HOW TO HOST YOUR OWN CRYPTOPARTY

Scott Leslie, BC Libraries Cooperative

VISLC, April 2017

Agenda

  • Who?
  • What?
  • Why?
  • How?

Who...am I?

  • Systems Manager @bclibrariescoop
  • Long-time Open Internet advocate
  • More recent Privacy Advocate

Who...are you?

Hands up, are you

  • involved with library programming?
  • involved with digital literacy efforts?
  • work for a public library? university library?

Who ...are you? 2

Self-assess your technical knowledge. Are you:

  • Very comfortable with technology - I roll my own
  • Pretty comfortable with tech - I use it at daily but bits of it are still a mystery to me
  • Not so comfortable - I use it if I have to
  • Get me out of here - I avoid tech as much as I can

Who...are you? 3

  • What does "https" in a URL mean?
     
  • True or False - Turning on "Private Browsing" means no one can see what websites I've visited?
     
  • True or False - if I have to log on to the wifi, it should be secure to do my private banking on there?
     
  • True or False - the only risk of advertisers knowing what sites I visit is getting more targeted ads?

http://www.pewinternet.org/quiz/cybersecurity-knowledge/

What...is a "CryptoParty"?

 

https://www.cryptoparty.in/

 

A global and decentralized grass-roots movement to help everyday people learn how to improve their internet security with open source tools. 

What is a CryptoParty? 2

  • Typically 3-5 hours, hands-on
  • Topics can vary widely, based on the experience level of participants, their needs, and what expertise is in the room
  • Principles:
    • free;
    • open to everyone;
    • politically and commercially non-aligned;
    • "Be excellent to each other"
    • DO THINGS!

Why...Your patrons' "Threat Model"

  • Partly an exercise in helping them with this, partly an exercise in expanding it
  1. What do you want to protect?
  2. Who do you want to protect it from?
  3. How likely is it that you will need to protect it?
  4. How bad are the consequences if you fail?
  5. How much trouble are you willing to go through in order to try to prevent those?

https://ssd.eff.org/en/module/introduction-threat-modeling

The "I have nothing to hide" argument

  • Presumably if they are already at your session, they need less persuading but useful to engage early on
  • Create greater empathy and understanding for how widespread and serious the issue and need is
  • "Surveillance Capitalism"

Some Common Concerns

What are common everyday things your patrons are likely to be concerned about

  • How can I shop online without having my credit card stolen?
  • How can I not have my online accounts hacked?
  • How do I prevent my home computer from becoming compromised?
  • How do I protect my privacy online? How do I prevent people I don't want to find out about what I am doing online? 

How can I shop online without having my credit card stolen?

  • HTTPS
  • VPN
  • Strong passwords
  • Internet-only credit cards

HTTPS

  • Explain the concept

 

 

 

 

 

 

 

 

  • Install https://www.eff.org/https-everywhere

VPN

  • Free Options (and their issues) - Opera's built in; Windscribe, Tunnel Bear, Hotspot Shield
  • Paid Options - https://nordvpn.com/, https://www.expressvpn.com/
  • Is there room for libraries here? "Borrow a VPN"? Provide a VPN for patrons to log in with their library card?

Strong Passwords

  • Password rubrics
  • Password Managers - KeePass, Blur (maybe not LastPass http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/)

Online-only Credit Cards

How can I not have my online accounts hacked?

  • Password Managers
  • Two Factor Authentication
  • https://haveibeenpwned.com/

How do I prevent my home computer from becoming compromised?

  • Phishing & Malware education
  • Ad blockers and NoScript
  • Antivirus?

How to Recognize When You're Being Phished

https://blog.returnpath.com/10-tips-on-how-to-identify-a-phishing-or-spoofing-email-v2/

  • Tip 1: Don’t trust the display name
  • Tip 2: Look but don’t click
  • Tip 3: Check for spelling mistakes
  • Tip 4: Analyze the salutation
  • Tip 5: Don’t give up personal information
  • Tip 7: Review the signature
  • Tip 8: Don’t click on attachments
  • Tip 9: Don’t trust the header from email address
     

Adblockers and No-Script

  • Adblocks like "uBlock Origin" or "Adblock Plus" don't just prevent ads from loading, they can prevent malicious ads from running/compromising browser/computer
  • No-Script - https://noscript.net/ blocks additional Javascript (gecko/mozilla-based browsers)
  • LongURL - https://addons.mozilla.org/En-us/firefox/addon/long-url-please/ 

Antivirus? Worth it or not?

How do I protect my privacy online? How do I prevent people I don't want to find out about what I am doing online?

  • Why is this even an issue? Education, Lightbeam
  • Private Mode - What it Does and Doesn't Do
  • Adblockers and other countermeasures
  • VPNs and TOR

Why is this even important?

  • Responding to the "I have nothing to hide" canard
  • https://labs.rs/en/browsing-histories/

Lightbeam

https://addons.mozilla.org/en-US/firefox/addon/lightbeam/

Countermeasures

Text

https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

https://www.eff.org/privacybadger

VPNs & TOR

  • Both can help, but not all tracking is IP-based

Advannced Topics

  • Encrypting Email
  • Secure Chat
  • Secure Operating Systems (TAILS, QubesOS)
  • Phone/Tablet Security

What are some of the issues you might face?

Who is going to teach all of this?

  • "I'm not qualified" - If you know one thing more than your audience and are willing to share, then you are in the right place
  • Crypto Angels and where to find them?
  • Building Community - regular meetings
  • "community tech advisory committee"
  • https://www.level-up.cc/ - Train the Security Trainer resources

Different Browsers/OS

  • Do ask people to be up to date - that's a security precaution too!
  • No getting around this in a BYOD world
  • Can be helped by limiting the scope/length of a session

3-5 Hours is WAY too long

  • Maybe true - but I guarantee that anything under 2 is too short to be "hands on"
  • Breaking it into some of these topics can help, but do respect the "CryptoParty" brand/ethos if you do

What else? 

  • What else is preventing you from running such an event?
  • Are there things we can do as a larger community to help?

THANKS!

scott.leslie@bc.libraries.coop

scottleslie.ca

cryptoparty how to

By Scott Leslie

cryptoparty how to

  • 2,720