Defense Against the Dark Arts and Mr. Robot’s Netflix ‘n’ Hack (rebooted) at Recurse Center

Last Saturday, I hosted another Mr. Robot’s Netlfix ‘n’ Hack session at the Recurse Center. I’ve been doing these weekly for three weeks now (here is a link to last week’s), and this time was the first week when the new set of batchlings were in the space. To better include them, we rebooted the series and re-screened the first episode of the show.

Last week was also the national elections in the United States. The outcome of that election was that Donald Drumpf was voted into office as President and over the course of the week he began selecting self-described white nationalists into positions of power in his upcoming administration. In light of these events, I’ve spent most of my waking hours fielding incoming requests for help about “what to do” in a number of different areas.

This election changes very little for me, personally. I have already been aware that we live in a police state, controlled by fascists and white supremacists. I’ve been preparing for worse and prepared for this eventuality for a long time. What this election changed, for me, was the fact that everyone around me was suddenly treating me like the things I was doing made sense, rather than being treated like some overly paranoid weirdo. So, that’s nice.

This also means that I’ve been getting lots of questions about digital security, privacy, anti-surveillance and censorship circumvention techniques. Y’know, commsec, opsec, and security culture stuff. In light of these events, I decided to kick off the new round of Mr. Robot’s Netflix ‘n’ Hack sessions with a whirlwind crash course of the defensive aspects of computer security techniques. Basically, I ran a very compressed CryptoParty.

Someone suggested that we call this a “Defense Against the Dark Arts” session, and I liked the analogy well enough to take the suggestion. Like the other Mr. Robot’s Netflix ‘n’ Hack nights, this one was well attended. We filled the session room to the max. It was probably between 15 or 20 of us to start with, and then it dwindled down to about 10 for the actual screening and post-screening discussion.

In my paradoxical, eternal optimism, I somehow had the idea that we could complete this lightning CryptoParty, which included install fests of Signal and the TorBrowser, within thirty minutes. I was wrong; we went over by about 30 minutes, and the screening of Mr. Robot started late. But so many (all?) of the attendees got set up with Signal and the TorBrowser, and that was really great.

As promised, I wanted to make sure that everyone had links to the reference guides and other resources presented in this defense-focused super quick “Defense Against the Dark Arts” session. To do so, I sent a follow up email with links to those resources. A portion of that email is presented verbatim, here:

In addition to these primers and the links included in them, additional useful resources are:

  • PrivacyTools.io – Simply start at the top and read down the page. This is as guided an introduction to privacy issues and what to do about them as it gets.
  • EFF’s Surveillance Self-Defense Handbook – A thorough treatment of anti-surveillance software, along with tutorials for how to get them installed and working on your system.
    • If you’re feeling overwhelmed by all of this already, consider spending just a little bit of time to walk yourself through the SSD’s Security Starter Pack.
  • PRISM-Break! – An overwhelmingly large digital reference card for all the privacy-enhancing tools available to you for a particular platform, purpose, or protocol. Be cautious here, some of the listed tools are experimental, not audited, or worse.
  • Security in a Box – A slightly dated, but still generally solid, resource website featuring much of the same content as the EFF’s Surveillance Self-Defense guide, but with a regularly updated blog. Created and maintained by the TacticalTech.org collective.

There’s a ton of stuff in there, and learning about how to defend yourself from governments, corporations, or malicious individuals on the Internet is more involved than simply picking up one or two tools. But a few well-chosen tools does give you a really, really good start. Taking some time to familiarize yourself with the above guides will hopefully help you become even more capable.

Following the install fest, we finally screened Episode 1 of Mr. Robot again. I already posted our list of tools, techniques, and procedures from the first week, and this didn’t change much. With a different audience, however, the discussion we had post-show did change quite a bit.

Unlike the first week, when people were interested in Tor onion routing and the dark/deep Web, this time people wanted to know about social engineeering and password cracking. So our discussion focused on sharing resources for social engineering, and books such as Kevin Mitnick’s “Art of Deception” and Robert Cialdini’s “Influence: The Psychology of Persuasion” came up. (So did Freedom Downtime, a documentary about Kevin Mitnick’s persecution by the FBI.)

After that, we also talked about the mechanics of password cracking. I gave an overview of the process from exploitation to data exfiltration, but focused on using the hash-“cracking” (really guessing) tool called Hashcat to demo finding the plaintext of hashed passwords. A lot of time in the discussion was spent showing the practicalities of how hashing (i.e., “trap door functions” or “one-way functions”) works by using md5 and shasum commands on the command line. Then I showed the syntax of the hashcat command to run a dictionary attack (with the infamous “rockyou” wordlist) against simple unsalted MD5 hashed passwords from a very old data dump file (hashcat -a 0 md5sums.txt wordlists/rockyou.txt). Have another look at the SecLists project on GitHub to find wordlists like these useful for password cracking.

We also talked about some common mistakes that application developers make when trying to secure their applications, and that users often make when trying to secure their passwords:

  • Try to generate per-user, instead of per-site, salt.
  • Don’t just double-hash passwords (i.e., hash(hash($password)), because this reduces the entropy used as input for the final result, and increases the chance of hash collisions. Instead, iterate the hash function by concatenating the original input (or a salt, or something) back into the resulting hash as well (i.e., hash($salt . hash($salt . $password))). This iteration also slows down an offline attack, but again, only if done correctly in code.
  • Don’t use multiple dictionary words as a password, even a long one, because these are easy to guess. For instance, contrary to popular belief, “correct battery horse staple” is a bad password, not because it lacks entropy, but because all of its components are likely to be in an attacker’s wordlist. Use a password manager and generate random passwords, instead.

Next week, we’ll return to our regularly-scheduled Mr. Robot’s Netflix ‘n’ Hack format: a demo/show-and-tell/exercise of a tool, technique, or procedure (TTP) featured in Episode 1, followed by a screening of Episode 2, and ending with a discussion about Episode 2’s TTPs. I thought that since we’ve done Onion services already, I would change gears and show an online attack similar to some of the ones Eliot used in the show by demoing a tool called Hydra. Another participant also said they may demo hiding data inside of audio CDs using a steganographic tool called DeepSound, also featured in episode 1.

However, this upcoming Saturday is a number of anti-Trump and anti-surveillance organizing meetings and workshops, so I may have to skip this week’s Mr. Robot’s Netflix ‘n’ Hack myself. If not, we may switch to Sunday just for the week. Time will tell. :)

4 comments

  1. 38
    maymay says:

    What do you mean by Diceware? I’m not familiar with it.

    As for encrypting something, just start somewhere. Get your peeps to use Signal and drop Facebook Messenger. That’s a start.

  2. 38
    maymay says:

    Getting people to start using Signal implies buying smartphones for a few people. […] Better not to leave anyone behind.

    Yes, but your question was about encryption. Unless you’re going to make the flip-phone users do AES-256 on paper, you’re not going to have encryption in some circumstances. There is no way around that.

  3. 38
    maymay says:

    As for Diceware, if you don’t trust the pseudo-random number generator in your software, choosing an actually random method that constructs some passphrase is fine, but if you’re that worried about your software generally and you’re not actually fixing bugs in the software you’re using, I can’t really imagine you would feel comfortable enough using any computer at all, so maybe you’re not asking a question about software and are actually trying to ask one about emotion and fear, and that’s not a question I can answer for you by giving you a technical answer about appropriate sources of entropy for passwords.

Comments are closed.