Difference between revisions of "Crypto Party"

From HacDC Wiki
Jump to: navigation, search
(adding anonimity vs privacy explanation section)
Line 3: Line 3:
 
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
 
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
 
-Benjamin Franklin, Franklin's Contributions to the Conference on February 17 (III) Fri, Feb 17, 1775 (http://www.ushistory.org/franklin/quotable/singlehtml.htm)
 
-Benjamin Franklin, Franklin's Contributions to the Conference on February 17 (III) Fri, Feb 17, 1775 (http://www.ushistory.org/franklin/quotable/singlehtml.htm)
 +
 +
= Anonimity/Privacy? =
  
 
= SSL =
 
= SSL =

Revision as of 10:26, 17 November 2013


"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Franklin's Contributions to the Conference on February 17 (III) Fri, Feb 17, 1775 (http://www.ushistory.org/franklin/quotable/singlehtml.htm)

Anonimity/Privacy?

SSL

Why SSL is broken: http://notary.icsi.berkeley.edu/trust-tree/ The red circles on that map are the "root CAs", the Certificate Authorities that have their certificate trusted in most browsers. The size of the circle is based on the amount of certificates the CA is thought to have issued. These are all the entities that if one gets hacked, they can issue a wildcard certificate and your browser would show the certificate as valid.

GPG

This page shows how the web of trust works: http://www.gnupg.org/gph/en/manual.html#WOT-EXAMPLES

Suggested Software:

Software usable under multiple operating systems is normally listed under each operating system.

Note about Truecrypt-No complete audit has been done yet, people are currently collecting funds for a full audit - http://istruecryptauditedyet.com/

OS independent (Normally bootable iso images):

Program: Desc: URL: Why?
TAILS (The Amnesiac Incognito Live System) Secure workstation LiveCD https://tails.boum.org/ A Linux Live edition for accessing TOR outside of your normal operating system (Note, for security reasons make sure your normal hard drive isn't accessible while booted into this, running encrypting with any whole drive encryption software should work).
DBAN Secure storage media destruction. http://dban.org/

If you require help burning ISO images, please join the HacDC Blabber mailing list (https://groups.google.com/a/hacdc.org/group/Blabber/subscribe) and ask how (make sure to include which operating system you are running when asking for help).

Linux and other Unix variants:

Program: Desc: URL:
Truecrypt Hard Drive Encryption, File encryption http://truecrypt.org/
Tor Browser Bundle Anonymous web surfing (includes Tor & web browser) https://www.torproject.org/download/download-easy.html.en
Thunderbird Email Encryption https://www.mozilla.org/en-US/thunderbird/all.html

Windows:

Program: Desc: URL:
Truecrypt Hard Drive Encryption, File encryption http://truecrypt.org/
Tor Browser Bundle Anonymous web surfing (includes Tor & web browser) https://www.torproject.org/download/download-easy.html.en
Thunderbird Email Encryption https://www.mozilla.org/en-US/thunderbird/all.html
GPG4Win GPG front-end for Windows http://www.gpg4win.org/download.html
eraser Secure Delete http://eraser.heidi.ie/

Mac OS:

Program: Desc: URL:
Truecrypt Hard Drive Encryption, File encryption http://truecrypt.org/
Tor Browser Bundle Anonymous web surfing (includes Tor & web browser) https://www.torproject.org/download/download-easy.html.en
Thunderbird Email Encryption https://www.mozilla.org/en-US/thunderbird/all.html
GPGtools Integrates GnuPG with MacOSX. http://gpgtools.org/

Android:

Program: Desc:
Orbot TOR for Android
Orweb TOR web browser for Android (Orbot required)
APG GPG Program
K-9 Mail Email program for Android that can directly interact with APG
Adblock Plus Detects and blocks advertisements (images, JavaScript, Java applets)

iOS:

Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/

Web Browser Plugins:

Safari:

Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/
Lastpass Password manager https://lastpass.com

Firefox:

