I am wondering if, following the news today about GCHQ trying to break bank and email encryption etc, we could run a massive crypto-party in Manchester - perhaps with the People's Assembly Against Austerity? (They have an email list with about 800 names on, all of whom could potentially be interested.)
http://www.cryptoparty.in http://thepeoplesassembly.org.uk/
Any Thoughts?
(I know very little about this stuff!)
Best
Anna
On 06/09/13 13:21, Anna Morris wrote:
The technology has changed, but the principles are timeless
I hear that after Britain conquered the German Enigma machine in WW2, they immediately started supplying copies of the "secure" device to former colonies like India
How soon do you plan to organise the event? I might be in the UK again in November
On 06/09/13 12:28, Daniel Pocock wrote:
I was thinking sooner than that, however, you can still help remotely - we could use you as someone to try crypto-chat with abroad!
:) A x
ps: where are you in the world right now?
On 06/09/13 13:44, Anna F J Morris wrote:
I'm in .ch - supposedly one of the last places where citizens assert a right to privacy and I would be happy to try and set up a ZRTP encrypted video chat session to my mountain hideout if I can't come in person.
Hi Anna (& list)
Unfortunately, I'm not sure that a cryptoparty quite cuts it any more, in this post-Snowden world. It all feels a little too "last year".
Besides, what would we teach people?
As the various articles have revealed, actually using PGP/GPG is simply a flag to the spooks to monitor you even more closely. Personally, I don't really trust any of the PGP versions released this century (I used DOS PGP in the 90s - as part of my job - but v3.6.3i is the last one I ever published a key for). Even Phil Zimmermann no longer uses PGP - as he stated in this interview last month: http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-proble... GPG might be more secure, but I've not messed with it since last year, when I found that the key generation module in GPG4Win wasn't working properly.
We've known for a while that SSL can't be trusted on mobile browsers - as the telecoms providers perform a man-in-the-middle decrypt/re-encrypt on the stream (ostensibly so they can squeeze graphics to speed up page loading - but we now know who else gets to see the "temporary" plaintext). And the latest revelations show that VPNs can be cracked, if the spooks really want to look inside.
I could even see TOR being rendered useless soon - as fewer exit nodes can be trusted (many will already be run by government agencies - the others are going to be raided one-by-one using whatever bogey-man excuse works best under the laws of the resident's country). The recent botnet surge on TOR is probably a sign of the end-times: http://arstechnica.com/security/2013/09/sudden-spike-of-tor-users-likely-cau...
Online privacy/security is a massively complex topic - and (IMO) quite a fascinating one. There are many more techniques left in the armoury - OTR could be a useful one (maybe) - but many are not developed enough yet for use by "the masses", and are more like curiosities for academic study than practical tools.
If you've not seen it, read this piece by Bruce Schneier: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-survei...
But you are right, Anna, in that this is now a very hot topic. The Mailpile project, on IndieGoGo, is currently at 147% of its $100K funding target, with 4 days to go - and the comments show that donors are mostly concerned about email privacy: http://www.indiegogo.com/projects/mailpile-taking-e-mail-back
A cryptoparty may still be a good idea - but it might just have to be Cryptoparty Ver2 (post Snowden).
Regards
David
On 06/09/13 12:21, Anna Morris wrote:
On 07/09/13 17:38, David Bolton wrote:
Hi Anna (& list)
Unfortunately, I'm not sure that a cryptoparty quite cuts it any more, in this post-Snowden world. It all feels a little too "last year".
Besides, what would we teach people?
We could watch the X files, that would cover the "trust no one" concept
As the various articles have revealed, actually using PGP/GPG is simply a flag to the spooks to monitor you even more closely. Personally, I don't really trust any of the PGP versions released this century (I used DOS PGP in the 90s - as part of my job - but v3.6.3i is the last one I ever published a key for). Even Phil Zimmermann no longer uses PGP - as he stated in this interview last month: http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-proble... GPG might be more secure, but I've not messed with it since last year, when I found that the key generation module in GPG4Win wasn't working properly.
GPG offers strong algorithms but they are not used by default due to backwards compatibility with PGP users (that argument could well be something created by the NSA)
We've known for a while that SSL can't be trusted on mobile browsers - as the telecoms providers perform a man-in-the-middle decrypt/re-encrypt on the stream (ostensibly so they can squeeze graphics to speed up page loading - but we now know who else gets to see the "temporary" plaintext). And the latest revelations show that VPNs can be cracked, if the spooks really want to look inside.
Modern SSL clients (mobile browsers or even free operating systems like Debian and Fedora) come with a bucket load of CA certs. The SSL libraries trust them all equally but the (insert your favourite bad guy acronym here) only need to compromise one of those 100 CAs in order to trick you.
I could even see TOR being rendered useless soon - as fewer exit nodes can be trusted (many will already be run by government agencies - the others are going to be raided one-by-one using whatever bogey-man excuse works best under the laws of the resident's country). The recent botnet surge on TOR is probably a sign of the end-times: http://arstechnica.com/security/2013/09/sudden-spike-of-tor-users-likely-cau...
Not just that - I already predicted in an earlier blog that with the extent of coverage they have in internet exchange points and cross border networks, the bad guys may be able to gain enough insight or use statistical methods to trace the real source of Tor sessions.
Online privacy/security is a massively complex topic - and (IMO) quite a fascinating one. There are many more techniques left in the armoury - OTR could be a useful one (maybe) - but many are not developed enough yet for use by "the masses", and are more like curiosities for academic study than practical tools.
If you've not seen it, read this piece by Bruce Schneier: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-survei...
But you are right, Anna, in that this is now a very hot topic. The Mailpile project, on IndieGoGo, is currently at 147% of its $100K funding target, with 4 days to go - and the comments show that donors are mostly concerned about email privacy: http://www.indiegogo.com/projects/mailpile-taking-e-mail-back
A cryptoparty may still be a good idea - but it might just have to be Cryptoparty Ver2 (post Snowden).
There is some value in it, even in going back to basics and helping people do something like using a map and compass instead of a smartphone GPS.
GPG offers strong algorithms but they are not used by default due to backwards compatibility with PGP users (that argument could well be something created by the NSA)
Enough people use GnuPG for this not to be an issue. Besides, I believe the default is now 2048-bit RSA which is more than enough for a few years, and supported by PGP. 4096-bit might make you feel comfy, but it's overkill. Much more practical to stick with the default for now, and switch to ECDSA or better in a few years when it is hopefully standardised.
Simon
On 08/09/13 19:43, Simon Ward wrote:
GPG offers strong algorithms but they are not used by default due to backwards compatibility with PGP users (that argument could well be something created by the NSA)
Enough people use GnuPG for this not to be an issue. Besides, I believe the default is now 2048-bit RSA which is more than enough for a few years, and supported by PGP. 4096-bit might make you feel comfy, but it's overkill. Much more practical to stick with the default for now, and switch to ECDSA or better in a few years when it is hopefully standardised.
The SHA1 hash is another default that appears to be retained for backwards compatibility
As for ECDSA, some people are questioning that now because the NSA suggested specific curves that are in the RFCs:
http://infosecurity.ch/20100926/not-every-elliptic-curve-is-the-same-trough-...
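A gpg.conf fragment, added here as an illustration and not from any of the posters, that overrides the SHA1 and cipher defaults Daniel is referring to; the option names are GnuPG's own, and later GnuPG releases changed these defaults to SHA-2 digests themselves, so this matters mainly for the versions current at the time of the thread.

```ini
# ~/.gnupg/gpg.conf  (added example; option names are GnuPG's own)

# Digests to use, in order of preference, for the data signatures you make.
# Without this, older GnuPG versions fall back to SHA1.
personal-digest-preferences SHA512 SHA384 SHA256

# Digest used when you certify (sign) someone else's key at a key-signing.
cert-digest-algo SHA256

# Symmetric ciphers you prefer when encrypting; AES ahead of the legacy CAST5.
personal-cipher-preferences AES256 AES192 AES CAST5

# Preference list written into keys you generate from now on, so that
# correspondents encrypting to you pick these algorithms first.
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
```

Keys generated before this change keep the preferences they were created with; update them with `setpref` (then `save`) inside `gpg --edit-key` and re-publish the key, and check the result with `showpref`.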
Hi, David. The discussions I have had so far with FSFE people, Ben Webb and a few others have led me to believe that
- GPG is bulletproof unless you "cheat" by stealing keys
- OTR is also bulletproof right now
- and that while using these techs is a flag to the spooks, the more flags there are, the safer are the people who seriously need to encrypt. A woods-trees analogy.
- lastly, the encryption that has been "broken" is predominantly things like Skype, etc etc.
The crypto party manual, and the manuals the mick uses are about GPG, OTR (and Tor, about which I know little so far), so I don't really see the need for a version two of crypto party. Version one still seems to cover things which are working.
Realistically, I am not technically skilled enough to debate most of these things with you. My method has been to briefly check that, on the whole, GPG/OTR/TOR are still working, and then dive into fighting back en masse.
I refuse to accept that there is nothing I can do ;)
A X
On 07/09/13 16:38, David Bolton wrote:
_______________________________________________ Manchester mailing list Manchester@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/manchester
David Bolton david@nucleon.co.uk wrote:
Hi Anna (& list)
Unfortunately, I'm not sure that a cryptoparty quite cuts it any more, in this post-Snowden world. It all feels a little too "last year".
I don't think Snowden changes our cryptographic capabilities. That we now know states are spying on citizens (as if we didn't suspect it before anyway) doesn't change the state of cryptography or cryptanalysis. It is more likely to give people a bigger incentive to invest more time in improving cryptography, and in turn cryptanalysts will invest more time into breaking it.
None of the Snowden stuff suggests states are actually breaking modern ciphers, and I think it unlikely that they are when they are used sensibly. What we see, and have been seeing since ancient times, is that the main cause of weakness in any encryption scheme is human error. We do things like repeating phrases, reusing keys, or not being as random as we should be. This is what we should be looking at improving.
A lot of people are hyping "new things" such as: elliptic curve ciphers, which don't significantly increase security in real terms, but do allow us to encipher more efficiently; and quantum cryptography, which in theory could attain perfect secrecy, but in practice the implementations are expensive and have vulnerabilities that belie that assumption.
The tools are evolving faster than our ability to use them. While we should continue research in the ongoing battle between cryptography and cryptanalysis, we need to address the human error.
Besides, what would we teach people?
A lot of people still don't understand the need for cryptography, we need to make them aware of the reasons to use it. They may think it's a waste of time, or they might like the idea. At least they'll be making a more informed choice.
Unfortunately, people to whom the use of cryptography appeals often end up not using it at all because they perceive it as being too difficult. We should show them how to use it, help them up the steep part of the learning curve. Once you're set up it becomes easier.
Tell people about the different tools available: OpenPGP, TLS, SSH and Tor to start with. Talk about the OpenPGP web of trust, get some key-signing going. If we get some CACert notaries along, get people started with CACert.
Oh, I almost forgot, tell people about password managers. Show that they are actually easy to use. No more same easy-to-remember passwords shared across different sites please! With a password manager you can have a unique, long, random password for every different login (assuming the lack of silly restrictions). Further, because you use it all of the time, a longer and more complicated master password can be more easily memorised.
Tell people about the FreedomBox. This isn't necessarily about cryptography, but it's a good place to introduce the idea of control over your own data and moving away from centralised services. For people sufficiently far along with this, talk about running your own DNS, mail, IM, etc and their options for security.
Probably getting too advanced, but I'd like to disabuse people of the notion that IPsec is only useful for VPNs; that it can be used to secure all host to host communication. Introduce DNSSEC, DANE, SSHFP, and others. I don't know of any implementations so far, but it might be worth mentioning STEED, intended to be a mostly transparent email encryption scheme.
As the various articles have revealed, actually using PGP/GPG is simply a flag to the spooks to monitor you even more closely.
Help make encryption the norm. Give people who don't think they need encryption generally the incentive to use it anyway. When they do need encryption there is no flag because the majority of data is encrypted anyway. Even unauthenticated encryption, which is by definition not secure, raises the barrier against passive snooping.
Personally, I don't really trust any of the PGP versions released this century
I wouldn't trust it either. It's proprietary for one (although Zimmermann may have released the source for early versions, I don't think Symantec have).
Even Phil Zimmermann no longer uses PGP - as he stated in this interview last month: http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-proble...
He said he no longer uses it because it doesn't work for him, not that email encryption is a bad idea. Maybe he should invest the small amount of time needed to get GnuPG working on his Mac? I think he is wrong to only use encryption when he requires it; encryption should be the default.
GPG might be more secure, but I've not messed with it since last year, when I found that the key generation module in GPG4Win wasn't working properly.
Did you report that?
In any case, if you're using Windows how do you assure yourself that the OS isn't defeating your encryption for you? At least with free software, even if I don't audit every bit of code myself, I can have some level of assurance that backdoors are less likely: free software developers are less likely to intentionally introduce backdoors because they might be called out on it, and other people probably have looked at the code.
We've known for a while that SSL can't be trusted on mobile browsers - as the telecoms providers perform a man-in-the-middle decrypt/re-encrypt on the stream (ostensibly so they can squeeze graphics to speed up page loading - but we now know who else gets to see the "temporary" plaintext).
The SSL problems on mobile platforms are mainly implementation deficiencies, and the MitM would be improbable on a good implementation if the operator's certificate is not in the trusted certificate store.
If you don't want to have the phone company MitM you, don't use their OS. Get a phone out of contract, preferably one on which you can replace the OS (e.g. replace Android with Replicant) if necessary, or at least be able to remove all of the spyware and crapware.
And the latest revelations show that VPNs can be cracked, if the spooks really want to look inside.
I could even see TOR being rendered useless soon - as fewer exit nodes can be trusted (many will already be run by government agencies - the others are going to be raided one-by-one using whatever bogey-man excuse works best under the laws of the resident's country). The recent botnet surge on TOR is probably a sign of the end-times: http://arstechnica.com/security/2013/09/sudden-spike-of-tor-users-likely-cau...
Make sure you always use end-to-end encryption, especially when using Tor. Run some Tor nodes yourself. Encourage others to do so too. Remember that it is necessary to monitor both entry and exit communications if there is no leakage outside of the Tor network.
Simon
Hi Simon, thanks for your reply - I wonder if you would be able to run one of the workshops on the day? Perhaps you could do one about password managers or Tor?
Also, we have lots of Linux experts as always, which is great, but if anyone has knowledge of Mac, iPhone, Windows etc. implementations of GPG / OTR etc., that would be really vital. I mean, we can just look it up etc., but it would be good to find some people with first-hand experience :)
Best
Anna
On 08/09/13 18:43, Simon Ward wrote:
Anna F J Morris anna.morris@fsfe.org wrote:
Hi Simon, thanks for your reply - I wonder if you would be able to run one of the workshops on the day? Perhaps you could do one about password managers or tor?
I could possibly do a little something about the pros and cons of password managers, and demonstrate the use of KeePassX.
Simon
On 10/09/13 07:42, Simon Ward wrote:
Anna F J Morris anna.morris@fsfe.org wrote:
Hi Simon, thanks for your reply - I wonder if you would be able to run one of the workshops on the day? Perhaps you could do one about password managers or tor?
I could possibly do a little something about the pros and cons of password managers, and demonstrate the use of KeePassX.
Great - I will put that on the list. Is that a Linux thing or is it usable on all systems?
Anna F J Morris anna.morris@fsfe.org wrote:
I could possibly do a little something about the pros and cons of password managers, and demonstrate the use of KeePassX.
great - I will put that on the list. Is that a linux thing or is it usable on all systems?
It will almost certainly not work on *all* systems without substantial modification. I'm guessing you really mean "does it run on Windows and Mac OS X?" to which the answer is "yes", but I'm not interested in discussing running it on these systems.
Since it's possible to make a free Android distribution (Replicant) I will say that KeePassDroid (also free software) can read the same password database format.
Simon
On 10/09/13 17:41, Simon Ward wrote:
Anna F J Morris anna.morris@fsfe.org wrote:
I could possibly do a little something about the pros and cons of password managers, and demonstrate the use of KeePassX.
great - I will put that on the list. Is that a linux thing or is it usable on all systems?
It will almost certainly not work on *all* systems without substantial modification. I'm guessing you really mean "does it run on Windows and Mac OS X?" to which the answer is "yes", but I'm not interested in discussing running it on these systems.
Hi, fair enough, I have similar feelings myself. That said, it means you will be doing the workshop for the "Linux" peeps there, like myself, who are more likely to be the people running the other workshops. I guess we will need to see how the numbers stack up.
In general, I really want to make sure that if we teach a skill, we teach it to everyone possible, and on a practical level too, whatever device or software they are using :)
Best
Anna
Anna F J Morris anna.morris@fsfe.org wrote:
Hi, fair enough, I have similar feeling oft myself. That said, it means you will be doing the workshop for the "linux" peeps there, like myself, who are more likely to be the people running the other workshops. I guess we will need to see how the numbers stack up.
In general, I really want to make sure that if we teach a skill, we teach is to every one possible, and on a practical level too, whatever device or software they are using :)
The software is integral, especially if you're trying to market the event off the back of state spying.
It has been suspected in the past that Microsoft introduced or allowed to be introduced backdoors into their operating system. It is also suspected that popular commercial (and proprietary) cryptography software is similarly afflicted.
I can't say anything for members of state organisations--GCHQ and the NSA both employ a fair number of very intelligent people, enough that internal review may be sufficient. In the civilian world, no cryptographer trusts a cryptosystem that is not open and has been subject to peer review and withstood cryptanalysis for some time. A closed cryptosystem is simply out of the question.
This includes the software used to operate it, and so at the very least the ability to examine the source code is a necessity to have any assurance that you have a reasonable level of security. If all of the system cannot be reviewed by many others you place your trust in a small number of entities who may be coerced by the state. You might have perfect cryptography but another part of the system could be giving away your secret keys, undermining the whole effort.
Simon
Everyone who has attended the cryptography event should leave knowing how and why free software is more secure in terms of the arguments above, and during the event, they will have taken some small steps towards being secure by being introduced to whatever is the best tool available to them on their current device/platform.
I hope that this will be the first step on a journey towards being free software users for them, both for reasons of security and for general free software advocacy reasons, but if they decide to carry on using Windows or Mac in the long term in spite of what they have learned, then that is their decision and they will at least have made it with their eyes open.
Best
Anna
The guys at the Mailpile project probably don't need any more money, but they have just released another short video which is well worth watching. It is about decentralization of email - which in some ways is as important (if not more so) than encryption - as it can help to make the task of harvesting metadata (i.e. who contacted whom, and when) more expensive.
David
Interesting article on Wired: "FBI Admits It Controlled Tor Servers Behind Mass Malware Attack" http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
That's pretty tame when you think about it - the CIA used to control Osama bin Laden:
On 14/09/13 19:55, Daniel Pocock wrote:
That's pretty tame when you think about it - the CIA used to control Osama bin Laden:
http://www.theinsider.org/news/article.asp?id=0228
Grauniad: "The 10 key myths about Osama bin Laden"
http://www.theguardian.com/world/2011/may/03/osama-bin-laden-10-myths-cia-ar...
factcheck.org: "There’s no evidence the U.S. recruited, trained, armed or funded bin Laden in Soviet-Afghan war"
http://www.factcheck.org/2013/02/rand-pauls-bin-laden-claim-is-urban-myth/
Of course the US did send a lot of hardware to the area - and much of the weaponry delivered to Pakistan got diverted to the Indian border conflict (much to the annoyance of both India and the USA).
What about the CIA's alien? You're not going to tell me that is not real?
On 15/09/13 00:14, David Bolton wrote:
On 15/09/13 00:00, Daniel Pocock wrote:
What about the CIA's alien? You're not going to tell me that is not real?
Of course it's real. And what's more, he is Elvis.
And he ain't nothing but a hound dog....
;)
A x
Hi Simon,
On 08/09/13 18:43, Simon Ward wrote:
Tell people about the FreedomBox.
Last time I looked, the FreedomBox project appeared to be dead :-(
GPG might be more secure, but I've not messed with it since last year, when I found that the key generation module in GPG4Win wasn't working properly.
Did you report that?
No - as I suspected that the module was being sabotaged by an infection on that particular machine that had gone undetected by the antivirus software. And actually, that pc subsequently proved to be compromised - so I had to nuke it. I'm sticking to linux machines at home now.
David