CryptoParty Albuquerque: A Gentle Introduction to Threats and How To Defend Against Them

One of the unique things about CryptoParty Albuquerque was simply the diversity of participants. Not only was CryptoParty Albuquerque the largest cryptoparty I’ve had the pleasure to host (it began with over 35 people, check out this blog post to get a debrief on what you may have missed), but it was also the only one that didn’t have a pre-existing audience specifically in mind. What I mean is that, prior to this cryptoparty, the other cryptoparties I’ve hosted have all been for a single community—queer activists, or reporters, for example—rather than being aimed at “everybody.”

This means that, unlike other cryptoparties that functioned almost like anti-surveillance boot camps, this one really was a party in addition to being a skills-building workshop. The fact that we had ongoing educational activities that were set up kind of like museum exhibits (that you could touch, of course) in the center of the social and food spaces was really helpful. But it also meant that it was bit more difficult to set the stage for the event at the beginning, because we didn’t really know who was going to be there or what they wanted to focus on.

My co-host and I knew we wanted to start the event in one large group, because we wanted to make sure that everyone who participated was exposed to the most foundational concepts and immediately useful information. We decided that this meant we wanted to at least touch on these three things before we split up into breakout sessions:

  • threat modeling,
  • politics, and
  • digital “Know Your Rights” training.

What we ended up doing was back-to-back presentations at the start of the cryptoparty in which I gave a presentation on the first two bullet points, combining an inrtroduction to theat modeling with the political importance of what we are doing. This made sense to us because it is specifically the fascistic politics of the current Amerikkkan surveillance state that threatens the livelihood and pursuit of liberty of most people (of color) around the globe, obviously.

In my usual style, I created a fast-paced visual slideshow and distilled numerous different sources of information into a speech covering the bare essentials of threat modeling and surveillance politics that clocked in at under ten minutes. Unfortunately, my presentation was not recorded live at the cryptoparty itself, but I’ve recreated it in this video embedded below. What follows is the re-created video of my introduction to CryptoParty Albuquerque and an aspirational transcript of my welcome speech:

Are. You. Ready. To. CRYPTO?


Welcome, welcome everybody to CryptoParty Albuquerque, the first crypto party in New Mexico! Thank you to our hosts, thank you to my co-host and co-organizers, to everyone who’s been working so hard this past week to make this event happen. And, of course, thank YOU all for coming!

So, the tagline of this event is “Learn how to protect your data from prying eyes,” and that’s what we’ll be doing during the CryptoParty. You’ll have the opportunity to participate in a hands-on digital safety training, some privacy workshops, and if you take a look around, you’ll see we’ve set up numerous educational activities around the space at our “activity stations.” We’ll talk more about all of these in a just a little bit.

But when we say “learn how to protect your data from prying eyes,” the obvious next question is: “Whose eyes?” In other words, who are we protecting our data from? Well, broadly speaking, there are three main categories of adversaries one might want to protect one’s data from. They are:

  • Governments,
  • Corporations,
  • and malicious individuals.

When it comes to governments, I like to quote Taylor Swift, who says, “Mass surveillance is the elegant oppression, a panopticon without bars. Its cage is small but out of sight, behind the eyes—on the mind.”

Swift is talking here about the global and domestic mass spying conducted by the NSA. And, okay, maybe this isn’t a real Taylor Swift quote, but you get the idea.

If this is a bit too abstract for you, remember that just this week we learned that the Department of Homeland Security has been monitoring the Black Lives Matter movement since anti-police protests erupted in Ferguson, Missouri last summer. DHS agents are even producing minute-by-minute reports on protesters’ movements, even for the most mundane of community events. This shit is real, my friends!

With regards to corporate adversaries, we see plenty of examples of abuse and privacy violating behavior. In November of 2014, for example, Josh Mohrer, the general manager of Uber New York, was busted for using an internal Uber tool called “God View” that shows the company’s execs the real-time location of every single customer and driver. Mohrer was using the tool track the movements of a journalist, without her permission or consent. And just one month before that, in October 2014, two bombshell stories in the New York Times detailed how PR firms representing the oil and gas industry have been openly plotting campaigns of dirty tricks against anti-fracking activists and opponents of the Keystone XL pipeline.

And then, of course, there are malicious individuals:

A normal Wednesday afternoon, this Colorado man is playing his favorite shooting game: heavily armed SWAT teams battling are criminals, when suddenly the imaginary world broke into reality—quite literally.

“I think we’re getting SWAT’ed. What in the world?”


The gamer, known as Kootra, was swatted.

This is a new kind of prank called swatting. This term stands for a mean prank: anonymous hackers reporting feet hostage situations and other violent crimes, all just to see SWAT teams rush in on innocent victims.

Swatting. I also call this: “attempted murder by cop.” So these are some examples of WHO you might want to protect your data from, and why.

Now, you might be thinking to yourself, “Okay, that’s great, but…how?”

The answer to that is: Encryption.

Encryption is just math. But don’t worry! You don’t need to know any math—not even basic addition—because a bunch of very smart people already worked the math out, and a huge community of free software advocates encoded the mathematical algorithms in computer software programs. All you have to learn is how to use the software, and that’s what we’ll do here during the CryptoParty.

