Theater of Digital Surveillance / Cryptotherapy

Friday, September 28, 6pm-8pm @ Museum of Contemporary Art Tucson

Theater of Digital Surveillance is a digital reenactment of the initial Snowden-Poitras communications by LA Cryptoparty, followed by a live role-play workshop in which participants will learn to establish secure lines of communication, send and receive information, and verify that the digital people they are talking to are the same as the physical ones. Dark Web Treasure Hunt is an interactive game where participants explore the Dark Web in small groups to better understand the hidden landscape. After an initial history lesson on the Dark Web and Tor, LA Cryptoparty will be your guide as you, the wayward traveler, seek to navigate the hidden websites without the help of Google. Our main stop will be to check out sites managed by newspapers for whistleblowers to provide tips securely.

Fireside Family Crypto Chats

A rough synopsis of what transpired:

We got caught up on news events around privacy and crypto:

1. How did the FBI get Paul Manafort’s encrypted WhatsApp messages? -> https://gizmodo.com/paul-manafort-learns-that-encrypting-messages-doesnt-ma-1826561511 i.e. don’t back up your messages to the cloud, and make sure you delete them. Better yet, use something like Signal with timed messages that disappear after a day or a minute or something else short.

2. A bit of talk about the GDPR and the ambiguity of who qualifies as a data subject (https://eugdprcompliant.com/what-is-data-subject/) under its protection

Then we made a huge list of topics that would be good to unpack and talk about with your family:

Passwords / Password Managers
Internet-enabled devices in the home (i.e. Alexa)
Spying on kids aka kid location trackers and other software for child monitoring
Geolocation of photos and phones
DNA services like 23andme / myancestry.com <http://myancestry.com>
Cloud services
Ways to transmit important information back and forth between family members
Social media practices of family members (checking into geolocations, tagging in photos, privacy settings)
Phishing and safely opening emails / browsing the web
The discussion around “Why Privacy Matters” and how approaching it with family may necessitate a different/more personal approach than strategies developed for other audiences

The group first focused on DNA privacy. People shared stories of family members using these DNA reading services and websites to track their genealogy and in some cases use social media features of these services to locate/message newly discovered relatives. There were a few privacy issues discussed:

1. Because your DNA is shared with your biological relatives, when one person decides to use a service they are effectively making that decision for the rest of the family, lots of times without their consent.
2. Most of the for-profit DNA analysis companies are not HIPAA-compliant and have very broad Terms of Service which effectively allow them to resell your DNA profiles to other companies such as insurance companies or drug companies.
3. The companies also make it easy for law enforcement to work with them, making it easier to identify or misidentify people based on their DNA (these are not government databases like police fingerprint databases, but they are effectively becoming them because they can be easily accessed by law enforcement) -> new article on Science Mag about this http://science.sciencemag.org/content/360/6393/1078
4. We also discussed how poor the validity of the analysis they are doing is. Someone realized that no one has ever heard a story of a sample coming back from a company telling a person that their spit wasn’t good enough to derive DNA from; these companies are just shuttling through samples without effective data cleanliness and sometimes with ulterior motives (example of abuse of DNA testing in Canada to give false positives of indigeneity). This can easily result in questionably valid results for individuals, which can be exploited or sold or used by law enforcement, leading to other errors.

We then discussed spy tools used on kids. The group came to the conclusion that, like most parenting, it should be a discussion with their family as to what technologies they are going to choose to use together. One participant said their family had decided to never enable any geolocation tracking for their family members, including teens; it was a difficult decision, but they wanted to give their kids the ability to have privacy. The other part of this discussion was getting kids, and really any family members, to understand public vs private and guiding them to make good decisions about what they post where. One participant had their daughter in the 5th grade create a private Instagram account and a public Instagram account, and for each photo they posted they would make the decision whether it should be private or public. This seems like a good technique for teaching anyone about privacy. A point was also made about how schools can be complicit in collecting personal data and selling it to third parties, such as in the case of the PSATs (https://www.washingtonpost.com/news/answer-sheet/wp/2017/03/30/how-the-sat-and-psat-collect-personal-data-on-students-and-what-the-college-board-does-with-it/?noredirect=on&utm_term=.72a29370fc16).

