Diffstat (limited to 'leap33c3/index.html')
-rw-r--r-- | leap33c3/index.html | 534 |
1 files changed, 534 insertions, 0 deletions
diff --git a/leap33c3/index.html b/leap33c3/index.html new file mode 100644 index 0000000..10ce86e --- /dev/null +++ b/leap33c3/index.html 
@@ -0,0 +1,534 @@ +<!doctype html> +<html lang="en"> + +<head> + <meta charset="utf-8"> + + <title> + Introduction to LEAP & Pixelated + </title> + + <meta name="description" content="" + <meta name="author" content="kali kaneko"> + + <meta name="apple-mobile-web-app-capable" content="yes"> + <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"> + + <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> + + <link rel="stylesheet" href="css/reveal.css"> + <link rel="stylesheet" href="css/theme/sky2.css" id="theme"> + + <!-- Theme used for syntax highlighting of code --> + <link rel="stylesheet" href="lib/css/zenburn.css"> + + <!-- Printing and PDF exports --> + <script> + var link = document.createElement( 'link' ); + link.rel = 'stylesheet'; + link.type = 'text/css'; + link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css'; + document.getElementsByTagName( 'head' )[0].appendChild( link ); + </script> + + <!--[if lt IE 9]> + <script src="lib/js/html5shiv.js"></script> + <![endif]--> +</head> + +<body> +<div class="reveal"> + +<div class="slides"> +<section> + <section data-markdown> + # Introduction to LEAP & Pixelated + ### meskio && zara && varac && kali @Hamburg + ### 33c3 - Dec 2016 + </section> + + <section data-markdown> + ### Pixelated hands-on: 28th 1100 HALL C4 + ### Platform hands-on: 28th 1700 HALL C2 + </section> + + <section> + <img src="images/intersection.png"> + </section> + + <section> + <img src="images/jump.png"> + </section> + + <section data-markdown> + ## here to provide + easy-to-use software for end-to-end encrypted communication between individual users + </section> + + <section> + <video autoplay="false" width="800" controls="controls" loop src="video/fbi.mp4"></video> + </section> + + <section> + <img src="images/lavabit.png"> + </section> + + <section> + <img src="images/bitmask2.png"> + <br/> + <img 
src="images/bitmask-logo.svg" width=30% height=30%> + </section> + + <section data-markdown> + ## decentralization & privacy + will NOT be magically achieved! + * must be built from below and regained + * federation is at stake (even if it means less traction or control!) + * services have costs + * "demand" is a two-way game + </section> + + <section> + <img src="images/crimson.jpg" alt="the crimson permanent insurance"> + </section> + + <section> + <img src="images/monster.jpg" alt="a monster with many eyes - complexity creeps in any project"> + </section> + +</section> + +<section> + <section> + <video autoplay="false" width="800" controls="controls" loop src="video/gpgforjournalists.mp4"></video> + </section> + + <section> + <img src="images/pizarra.jpg"> + </section> + + <section> + <video autoplay="false" width="800" controls="controls" loop src="video/my-first-email.avi"></video> + </section> + + + <section data-markdown> + ## why [greenwald] can't encrypt? (since 2005!) + * encryption difficult to use + * encryption difficult to provide + * security and privacy not possible without usability + * security and privacy not possible without usability + * security and privacy not possible without usability + * was that point already clear? + * do not overwhelm or scare the user + * provide sensible defaults + * convenience trade-offs: fail close! + </section> + + <section> + <img src="images/pgp.png"> + </section> + + <section> + <img src="images/serrapelada.jpg"> + </section> + + <section data-markdown> + ## "WE WANT CRYPTO + ## BUT ROSES TOO" + </section> + + <section data-markdown> + ## break down the problem + 1. server-side infrastructure + 2. usable client software + 3. protocols for sync + </section> + + <section> + <img src="images/holygrail.jpg"> + </section> + + <section data-markdown> + ## what $user sees + * VPN client + * Application proxies + * Key management + </section> + + <section data-markdown> + ## native apps, really? + * user can do... 
+ * ...if incentives aligned + * first tunnel, then mail thru secure channel. + * opportunistic mail encryption + * eip: encrypted internet proxy (VPN) + * cross-device synchronization + * VPN helps to fight commoditization! (provider can monetize) + </section> +</section> + +<section> + <section> + <img src="images/cryptorally.png"> + </section> + + <section data-markdown> + # interoperability is a must + ### many projects converging for massive adoption of crypto + ## Keep tuned for AUTOCRYPT: Enigmail, K9, Mailpile, Pixelated, Bitmask + </section> +</section> +<section> + + <section data-markdown> + ## LEAP platform + ### A toolkit to make it easy for you to run a federated service provider. + </section> + + <section data-markdown> + * Configuration Management using puppet + * Installs and configures the servers + * leap_cli is the tool to deploy to the servers + * Provider confiduration is stored on admin laptop + </section> + + <section> + <h2>LEAP Platform Example: Setup single node email provider</h2> + +<pre><code class="hljs" data-trim contenteditable> +sudo gem install leap_cli +leap new example --domain example.org +cd example +leap add-user --self +leap cert ca +leap cert csr +leap node add raspberry \ + services:couchdb,webapp,soledad,mx ip_address:1.1.1.3 +leap init node +leap deploy +</code></pre> + </section> + + <section data-markdown> + ## LEAP Platform: Install and configure the server/s + * Email: Postfix, spamassassin, clamav + * Database: couchdb, stunnel + * Webserver: apache + * Encrypting remailer: leap-mx + * Synchronisation: soledad + * Account management, issue tracking: leap-webapp + * Firewall: shorewall + * Monitoring: nagios, check_mk + </section> + + + <section data-markdown> + ## Server-side techstack + + * PLatform: Puppet + * leap_cli: ruby + * leap_web: Ruby on Rails + * leap_mx, soledad: Python Twisted + </section> + + <section data-markdown> + ## Other LEAP components + * SOLEDAD + * Bonafide (registration, auth, pass 
change...) + * Current Services: VPN, Encrypted Email + </section> + + + <section data-markdown> + ## LEAP Webapp + + * API for user authentication + * Help Tickets + * User Management + * Payment processing + * Customisable + </section> + + <section> + <img src="https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/leap-webapp1.png"> + </section> + + + <section> + <img src="https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/leap-webapp2.png"> + </section> + + <section> + <img src="https://rawgit.com/leapcode/leap_presentations/master/rgsoc2016_leap_overview/images/leap-webapp-tickets.png"> + </section> + </section> + + <section> + + <section data-markdown> + ## the client: Bitmask + * basically an encryption proxy + * protocol specific for mail + * linux (deb, bundles), [windows, osx] + * android client + </section> + + <section> + <img src="images/bitmask1.png"> + </section> + + <section data-markdown> + ## show me the code! + <a href="https://github.com/leapcode/">https://github.com/leapcode/</a> + * ~30 repos + * GPL code + </section> + +</section> + + +<section> + <section data-markdown> + ## threat model + * Active or passive adversary + * Avoid the recovering of Communications Plaintext + * Avoid the recovering of the Social Graph (*) + </section> + + + <section data-markdown> + ## trust model + * do *not* trust the provider too much + * passwords never reach the server in cleartext (srp + encrypted keys) + * TOFU for key and certificate discovery + * encrypted data + * minimize metadata! + </section> + + <section data-markdown> + ### backwards compatible + * vpn + * OpenPGP + * imap, smtp (clientside proxies) + </section> + + <section data-markdown> + ## VPN + + * prevent eavesdropping. + * circunvent internet censorship. + * firewall: prevent leaks (DNS, IPv6, ...). 
+ * static portable builds, mbed SSL + * targeting home routers too (openwrt port) + * autoconf, reconnect, fail close + * obsproxy integration + </section> +</section> + +<section> + <section data-markdown> + ## SOLEDAD + * Synchronization of Locally Encrypted Data Among Devices + * auth: srp + * kdf: scrypt + * AES-256-GCM + * built on top of canonical's u1db + * vector clocks + * clientside: sqlcipher backend + * serverside: couchdb cluster (+ distribuded fs?!) + </section> + + <section data-markdown> + ## Problem: Attachments + * Syncing blobs in a convoluted store + * Pluggable BlobsIO backend for server (in dev) + * FS as MVP, others welcome! + * Follow the "git-annex" model + </section> + +</section> + + + +<section> + <section> + <img src="images/schema.jpg"> + </section> + + <section> + <img src="images/soledad.jpg"> + </section> + + <section> + <img src="images/mx.jpg"> + </section> + + <section> + <img src="images/architecture.png"> + </section> +</section> + +<section> + <section data-markdown> + ## TRANSITIONAL KEY VALIDATION + generic rules for automatic key management, transition from TOFU to more advanced ruleset. + * bind key <-> email address + * key directory + * endorser (provider) + * binding info: evidence for "educated guess" + * verified key transition (automatic) + </section> + + <section data-markdown> + ## keymanager current rules + # TOFU (yes, but*) + ### with a bunch of exceptions + </section> + + <section data-markdown> + ## 1. First Contact + + When one or more keys are first discovered for a particular email address, the key with the highest validation level is registered. + </section> + + <section> + <h2>2. Regular Refresh</h2> + + <p>All keys are regularly refreshed to check for modified expirations, or new subkeys, or new keys signed by old keys.</p> + <p><small>This refresh SHOULD happen via some anonymizing mechanism.</small></p> + </section> + + <section> + <h2>3. 
Key Replacement</h2> + + <p>A registered key MUST be replaced by a new key in one of the following situations, and ONLY these situations:</p> + <ul> + <li class="fragment">Verified key transitions.</li> + <li class="fragment">If the user manually verifies the fingerprint of the new key.</li> + <li class="fragment">If the registered key is expired or revoked and the new key is of equal or higher validation level.</li> + <li class="fragment">If the registered key has never been successfully used and the new key has a higher validation level.</li> + <li class="fragment">If the registered key has no expiration date.</li> + </ul> + + <aside class="notes"> + verified key transtion == signed by the previously + </aside> + </section> +</section> + +<section> + <section data-markdown> + # Validation levels + + low == less trust on the source + </section> + + <section data-markdown> + ## 1. Weak Chain + <sub>ej: sks key servers, email attached key, OpenPGP header, ...</sub> + </section> + + <section data-markdown> + ## 2. Provider Trust + <sub>ej: webfinger, provider mailvelope</sub> + + Note: + * Certified by the provider + * Not auditable + </section> + + <section data-markdown> + ## 3. Provider Endorsement + <sub>ej: NickNym</sub> + + Note: + * auditable + </section> + + <section data-markdown> + ## 4. Historical Auditing + <sub>ej: CONIKS, google's transparent keyserver</sub> + </section> + + <section data-markdown> + ## 5. Known Key + <sub>client pinned keys</sub> + </section> + + <section data-markdown> + ## 6. Fingerprint + <sub>manual verification</sub> + </section> +</section> + +<section> + <section data-markdown> + ## users wants a webmail? + </section> + + <section data-markdown> + ## give them a webmail + ## (kudos to pixelated!) 
+ </section> + + <section> + <img src="images/pixelated-user-agent.png"> + </section> + + <section> + <img src="images/pix.png"> + </section> +</section> + +<section> + <section data-markdown> + ## developments ahead + * Torbirdy integration + * NEXTLEAP/PANORAMIX + * AUTOCRYPT! (in-band opportunistic key encryption) + * MEMORYHOLE (protecting most mail headers while in transit) + * mix networks + </section> +</section> + +<section> + <section> + <h2>thanks! questions?</h1> + <img src="images/contact-QR.png" alt="QR with info contact for kali & leap"> + <h3>BE23 FB4A 0E9D B36E CB9A B8BE 2363 8BF7 2C59 3BC1</h2> + </section> +</section> + +</div> + <script src="lib/js/head.min.js"></script> + <script src="js/reveal.js"></script> + + <script> + + // More info https://github.com/hakimel/reveal.js#configuration + Reveal.initialize({ + /*parallaxBackgroundImage: 'images/rainforest.jpg', */ + /*parallaxBackgroundSize: '2400px 1758px',*/ + controls: true, + progress: true, + history: true, + center: true, + + transition: 'slide', // none/fade/slide/convex/concave/zoom + + // More info https://github.com/hakimel/reveal.js#dependencies + dependencies: [ + { src: 'lib/js/classList.js', condition: function() { return !document.body.classList; } }, + { src: 'plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } }, + { src: 'plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } }, + { src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }, + { src: 'plugin/zoom-js/zoom.js', async: true }, + { src: 'plugin/notes/notes.js', async: true } + ] + }); + + </script> + + </body> +</html> |
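Review bot: the `<meta name="description" content=""` tag in `<head>` is missing its closing `>`, so the parser treats the following `<meta name="author" content="kali kaneko">` line as stray attributes of the unterminated description tag and the author metadata is silently dropped; close it as `<meta name="description" content="">`. In the same head, the printing/PDF script is fine, but the closing slide mismatches heading levels (`<h2>thanks! questions?</h1>` and `<h3>BE23 FB4A 0E9D B36E CB9A B8BE 2363 8BF7 2C59 3BC1</h2>`); browsers recover, but these should be `</h2>` and `</h3>` respectively. The three `<video autoplay="false" ...>` elements will still autoplay: `autoplay` is a boolean attribute whose presence alone enables it, so the attribute should be removed rather than set to "false". In the `leap_cli` walkthrough, `leap node add raspberry ... ip_address:1.1.1.3` uses a routable public address; an RFC 5737 documentation address such as 192.0.2.3 avoids anyone copying the snippet into a real provider config and pointing it at a third-party host. Minor: `contenteditable` on the `<pre><code class="hljs" ...>` block is unnecessary and lets the audience edit the slide text, and "Provider confiduration" and "circunvent internet censorship" are typos for "configuration" and "circumvent".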