From da9fe108b07ff07d6e11fff3820386877fd2fee0 Mon Sep 17 00:00:00 2001 From: Varac Date: Fri, 29 Dec 2017 11:55:05 +0100 Subject: Add generated slides --- platform-workshop/slides/slides.html | 892 +++++++++++++++++++++++++++++++++++ 1 file changed, 892 insertions(+) create mode 100644 platform-workshop/slides/slides.html (limited to 'platform-workshop/slides/slides.html') diff --git a/platform-workshop/slides/slides.html b/platform-workshop/slides/slides.html new file mode 100644 index 0000000..38fe82d --- /dev/null +++ b/platform-workshop/slides/slides.html @@ -0,0 +1,892 @@ +
+
+ +

+ +

LEAP Encryption Access Project

+

Provider installation workshop

+ + + +
+
+ +

+ +

LEAP Provider installation workshop

+ +

If you want to use Vagrant during this session
+please start right away with downloading the
+“LEAP/jessie” vagrantbox:

+ +
vagrant box add LEAP/jessie
+
+ +
+
+
+ +

+ +

LEAP Encryption Access Project

+ +

@ Anarchist Assembly, Hall 2, Komona Cluster
+IRC: #leap @ irc.freenode.net

+ +
+
+ +

What to expect

+ + + + + +
+
+
+ +

+ +

Introduction to LEAP

+ +
+
+ +

Goals

+ +
    +
  • “Provider in a box”
    • +
  • Make encryption as easy to use as possible
    • +
  • Strict client encryption
    • +
+ +
+
+ +

Increase User experience

+ +

+ +
+
+ +

Protect the provider

+ + + +

https://mayfirst.org/en/2012/fbi-returns-server/

+ +
+
+ +

What we have

+ +
    +
  • Bitmask client: A client that works smoothly with any LEAP provider.
    • +
  • LEAP Platform: A toolkit to make it easy for you to run a federated service provider.
    • +
  • New protocols: So that users don’t need to trust the provider.
    • +
+ +
+
+ +

Current Services: VPN

+ +
    +
  • Route all your internet traffic through an encrypted channel.
    • +
  • Prevent eavesdropping (thiefs in the public network, police, …).
    • +
  • Circunvent censorship, surveillancec and geoblocking
    • +
  • Prevent leaks (DNS, IPv6, …).
    • +
+ +
+
+ +

Current Services: email

+ +
    +
  • Transparent end-to-end encryption using OpenPGP.
    • +
  • Automatic key discovery and validation.
    • +
  • Service provider has no access to user data.
    • +
  • Strong protection for metadata, whenever possible.
    • +
  • Cloud synchronized for high availability on multiple devices.
    • +
+ +
+
+ +

Bitmask client

+ +

+ +
    +
  • Currently available for Android (VPN) and Linux (VPN + Email)
    • +
  • Windows and MacOS coming soon (with your help even faster!)
    • +
  • Formerly Python 2, Twisted and QT
    • +
  • Rewritten with Python 2, Twisted and Javascript (React)
    • +
+ +
+
+ +
+
+ +

Bitmask client

+

VPN

+ +

+ +
+
+ +

Bitmask client

+

VPN

+ +

+ +
+
+ +

Bitmask client

+

VPN

+ +

+ +
+
+ +

Bitmask client

+

VPN

+ +
--- ~ » curl -s ipinfo.io
+{
+  "ip": "198.252.153.83",
+  "hostname": "No Hostname",
+  "city": "Seattle",
+  "region": "Washington",
+  "country": "US",
+  "loc": "47.6062,-122.3321",
+  "org": "AS16652 Riseup Networks",
+  "postal": "98194"
+}
+
+ +
+
+ +

