[HacktionLab] hacktion lab May 2012 workshop
Sikes
sikes at squat.net
Thu May 3 16:34:55 UTC 2012
HAI
First and foremost: I never wanted to suggest that giving the Thunderbird
workshop was a bad idea. I think it's a great idea, and I will most
certainly be participating ;)
(more inline hereunder)
On Thu, 3 May 2012, Mick Fuzz wrote:
> On 03/05/12 15:53, Sikes wrote:
>> HAI
>>
>> This leads us to the field of soft/social secure computing at large.
>> Fact is that for many activists, 'hard' cryptography is beyond
>> reasonable reach mainly because the tech is difficult to fathom and
>> therefore often next to impossible to implement.
>
> I agree with everything you say apart from the above which I would like
> to question.
> So my question is... Is Thunderbird and Enigmail too difficult to fathom?
> I admit it took me a while to figure out.
The 'difficulty' does not start with the crypto part, but with the
understanding of how email (and digital messaging in general) works.
As trivial as it may look to a techie, the whole protocol chain id SMTP
and (S)POP3/IMAP(S), required to understand what the role of Thunderbird
is at all, is not evidently understood by the average user of email.
Needless to say that concepts and implementations of public key encryption
and the tools that come with it do not exactly make things easier :S
Most ppl use webmail and will keep using it, so exploring PKI encryption
for webmail is crucial, if the goal is to make email usage at large more
secure.
In fact the basic-internet-security flossmanual has quite a good chapter
on it:
http://en.flossmanuals.net/basic-internet-security/ch033_webmail-security/
> I'd like to test that question by really working on the documentation
> and to explore how we teach the use of this particular tool. My first
> goal is to break it down into easy to understand stages and to get
> feedback from you guys and others about if I'm trying to do that in the
> right way.
will do and feed it back here
>
> I'm starting with say the first 60-90 mins of learning that someone
> might be able to take in at one go, and still come out having achieved
> something.
>
> I've done a bit more work on the workbook and the first challenge of the
> work book.
> http://en.flossmanuals.net/thunderbird-workbook
> And I've put the key stages into a p2pu 'challenge'.
> https://p2pu.org/en/groups/encrypt-and-sign-your-email/
>
> This is based on the material here -
> http://en.flossmanuals.net/basic-internet-security/
>
> With this length of workshop it's all about working out what detail you
> can leave out, as opposed to trying to cram it all in.
>
> So this system allows people to work through a task and to get feedback
> from peers. I would be really grateful if anyone was up for checking it
> out, and trying to do the challenge on line.
>
> Also if this is the first workshop on Thunderbird & email security, what
> would you put in the second one?
* use PGP with your existing webmail account
* where can one get a trustworthy encryption enabled 'cloud based' (sorry
for the use of weird buzzwords ;) mail account
and really, a chat on how not to tell the net all your secrets would be
great :P
kizziz
IAH
>
> nice one
> mick
>
>>
>> What is reachable and easy to use are the alternatives to the big
>> 'free' email (and other digital communications) providers, especially
>> if there is a layer of tech savvy geeks willing to put good efforts in
>> setting up such an infrastructure. Riseup.net, axtivix.org, squat.net,
>> puscii.nl, network23.org and indenti.ca are just some examples.
>>
>> Another important aspect is the fact that ppl are currently willing to
>> give away insights on their most intimate details willingly, no
>> attacks whatsoever required!
>>
>> Such fundamental questions of intentional use and control of personal
>> data and communications are closer to the reality of most of the
>> intended audience of the hacktionlab, than the inner workings of PKI
>> and details of its implementation.
>>
>> If ppl ask at the hacktion lab, where they should start, I believe
>> that there should be a set of practical solutions at hand:
>>
>> - explain why _not_ using your real name and other details on the net
>> is not cowardice but good practice
>> - point ppl to a list of _easy_ to use services (proxies and alikes)
>> - give out webmail accounts on trusted servers on location
>>
>> and so on
>>
>> kizziz
>> IAH
>>
>>
>> ________________________________
>> fighting for your digital rights:
>> http://www.gnu.org/ (A)
>>
>>
>> On Thu, 3 May 2012, Martin wrote:
>>
>>> To answer this question you'll have to "define" your "threat model", i.e.,
>>> what threat does the computation provider present?
