Learning Security


Aside from the necessary logistical and methodological differences mentioned above, and a few variations on content described at the end of this section, the first five workshops of each track adhered to the same curriculum. (The drop-in workshop series did not have a sixth session.) Since the vast majority of our participants were Mac/OSX and iOS users, most of the platform-specific curriculum described below focuses on Mac/OSX tools. Throughout both workshop tracks, however, we also provided one-on-one assistance to our handful of Windows users16

Session 1: Creating and Maintaining Strong Passwords

In this session, we attempted to explain and simplify the “rules” for choosing strong passwords. We also addressed the difference between online and offline password attacks, including the importance of configuring two-step authentication for services that support it. We discussed how to evaluate the security claims of various password managers and discussed the risks inherent in browser-based systems. Finally, we introduced students to KeePassX, a secure password manager, and practiced using it to store different sorts of credentials. All students left with a portable version of KeePassX on a USB stick, along with an encrypted password database.This workshop included a live demonstration of a brute-force password attack on Android and iOS smartphones.We also used this session as an opportunity to gather baseline information about who had and had not configured certain security features on their devices, including Apple’s FileVault full-disk encryption, Microsoft’s Bitlocker full-disk encryption, and Apple’s TimeMachine backup software.

Session 2: Secure Data Storage and Backup

In this session, we addressed the fact that while strong passwords are a dependency for encrypted file storage, the two concepts are not equivalent and a log-in password alone is not enough to secure data at rest. We covered full-disk encryption on MacOS, Android, and iOS devices but focused primarily on FileVault for full-disk encryption and DiskUtility as a way to encrypt external media (which we discussed in the context of secure backup habits).We also introduced students to Apple’s TimeMachine backup software. We spent the bulk of our hands-on time working with the TrueCrypt file encryption tool, including its plausible deniability feature, which we contextualized using stories about reporting in high risk countries, generally, and about border crossings and checkpoint threats in particular. In addition, however, students went home with instructions on how to create their first encrypted TimeMachine backup, and—for those who felt comfortable enabling FileVault before our next session—a reminder to record their FileVault recovery code in KeePassX, along with the TrueCrypt passwords they created during the workshop. (Several students visited us during our office hours to request additional help with these steps.)

This workshop included a live demonstration of how little protection even a strong password provides, in the absence of encryption, against an adversary with physical access to the device in question. Because our participants all had MacOS devices, we used TargetMode for this demo. And, because there were students in the class who had not set a log-in password of any kind, we also demonstrated a malicious USB attack capable of pulling sensitive documents from an unlocked computer in just a few seconds.

Session 3: Connection Security, Online Censorship, Metadata, and Anonymity

In this session, we explained the difference between symmetric and asymmetric encryption, then discussed the concept of end-to-end encryption as it applies to HTTPS, virtual private networks (VPNs), instant messaging (IM), email, etc. We covered HTTPS certificate warnings, Man-in-the-Middle attacks, the HTTPS-Everywhere browser extension, and threats related to metadata and traffic analysis, starting with the basics of how an IP address can be linked to a real-world identity. As a prelude to hands-on practice with RiseUp VPN and Tor Browser, we discussed the concept of centralized versus decentralized trust, the circumvention- and privacy-related uses of anonymity tools, onion services (“the deep web”), and the importance of HTTPS even when using a tool like Tor Browser. Credentials for a new VPN account were stored in KeePassX.This workshop included a live demonstration of a local network attack through which an adversary could sniff the Columbia University password of any student, faculty member, administrator, or staff person who had not applied at least one of the techniques covered in the workshop.

Session 4: Encrypted Chat

In this session, we focused on encrypted chat, including practical techniques for introducing sources and colleagues to relatively easy-to-use secure communication tools. We covered asymmetric encryption—specifically the Diffie-Hellman key negotiation protocol—in greater detail. We also devoted significant time to the issues of authentication and cryptographic fingerprint verification, with an emphasis on helping students understand when their real-world intuition about “verifying identity” does and does not apply to the context of secure digital communication. For the hands-on portion of this workshop, we practiced using Off-the-Record (OTR) chat encryption with both CryptoCat and Pidgin/Adium. Students used Tor Browser to access the onion service version of CryptoCat and those who created new XMPP (chat) accounts, for use with Pidgin/Adium, stored their passwords in KeePassX.The session began with a brief presentation that used color-mixing as a metaphor to explain how the Diffie-Hellman key negotiation protocol works and how proper authentication can prevent Man-in-the-Middle attacks.

Session 5: OpenPGP Encrypted Email

It was quite challenging to fit a complete, hands-on OpenPGP session into three hours, so we covered very little else during this workshop. Fortunately, we had already addressed many related issues in previous workshops, including symmetric versus asymmetric encryption, cryptographic fingerprint verification, and end-to-end encryption. High-level topics discussed in this workshop were limited to the basics of how public key encryption works, the risks associated with OpenPGP’s lack of perfect forward secrecy, and the importance of local key signatures as a way to avoid exposing one’s network of contacts. Students left the session having installed GPGTools; configured a new or existing email account to work with Apple’s Mail application; uploaded their public keys to a keyserver; located and downloaded one another’s keys; and practiced sending and receiving encrypted messages (including attachments).During the last thirty minutes of the session, students practiced verifying and (locally) signing one another’s public keys.