Bitmask for Android

+

VPN

+ +

+ +
+
+ +
+
+ +

Bitmask client

+

Encrypted Mail

+ +

+ +
+
+ +

Bitmask Mail

+ +

+ + + +
+
+ +

Bitmask Mail

+ +

+ +
+
+ +

Bitmask Mail

+

Composing

+ +

+ +
+
+ +
+
+ +

Key management

+ +
    +
  • Automated keylookup and validation.
    • +
+ +
+
+ +

Keys, Keys, Keys

+ +
--- » gpg --search-keys snowden
+gpg: data source: https://ntzwrk.org:443
+(1)	Snowden
+	  4096 bit RSA key 0xE941A4612E67D76A, created: 2017-03-24
+(2)	This Is Snowden
+	  4096 bit RSA key 0xBB44DF1AFC479844, created: 2017-03-20
+(3)	Edward Snowden <trump2020buildawall@gmail.com>
+	  4096 bit RSA key 0xA15DD46C59051BDB, created: 2017-03-12, expires: 2022-03-11
+(4)	Edward Snowden <trump2020buildawall@gmail.com>
+	  4096 bit RSA key 0xE64ECB1548116AEB, created: 2017-03-10, expires: 2022-03-09
+(5)	Snowden <sfogert@gmail.com>
+	  3072 bit RSA key 0xE643E968226937A1, created: 2017-03-10
+(6)	Edward Snowden <joshing@protonmail.com>
+	  4096 bit RSA key 0x2C3C1EFA83946932, created: 2017-01-20, expires: 2021-01-20
+(7)	Edward Snowden (Very secret) <ed_snowden2016@outlook.com>
+	  2048 bit RSA key 0xDC245D84A0F97A17, created: 2016-12-14
+(8)	Edward Snowden
+	  4096 bit RSA key 0xFAD43291D0951541, created: 2016-12-10
+(9)	Edward Joseph Snowden <snowden@edwardsnowden>
+	  4096 bit RSA key 0x34BD314D37015D55, created: 2016-11-02, expires: 2020-11-02
+(10)	snowden <snowdenet@163.com>
+	  3072 bit RSA key 0xFD764233079ACE40, created: 2016-10-11
+(11)	Edvard Snowden <lordkott1987@gmail.com>
+	  2048 bit RSA key 0xF5BE6495E2210CE1, created: 2016-10-07
+Keys 1-11 of 146 for "snowden".  Enter number(s), N)ext, or Q)uit >
+
+ +
+
+ +
+
+ +

LEAP Platform

+ +
    +
  • Configuration Management using puppet
    • +
  • Installs and configures the servers
    • +
  • leap_cli is the tool to deploy to the servers
    • +
+ +
+
+ +

LEAP Platform Example: Setup single node email provider

+ +
sudo gem install leap_cli
+leap new example --domain workshop.bitmask.net
+cd example
+leap add-user --self
+leap cert ca
+leap cert csr
+leap node add workshop \
+  services:couchdb,webapp,soledad,mx ip_address:1.1.1.3
+leap init node
+leap deploy
+
+ +
+
+ +

LEAP Platform: Install and configure the server(s)

+ +
    +
  • Email: Postfix, spamassassin, clamav
    • +
  • Database: couchdb, stunnel
    • +
  • Webserver: apache
    • +
  • Encrypting remailer: leap-mx
    • +
  • Synchronisation: soledad
    • +
  • Account management, issue tracking: leap-webapp
    • +
  • Firewall: shorewall
    • +
  • Monitoring: nagios, check_mk
    • +
    • +
+ +
+
+
+ +

Server-side techstack

+ + + +
+
+ +

Client-side techstack

+ + + +
+
+ +

Soledad

+ + + +
+
+
+ +

LEAP Webapp

+ +
    +
  • API for user registration and authentication
    • +
  • User Management
    • +
  • Integrated Issue Tracker
    • +
  • Payment processing
    • +
  • Customisable
    • +
+ +
+
+ +

LEAP Webapp Main Page

+ +

+ +
+
+ +

LEAP Webapp Account Management

+ +

+ +
+
+
+ +

+ +

LEAP Encryption Access Project

+

Platform Workshop

+ +
+
+ +

System requirements

+ + + + + +
+
+ +

Tutorials

+ + + +
+
+ +

Install prerequisites

+ + + + + +
+
+ +

Ruby

+ +

Debian / Ubuntu

+ +
$ apt install rubygems
+
+ +

Mac OS

+ +
$ brew install ruby
+
+ + + +
+
+ +

Install the LEAP command-line utility

+ +
$ sudo gem install leap_cli
+
+$ leap --version
+leap 1.9.2, ruby 2.3.3
+
+ +
+
+
+ +

Create provider config

+ +
$ leap new --domain workshop.bitmask.net ./workshop
+  Create directory /home/dev/workshop ? y
+  = created /home/dev/workshop/
+
+  The name of the provider: |Example| Workshop demo
+  File path of the leap_platform directory: |/home/dev/leap_platform| 
+  Default email address contacts: |root@workshop.bitmask.net| 
+
+  The platform directory "/home/varac/dev/projects/leap/leap_platform" does not exist.
+  Do you want me to create it by cloning from the
+  git repository https://leap.se/git/leap_platform.git? y
+  …  
+
+ + + +
+
+ +

leap_platform master branch build status

+ +

Leap Platform Build Status: Build Status

+ +

see https://0xacab.org/leap/platform/

+ +
+
+ +

Optional: Use latest release tag for stable version

+ +

If the build status of current leap_platform:master failed we need to checkout the last stable version of the leap_platform:

