Cryptography for Nonprofits
Crypto online and crypto offline
What do we want to talk about? web of trust systems – alternatives to certificate authorities how to convince activists to use safe practices the interconnectedness to OTHERS and vulnerabilities posed to them implementing ssl for at least logins – what cert authority to use? false sense of security from 'safe practices'
Crypto-party: In the early 90s people thought of crypto as a very powerful tool to bring privacy to the masses. This seems to have dropped off, crypto-parties are advocacy outreach to bring crypto to the masses
SSL Secure socket layer (http / https) – browsers used to have a padlock icon, and UI designers have taken these out often Browser developers find that the scary pop-up warnings are too difficult to understand, now browser developers are starting to adopt a view on mixed-content in which insecure content will just not be displayed. Behavior above creates an incentive for better practices or things don't display SSL does more than encryption it also authenticates the party that you are communicating with without https one could do a false authentication and serve malicious content Strict transport security header that tells not only does this site use https but disallow any usage of http content widgets and stuff on a site with SSL ought to be served on SSL Arguments to not use SSL – when content is coming from insecure connections more computation – server load you need a source of random numbers – and a server may not be able to generate them quick enough with a lot of load it is slower to establish the conversation – as there is a conversation about the encryption and then serves the content one used to have to pay to have a certificate from a certifying authority
HOW DO WE GET PEOPLE TO USE CRYPTO? PGP and OTR PGP is often used for email and is more complex OTR is for chat and easier to use (and maybe less secure... but the ease allows ease of adoption) Techsecure(?) Adium(?) TOR (!!!) Don't let perfection be the enemy of good enough. SCARY DEMOS People often allow strangers to have access to their credit card info – but may be more disturbed about having others know what you've been looking at. It is important for people to share only what they want People of privilege may feel very safe – many other may not – and have real world reasons to not want to share all. Things that may seem benign right now may not be considered okay in the future Social networks have normalized lack of privacy – tagging friends and us and where we are THEY is stalkers, NSA, Google, Facebook, cops, employers Things that seem innocuous now may not be so later What about if a bank checks the credit ratings of your friends and builds a model out of that You have info about others and other's secrets – maybe YOU don't care but THEY may Are we able to create an online enviroment in which people who use crypto are more normalized or a weirdo secret agent drug smuggling child pornographer in China fighting for Tibetan independence
PGP can't stop people from knowing WHO you are communicating with. And is using crypto a redflag?
HOW CAN CRYPTO BE A FALSE SENSE OF SECURITY? Side channel attacks: Keyloggers, trojan that screenshots, and ways of checking plain text Traffic analysis – not tracking what was said, but when, to whom from who, and how long the message is – is still a viable form of analytics – inferences by non-encrypted data End point security – malware – losing track of your system – governments are increasingly building better malware Tracking of affinity groups from figuring out a social map and seeing actions and reactions – though nodal focal points – a chain of command can be inferred You can tell when someone stayed in one place for a period of time based on accessing stuff from one IP address – and behaviors -they checked their email here last night, and today they may have stayed at home that night
HTTPS and TOR – Working together to protect your privacy – EFF infographic (https://www.eff.org/pages/tor-and-https)
-Crypto only goes so far – data is leaked by connecting at all – there are effective attacks agnostic of breaking crypto -Even if you don't think YOU need crypto others may