[HacktionLab] hacktion lab May 2012 workshop

Sikes sikes at squat.net
Thu May 3 14:53:42 UTC 2012


HAI

This leads us to the field of soft/social secure computing at large. Fact 
is that for many activists, 'hard' cryptography is beyond reasonable reach 
mainly because the tech is difficult to fathom and therefore often next to 
impossible to implement.

What is reachable and easy to use are the alternatives to the big 'free' 
email (and other digital communications) providers, especially if there is 
a layer of tech savvy geeks willing to put good efforts in setting up such 
an infrastructure. Riseup.net, aktivix.org, squat.net, puscii.nl, 
network23.org and identi.ca are just some examples.

Another important aspect is the fact that ppl are currently willing to 
give away insights on their most intimate details willingly, no attacks 
whatsoever required!

Such fundamental questions of intentional use and control of personal data 
and communications are closer to the reality of most of the intended 
audience of the hacktionlab, than the inner workings of PKI and details of 
its implementation.

If ppl ask at the hacktion lab, where they should start, I believe that 
there should be a set of practical solutions at hand:

- explain why _not_ using your real name and other details on the net is 
not cowardice but good practice
- point ppl to a list of _easy_ to use services (proxies and alikes)
- give out webmail accounts on trusted servers on location

and so on

kizziz
IAH


________________________________
fighting for your digital rights:
http://www.gnu.org/ (A)


On Thu, 3 May 2012, Martin wrote:

> To answer this question you'll have to "define" your  "threat model", i.e.,
> what threat does the computation provider present?
>
> Essentially, if all your computation & storage is provided by untrusted
> sources you cannot use cryptography securely, you don't even know the machine
> in question executes the commands you want it to execute.
>
> Ways around this would be to (a) split trust (i.e., multi-party computation)
> or to perform some computations on personal "devices" such as your computer,
> phone or your head.
>
> Note that entering your password does not count as performing some
> computations in your head, you'd need at least some challenge
> response/temporary password thing if you want any security at all. All of
> these - I think - fundamentally require some trusted source to bootstrap from.
>
> So my preliminary answer would be: don't do it unless you trust the machine
> which stores and runs your crypto. Note however this isn't as bad as it seems
> as it ups the game: from asking your e-mail provider politely to hand over your
> unencrypted email the adversary has to ask your computing provider to mount an
> active attack against you (person-in-the-middle, keylogger etc.) so it's
> better than not doing it.
>
> On Thursday 03 May 2012, Sikes wrote:
>> HAI
>>
>> In this context, I think the following could be mentioned
>>
>> Cryptography without a personal computer
>>
>> The thunderbird workshop (as outlined below) and alikes require ppl to
>> store their keyring and alikes on a _local and personal_ device. Although
>> this is undoubtedly the 'proper' way, many ppl do not compute locally but
>> have their /home on a remote machine somewhere on the web, using different
>> terminals to access it.
>>
>> Beside the geek setup (shell account via ssh, everything from there), what
>> would be the viable ways for ppl without a (relatively) secure personal
>> computer to be able to use cryptography at all? What are the services as
>> offered by the community (or even commercially) to achieve such a set up
>> in a (here again, relatively) trustworthy environment?
>>
>>
>> kizziz
>> IAH
>>
>> On Thu, 3 May 2012, Mick Fuzz wrote:
>>> hi there,
>>>
>>> For beginner instructions on setting up Thunderbird to do encrypted
>>> emails, I've created a workbook with step by step tasks.
>>>
>>> I've just done this today in preparation for the weekend and I have a
>>> little time left to tweak it so any feedback would be helpful.
>>>
>>> Try working your way through the tasks and give feedback.
>>>
>>> http://en.flossmanuals.net/thunderbird-workbook/
>>>
>>> Also let me know how long each bit takes you as I want to include that
>>> info too.
>>>
>>> nice one
>>> Mick
>>>
>>> On 02/05/12 22:56, Alan Dawson wrote:
>>>
>>> Hi all,
>>>
>>> It's likely that we'll have our perennial gpg signing workshop at
>>> hacktionlab, so ...
>>>
>>> In advance,
>>>
>>> - write down your gpg fingerprint ( example )
>>>
>>>     - gpg --fingerprint  0xE81A4BBA
>>>
>>> - publish your key to a keyserver
>>>
>>>     - gpg --keyserver pool.sks-keyservers.net --send-key 0xE81A4BBA
>>>
>>> - If it's a gpg key for a 'real name'
>>>
>>>     - bring some ID
>>>
>>> Whilst this seems rather boring and geeky...
>>> what happens is:
>>> we get to meet, decide we like each other and want to work together.
>>> but we forget to do a key signing and then cannot find a gpg trust path
>>> and everything stalls for 6 months!
>>>
>>> So bring your fingerprints!
>>>
>>> Regards,
>>>
>>> Alan Dawson
>>>
>>>
>>> _______________________________________________
>>> HacktionLab mailing list
>>> HacktionLab at lists.aktivix.org
>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>>
>
> Cheers,
> Martin
>
>
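
The distinction drawn in Martin's quoted reply, between typing a password and a challenge-response computed on a personal device, shown as an added example that is not part of the original thread. The `Server` class, `device_respond`, the pre-shared device key and the sample password are hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets

class Server:
    """Verifier; assumes a key was shared with the user's device in advance."""
    def __init__(self, password: str, device_key: bytes):
        self._password = password.encode()
        self._device_key = device_key
        self._pending = set()  # challenges issued and not yet used

    def login_password(self, typed: str) -> bool:
        return hmac.compare_digest(typed.encode(), self._password)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random nonce per login
        self._pending.add(challenge)
        return challenge

    def login_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:   # unknown or already consumed
            return False
        self._pending.discard(challenge)     # single use
        expected = hmac.new(self._device_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    """Runs on the personal device; the key never reaches the terminal."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)
    server = Server("constructed-sample-password", key)
    # Everything typed or shown at the untrusted terminal can be recorded.
    seen_password = "constructed-sample-password"
    results = {"password_login": server.login_password(seen_password),
               "password_replay": server.login_password(seen_password)}
    c1 = server.new_challenge()
    r1 = device_respond(key, c1)             # terminal sees c1 and r1 only
    results["response_login"] = server.login_response(c1, r1)
    results["replay_same_challenge"] = server.login_response(c1, r1)
    c2 = server.new_challenge()
    results["replay_on_new_challenge"] = server.login_response(c2, r1)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Replay protection is all this buys: a terminal that tampers with the live session is the active attack the reply mentions, and the sketch does not cover it.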