For example, If you want to browse the Internet anonymously or bypass online censorship, use Tor, a special Web browser that helps keep your physical-world location secret while you explore the Internet. Or perhaps you want to send a private text message? Use an app called TextSecure. Share a file without revealing your location? OnionShare. Chat secretly? There’s an app for that, too. Software called the GNU Privacy Guard or GPG for short can secure your email, and you can install browser add-ons like Mailvelope to use it with your existing GMail account.

We’ll learn more about all of these tools tonight, during the CryptoParty. But with so many tools to learn, how do we decide what to use? And which one do we use, and when? For that, we need a “threat model.”

A threat model is just a way of narrowly thinking about the sorts of protection you want for your data, and how to go about actually protecting it. Whenever you begin assessing threats to you or your data, ask yourself some basic questions about your situation, like:

  • What do you want to protect? We call things you want to protect “assets.” Assets can be physical, like your laptop or phone. But assets can also be information, like some information in an email, or knowledge of your home address.
  • Who do you want to protect it from? We just talked about adversaries: they are the people or organizations attempting to undermine your security or violate your privacy.

There are also some other questions involved in assessing threats, but the answers to all of these questions are personal and subjective. They’ll be different for different people. And we’re not here to tell you what to think or how to feel. That, obviously, is your government’s job.

So what we’re going to do is introduce a simple framework that you can understand and use to make better informed choices about the technology you use so that you can take steps to protect your privacy, confidentiality, and integrity. Remember, after all, that different people have different assets to protect from different adversaries.

Threat Pyramid

Importantly, different adversaries pose different kinds of threats, based on what capabilities they have. For example, an individual with a grudge may be able to send you harassing e-mails, but they don’t have access to all of your phone records, so they can’t use those against you. Your mobile phone provider, however, does have all your call logs, and therefore has the capability to use that data in harmful ways. Your government has even stronger capabilities.

Notice, also, the number of adversaries who can pose major threats is much smaller than the number who can pose only mild threats or annoyances. The power to do the most harm is concentrated in governments and some multinationals with extremely sophisticated capabilities. The more of a threat these capable adversaries can pose, the more power they have over everyone below them on the pyramid.

Now, it is specifically this hierarchy, where the most resourced governments and corporations have more surveillance capability than everyone else, this situation is sold to us as “security.” And the issue is not that no measure of security can be had from this arrangement. The issue is that whatever so-called “security” this set-up does happen to offer you is a matter of benevolence from everyone above you in the pyramid.

Let’s take a second look at these. What are these things?

Cameras mounted on a wall.

I bet at least half of you are thinking to yourselves, “Those are security cameras,” aren’t you? But these cameras do not, themselves, provide security. These are surveillance cameras. They collect data about everything they can see. That data—that video record—only increases your security if the person who controls the video record has your best interests at heart. Otherwise, the data collected by these cameras only help the people controlling the cameras; think about the huge difference between cameras on cops, and cops on camera.

So the people who perform the most powerful surveillance in the world are at the top of the pyramid—that would be the USA, and the UK, etc. Anyone who chooses to rely on such surveillance for their “security” is putting blind trust in everyone who performs more powerful surveillance than they can.

A common fallacy is that with total surveillance comes security. That is, they say that after you give up your privacy, they will give you security. But what we see in reality is that even with that total surveillance, you still have the Westgate Shopping Mall terrorist attack in Kenya, you still have the Boston Marathon bombing, you still have the Emanuel African Methodist Episcopal Church shooting in downtown Charleston, and it is not stopped. Not to mention things like SWAT-ting, abusive phone calls from your evil ex, and the constant small harassments normal people deal with on a daily basis. And these attacks are not stopped because surveillance, itself, is not security.

Surveillance brings the ability to control some people some of the time, because “When we know we might be under surveillance, our behavior changes. We might decide not to go to a political meeting, to censor what we tell friends, family, and colleagues, thinking it might fall into the wrong hands or simply be made public. Under surveillance we may decide not to become a whistleblower.” Surveillance erodes privacy, which is a necessary condition for thinking and expressing oneself freely. But it still does not make us safe.

So our privacy is violated, our ability to express ourselves is controlled. Meanwhile, violent attacks on random individuals are rarely stopped. Our security is far from guaranteed. The people who benefit from surveillance are the people behind the video camera, not the people in front of it.

If we can’t rely on big, powerful surveillance states with sophisticated technology to have our best interests at heart—and we can’t—what can we do to keep ourselves safe and secure?

In the digital realm, we can encrypt, because encryption doesn’t depend on anybody else’s good will. It depends solely on math. No amount of physical force can coerce or threaten math. The police cannot beat up encryption algorithms with a nightstick. Encryption, like an idea, is literally bulletproof.

At this point, maybe some of you are thinking, “Yeah! Encrypt ALL the things!” And maybe some other people in the audience are sitting here thinking, “Augh! This sounds hard!” To you folks, I want to say: Take a deep breath, relax. Remember that you don’t have to be perfect at this. Remember that all things are difficult before they are easy. Remember that you don’t have to encrypt all the things immediately, today. There is a lot to learn!

So pick one thing, just one thing to start out with based on your personal threat model, because every little bit does help. The more encrypted data there is out there, the safer everyone who uses encryption is. And even if all you do is encrypt your apple strudel recipes when you send emails to your mother, you’re still helping by making it harder and more expensive for the adversaries of political dissidents, activists, journalists, friends, colleagues, and family, to target them.

So choose a tool you’re interested in knowing more about, go to a breakout session, and above all else, remember: KEEP CALM AND ENCRYPT.

Thank you all for listening.