[HacktionLab] hacktion lab May 2012 workshop

Martin charlychemnitz at yahoo.de
Thu May 3 13:41:06 UTC 2012


To answer this question you'll have to "define" your "threat model", i.e., 
what threat does the computation provider present? 

Essentially, if all your computation & storage is provided by untrusted 
sources you cannot use cryptography securely, you don't even know the machine 
in question executes the commands you want it to execute. 

Ways around this would be to (a) split trust (i.e., multi-party computation) 
or (b) perform some computations on personal "devices" such as your computer, 
phone or your head.

Note that entering your password does not count as performing some 
computations in your head, you'd need at least some challenge 
response/temporary password thing if you want any security at all. All of 
these - I think - fundamentally require some trusted source to bootstrap from.

So my preliminary answer would be: don't do it unless you trust the machine 
which stores and runs your crypto. Note however this isn't as bad as it seems 
as it ups the game: from asking your e-mail provider politely to hand over your 
unencrypted email, the adversary has to ask your computing provider to mount an 
active attack against you (person-in-the-middle, keylogger etc.) so it's 
better than not doing it.

On Thursday 03 May 2012, Sikes wrote:
> HAI
> 
> In this context, I think the following could be mentioned
> 
> Cryptography without a personal computer
> 
> The Thunderbird workshop (as outlined below) and alikes require ppl to
> store their keyring and alikes on a _local and personal_ device. Although
> this is undoubtedly the 'proper' way, many ppl do not compute locally but
> have their /home on a remote machine somewhere on the web, using different
> terminals to access it.
> 
> Beside the geek setup (shell account via ssh, everything from there), what
> would be the viable ways for ppl without a (relatively) secure personal
> computer to be able to use cryptography at all? What are the services as
> offered by the community (or even commercially) to achieve such a set up
> in a (here again, relatively) trustworthy environment?
> 
> 
> kizziz
> IAH
> 
> On Thu, 3 May 2012, Mick Fuzz wrote:
> > hi there,
> > 
> > For beginner instructions on setting up Thunderbird to do encrypted
> > emails, I've created a workbook with step by step tasks.
> > 
> > I've just done this today in preparation for the weekend and I have a
> > little time left to tweak it so any feedback would be helpful.
> > 
> > Try working your way through the tasks and give feedback.
> > 
> > http://en.flossmanuals.net/thunderbird-workbook/
> > 
> > Also let me know how long each bit takes you as I want to include that
> > info too.
> > 
> > nice one
> > Mick
> > 
> > On 02/05/12 22:56, Alan Dawson wrote:
> > 
> > Hi all,
> > 
> > It's likely that we'll have our perennial gpg signing workshop at
> > hacktionlab, so ...
> > 
> > In advance,
> > 
> > - write down your gpg fingerprint ( example )
> > 
> >     - gpg --fingerprint  0xE81A4BBA
> > 
> > - publish your key to a keyserver
> > 
> >     - gpg --keyserver pool.sks-keyservers.net --send-key 0xE81A4BBA
> > 
> > - If it's a gpg key for a 'real name'
> > 
> >     - bring some ID
> > 
> > Whilst this seems rather boring and geeky...
> > what happens is.
> > we get to meet, decide we like each other and want to work together.
> > but we forget to do a key signing and then cannot find a gpg trust path
> > and everything stalls for 6 months!
> > 
> > So bring your fingerprints!
> > 
> > Regards,
> > 
> > Alan Dawson
> > 
> > 
> > _______________________________________________
> > HacktionLab mailing list
> > HacktionLab at lists.aktivix.org
> > https://lists.aktivix.org/mailman/listinfo/hacktionlab
> 

Cheers,
Martin
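
The distinction drawn above between typing a password and answering a challenge, as an added Python example that is not part of the original message. The `Server` class, `device_respond` and the secret are hypothetical names and constructed values, and HMAC-SHA256 is assumed as the response function.

```python
import hashlib
import hmac
import secrets


class Server:
    """Verifier holding the shared secret (hypothetical, for illustration)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def check_password(self, typed: bytes) -> bool:
        # Static password: whatever the terminal saw once works forever.
        return hmac.compare_digest(typed, self._secret)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already used challenge
        self._pending.discard(challenge)  # each challenge is single-use
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(secret: bytes, challenge: bytes) -> bytes:
    """Runs on the trusted personal device; the secret never leaves it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo() -> dict:
    secret = b"constructed-sample-secret"  # constructed value
    server = Server(secret)
    # Case 1: password typed into the untrusted terminal, which records it.
    recorded_password = secret
    # Case 2: terminal only relays the challenge and the device's response.
    c1 = server.new_challenge()
    recorded_response = device_respond(secret, c1)
    return {
        "password_replay": server.check_password(recorded_password),
        "first_login": server.check_response(c1, recorded_response),
        "replay_same_challenge": server.check_response(c1, recorded_response),
        "replay_fresh_challenge": server.check_response(
            server.new_challenge(), recorded_response),
    }
```

This covers only a terminal that records what passes through it; a terminal that actively interferes with the session is the active attack the message describes.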


