HOW TO HOST YOUR OWN CRYPTOPARTY
Scott Leslie, BC Libraries Cooperative
VISLC, April 2017
- Systems Manager @bclibrariescoop
- Long-time Open Internet advocate
- More recent Privacy Advocate
Hands up, are you
- involved with library programming?
- involved with digital literacy efforts?
- work for a public library? university library?
Who ...are you? 2
Self-assess your technical knowledge. Are you:
- Very comfortable with technology - I roll my own
- Pretty comfortable with tech - I use it at daily but bits of it are still a mystery to me
- Not so comfortable - I use it if I have to
- Get me out of here - I avoid tech as much as I can
Who...are you? 3
- What does "https" in a URL mean?
- True or False - Turning on "Private Browsing" means no one can see what websites I've visited?
- True or False - if I have to log on to the wifi, it should be secure to do my private banking on there?
- True or False - the only risk of advertisers knowing what sites I visit is getting more targeted ads?
What...is a "CryptoParty"?
A global and decentralized grass-roots movement to help everyday people learn how to improve their internet security with open source tools.
What is a CryptoParty? 2
- Typically 3-5 hours, hands-on
- Topics can vary widely, based on the experience level of participants, their needs, and what expertise is in the room
- open to everyone;
- politically and commercially non-aligned;
- "Be excellent to each other"
- DO THINGS!
Why...Your patrons' "Threat Model"
- Partly an exercise in helping them with this, partly an exercise in expanding it
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
The "I have nothing to hide" argument
- Presumably if they are already at your session, they need less persuading but useful to engage early on
- Create greater empathy and understanding for how widespread and serious the issue and need is
- "Surveillance Capitalism"
Some Common Concerns
What are common everyday things your patrons are likely to be concerned about
- How can I shop online without having my credit card stolen?
- How can I not have my online accounts hacked?
- How do I prevent my home computer from becoming compromised?
- How do I protect my privacy online? How do I prevent people I don't want to find out about what I am doing online?
How can I shop online without having my credit card stolen?
- Strong passwords
- Internet-only credit cards
- Explain the concept
- Install https://www.eff.org/https-everywhere
- Free Options (and their issues) - Opera's built in; Windscribe, Tunnel Bear, Hotspot Shield
- Paid Options - https://nordvpn.com/, https://www.expressvpn.com/
- Is there room for libraries here? "Borrow a VPN"? Provide a VPN for patrons to log in with their library card?
- Password rubrics
- Password Managers - KeePass, Blur (maybe not LastPass http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/)
Online-only Credit Cards
How can I not have my online accounts hacked?
- Password Managers
- Two Factor Authentication
How do I prevent my home computer from becoming compromised?
- Phishing & Malware education
- Ad blockers and NoScript
How to Recognize When You're Being Phished
- Tip 1: Don’t trust the display name
- Tip 2: Look but don’t click
- Tip 3: Check for spelling mistakes
- Tip 4: Analyze the salutation
- Tip 5: Don’t give up personal information
- Tip 7: Review the signature
- Tip 8: Don’t click on attachments
Tip 9: Don’t trust the header from email address
Adblockers and No-Script
- Adblocks like "uBlock Origin" or "Adblock Plus" don't just prevent ads from loading, they can prevent malicious ads from running/compromising browser/computer
- LongURL - https://addons.mozilla.org/En-us/firefox/addon/long-url-please/
Antivirus? Worth it or not?
How do I protect my privacy online? How do I prevent people I don't want to find out about what I am doing online?
- Why is this even an issue? Education, Lightbeam
- Private Mode - What it Does and Doesn't Do
- Adblockers and other countermeasures
- VPNs and TOR
Why is this even important?
- Responding to the "I have nothing to hide" canard
VPNs & TOR
- Both can help, but not all tracking is IP-based
- Encrypting Email
- Secure Chat
- Secure Operating Systems (TAILS, QubesOS)
- Phone/Tablet Security
What are some of the issues you might face?
Who is going to teach all of this?
- "I'm not qualified" - If you know one thing more than your audience and are willing to share, then you are in the right place
- Crypto Angels and where to find them?
- Building Community - regular meetings
- "community tech advisory committee"
- https://www.level-up.cc/ - Train the Security Trainer resources
- Do ask people to be up to date - that's a security precaution too!
- No getting around this in a BYOD world
- Can be helped by limiting the scope/length of a session
3-5 Hours is WAY too long
- Maybe true - but I guarantee that anything under 2 is too short to be "hands on"
- Breaking it into some of these topics can help, but do respect the "CryptoParty" brand/ethos if you do
- What else is preventing you from running such an event?
- Are there things we can do as a larger community to help?