks. Don't trust it people." only asserts a
knowledge hegemony that ultimately dis-empowers, a hegemony that is almost
tradition in the InfoSec space (as some seem to assert their thrones as wise men
and women in an effort to protect their prospects and social standing).

It is more constructive to make projects like this little install-party handbook
better, explaining how to read, understand and mitigate threats. Together we
move forward!

I don't claim to be a security professional but I do believe that being black
and white in such a context is itself "fraught with peril".

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org



More information about the liberationtech mailing list