Cryptoparties, danger, and why you (the hacker) should help.

Recently, cryptoparties have “gone viral” the world over. In short, they are gatherings where people with knowledge of crypto take the opportunity to spread that knowledge to others who have a need and/or interest, such as journalists, activists etc.

However, I hear from one of the originators, Asher Wolf, that the wiki has been changed by “experts”, who claim that “crypto is dangerous” in various ways. I will attempt to address these concerns quickly:

  • Crypto, done wrong, leads to a false sense of security

This is definitely a concern, which is why these cryptoparties are good. They should teach not only what crypto can hide, but also what it cannot, and what you gain and lose from various kinds of crypto. Further, crypto done wrong is usually either strictly better than the alternative (plain text) or quickly discovered (through attackers or bungled demonstrations due to broken crypto).

  • Teaching, and learning crypto is a political statement

This is a very dangerous mindset. In some sense, yes, crypto is political, because it posits that there are things that ought to remain private (such as communication between two individuals), but much more important is the blatant rise of authoritarianism that very few people openly welcome. Crypto, like the ideas of a free press and independent judiciary, is something that few people can find fault with existing, as long as it’s ‘their’ side that is the persecuted one that benefits from it.

In other words, while crypto might be political, it is always political in favour of the current underdog. And unless you are sitting pretty atop a billion in gold bullion and a private army, chances are you or your descendants are going to be there at some point.

  • Even showing up for a cryptoparty will put you on a government watchlist of some sort

This is probably the easiest argument to refute in theory, but the hardest in practice, as this is a simple matter of fear. Fear that your government will react badly to an independent person, making his own decisions and living her own life away from the prying eyes of the “state”. However, if your government has reached the point where even the simple act of learning about crypto would put you on a watchlist, then two things have happened: (1) Your government is acting against the best interests of the people, and (2) far too few people are using and learning about crypto. Solution: more cryptoparties! Tell your friends! Spread the knowledge and use of crypto at work, at school, everywhere you can reach! Supersaturate the surveillance net with crypto users, so that they actually have to use intelligent ways to find criminals instead.

  • Everything is already compromised, so any crypto use will only give a false sense of security.

There are a large number of mathematical proofs about trapdoor functions, information theory and general cryptographic findings that refute this directly and indirectly. Yes, keeping the government entirely in the dark is going to be hard. It might even be impossible, if you are planning things like large demonstrations or have been infiltrated somehow. Still, that is not a reason to deny the use of personal crypto, to prevent eavesdropping of your own conversations (through the use of OTR) or the use of GPG to keep things authenticated, or the use of Tor as an anonymising proxy for that matter.

Why you (the hacker) should help

So, you have received a request from some local journalist, activist or what-have-you to come to a cryptoparty and talk about crypto for a bit. Why should you care? Why bother interacting with noobs who use Windows and think they are going to be secure using that? Why indeed?

Because you can, and because, most likely, there are few others. As hackers, technologists, engineers and tinkerers, we have been blessed (or cursed) with brains that have already ingested quite a volume of technical know-how. More than likely, you know at least a little about how cryptography works and what is and is not implied by various security measures. Perhaps you have sniffed plaintext passwords off open wireless networks. Perhaps you have implemented a simple hashing of user passwords. Regardless, you are in a significantly better position to learn more about crypto than almost anyone, and you are definitely a good person to have on hand at a cryptoparty.

Finally, though you are most likely in a rather affluent position, or at least unlikely to go jobless for an extended period of time, and though your political beliefs might align with the current government enough that your position is probably safe from political shufflings, consider that (a) other people may not be so lucky, and (b) you may gain an enemy (or friend) in the future who would require you to use encrypted communications. If use of encryption is endemic, then such a thing would be natural, easy and uncontroversial, for both you and those you would communicate with.

In sum (or TL;DR if you prefer that notation):

Use crypto, teach crypto and spread crypto. It will be a good thing for you, for your friends, and for society.

4 thoughts on “Cryptoparties, danger, and why you (the hacker) should help.”

  1. This should be a standard letter for all those interested in Crypto and the increasingly vulgar and obtrusive eye of the nation states. All the plebiscite can do now is educate one another, nothing more.

    Very good read.

  2. I have modified the wiki and added the paragraph of which you speak – titled “Crypto is dangerous”.

    I stand behind the statement “Crypto, done wrong, leads to a false sense of security”. Cryptography is EASY to do wrong. Indeed, that is why the crypto parties have been established.

    I disagree with your statement “Further, crypto done wrong is usually either strictly better than the alternative (plain text) or quickly discovered”. It is discovered, yes, by the experts working for the adversary. It is this very false sense of security I was warning about.

    As for the other statements – “Teaching, and learning crypto is a political statement”, “Even showing up for a cryptoparty will put you on a government watchlist of some sort” and “Even showing up for a cryptoparty will put you on a government watchlist of some sort” – I did not put these in and they are not part of the wiki right now, as I write this comment. In fact, I have gone through the page history and I cannot find any mention of these statements you’ve made. Could you please mention their precise source and wiki revision?

    – Arik

  3. I did not mean to quote specific statements from the wiki changes, to be honest, merely to respond to frequently voiced opinions on why associating with various cryptological tools and groups would not be in a person’s interest.

    As for your response: I think you overestimate the resources of the adversary. Crypto experts are hard to come by, and their time is valuable. If your goal is to stay somewhat safe from casual mass surveillance, then any sort of crypto is significantly better than going plaintext. If, however, you have reason to suspect that you are already the target of surveillance of some sort, then of course the picture changes dramatically, and you should definitely not believe that sitting behind the proverbial seven proxies will protect you.

  4. Dear Petter,

    As a person who works for a security company and has been involved in the security industry and community for over 15 years, I “pull rank” here. You don’t need to be an expert to defeat “bad security practices / crypto”. Also, hiding from mass surveillance by using “bad security practices / crypto” has all the disadvantages of using crypto (it is more cumbersome) and all the disadvantages of not being really secure.

    Another aspect of it: Let’s say that today all you want to do is avoid mass surveillance – and use bad security practices. No one will bother defeating your security practices because there is no motivation. Then after a year, something happens. Perhaps you acquired a competitor, perhaps you got into a messy legal case, perhaps you are trying to run for public office and tabloids are trying to uncover the skeletons in your closet. All of a sudden people do care, and since the information has already been generated and retained – they WILL put in the effort and they WILL break your crypto.

    – Arik
