[HacktionLab] hacktion lab May 2012 workshop
Mick Fuzz
mickfuzz at clearerchannel.org
Thu May 3 15:29:14 UTC 2012
On 03/05/12 15:53, Sikes wrote:
> HAI
>
> This leads us to the field of soft/social secure computing at large.
> Fact is that for many activists, 'hard' cryptography is beyond
> reasonable reach mainly because the tech is difficult to fathom and
> therefore often next to impossible to implement.
I agree with everything you say apart from the above which I would like
to question.
So my question is... Is Thunderbird and Enigmail too difficult to fathom?
I admit it took me a while to figure out.
I'd like to test that question by really working on the documentation
and to explore how we teach the use of this particular tool. My first
goal is to break it down into easy to understand stages and to get
feedback from you guys and others about if I'm trying to do that in the
right way.
I'm starting with say the first 60-90 mins of learning that someone
might be able to take in at one go, and still come out having achieved
something.
I've done a bit more work on the workbook and the first challenge of the
workbook.
http://en.flossmanuals.net/thunderbird-workbook
And I've put the key stages into a p2pu 'challenge'.
https://p2pu.org/en/groups/encrypt-and-sign-your-email/
This is based on the material here -
http://en.flossmanuals.net/basic-internet-security/
With this length of workshop it's all about working out what detail you
can leave out, as opposed to trying to cram it all in.
So this system allows people to work through a task and to get feedback
from peers. I would be really grateful if anyone was up for checking it
out, and trying to do the challenge on line.
Also if this is the first workshop on Thunderbird & email security, what
would you put in the second one?
nice one
mick
>
> What is reachable and easy to use are the alternatives to the big
> 'free' email (and other digital communications) providers, especially
> if there is a layer of tech savvy geeks willing to put good efforts in
> setting up such an infrastructure. Riseup.net, axtivix.org, squat.net,
> puscii.nl, network23.org and indenti.ca are just some examples.
>
> Another important aspect is the fact that ppl are currently willing to
> give away insights on their most intimate details willingly, no
> attacks whatsoever required!
>
> Such fundamental questions of intentional use and control of personal
> data and communications are closer to the reality of most of the
> intended audience of the hacktionlab, than the inner workings of PKI
> and details of its implementation.
>
> If ppl ask at the hacktion lab, where they should start, I believe
> that there should be a set of practical solutions at hand:
>
> - explain why _not_ using your real name and other details on the net
> is not cowardice but good practice
> - point ppl to a list of _easy_ to use services (proxies and alikes)
> - give out webmail accounts on trusted servers on location
>
> and so on
>
> kizziz
> IAH
>
>
> ________________________________
> fighting for your digital rights:
> http://www.gnu.org/ (A)
>
>
> On Thu, 3 May 2012, Martin wrote:
>
>> To answer this question you'll have to "define" your "threat model", i.e.,
>> what threat does the computation provider present?
>>
>> Essentially, if all your computation & storage is provided by untrusted
>> sources you cannot use cryptography securely, you don't even know the machine
>> in question executes the commands you want it to execute.
>>
>> Ways around this would be to (a) split trust (i.e., multi-party computation)
>> or to perform some computations on personal "devices" such as your computer,
>> phone or your head.
>>
>> Note that entering your password does not count as performing some
>> computations in your head, you'd need at least some challenge
>> response/temporary password thing if you want any security at all. All of
>> these - I think - fundamentally require some trusted source to bootstrap from.
>>
>> So my preliminary answer would be: don't do it unless you trust the machine
>> which stores and runs your crypto. Note however this isn't as bad as it seems
>> as it ups the game: from asking your e-mail provider politely to hand over your
>> unencrypted email the adversary has to ask your computing provider to mount an
>> active attack against you (person-in-the-middle, keylogger etc.) so it's
>> better than not doing it.
>>
>> On Thursday 03 May 2012, Sikes wrote:
>>> HAI
>>>
>>> In this context, I think the following could be mentioned
>>>
>>> Cryptography without a personal computer
>>>
>>> The thunderbird workshop (as outlined below) and alikes require ppl to
>>> store their keyring and alikes on a _local and personal_ device. Although
>>> this is undoubtedly the 'proper' way, many ppl do not compute locally but
>>> have their /home on a remote machine somewhere on the web, using different
>>> terminals to access it.
>>>
>>> Beside the geek setup (shell account via ssh, everything from there), what
>>> would be the viable ways for ppl without a (relatively) secure personal
>>> computer to be able to use cryptography at all? What are the services as
>>> offered by the community (or even commercially) to achieve such a set up
>>> in a (here again, relatively) trustworthy environment?
>>>
>>>
>>> kizziz
>>> IAH
>>>
>>> On Thu, 3 May 2012, Mick Fuzz wrote:
>>>> hi there,
>>>>
>>>> For beginner instructions on setting up Thunderbird to do encrypted
>>>> emails, I've created a workbook with step by step tasks.
>>>>
>>>> I've just done this today in preparation for the weekend and I have a
>>>> little time left to tweak it so any feedback would be helpful.
>>>>
>>>> Try working your way through the tasks and give feedback.
>>>>
>>>> http://en.flossmanuals.net/thunderbird-workbook/
>>>>
>>>> Also let me know how long each bit takes you as I want to include that
>>>> info too.
>>>>
>>>> nice one
>>>> Mick
>>>>
>>>> On 02/05/12 22:56, Alan Dawson wrote:
>>>>
>>>> Hi all,
>>>>
>>>> It's likely that we'll have our perennial gpg signing workshop at
>>>> hacktionlab, so ...
>>>>
>>>> In advance,
>>>>
>>>> - write down your gpg fingerprint ( example )
>>>>
>>>> - gpg --fingerprint 0xE81A4BBA
>>>>
>>>> - publish your key to a keyserver
>>>>
>>>> - gpg --keyserver pool.sks-keyservers.net --send-key 0xE81A4BBA
>>>>
>>>> - If it's a gpg key for a 'real name'
>>>>
>>>> - bring some ID
>>>>
>>>> Whilst this seems rather boring and geeky...
>>>> what happens is.
>>>> we get to meet, decide we like each other and want to work together.
>>>> but we forget to do a key signing and then cannot find a gpg trust path
>>>> and everything stalls for 6 months!
>>>>
>>>> So bring your fingerprints!
>>>>
>>>> Regards,
>>>>
>>>> Alan Dawson
>>>>
>>>>
>>>> _______________________________________________
>>>> HacktionLab mailing list
>>>> HacktionLab at lists.aktivix.org
>>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>>>
>>
>> Cheers,
>> Martin
>>
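Added example, not part of the original thread or of any poster's message: a shell check for the key-signing preparation Alan describes, comparing a fingerprint written on paper against the full fingerprint in gpg's colon-format listing. The listings, fingerprints and function names are constructed for illustration; only the short ID E81A4BBA comes from the thread.

```shell
#!/bin/sh
# Constructed sample data: two keys that share the short ID E81A4BBA (the
# example ID from the thread) but have different 40-hex-digit fingerprints.
# Real input would come from: gpg --with-colons --fingerprint 0xE81A4BBA
GOOD_LISTING='pub:-:4096:1:89ABCDEFE81A4BBA:1335830400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFE81A4BBA:
uid:-::::1335830400::::Constructed Example <someone@example.invalid>:'
LOOKALIKE_LISTING='pub:-:4096:1:76543210E81A4BBA:1335830400:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210E81A4BBA:
uid:-::::1335830400::::Constructed Example <someone@example.invalid>:'
# Fingerprint as someone might have written it on paper (constructed).
PAPER='0123 4567 89ab cdef 0123  4567 89ab cdef e81a 4bba'

# Strip whitespace and an optional 0x prefix, then upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read colon-format gpg output on stdin and print the primary key fingerprint
# (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_fpr PAPER LISTING: prints MATCH (exit 0), MISMATCH (exit 1), or
# TOO_SHORT / INVALID (exit 2) when PAPER is not a full 40-digit fingerprint.
check_fpr() {
    paper=$(norm_fpr "$1")
    key=$(printf '%s\n' "$2" | primary_fpr)
    case "$paper" in
        ''|*[!0-9A-F]*) echo INVALID; return 2 ;;
    esac
    if [ "${#paper}" -ne 40 ]; then echo TOO_SHORT; return 2; fi
    if [ "$paper" = "$key" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

check_fpr "$PAPER" "$GOOD_LISTING"
check_fpr "$PAPER" "$LOOKALIKE_LISTING" || true   # same short ID, other key
check_fpr "0xE81A4BBA" "$GOOD_LISTING" || true    # short ID alone is rejected
```

Only a MATCH on all 40 hex digits identifies the key; two different keys can share the same 8-digit short ID.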