Crypto parties.

Once uppon a time

When AsherWolf coined the term Crypto Party, there was an actual need for a specific part of the population to get trained to use encryption tools. We were in the middle of all the revelation of censorship done in the Maghred dictatorship and dictators were thrown out on an almost weekly basis.

I started to do them with journalists. I got in touch with Reporters without borders and we set-up some session to train a specific part of the population: journalists, field activists, netizens – as RWB keeps calling them.

This is where I learned a lot about GPG/PGP, the advanced use of Tor and of full-disk encryption. Doing those workshops and training did helps me to taught myself how thsoe tools works, what is operational security and threat modelling. I still have a lot to learn on those topics, but that’s how I started it, and that’s also why I did run the first CypherPunk workshop at Le Loop hackerspace.

I did’t have the idea at the time that it will works so well. Then Snowden makes me not a paranoid guy anymore. Things gets crazy, mass-media were screaming on loud that there’s no way you can have privacy online, that rogue agencies were going after each and any of us and everyne gets paranoid. Not careful, paranoid. Everyone lose focus on threat modelling.

Cryptography became hype, I heard speaking about Tor, LUKS, and other things on TV and in the press. I did my share of speaking to journalists, learning how the media works on the field, I did makes mistakes in communication, but in the end I tried to get the message that yes, there’s privacy issue, and no, crypto-geeks aren’t the one with the solution but citizens – people in fact – are the one with solutions.

The local cryptoparty group kept growing. People I used to train were now the trainers, and that’s fracking nice. We gathered more and more people, we tried to get out of the hackespace and to go meet people, creating the Privacy Café, in local bars, with diverse people with all their own problematics.

How we failed the people

And we basically failed them. I once wrote about the Responsability of teaching because I thought we were missing a point. When we set-up those workshops, we have a responsability toward the people who’ll eventually come. We need to give them all the necessary key to understand the problematics, we need to reassure them because most of them are not in a case where they face being jailed by a governement due to a tweet they sent.

The thing is, I wanted the crypto party to be able to function without a central person. Also, I was going through – and I’m still into it – a big depression so I needed to take some step out of things I’m doing, so I let it go its way, because I think it’s the only sane way to do things.

Also, I was growing tired of doing all the same workshops. I wanted something else, playing with new tools, learn new things, experiments new paradigms.

And I think that doing those workshop is not thesolution. I learned that a bit late maybe, but having time to go to a workshop, with your own hardware and a will to develop new skills is a privilege a lot of people cannot afford, I’ll send you to this blog entry wrote by a pop star doing infosec for reference: [A story about Jessica][1]

And fear of internet was more and more used as a teaching tool. And Fear is clearly the worst tool to use if you want people to learn. And I witnessed the militarisation fo the languages which bugs me. A lot. I even done a conference on this topic because we need to not scare the people away from the internet, or the Internet will die and we really need to be inclusive.

And being inclusive means we need to provide security by default. And it means, we need to build network and protocols who’ll take care of that. And that’s one point of strong disagreement with a part of the team. Some of them think that if you’re not able to run command line tools, then you do not deserve to be protected. They think that an interface to a tool necessarily implies a weaker security.

I do agree with that, command line tools with all their flags, are the best way to have a crypto disaster for instance (yes, command line IS an interface). The thing is, we do have some tools with good cryptography AND no interface at all (or almost no interface at all). For instance the Tor Browser Bundle. You launch it, it connects, it disapear and you’ll never hear about it and still you’re connected to the privacy network – and if it can’t connect you can’t use it therefore you can’t put yourself at risk.

Yes, Enigmail – and PGP – is a mess. As well as everything that’s based on key management. For one part because key management is about identity, and a lot of people want anonimity – so no identity – also because no one knows what a good key management solution is. The interface sucks, because the tool it’s based on sucks.

And we could build a mail solution where GPG will disappear, working more or less like TLS, with a warning when the key looks weird, or when youhave no encryption. But we – as the crypto party collective – prefers tell people they’re not good enough to use cryptographic tools.

Well, in fact I stopped teaching GPG in the cryptoparties. I prefer have them use OTR for instance, and install XMPP servers everywhere I can, with strong TLS setup, and have them configure OTR to autostart. It works, they do not even need to worry about it (except the color of the OTR button). Neither they need to worry about authenticate (some people might – depends on the threat model) their contact.

But still, I do have a lot of issues with this attitude I see in this group of people that they know best, they do not question their knowledge. They use fear as a tool, they think that you need to work to deserve protection not that we – as experts, geeks, technicians, whatever – need to build a community oriented and driven network of people with anonimity built at its core – yes, it’s supposed to be what internet is.

And that brings me to this tough issue, wether I should continue working on cryptoparties, or try to do something else. I think it’s easy to quit, to let them be. It’s harder to try to do something with the people who are willing to, and to move forward with them. But there is things in what they say that makes me thinking that we do have a gap in what we want to do with those cryptoparties.

Not being inclusive, not understanding the principles of privileges and discrimination, using fear and militarisation of your vocabulary. All of those are no go for me. And I did not find a way to discuss about that yet, tried the mailing lists but git no answer, tried to meet AFK, but no answer either.

So I’m wondering, maybe I should stop fighting for that and quit. Give the admin access to the lists for them to go the way they want to go and start something else. It’s not easy, but maybe it’s a failure.

I should probably just quit.