X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=en%2Fworkshops.html;h=30ce3481cbbdc1bfeb8d2db4672b615c0e576ff9;hb=e5e235bef3aa7bfd8d999988085b7dc192bdf053;hp=35365f0664998b45026af284007b0cef3b9f2daa;hpb=0a76364f6b897b095fa4c820cdb324318c676180;p=enc.git diff --git a/en/workshops.html b/en/workshops.html index 35365f06..30ce3481 100644 --- a/en/workshops.html +++ b/en/workshops.html @@ -1,384 +1,403 @@ - - - - - Email Self-Defense - a guide to fighting surveillance with GnuPG encryption - - - - - - - - - - - - - - - + +
+
- -
-
- -
-

#0 Why GnuPG?

+ +
-

NSA whistleblower Edward Snowden once famously wrote , "Encryption works." When he chose to leak his information to film maker Laura Poitras, he put his trust in the GNU Privacy Guard , and it didn't let him down. Although “encryption works,” even the most perfect software and algorithms still fail when the underlying system is not secure, or if the user doesn't understand how to properly make the software work for them.

+

-

Setting up a secure computer and understanding how it works is a daunting task, even for many advanced users. Simple mistakes lead to disaster, and many people who would benefit from using GnuPG don't simply because the process sounds too complex. GnuPG is a powerful and versatile program, and it's sad that more people don't use it.

+

#1 Get your friends or community interested

-

If you already love GnuPG, do your part to help increase herd immunity to mass surveillance by helping your friends and neighbors master the challenges GnuPG poses. Help them keep their digital love letters private, and teach them the benefits of free software. Oftentimes, users over-calculate the complexity of setting up GnuPG, when all they really need is a ally to sit down with them and help them get started. Go be that friend!

+

If you hear friends grumbling about their lack of privacy, ask them if +they're interested in attending a workshop on Email Self-Defense. If your +friends don't grumble about privacy, they may need some convincing. You might +even hear the classic "if you've got nothing to hide, you've got nothing to +fear" argument against using encryption.

-

To fully benefit from this guide, please read it in its entirety before proceeding.

+

Here are some talking points you can use to help explain why it's worth +it to learn GnuPG. Mix and match whichever you think will make sense to +your community:

-
-
-
- - -
-
- -
-

#1 Plan The Workshop

-

When you hear friends bemoaning their lack of digital privacy, ask them if they're interested in attending a workshop to on email self-defense. Once you've got a handful of people interested, pick a date and start planning out the event. Tell participants to bring their computer, their ID (for signing each other's key) and a flash drive.

- -

The success of each workshop requires understanding and catering to the unique background and needs of each group of participants. Workshops should stay small, so that participants receive more individualized instruction. If more than a handful of people want to participate, keep the participant:facilitator ratio low by recruiting more facilitators, or by facilitating multiple workshops. Ideally, facilitators should be known and trusted members of the participants' community. Small workshops among friends work great!

- -

Many activists, journalists, whistleblowers, businessfolk, academics, and dissidents use the OpenPGP standard, so participants might unknowingly know of a few people who use it already. If possible, make a list of people and organizations that use OpenPGP which participants will likely recognize by searching for "BEGIN PGP PUBLIC KEY BLOCK" + keyword.

-
- - -
-
-

Step 2.A: Make a Keypair

-
-
-

Step 1.a Space and Preparation

-

Make sure the location you select has an easily accessible internet connection, and make backup plans in case the connection stops working on the day of the workshop. Try and get all the participants to set up an Enigmail-compatible email client before the event. Direct them to their organizations IT department or help page if they run into errors. Estimate that the workshop to take at a minimum 30 minutes plus about five to 10 minutes for each participant. Plan extra time for glitches and questions.

- -
-
- - -
-
+
+
+
+ -
-
- -
-

#2 Follow The Guide

-

Have the participants work through the Email Self-Defense guide a step at a time on their own computers. Make sure all participants complete each step before the group moves on to the next step. Talk about each step, but be sure not to overload the participants with minutia. Pitch the bulk of your instruction to the least tech-savvy participants. Consider holding a secondary workshop afterwards for the outliers in either direction.