Noscript Disable JavaScript, Java, Flash, Silverlight, XSS, Clickjacking, etc http://noscript.net/
Lastpass Password manager https://lastpass.com
HTTPS Everywhere Enable SSL wherever possible https://www.eff.org/https-everywhere
Web of Trust Website reputation checker https://www.mywot.com/
Mailvelope GPG Add-on for Firefox and Chrome. Needs vetting and only the chrome addon is available prebuilt from them but the ff adon is easy to build and can be built ahead of time if needed. http://www.mailvelope.com/
Calomel SSL Validation Analyzes SSL configuration of sites you visit and gives you an analysis with reasoning behind the rating. https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/
ShareMeNot Blocks sharing buttons and applets unless you specifically click on them to enable them. http://sharemenot.cs.washington.edu/
HTTPS Finder Automatically detect SSL capabilities. Generates rules for HTTPS Everywhere. https://github.com/kevinjacobs/HTTPS-Finder
Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/
Adblock Plus Detects and blocks advertisements (images, JavaScript, Java applets) https://adblockplus.org/

Chrome:

Lastpass Password manager https://lastpass.com
HTTPS Everywhere Enable SSL wherever possible https://www.eff.org/https-everywhere
Web of Trust Website reputation checker https://www.mywot.com/
Mailvelope GPG Add-on for Firefox and Chrome. Needs vetting and only the chrome addon is available prebuilt from them but the ff adon is easy to build and can be built ahead of time if needed. http://www.mailvelope.com/
ShareMeNot Blocks sharing buttons and applets unless you specifically click on them to enable them. http://sharemenot.cs.washington.edu/
Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/
Adblock Plus Detects and blocks advertisements (images, JavaScript, Java applets) https://adblockplus.org/

Opera:

Lastpass Password manager https://lastpass.com
Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/
Adblock Plus Detects and blocks advertisements (images, JavaScript, Java applets) https://adblockplus.org/

Internet Explorer:

Lastpass Password manager https://lastpass.com
Ghostery Blocks web analytics agents (web bugs, JavaScript) https://www.ghostery.com/

Non web browser plugins:

Thunderbird:

Enigmail GPG Add-on for Thunderbird http://www.enigmail.net/download/index.php


Links:

Site: URL: Notes:
tormail.org http://jhiwjjlqpyawmpjx.onion/ Email service only available via tor
Mailvelope http://www.mailvelope.com/ In-browser PGP encryption for webmail
Encrypt Everything https://www.encrypteverything.ca/index.php?title=Main_Page Good resource on encryption for the web. Good resource for beginner to intermediate skill level.
Surveilance Self-Defense https://ssd.eff.org/ EFF's guide to protecting yourself from digital surveilance. Extremely in-depth and detailed. For the advanced (or very paranoid). Not light reading.
Qualys Browsercheck https://browsercheck.qualys.com/ Automated scanning of browser, plugins, and Windows updates for vulnerable, out-of-date configuration
SSL Labs https://www.ssllabs.com/ Tool for checking any site's SSL setup for bad practices and vulnerabilities
Calomel SSL Validation https://calomel.org/firefox_ssl_validation.html Firefox add-on for analyzing and verifying SSL configurations of sites you visit.
DEATH NOTE: L, ANONYMITY & ELUDING ENTROPY http://www.gwern.net/Death%20Note%20Anonymity A.k.a., why "metadata" matters and how much the NSA can really know about you from your phone records.
Using Metadata to Find Paul Revere http://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/ Illustration of how to use seemingly useless data points to pin charges on someone. Told from the perspective of a British intelligence officer looking for trators in collonial America.
crypto-log http://www.uni-mannheim.de/studorg/gahg/PGP/cryptolog1.html Updated 1996
Intro level guide to Internet Security http://qz.com/120946/the-complete-guide-to-not-being-that-idiot-who-got-the-company-hacked/ A guide for non-technical denizens of the Internet on how not to be low-hanging fruit for hackers.