Secured communications for activism
The goal of this meetup is to discuss ways to define a common, user-friendly and secure way for activist groups to communicate with each other, if possible before the CCC camp, so we can work out which information and techniques would be worth focusing on when we're there. The time and day are still subject to change; we'll discuss them during the next TechTuesday.
EDIT: In the end we're keeping the date, so the meeting will be held this Friday. Let's make it a FrHackNight :-P !
sources for inspiration:
- https://github.com/unhosted/unhosted/ / https://github.com/unhosted/unhosted/wiki/
Time for debriefing !
we'll look at the collaboration tools we use and how to use them securely
what's to say about secure communication:
- encryption: asymmetric (RSA) vs key agreement (Diffie-Hellman) vs symmetric block ciphers (AES). In practice they are combined: the long-term asymmetric keys authenticate the peers, DH agrees a session key, a block cipher encrypts the actual data
- authentication: strong authentication of the peer, to prevent MITM (man-in-the-middle) attacks; an encrypted channel to the wrong party is worthless
- perfect forward secrecy: a fresh key per session, thrown away afterwards, so that a later compromise of the long-term keys does not expose past conversations
- how is this different from anonymous communication? (encryption hides what is said, not who talks to whom)
- security starts with your own privacy; so learn how to keep your own systems trustworthy, e.g. http://events.ccc.de/congress/2010/wiki/How_To_Survive
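To make the first three points above concrete, here is an added example (not from the page or from any of the tools discussed) that glues them together with nothing but the openssl command line: a long-term RSA key per person used only for signing, a fresh X25519 Diffie-Hellman key pair per conversation, and SHA-256 of the shared secret as the session key. The names alice/bob/mallory and the directory layout are assumptions for the demo; it also assumes OpenSSL 1.1.0 or newer (X25519 support).

```shell
#!/bin/sh
# Added example: authenticated ephemeral Diffie-Hellman with the openssl CLI.
#   - long-term RSA key pair per person: used ONLY to sign (authentication)
#   - fresh X25519 key pair per conversation: Diffie-Hellman key agreement
#   - SHA-256 of the derived secret: the symmetric session key
# Deleting the X25519 keys after the conversation is what gives perfect
# forward secrecy: a later theft of the RSA key cannot recover them.

# make_identity DIR NAME : long-term RSA key pair (the public key you exchange in person)
make_identity() {
    openssl genrsa -out "$1/$2.rsa" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/$2.rsa" -pubout -out "$1/$2.rsa.pub" 2>/dev/null
}

# new_ephemeral DIR NAME : X25519 key pair for one session, signed with the RSA key
new_ephemeral() {
    openssl genpkey -algorithm X25519 -out "$1/$2.eph" 2>/dev/null || return 1
    openssl pkey -in "$1/$2.eph" -pubout -out "$1/$2.eph.pub" || return 1
    # the signature over the ephemeral public key is what stops an active MITM
    openssl dgst -sha256 -sign "$1/$2.rsa" -out "$1/$2.eph.sig" "$1/$2.eph.pub"
}

# session_key DIR ME PEER : verify PEER's signed ephemeral key against the RSA
# public key we already trust, then derive the shared secret. Prints hex.
session_key() {
    dir=$1; me=$2; peer=$3
    openssl dgst -sha256 -verify "$dir/$peer.rsa.pub" \
        -signature "$dir/$peer.eph.sig" "$dir/$peer.eph.pub" >/dev/null 2>&1 \
        || { echo "signature check failed for $peer: possible MITM" >&2; return 1; }
    openssl pkeyutl -derive -inkey "$dir/$me.eph" -peerkey "$dir/$peer.eph.pub" \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# demo_handshake : alice and bob end up with the same key; mallory, who swaps
# in her own ephemeral key but cannot sign it as bob, is rejected. Prints "ok".
demo_handshake() {
    d=$(mktemp -d) || return 1
    for who in alice bob mallory; do
        make_identity "$d" "$who" && new_ephemeral "$d" "$who" || return 1
    done
    ka=$(session_key "$d" alice bob) || return 1
    kb=$(session_key "$d" bob alice) || return 1
    [ -n "$ka" ] && [ "$ka" = "$kb" ] || return 1
    # MITM attempt: mallory's ephemeral public key presented as bob's
    cp "$d/mallory.eph.pub" "$d/bob.eph.pub"
    if session_key "$d" alice bob 2>/dev/null; then return 1; fi
    # forward secrecy: the session key lives only in memory, wipe the ephemerals
    rm -f "$d"/*.eph "$d"/*.eph.pub
    rm -rf "$d"
    echo "ok: shared key $ka agreed, MITM rejected"
}
```

Run `demo_handshake` to see the whole exchange; the piece that matters for activists is that bob's RSA public key has to reach alice by a trustworthy path (in person, fingerprint read out loud), because that is the only thing the signature check stands on.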
We noted down some of the collaboration tools we use and had a look at whether they provide any level of security.
- thunderbird+enigmail (GPG): people create trust relationships themselves, by verifying and signing each other's keys (web of trust)
- pidgin+OTR: Off-the-Record is a plugin for pidgin that lets you strongly authenticate your chat buddy and provides encryption, perfect forward secrecy and deniability.
  authentication can use the Socialist Millionaire Protocol: both sides prove they know the same shared secret (e.g. the answer to a question only the buddy knows) without revealing it, so no fingerprints have to be compared by hand
- IRC over SSL: encrypts the connection between you and the server, so it gives confidentiality and integrity against the network, but that's it: the server (and everyone in the channel) still sees the plaintext, there is nothing end-to-end
- SILC (to look into): http://silcnet.org/ ( http://silcnet.org/general/about/security.php )
online storage / file exchange
- local encrypt & upload: encrypt your files before uploading them, using a strong symmetric cipher (bcrypt, openssl http://www.madboa.com/geek/openssl/#encrypt-simple), then upload them wherever (dropbox, bittorrent). Note that `openssl enc` only encrypts, it does not detect tampering; add a MAC or a signature if you care about the file coming back unmodified
- piratebox - portable torrent tracker
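Added example for the "local encrypt & upload" item (not from the page, not from any of the tools it lists): a file is encrypted with AES-256-CBC via the openssl CLI, then an HMAC-SHA256 with an independent key is stored next to it, and decryption refuses to run unless the HMAC matches (encrypt-then-MAC). It assumes OpenSSL 1.1.1 or newer for `-pbkdf2`, and that the passphrase and MAC key are handed to your peers out of band, never through the storage provider; the plaintext note is constructed for the demo.

```shell
#!/bin/sh
# Added example: encrypt-then-MAC a file before uploading it to untrusted storage.
# Assumes OpenSSL >= 1.1.1 (-pbkdf2). Passphrase file and MAC key are assumed
# to be shared out of band (in person), never via the same storage.

# encrypt_file PLAIN OUT PASSFILE MACKEYFILE
# Writes OUT (AES-256-CBC, key derived with PBKDF2) and OUT.hmac
# (HMAC-SHA256 over the ciphertext with an independent key).
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2" || return 1
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$4")" "$2" \
        | awk '{print $NF}' > "$2.hmac"
}

# decrypt_file IN OUT PASSFILE MACKEYFILE
# Refuses to decrypt unless the stored HMAC matches, so a storage provider
# that edits the blob cannot feed us chosen ciphertext.
decrypt_file() {
    expected=$(cat "$1.hmac") || return 1
    actual=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$4")" "$1" \
        | awk '{print $NF}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ] \
        || { echo "HMAC mismatch on $1: refusing to decrypt" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" -out "$2"
}

# demo_roundtrip : encrypt a constructed note, decrypt it, then corrupt the
# ciphertext (what a hostile "cloud" could do) and check decryption is refused.
demo_roundtrip() {
    d=$(mktemp -d) || return 1
    printf 'meeting friday 20:00, bring the printed flyers\n' > "$d/plan.txt"
    openssl rand -hex 32 > "$d/pass"     # cipher passphrase
    openssl rand -hex 32 > "$d/mac.key"  # separate MAC key
    encrypt_file "$d/plan.txt" "$d/plan.enc" "$d/pass" "$d/mac.key" || return 1
    if grep -q 'flyers' "$d/plan.enc"; then return 1; fi   # no plaintext leak
    decrypt_file "$d/plan.enc" "$d/plan.dec" "$d/pass" "$d/mac.key" || return 1
    cmp -s "$d/plan.txt" "$d/plan.dec" || return 1
    printf 'X' >> "$d/plan.enc"                            # tamper with the blob
    if decrypt_file "$d/plan.enc" "$d/plan.dec2" "$d/pass" "$d/mac.key" 2>/dev/null; then
        return 1
    fi
    rm -rf "$d"
    echo "ok: round trip fine, tampering detected"
}
```

Upload `plan.enc` and `plan.enc.hmac` together; whoever holds both keys can check and decrypt, the provider only ever sees two opaque blobs. If the people you share with already use GPG, `gpg --encrypt --sign` gets you the same two properties with their existing keys.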
- ssl/tls: sets up an authenticated & encrypted TCP stream (best known from https). Client & server can authenticate each other using public/private keys; public trust is created artificially by centralized 'certification authorities', so for a closed group you can run your own CA instead
- proxy:
- tor: https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms -- tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet
- vpn/darknet: several software packages exist; the best known open-source tools are openvpn and tinc-vpn. Clients create authenticated & encrypted tunnels to the server(s); the server will
- freenet -- anonymity, anti-censorship, gore
- skype -- a closed-source protocol, so it is not known whether there are backdoors,
  nor who the parties involved in Skype are and who has access to the communication content
- asterisk secure SIP -- asterisk does not come with released support for voice encryption -- http://www.voip-info.org/wiki/view/Asterisk+encryption
  - authentication: http://www.voip-info.org/wiki/view/Asterisk+iax+rsa+auth
  - encrypted content: Secure RTP (SRTP) -- http://www.e164.org/wiki/AsteriskSRTP
  - a VPN can be a solution for authentication & encryption here
- mobile phone: throw it away
wireless mesh networks
general points to think about
- security needs organization: keys (PGP keys etc.), certificates ...
  in general people forget about the stolen computer, or a seizure/requisition (police, enemy)
- what about something small and quick to help organize an event, with a delay of hours?
  or something easy to put on a computer to get "communication" with your peers (over the internet, a private network or a LAN ...)?
Q : anonymity needs encryption - T/F ?
- investigation about security: Gobby can use GnuTLS
  http://www.absoluteastronomy.com/topics/Gobby -- based on TLS, Transport Layer Security -- http://en.wikipedia.org/wiki/Transport_Layer_Security. Just to give an idea: TLS 1.0 is a minor revision of SSL 3.0 (later, for a workshop?). People need to take care to exchange public keys to get strong authentication; this needs some setup (key exchange / set up your own Certificate Authority / trust an existing CA)
  another question: how to set up a real Gobby session for several people? We know we need a key pair for the creator of the session; what about authentication of the other participants? This needs to be well prepared ... (to do)
  SSL could be provided by a web server:
  apache with SSL, enforcing client certificate auth. Users need: their own client certificate (issued by the group's CA), and to check the server certificate
  to trust the browser? 'portable app'?
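The "set up a Certificate Authority" step that both the Gobby and the apache client-certificate ideas above depend on, as an added example with the openssl CLI (not from the page, not from Gobby or Apache): build a private CA, issue a server and a client certificate, verify the client certificate the way `SSLVerifyClient require` does, and show that a certificate from some other CA is rejected. The CA name "Activist CA", the users, the file names and the PKCS#12 passphrase `changeme` are placeholders for the demo; the mod_ssl directives printed at the end are the real Apache ones.

```shell
#!/bin/sh
# Added example: a private CA for mutual TLS (client certificates), openssl CLI only.
# Placeholder names: "Activist CA", user alice, PKCS#12 passphrase 'changeme'.

# make_ca DIR : self-signed CA certificate + key. The CA key is the group's
# root of trust: keep it offline on an encrypted volume, never on the server.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Activist CA" 2>/dev/null
}

# issue_cert DIR NAME : key + CSR for NAME, signed by the CA living in DIR
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# check_cert CAFILE CERT : the chain check Apache does for SSLVerifyClient require
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_for_browser DIR NAME : PKCS#12 file the user imports into the browser
bundle_for_browser() {
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/ca.crt" \
        -out "$1/$2.p12" -passout pass:changeme 2>/dev/null
}

# apache_snippet DIR : mod_ssl directives that enforce client certificates
apache_snippet() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $1/server.crt
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile  $1/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

# demo_pki : build the CA, a server cert and a client cert, then show that a
# certificate issued by a different CA is rejected. Prints "ok".
demo_pki() {
    d=$(mktemp -d) || return 1
    make_ca "$d" || return 1
    issue_cert "$d" server && issue_cert "$d" alice || return 1
    check_cert "$d/ca.crt" "$d/alice.crt" || return 1
    bundle_for_browser "$d" alice || return 1
    # a second, unrelated CA (an attacker's, or simply another group's)
    mkdir "$d/other" && make_ca "$d/other" && issue_cert "$d/other" alice || return 1
    if check_cert "$d/ca.crt" "$d/other/alice.crt"; then return 1; fi
    apache_snippet "$d" >/dev/null
    rm -rf "$d"
    echo "ok: own client cert accepted, foreign one rejected"
}
```

Hand each participant their `.p12` and the `ca.crt` in person: the certificate answers "who is this?" for the server, and `ca.crt` is what lets their browser check the server certificate, which is the second half of the requirement noted above.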
- Tails: live Linux distribution bundled with Tor and encryption software (TrueCrypt).
- Can be used from almost anywhere.
- Check these pages for details:
  You can download it from here (torrent available): https://tails.boum.org/download/index.en.html