
How to get back your privacy?


DESCRIPTION

- Why we do this talk ? - The digital identity - HOW TO : Encryption - WTF is encryption ? - What can I encrypt ? How? - HOW TO : Anonymity - Why does it matter ?


How to get back your privacy?

Naam, Genma

EPITA

01/17/14

Naam, Genma Anonymity and encryption


Overview

1 Intro
  Why we do this talk ?
  The digital identity

2 HOW TO : Encryption
  WTF is encryption ?
  What can I encrypt ? How ?

3 HOW TO : Anonymity
  Why does it matter ?
  There is always a tool that fits your need

4 Conclusion
  We're not in a XOXO world
  Cryptoparty


Sensitive data

Definition

a set of values of qualitative or quantitative variables

individual pieces of information

Some of them are (important|critical); don't play with Mallory.


The right to stay anonymous

The Convention for the Protection of Human Rights and Fundamental Freedoms states that :

Article 8 - Right to respect for private and family life

Everyone has the right to respect for his private and family life (...).

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


Current situation


You will also see

Tons of software, distributions and techniques to defeat too-inquisitive people and censorship.

What's a Cryptoparty and what you could learn from it.


About me

Where can you find me on the Internet ?

Blog (in French) : http://genma.free.fr

Twitter : http://twitter.com/genma

My Hobbies ? Many things

Crypto

Privacy


Digital identity, what is it ?

Definition

Digital identity is all the public data you can find about someone by searching the Internet.

It's the famous e-reputation.


What do you think of me ?

Google your name

Are the results shown exactly what you want ?


Saying

Words fly, writings remain

This adage is especially true with the Internet.

It must be assumed that what is said will always be accessible, even years later.

Everything on the Internet is public or will be (even if it is "private", Terms of Use may change).

It is therefore not an abuse of freedom of expression and it remains respectful of laws


Pseudonymity

Definition

A contraction of the words anonymity and pseudonym, the term pseudonymity reflects quite well the contradiction of being a public figure while remaining anonymous ...

Having a pseudonym does not mean you can say and do anything.

This is the image that I project, this is my credibility (past, present and future).

A pseudonym is also a public identity, which is associated with different accounts : my blog, my Twitter, my Facebook account.

The digital identity is all the public data associated with this identity.


Samples

Twitter

Linkedin


Pseudonymity is disappearing...

Facebook

Facebook doesn't allow the creation of an account with a pseudonym; if you really want one, there are some easy steps to follow.

The goal is to force people to express themselves using their real names,


Pseudonymity is seen as a problem

The problem is that anonymity is taken as an excuse to condemn the use of the Internet as a tool for freedom of expression.

If people are monitored, they do not say what they think, they do not criticize the politicians.

With the Internet, the citizen is gradually taking power over politicians.


Conclusion

Pseudonymity is a necessity

Manage your digital identity.

Pseudonymity is the first step to take back your privacy.


Something unclear ?

Feel free to ask questions now.


Definition - cryptage, encrypt, encryption ?

Encryption

Encryption is to encrypt a document / file using an encryption key. The reverse operation is decryption.

Cryptage

The term « cryptage » is derived from the English encryption and does not exist in French. Decryption is the fact of breaking the encryption when the private key is unknown.

Cryptography

The science is called cryptography.


Encryption, how does it work ?

Symmetric Encryption

This involves encrypting a message with the same key that will be used for the decryption process.

Sample : Caesar code, with a letter offset. A->C, B->D etc.

Nous venons en paix -> Pqwu xgpqpu gp rckz

The reverse process is applied to get the message back.

What is an encryption key ?

A key is called so because it opens / closes the padlock that is the encryption algorithm in use.

Here, the algorithm is the offset.

The key is the number of letters of offset (here two letters).


Asymmetric Encryption 1/2

Public key - Private key

Asymmetric encryption is based on the pair public key - private key.

⇒ What you need to know :

My private key is... private and my own.

My public key is shared with everyone.

The encryption algorithm

The encryption algorithm is more complex than shifting letters ; it is based on mathematical concepts (prime numbers ...)


Asymmetric Encryption 2/2

Encryption

With the public key of my correspondent, I encrypt a file.

⇒ The file can only be decrypted by the person who possesses the private key corresponding to the public key that I used (and therefore my correspondent).

Decryption

With his private key, my correspondent decrypts the file.

⇒ He can then read the message.

Concrete case

Mail encryption with PGP.


Bob sends a message to Alice


Why encryption ?


Encrypt - The arguments against

Nobody does...

FALSE. Without knowing it, you do it every day.

Sample 1 : "padlock" when connecting (https)

Sample 2 : Wifi key.

Nothing to hide...

FALSE. Who would accept the postman reading his medical post ?

Encryption, it's for the pedo-nazi...

FALSE. For journalists / bloggers dissidents who are denouncing dictatorships...


Encrypt - The arguments for

Encryption, it's not so complicated

It is not more complicated than using a "software". You just have to understand the principle.

Protection and security

My personal data are safe. Cf. PRISM, NSA...

Privacy

Only the person for whom the "message" is intended is able to read it.


Edward Snowden

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.


Encryption limit

What is encrypted today can be decrypted tomorrow

Tomorrow's computers will be able to decrypt the data encrypted today.

If the private key is lost

We no longer have access to the data.

Metadata, social graph

PGP does not protect against the analysis of metadata (transit servers, addresses, headers, subject). Do not forget to clean the metadata of files (EXIF tags in photos, office documents with tracked changes). DNS... Case of Internet tracking ...


Law and encryption

In France, the law therefore considers that the use of cryptology is free (LCEN Article 30-1) and there is therefore now no limit to the size of the encryption key that can be used.

In case of a search, the refusal to hand over the encryption key may result in 3 years imprisonment and 45000 €.

This penalty is increased if encryption was used to commit a crime.

It is therefore recommended to give the decryption key, except in the case where the decrypted data would result in a judicial proceeding in which the final sentence would be greater than the interference with the judicial investigation.


Encryption

Locally - your data

Hard disk

USB Key

Smartphone

Network - Communications

HTTPS : HTTPS Everywhere for Firefox

E-mails : GPG with Enigmail for Thunderbird

Connection : VPN, SSH, TOR...

⇒ For each "use", there is an encryption solution.


Emails - PGP, GPG ?

PGP

Pretty Good Privacy - PGP is an encryption software created by the American Phil Zimmermann in 1991.

OpenPGP

This standard describes the format of the messages, signatures or certificates that software such as GNU Privacy Guard can send. It is therefore not a software but a format for the secure exchange of data, which owes its name to the historic program Pretty Good Privacy (PGP).

GnuPG

GnuPG (GNU Privacy Guard) is the free software.


Hard disk encryption

Software integrated in operating systems

Windows 7/8 : Bitlocker (Backdoor)

MacOS : FileVault

GNU/Linux : Encfs...

Can you trust closed source software ?

Independently of the operating system

⇒ TrueCrypt. For a USB key/an external hard drive.


TrueCrypt audit


Encryption and privacy

Encryption meets the need for privacy

and allows data protection.


Encryption for connections : SSL/TLS

Session layer based, affects the application layer (FTP, HTTP, SMTP, IMAP, POP, DNS, RTMP ...)

Prefer using TLS over SSL when you have the choice.

Asymmetric encryption, forward secrecy (Diffie-Hellman).

Only use an up-to-date browser in order to have the correct fingerprint cached on your computer and avoid MITM attacks. If your browser does not have a certificate pinning system, install Certificate Patrol (assuming your first connection is safe) or HTTPS Everywhere with the SSL Observatory ON.


Diffie-Hellman key exchange

With color

two people who have never met agree on the same key

heavy use of one-way functions

Select a public color, then each party selects a private secret one.

each party mixes its private color with the public one and sends the mixture to the other.

Each party mixes the mixture of the other with its own private color and arrives at the same final private color.


Diffie-Hellman key exchange

With maths : (modular|clock) arithmetic

work on a prime modulus and a generator of that modulus.

$3^{n} \bmod 17 = X$ with $0 \le X \le 17$ is hard to reverse when len(prime modulus) increases.

so each party agrees on a prime modulus ($p$) and a generator ($g$). Then each calculates $g^{secret} \bmod p = Mix$ and sends it publicly.

each party now computes $Mix^{secret} \bmod p = Key$
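The exchange above, carried through with the slide's own numbers (g = 3, p = 17), as an added example that is not part of the original slides. The secrets 15 and 13 and all function names are constructed for illustration; a modulus this small is searched instantly, which is what `recover_secret` shows.

```python
"""Toy Diffie-Hellman exchange using the slide's numbers (g = 3, p = 17)."""
import secrets


def is_generator(g: int, p: int) -> bool:
    """True when the powers of g reach every value 1..p-1 (p must be prime).
    Exhaustive check, only usable for toy-sized p."""
    return len({pow(g, n, p) for n in range(1, p)}) == p - 1


def mix(g: int, p: int, secret: int) -> int:
    """Public value: g^secret mod p (the 'Mix' sent in the clear)."""
    return pow(g, secret, p)


def key(other_mix: int, secret: int, p: int) -> int:
    """Shared value: Mix^secret mod p, computed privately by each party."""
    return pow(other_mix, secret, p)


def exchange(g: int, p: int, alice_secret=None, bob_secret=None) -> dict:
    """Run both sides; return what crossed the wire and each side's key."""
    if not is_generator(g, p):
        raise ValueError("g does not generate the group modulo p")
    # Secrets come from the OS CSPRNG unless fixed by the caller (1..p-2).
    a = alice_secret if alice_secret is not None else secrets.randbelow(p - 2) + 1
    b = bob_secret if bob_secret is not None else secrets.randbelow(p - 2) + 1
    mix_a, mix_b = mix(g, p, a), mix(g, p, b)
    return {
        "public": {"g": g, "p": p, "alice_mix": mix_a, "bob_mix": mix_b},
        "alice_key": key(mix_b, a, p),
        "bob_key": key(mix_a, b, p),
    }


def recover_secret(g: int, p: int, observed_mix: int) -> int:
    """The eavesdropper's job: search n until g^n mod p matches the Mix.
    Instant for p = 17; the search space grows with the size of p."""
    for n in range(1, p):
        if pow(g, n, p) == observed_mix:
            return n
    raise ValueError("observed value is not a power of g")


if __name__ == "__main__":
    run = exchange(3, 17, alice_secret=15, bob_secret=13)  # constructed secrets
    print(run)
    print("eavesdropper recovers:", recover_secret(3, 17, run["public"]["alice_mix"]))
```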


Encryption for chat sessions : OTR

OTR : Off-the-Record Messaging

Diffie-Hellman key exchange

off-the-record conversation

repudiable authentication by using message authentication codes. (authentication ON | digital signature OFF)

Bob cannot prove that Alice generated the MAC. Install Pidgin (cross-platform) with the plugin (available from the OTR homepage) and start playing.


Encryption for disk

Many possibilities, but full disk encryption is advised in case you really care about privacy. For this purpose you have a plethora of choices.

Stacked filesystem encryption (eCryptfs, EncFs, disk utility ...)

Disk encryption (dm-crypt, GELI, FileVault, DiskCryptor, TrueCrypt ...)

Case study : Plain dm-crypt

full disk encryption

bootloader and key on external device

(can also be done with DiskCryptor)


Encryption for smartphone

Android

Chatsecure (Facebook chat, GTalk, Jabber) [OTR Messaging]

Textsecure (SMS)

LUKS Manager (ROOT required)

iOS

Chatsecure (Facebook chat, GTalk, Jabber) [OTR Messaging]

FDE available by default, bypass techniques available, proprietary built system... (More details : iPhone Forensic, O'Reilly)


Example : chatsecure with facebook


Example : chatsecure with facebook

Win.

Facebook cannot read your messages.

But you can't read them anymore after your current session.


Encryption for files

Mails : Use GPG

create your keys

share your public key

enter the matrix Web Of Trust (WOT)

encrypt/sign your message and send it.

receive mails too.

Files

Basically you can do the same with a 'regular file'... Make sure not to store keys near encrypted files; prefer symmetric encryption if files will not be shared.


Choosing a password : Diceware method

The diceware method allows you to construct a very strong password with the following advantages :

Very easy to remember

strong passphrase with high entropy (20 char +)

truly random ; the password is totally detached from user habits/knowledge etc.

Test your password strength in bits

Entropy calculated by : $H_{tn} = \sum_{k=1}^{n} L \cdot \frac{\log N}{\log 2}$

Do NOT test your password strength online. Take a calculator and calculate the entropy yourself.


Diceware, overall strength


Diceware, how does it work

You only need a true random source and an official mapped dictionary.

Draw 1 : 5 1 5 5 5

Draw 2 : 5 4 5 6 6

Draw 3 : 6 5 6 4 6

Draw 4 : 5 4 3 1 2

Draw 5 : 2 2 3 5 4

...

14245 bit

14246 bitch

14247 bite

...

Results

in French : phase ribose vv rebut clebs

in English : rest sober 80 skye data
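The draw-and-lookup procedure and the offline entropy calculation, as an added example that is not part of the original slides. The function names are illustrative, `EXCERPT` is a seven-entry excerpt assembled from the draws, the dictionary extract and the English result shown above (a real Diceware list has 6^5 = 7776 entries), and the operating system's CSPRNG stands in for physical dice.

```python
"""Diceware: draw five-dice keys, look them up, compute entropy offline."""
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible keys, 11111..66666

# Excerpt assembled from the slide: its five draws paired with its English
# result, plus one entry of the dictionary extract. Not a full word list.
EXCERPT = {
    "51555": "rest", "54566": "sober", "65646": "80",
    "54312": "skye", "22354": "data", "14245": "bit",
}


def roll_key() -> str:
    """One draw: five dice, each 1..6, from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def check_key(key: str) -> str:
    """Reject anything that five six-sided dice cannot produce."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid five-dice key: {key!r}")
    return key


def lookup(keys, wordlist) -> str:
    """Map each draw to its word; a missing key raises KeyError."""
    return " ".join(wordlist[check_key(k)] for k in keys)


def entropy_bits(units: int, choices: int) -> float:
    """units * log(choices) / log(2): bits for uniformly random picks."""
    return units * math.log(choices) / math.log(2)


def words_needed(target_bits: float) -> int:
    """Smallest number of Diceware words reaching target_bits."""
    return math.ceil(target_bits / entropy_bits(1, LIST_SIZE))


if __name__ == "__main__":
    draws = ["51555", "54566", "65646", "54312", "22354"]  # the slide's draws
    print(lookup(draws, EXCERPT))
    print(round(entropy_bits(len(draws), LIST_SIZE), 2), "bits")
    print("fresh draw:", roll_key())
```

The entropy figure only holds when every word comes from a uniformly random draw; choosing or re-rolling words by taste lowers it.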


Something unclear ?

Feel free to ask questions now.


Anonymity


Anonymity, why does it matter ?

In real life, anonymity is necessary for democracy (voting paper).

Online, anonymity is necessary for freedom of expression.


TOR the Onion router


Onion routing principles


TOR : The Onion Router

It's an open-source implementation of the principles we just saw, supported by The Tor Project.


TOR : The Onion Router

Pros

Hides your identity and location, prevents eavesdropping.

Hides your browsing habits and acts like a debrider on the information that you're authorized to see.

Encrypts your (incom|outgo)ing traffic between nodes.

Cons

Slower connection, forget about downloading big files, torrents (deanonymizing effect) etc...

Still vulnerable to some kinds of analysis (timing deduction or infection between applications).

Entry/exit nodes are vulnerable, no magic here. (Partial solution if you set up an exit enclaving node)

TOR is an anonymity tool, not a security one.


If you use it, do it smartly

Don't use standalone TOR or the Vidalia bundle

Prefer the use of the TBB (Tor Browser Bundle)

or even better : Tails (live Debian), in hostile environments (public places etc)

Try Tor Browser Launcher for your distribution, which keeps TBB updated. Grab it from here : https://github.com/micahflee/torbrowser-launcher


If it's free,

then you're the product


What is the tracking ?

Tracking over the Internet

Websites and advertisers use it to learn your browsing habits.

They record which websites you visit, what you like or dislike and what you buy.

Data are processed in order to display the ads that best fit your preferences.


What's the magic ?

Ads and widgets are spying on you

The Like button : allows Facebook to know what you visit, even if you don't click on it, even if you are properly disconnected from Facebook.

Same for the +1 by Google, and the Google Analytics script.

In fact every ad and many widgets do it.


Want to test ? Try LightBeam (ex Collusion) with Firefox

That add-on allows you to see in real time which websites are tracking you and the interconnections between the current website and others. Kind of weird sometimes.


Firefox

Firefox addons


Firefox scripts : Ghostery

Block all trackers.


Firefox scripts : Self destructing cookie

Automatic cookie deletion techniques. Prevents tracking and spying. Possibility to set up a whitelist if you really want to keep some cookies for some domains even if you're not currently using them.


Firefox scripts : HTTPS Everywhere

Made by the Electronic Frontier Foundation (EFF), it forces HTTPS when available on the website. If you have one, consider registering it for your visitors (see https://www.eff.org/https-everywhere/rulesets).

Also, activate the SSL Observatory : it protects against MITM attacks and more generally against corrupted certificates.


Firefox scripts : Certificate Patrol

Does approximately the same thing as the SSL Observatory. Less transparent in everyday use.


Search engines

Problems with search engines


Search engines

Duckduckgo (ddg.gg) : interface customizable for your needs.

Ixquick/startpage (ixquick.com/startpage.com) : more than one search engine behind it, automatic proxy if you want one.

binsearch (binsearch.info) : search for binaries (newsgroups etc) that Google is hiding from you.


Metadatas are evil

Metadatas are evil


Metadatas are evil


Metadatas are evil


Metadatas are evil

Definition (http://dictionary.reference.com/browse/meta-data)

Data about data.

Information that is held as a description of stored data.

Examples

EXIF tags on photography (Date, cameras info, GPScoordinates...)

data stored on documents like .doc(x)

...
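Where the EXIF tags mentioned above live inside a JPEG, and how dropping their segments removes them, as an added example that is not part of the original slides and is not MAT's code. `SAMPLE` is a constructed, structurally valid byte string rather than a viewable photo, and the choice of segments to strip (APP1, APP13, COM) is this example's assumption.

```python
"""Remove Exif/XMP, IPTC and comment segments from a JPEG byte string."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry descriptive metadata rather than image data.
STRIP = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}
# Markers that stand alone, with no length field after them.
STANDALONE = {0x01, EOI} | set(range(0xD0, 0xD8))


def segment(marker: int, payload: bytes) -> bytes:
    """Build one segment: FF, marker, 2-byte big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, names_of_removed_segments)."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos < len(data):
        if data[pos] != 0xFF or pos + 1 >= len(data):
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == SOS:  # compressed scan data follows: copy the rest as is
            out += data[pos:]
            break
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("segment length runs past the end of the file")
        if marker in STRIP:
            removed.append(STRIP[marker])  # dropped, including any Exif thumbnail
        else:
            out += data[pos:end]  # JFIF header, tables, frame header...
        pos = end
    return bytes(out), removed


# Constructed sample: SOI, JFIF header, Exif block, comment, table, scan, EOI.
SAMPLE = (
    bytes([0xFF, SOI])
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00" + b"constructed GPS 48.8N 2.3E")
    + segment(0xFE, b"edited by alice")
    + segment(0xDB, bytes(65))
    + segment(SOS, bytes(10)) + b"\x12\x34" + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE)
    print(removed, len(SAMPLE), "->", len(cleaned), "bytes")
```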


Metadatas are evil


Solution ? YES, partially

There is a good tool to erase metadata from a large spectrum of filetypes. It's called MAT (mat.boum.org).

Available in Tails, as a standalone package (Debian), and from its Git repos.

It has a GUI, no worry (it can also be used on the command line, don't worry either).

Files supported :

Images : .png, JPEG (.jpg, .jpeg, . . . )

Documents : .odt, .odx, .ods, . . . , .docx, .pptx, .xlsx, . . . , .pdf

Tape ARchives (.tar, .tar.bz2, . . . )

Media : .mp3, .mp2, .mp1, . . . , .ogg, . . . , .flac

Torrent (.torrent)


Something unclear ?

Feel free to ask questions now.


Conclusion

Conclusion


Crypto-anarchy

Everyone does encryption and what is really important is encrypted and embedded in it.

It creates noise which prevents mass surveillance (PRISM ...)

Careful ! At the current time, encryption is not widespread, anyone who encrypts their e-mails can be considered as suspicious.


Relativity of anonymity today

Analysis on language elements

We can identify someone by studying the typography, style, vocabulary, culture, ideas ...

the frequency of words used, the turn of phrase, the kind ...

These techniques are used to determine who hides behind... Anonymous

Beware of logs

Connection schedules and the estimated time zone also provide information ...


Relativity theory

Snowden's leaks are recent, the documents leaked are pretty old.

We have very strong tools but we do not know what they have.

State of the art techniques to defeat those technologies (processor noise etc...).


Want to help ?

With money : You can make donations to those open-source projects.

With action : Use their services, give feedback, there is always something to do.

By spreading the word : teach others how to use them.


Cryptoparty

Interested parties with computers, devices, and the desire to learn to use the most basic crypto programs and privacy tools and the fundamental concepts of their operation ! CryptoParties are free to attend, public, and are commercially and politically non-aligned.

What you'll do

Use crypto tools, ask questions, teach others what you already know.

What you'll not do

Maths, learn deep crypto-concepts, ... Unless you want to.


Something unclear?

Feel free to ask questions now.

Page 78: How to get back your privacy?

See you at the Cryptoparty

Page 79: How to get back your privacy?

Annexes

Page 80: How to get back your privacy?

A really secure exchange of emails

The problem with encrypted email? We still know who talks to whom.

Solution

Exchange mail between two known / trusted servers that talk to each other over HTTPS (SSL / TLS).

Encrypt messages with PGP

Page 81: How to get back your privacy?

Steganography - Steghide

Can you see a difference between these two pictures?

[picture 1] vs [picture 2]

The second image contains the text "This is my hidden text." This is what is called steganography. Software: steghide

Page 82: How to get back your privacy?

Bitmessage

Bitmessage: a decentralized, fully encrypted protocol for sending / receiving messages, based on a mechanism similar to Bitcoin.

Page 83: How to get back your privacy?

Bitmessage

Characteristics and comparison with an email + PGP solution

Peer-to-peer sending: no need to create a server, register a domain name, or enroll in a service. You can create as many addresses as you want.

No need to trust a third party (a CA, for example).

Censorship-resistant. No one, including a government, can delete your address or messages.

It is not possible to impersonate a sender (spoofing).

Page 84: How to get back your privacy?

Bitmessage

Bitmessage has a broadcast feature.

The identity of the sender and receiver of messages is easier to hide than with an email + PGP solution.

Unlike PGP, the subject is encrypted by default.

Should be easier to use: no need to keep the public keys of your correspondents.

Opportunity to develop additional functionality based on the protocol.

Page 85: How to get back your privacy?

ZeroBin

ZeroBin is a minimalist, open-source online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256-bit AES. You can test it online or install it on your own server.

Page 86: How to get back your privacy?

ZeroBin

Page 87: How to get back your privacy?

ZeroBin

When pasting a text into ZeroBin:

You paste your text in the browser and click the Send button.

A random 256-bit key is generated in the browser.

Data is compressed and encrypted with AES using specialized JavaScript libraries.

Encrypted data is sent to the server and stored.

The browser displays the final URL with the key.

The key is never transmitted to the server, which therefore cannot decrypt the data.

Page 88: How to get back your privacy?

ZeroBin

Page 89: How to get back your privacy?

ZeroBin

When opening a ZeroBin URL :

The browser requests encrypted data from the server

The decryption key is in the anchor part of the URL, which is never sent to the server.

Data is decrypted in the browser using the key and displayed.
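The paste and open flows from the two ZeroBin slides, as an added example that is not part of the original slides and not ZeroBin's own code. It runs under Node.js, with Node's built-in crypto and zlib modules standing in for the browser libraries; the AES-GCM mode, the base64url key encoding, the paste.example URL shape and the in-memory server are assumptions made for illustration.

```javascript
// Added illustration, not ZeroBin's code. AES-256-GCM, base64url and paste.example are assumptions.
const nodeCrypto = require('node:crypto');
const zlib = require('node:zlib');

// Stand-in server: stores opaque blobs and records everything it receives.
const server = { store: new Map(), received: [] };
function serverPost(blob) {
  const id = nodeCrypto.randomBytes(8).toString('hex');
  server.store.set(id, blob);
  server.received.push(blob);
  return id;
}
function serverGet(requestTarget) {
  server.received.push(requestTarget);
  return server.store.get(new URL(requestTarget, 'https://paste.example').searchParams.get('id'));
}

// Paste: random 256-bit key, compress, encrypt, upload, build the final URL.
function pasteText(text) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const packed = zlib.deflateRawSync(Buffer.from(text, 'utf8'));
  const ct = Buffer.concat([cipher.update(packed), cipher.final()]);
  const blob = JSON.stringify({ iv: iv.toString('base64'), ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64') });
  // The key goes after '#': the fragment is never part of an HTTP request.
  return `https://paste.example/?id=${serverPost(blob)}#${key.toString('base64url')}`;
}

// Open: fetch by path + query only, then decrypt locally with the fragment key.
function openUrl(finalUrl) {
  const url = new URL(finalUrl);
  const blob = JSON.parse(serverGet(url.pathname + url.search));
  const key = Buffer.from(url.hash.slice(1), 'base64url');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  // final() throws if the key is wrong or the stored blob was modified.
  const packed = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return zlib.inflateRawSync(packed).toString('utf8');
}

// True if the key from finalUrl appears in anything the server was sent.
function serverSawKey(finalUrl) {
  const keyText = new URL(finalUrl).hash.slice(1);
  return server.received.some((item) => item.includes(keyText));
}
```

Anyone who obtains the full URL, fragment included, can decrypt the paste, so the link itself has to be shared over a channel you trust.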