>>>
>>> Essentially, if all your computation & storage is provided by untrusted
>>> sources you cannot use cryptography securely, you don't even know the
>>> machine in question executes the commands you want it to execute.
>>>
>>> Ways around this would be to (a) split trust (i.e., multi-party computation)
>>> or to perform some computations on personal "devices" such as your computer,
>>> phone or your head.
>>>
>>> Note that entering your password does not count as performing some
>>> computations in your head, you'd need at least some challenge
>>> response/temporary password thing if you want any security at all. All of
>>> these - I think - fundamentally require some trusted source to
>>> bootstrap from.
>>>
>>> So my preliminary answer would be: don't do it unless you trust the machine
>>> which stores and runs your crypto. Note however this isn't as bad as it seems
>>> as it ups the game: from asking your e-mail provider politely to hand over
>>> your unencrypted email the adversary has to ask your computing provider to
>>> mount an active attack against you (person-in-the-middle, keylogger etc.) so
>>> it's better than not doing it.
>>>
>>> On Thursday 03 May 2012, Sikes wrote:
>>>> HAI
>>>>
>>>> In this context, I think the following could be mentioned
>>>>
>>>> Cryptography without a personal computer
>>>>
>>>> The thunderbird workshop (as outlined below) and alikes require ppl to
>>>> store their keyring and alikes on a _local and personal_ device. Although
>>>> this is undoubtedly the 'proper' way, many ppl do not compute locally but
>>>> have their /home on a remote machine somewhere on the web, using different
>>>> terminals to access it.
>>>>
>>>> Beside the geek setup (shell account via ssh, everything from there), what
>>>> would be the viable ways for ppl without a (relatively) secure personal
>>>> computer to be able to use cryptography at all? What are the services as
>>>> offered by the community (or even commercially) to achieve such a set up
>>>> in a (here again, relatively) trustworthy environment?
>>>>
>>>>
>>>> kizziz
>>>> IAH
>>>>
>>>> On Thu, 3 May 2012, Mick Fuzz wrote:
>>>>> hi there,
>>>>>
>>>>> For beginner instructions on setting up Thunderbird to do encrypted
>>>>> emails, I've created a workbook with step by step tasks.
>>>>>
>>>>> I've just done this today in preparation for the weekend and I have a
>>>>> little time left to tweak it so any feedback would be helpful.
>>>>>
>>>>> Try working your way through the tasks and give feedback.
>>>>>
>>>>> http://en.flossmanuals.net/thunderbird-workbook/
>>>>>
>>>>> Also let me know how long each bit takes you as I want to include that
>>>>> info too.
>>>>>
>>>>> nice one
>>>>> Mick
>>>>>
>>>>> On 02/05/12 22:56, Alan Dawson wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> It's likely that we'll have our perennial gpg signing workshop at
>>>>> hacktionlab, so ...
>>>>>
>>>>> In advance,
>>>>>
>>>>> - write down your gpg fingerprint ( example )
>>>>>
>>>>> - gpg --fingerprint 0xE81A4BBA
>>>>>
>>>>> - publish your key to a keyserver
>>>>>
>>>>> - gpg --keyserver pool.sks-keyservers.net --send-key 0xE81A4BBA
>>>>>
>>>>> - If it's a gpg key for a 'real name'
>>>>>
>>>>> - bring some ID
>>>>>
>>>>> Whilst this seems rather boring and geeky...
>>>>> what happens is.
>>>>> we get to meet, decide we like each other and want to work together.
>>>>> but we forget to do a key signing and then cannot find a gpg trust path
>>>>> and everything stalls for 6 months!
>>>>>
>>>>> So bring your fingerprints!
>>>>>
>>>>> Regards,
>>>>>
>>>>> Alan Dawson
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> HacktionLab mailing list
>>>>> HacktionLab at lists.aktivix.org
>>>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>>>
>>> Cheers,
>>> Martin
>>>