We talked about how to send private information back and forth within the family. It was decided that it depends largely on the level of security of the information, so that emailing a throwaway password for a shared Netflix account might not matter, but sending a social security password or password for an email address would be really bad. It was suggested that telling passwords over the phone or sending them over a secure messenger was much better than email. Many password managers also have family features that allow you to keep and share passwords with family members, which has the added benefit of facilitating access to family members’ passwords in the event of needing to provide them tech support. We also discussed Signal and some other secure messengers as options, but recognized that despite the user friendliness of Signal it was still sometimes a challenge to convince family members to use a new platform.

Finally, we talked about why privacy matters and strategies to engage family members in particular. A recurring strategy was to ask pointed questions to family members about what they understand about the technology they use in order to help them make decisions for themselves. One way to do this is using modes of learning they already work well with, such as getting someone to read the book Data and Goliath by Bruce Schneier – https://www.schneier.com/books/data_and_goliath/

If you’d like to receive updates from any of the other orgs involved in this event, sign-up pages are here:
LA Cryptoparty: https://cryptoparty.is/mailman/listinfo/losangeles
CRASH Space: https://groups.google.com/forum/#!forum/crashspace
README: https://readme.gseis.ucla.edu/get-involved

P.S. This article has come out since Wednesday but it’s relevant in terms of potential abuse of IoT/spying devices within the domestic setting: https://nyti.ms/2KdGgVC

Cryptosocial: Inauguration

We talked and demoed stuff for about 2.5 hours:
Byron did some phenomenal demoing of Qubes OS especially showing off how all of the VMs interact together, and we did some testing with quarantining USBs -> https://www.qubes-os.org/
Justin and Jay from Crash were nice enough to demonstrate and confirm that EXIF data, especially geolocation, is stripped from photos taken from within Signal (it doesn’t work if you take a photo with the normal camera and send it with Signal)
We had some rambling conversations about FB and GDPR (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation), what VPNs block (ISPs sniffing) and data expiration / retention standards (we need more data retention controls and explicit times up front from data controllers!) https://www.sidley.com/-/media/publications/cslp-september-2016-1516.pdf
How to cross the USA border and what you can and can’t say (thanks Lee for the link), go watch this talk! https://media.ccc.de/v/34c3-9086-protecting_your_privacy_at_the_border
Byron had a setup where we could search for our old usernames and account names and see if we had been pwned, similar to https://haveibeenpwned.com/ (turns out I have been!!! [panic])

Consorting Cryptos: Removing the Training Wheels

README and LA Cryptoparty invite you to learn how to inspire and train your fellow humans in the dark arts of privacy, security, and anonymity through the form of the cryptoparty. Rank up and gain skillz to lead discussions on why digital privacy and security matter (they do!) through teaching methods such as performance, role play, and threat modeling. We will run through past events organized by LA Cryptoparty, share strategies and resources for teaching annoyingly technical material, and collectively brainstorm how to adapt the cryptoparty format to support different communities.

Nothing is required but an alias. A laptop will help, a burner phone could reduce the chances, and a costume or mask will never be frowned upon.

Though we are talking about training trainers, all levels of 1337 hacker skillz are welcome.

README <https://readme.gseis.ucla.edu> advocates for digital rights including privacy, security, access, and intellectual freedom within libraries, archives, and information work.

LA Cryptoparty <http://crypto.la> has been bringing the party back to cryptoparty in Los Angeles since 2013.

Zines + Software @ NAH Fair

The LA Crypto Crew will be at the NAH FAIR 2017 this weekend! Come visit our table noon-8pm, for crypto propaganda, thumb drives with useful goodies, NETRUNNER? and sporadic rants, tangents + crypto-tutorials.

BONUS! We’re hosting a workshop at the fair 1-3PM. It will be an informal affair covering ENCRYPTED EMAIL, BURNER PHONES + (semi) ANONYMOUS COMPUTERS, ANONYMOUS BITCOINS, and TOR/DARK WEB.

Skill Share at CRASH Space

Monday, January 30, 2017

8-10pm

@ CRASH Space

10526 Venice Blvd
Culver City CA 90232

Join us for a community-driven skill share. All levels of privacy and security knowledge are welcome! Teach what you know and learn what you don’t! There will be no leadership at this meeting. Instead, consider this an opportunity to gather, discuss, and share information and tools.

Possible things you might want to bring: a laptop, a phone, a burner laptop, a burner phone, some USB thumb drives, a Raspberry Pi.

Possible things you might want to discuss: PGP encryption, secure communication on your phone, places to host your email or mailing lists, secure collaboration tools, setting up anonymous devices, hosting dark websites, bitcoin wallets.