not an expert

100% security is not possible

these methods are like "locks on the door", designed to deter 99% of the population
- if someone really wants to break into your house, a lock won't stop them
- but you can make it really hard and not worth their while
and it increases the per-capita cost of mass surveillance

(multiple paths and increasing cost diagram)

if you have a serious need for cryptography (i.e. activist/journalist), talk to orgs like EFF, Tactical Tech, AccessNow

security is a process
- not something you install
- it's something you do

tangent: zero-days

crypto is inconvenient. why?

one scenario:

you have a message than you want your friend to receive
an attacker is trying to intercept your message
how do you get your friend the message without the attacker seeing it?

here's how:

you and your friend each have a lock and a key for that lock
you put your message in the box, lock it, and send it to your friend
your friend puts their lock on and sends it back (so it's double-locked)
you unlock your lock and send the box back
your friend unlocks their lock and sees the message

threat modeling

who are you defending yourself against?

e.g. a hacker in a cafe is very different than the NSA

some real-world scenarios

public wifi (man-in-the-middle attacks)
stingrays

in the case of public wi-fi, encryption helps.

it helps in the stingray case but police can still collect metadata about your phone, identifying you at the protest. in some countries that's enough to get you in trouble.

in that case, leave your phone at home, or get a burner.

security is not just about computers

there are other ways of getting sensitive information

legal ways: e.g. national security letters
- you need keys for encryption. if facebook has those keys, the gov't can send a NSL and get those keys and your crypto doesn't matter
social engineering:
- "the easiest way to get info is to ask"
- "walk fast and carry a clipboard and you can get in anywhere"
- example: @deray twitter hack
carelessness: e.g. going to the bathroom and leaving your computer unlocked in a public place
trust:
- you can't cover all your bases
- you're not in control of every service you use
- "do I trust X?"
- but sometimes this isn't enough. maybe you trust apple's icloud but that got hacked anyways

HTTPS/SSL

protects against:

attacks on open/shared wifi

what to do:

install HTTPS Everywhere (Chrome & Firefox)

VPN

protects against:

attacks on open/shared wifi when HTTPS is not available
can provide browsing anonymity (depends on who the VPN provider is)

what to do:

install a VPN like TunnelBear (free) or AirVPN (recommended, what I use)

Password managers

protects against:

creating weak passwords
forgetting passwords
drastically decreases the attack surface

what to do:

use a password manager (e.g. 1password, keepass)
don't repeat passwords
avoid common patterns
generate complex passwords with a password manager
if you hear about a breach on a site you use
- change your password for that site
- change passwords on other sites that use the same password

tangent: password hacking

2-factor authentication

protects against:

if your password gets stolen, it's not enough for the attacker to get in

what to do:

set it up on any site you use that has it available (esp. gmail, twitter, etc. check https://twofactorauth.org)
use Authy instead of SMS 2FA so that you don't need a phone signal to login

Signal

protects against:

SMS messages from being intercepted

what to do:

install Signal on your phone

100% security is not possible

tangent: zero-days

crypto is inconvenient. why?

threat modeling

some real-world scenarios

security is not just about computers

HTTPS/SSL

VPN

Password managers

tangent: password hacking

2-factor authentication

Signal

other topics we probably won't have time for

stay safe!