Reykjavík Cryptoparty 2014

Reykjavík successfully held it’s third cryptoparty last night, as part of the Tor developer conference happening here all week. Tor developers joined people from the local pirate party, universities and hackerspace to discuss and teach crypto technologies with anyone interested.

One of the easily-removable vinyl Tor camera-covering stickers in action on my laptop.

I didn’t get an exact count but estimate that around 50 people attended in total, filling the bottom floor of multi-kulti.org to the brim with a fairly healthy balance of ages, genders and skill levels.

Ásta and Jason kicked off the evening with a quick welcome, then we split off into groups to teach various different sorts of crypto. Newcomers learnt how to use cryptocat for basic encrypted communications in your browser.

I covered secure text/audio/voice calling, explaining how OTR’s encryption and secure key exchange allows you to use untrusted services like Google Talk safely. We installed jitsi.org on a bunch of computers, got secure text chatting working and explained the various methods of key verification — how to ensure that a) the person you’re talking to is really who they say they are, and b) that your messages aren’t being modified or snooped on. Several people also tried out the Android nightly version of Jitsi with varying success, noting that without a UI exposing the key fingerprint it’s impossible to verify keys correctly.

Brennan of mailpile.is covered encrypted email using GPG/PGP, explaining how public and private keys work as well as the different key strengths available, and helping people get set up with tools like GPGTools, Enigmail and Mailvelope.

There was much key-signing and ID checking going on throughout the entire evening, mainly for GPG keys but also trading assurances for CAcert.org participants. Described as a “government-issued ID roleplaying game”, CAcert is a “community driven certificate authority” where potential issuers meet in-person and verify that they are indeed who they say they are. The more people who assure you, the more trustworthy your certificates and assurances are. I filled out an application form but didn’t have my passport with me, so didn’t get assured by anyone.

Jason demoed Tails, a secure browsing environment on a USB stick containing Tor and some other utilities for secure communications. I didn’t get to sit in on the Tor demo and discussion but had an interesting conversation with Tor developer Ximin Luo, who amongst other things is working on a Tor technology called pluggable transports, a way to circumvent Tor-blocking in censorship-heavy countries like China by disguising Tor traffic as unencrypted traffic.

Ximin also touched on the state of secure group chat — whilst two-person OTR-encrypted text chat is fairly well established and understood, group chat is an exponentially more complex topic, the security properties of which have yet to be formally defined. For example, it’s intuitive enough that all parties involved should be assured that everyone is seeing the same messages, from the same people, but what happens when someone joins chat? Should they be able to see all previous messages? What if someone drops out then rejoins — should they be able to see the messages exchanged in the interim?

Decisions made at this stage in the process have significant UI implications further down the road, and I am left wondering to what degree interface and interaction designers are involved in the decision making.

Overall the cryptoparty was a resounding success, leaving a small fraction of the population of Reykjavík more aware and empowered to use crypto to secure their communications. I look forward to the next one!