[liberationtech] CryptoParty Handbook
Jacob Appelbaum
jacob at appelbaum.net
Mon Oct 8 15:46:12 PDT 2012
Asher Wolf:
> The argument everyone is politely avoiding - while pondering the
> numerous ways CryptoParty will expose already compromised individuals -
> is whether the masses SHOULD use crypto.
>
I'm not ignoring it and most of the world has been using crypto for
online stuff since SSLv2 was released to the world.
> Rain-check: it's happening - or at least, the users are trying -
> regardless of whether they're doing it right, or regardless of
> whether more experienced ppl are willing to offer their advice or not,
> and completely separate to the philosophical, technical and security
> related-discussions that are currently swirling.
>
> Basically: hello crypto, the users are here.
>
I'm sorry to say it but a lot of the users have been here for a while -
most people that use crypto just don't know they're doing it.
Ironically, if users don't get good advice, they'll just be in the same
spot - thinking they're safe when they're not - all over again!
> From experience, most of the non-tech ppl who attended Melbourne's
> Cryptoparty had previously attempted to install various tools by
> themselves and had either (a) failed (b) installed them incorrectly (c)
> couldn't figure out how to configure them (d) given up 'til now.
>
> CryptoParty is essentially the user saying: We are working together to
> try to figure out how to do it better. We need these tools.
>
> Whatever the best-practice model actually is, it'll be crowdsourced,
> because people are unwilling to wait for easy 'crypto manna from
> heaven', offered up on a plate.
>
> And frankly, the users have much to learn from the crypto experts and
> it'd be a damn shame if knowledgeable people refused to teach or share
> their expertise because ppl are "doing it wrong."
I think that the real changes belong in the platforms - anything that
requires configuration is probably already doomed to fail and screw a
user. That's generally the approach that I've seen work - everything
that requires 0) user education and 1) realistic honesty about threats
or risks results in 2) denial or mistakes or a bork'ed tool shooting the
user in the foot.
>
> We've known we've been doing it wrong for a long time now and going back
> to Facebook to organise is no longer an option.
>
> The creation of CryptoParty was a spontaneous, viral storm. It was NOT a
> concerted, centrally-organised campaign, with funding or even a
> best-practice model. My hope is that experts contribute to eventually
> provide a best-practice model, and that users give the necessary
> feedback allowing for tweaks in tools and creation of more accessible
> crypto.
>
Since clearly a few loud people were bent out of shape by my comments -
they have no idea that I encouraged you or tried to help out; so let me
set the record straight: go you!
I think it is *great* to make the book and I think it is great to do it
with a set of unifying principles - it will help to ensure that good
stuff gets into the book and crappy stuff stays out of the book or is so
noted as crappy or contentious. I think that means that peer review is
essential before rushing to publish.
I really encourage you to put in a few chapters about the following:
social and technical compartmentalization
targeted exploitation realities (from Core Impact to Metasploit)
threat modeling
intention/goal based risk analysis
physical security risks
practical information on real surveillance/censorship systems
getting involved
going from a user (to a translator or...) to a developer
outlining the currently missing tools that we need to build
Overall - I think the EFF's SSD is a great document to consider in the
process and I think you're well aware of it...
All the best,
Jacob