+ +
git clone -b version/0.10.0 https://leap.se/git/leap_platform \
+  ../leap_platform
+
+ +
+
+
+ +

Add your ssh key

+ +
$ leap user add --self
+
+ +
+
+ +

SSL certificates

+ +

Create a SSL certificate authority and a certificate signining request:

+ +
$ leap cert ca
+$ leap cert csr
+
+ + + +
+
+
+ +

Single node VPN provider

+ +

Tutorial: https://leap.se/en/docs/platform/tutorials/single-node-vpn

+ +
$ export OPTS=(services:webapp,couchdb,openvpn openvpn.gateway_address:37.218.245.4)
+
+ + + +
+
+ +

Single node email provider

+ +

Tutorial: https://leap.se/en/docs/platform/tutorials/single-node-email

+ +
$ export OPTS=(services:webapp,couchdb,soledad,mx)
+
+ +
+
+
+ +

Generate diffie-hellman parameters for openvpn

+ +
$ leap cert dh
+
+ + + +
+
+
+ +

Add an existing remote server

+ +
$ leap node add blackbox ip_address:37.218.245.94 $OPTS
+
+ +
+
+ +

Option B: Create a new server in the cloud

+ + + +
$ leap vm add blackbox services:webapp,couchdb,soledad,mx
+$ leap vm status
+
+ + + +
+
+
+ +

Time to deploy !

+ +
$ leap list
+
+$ leap node init blackbox
+
+$ leap deploy blackbox 
+
+ + + +
+
+
+ +

DNS

+ +
leap compile zone
+
+ +

Use the listed entries in our DNS provider.

+ +

These are for workshop.bitmask.net (in this workshop’s case):

+ +
@                     IN A      37.218.245.94
+blackbox              IN A      37.218.245.94
+api                   IN A      37.218.245.94
+nicknym               IN A      37.218.245.94
+@                     IN MX 10  blackbox
+@                     IN TXT    "v=spf1 MX ip4:37.218.245.94 -all"
+234072283e._domainkey IN TXT    "v=DKIM1;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApdCDTAuRJJa0yx8T3Z7d" "f2NLE0oOvKysLqHqtvJk92Zf8RHYO6/RzpvJ5s51fPfOfyLnAjEzGs3gBL5GkWNV" "hLyMB9TzYnuQ9lmnz3ep3Hyh8U9yPVmNu1YZDrMYGaeoHE6FZXkmvrtBUOv3XAZw" "4BNQwdcHCa/Z9iWgMDtBx0h+56DRDTOrJvr7M/7qGxknBo0FnnQ/Qhw9GQjkTg0h" "UmFZjuvx3BmgN/9lCMkrjxC7qfADvGYMIYer3iPt0wI7cqAvgWN0a+7iqm2PU+aB" "wLPWOSmWsl3e6wzHW4jFS7EchilGXjHiGQ5WC9anRC6WWr3SomL/cxKZNCjTCfBy" "dwIDAQAB"
+
+ +
+
+ +

DNS

+

Option A: Fake DNS for new provider

+ +

We are using a domain here without proper DNS, so we need to override our DNS resolution.

+ +
    +
  • Open another terminal and: + 
    cd ~/workshop
+leap compile hosts
+
    +
    • +
+ +

You need to edit your hosts file with admin privileges and add the output of above command to it.

+ +
    +
  • Linux: sudo editor /etc/hosts +
    • +
  • MacOS: sudo nano /etc/hosts +
    • +
+ +

see Quick start tutorial/Setup DNS for details.

+ +
+
+
+ +

Download Bitmask client

+ + + + + +

Questions ?

+ +
+
+ +

Let’s encrypt certificates

+ +

For proper, free-of-cost TLS certificates issued
+by https://letsencrypt.org/:

+ +
$ leap cert register
+$ leap cert renew workshop.bitmask.net
+$ leap deploy --tags x509 --fast
+
+ +

Check https://workshop.bitmask.net in browser afterwards.

+ +
+
+ +

Test if things work correctly

+ +
$ leap test
+
+ +
+
+ +

Use Bitmask

+ + + + + +
+
+ +

Try more

+ + + +
+
+ +

Contribute

+ + + +

https://leap.se/en/docs/get-involved
+https://leap.se/en/docs/get-involved/project-ideas

+ + + +
+
+ +

Thanks!

+ + + +
+
+
+ +

Etc

+ +
+
+ +

Bitmask Schema

+ +

+ +
+
-- cgit v1.2.3