+

--> +
+
-
+

Strength in numbers

- -
-
-

Try it out.

-
-
-

Step 2.a Public and Private Keys key

-

Make sure all the participants have a conceptual understanding of the relationship between public and private keys in a keypair. It's normal for people to not understand public-key cryptography on the first try. Use analogies to help explain the concept.

+

Each person who chooses to resist mass surveillance with encryption makes +it easier for others to resist as well. People normalizing the use of strong +encryption has multiple powerful effects: it means those who need privacy +the most, like potential whistle-blowers and activists, are more likely to +learn about encryption. More people using encryption for more things also +makes it harder for surveillance systems to single out those that can't +afford to be found, and shows solidarity with those people.

+ +
+
+ +

People you respect may already be using encryption

+ +

Many journalists, whistleblowers, activists, and researchers use GnuPG, +so your friends might unknowingly have heard of a few people who use it +already. You can search for "BEGIN PUBLIC KEY BLOCK" + keyword to help make +a list of people and organizations who use GnuPG whom your community will +likely recognize.

+ +
+
+ +

Respect your friends' privacy

-
-
+

There's no objective way to judge what constitutes privacy-sensitive +correspondence. As such, it's better not to presume that just because you +find an email you sent to a friend innocuous, your friend (or a surveillance +agent, for that matter!) feels the same way. Show your friends respect by +encrypting your correspondence with them.

+ +
+
+ +

Privacy technology is normal in the physical world

+ +

In the physical realm, we take window blinds, envelopes, and closed doors +for granted as ways of protecting our privacy. Why should the digital realm +be any different?

+ +
+
+ +

We shouldn't have to trust our email providers with our privacy

+ +

Some email providers are very trustworthy, but many have incentives not +to protect your privacy and security. To be empowered digital citizens, +we need to build our own security from the bottom up.

- -
-
-

Section 5: Use it Well

-
-
-

Step 2.b Diceware and Passphrases

-

Sufficiently strong passphrases can't easily be brute forced, and thus protect the private key even if it falls into the wrong hands. Recommend participants use the diceware method , and have dice and the wordlist available for them to use. Participants who choose to use diceware should keep their passphrase with them at all at all times until they memorize it. Stress the importance of creating and backing up revocation certificates, especially to participants who write down their diceware passphrases.

- -
-

Disclaimer

-
-
Diceware and Licensing
-
Something here about diceware's relationship with free software, or something.
-
-
- -
-
- - -
-
- - - -
-
- -
-

#3 Sign Keys

-

Emphasize the distinction between trusting a person subjectively, and seeing whose keys they've signed objectively. Without a proper understanding of trust, the beautiful transative trust properties of the web of trust are lost. Since trust is an internal and subjective thing, it's unnecessary for participants to share how much they trust another participant with anyone else.

- -

Have the participants download each other's keys, read out their own fingerprints, and present their IDs to each other. Help participants navigate the interface to sign each other's keys, and encourage participants to assign each other trust levels if they already know each other.

- - - -
- - -
-
-

Section 4: Web of Trust

-
-
-

Step 4.a Sign a key

-

In your email program's menu, go to Enigmail → Key Management.

-

Right click on Edward's public key and select Sign Key from the context menu.

-

In the window that pops up, select "I will not answer" and click ok.

-

Now you should be back at the Key Management menu. Select Keyserver → Upload Public Keys and hit ok.

-

You've just effectively said "I trust that -Edward's public key actually belongs to Edward." This doesn't mean much -because Edward isn't a real person, but it's good practice.

- - - - -
-
- - -
-
-

Important: check people's identification before signing their keys

-

Before signing a real person's key, always make sure it -actually belongs to them, and that they are who they say they are. Ask -them to show you their ID (unless you trust them very highly) and their -public key fingerprint -- not just the shorter public key ID, which -could refer to another key as well. In Enigmail, answer honestly in the -window that pops up and asks "How carefully have you verified that the -key you are about to sign actually belongs to the person(s) named -above?".

-
-
- - - -
-
- - -
-
- -
-

#4 Explain the pitfalls

-

Remind participants that encryption works only where it's explicitly used; they won't be able to send an encrypted email to someone who hasn't set up encrption already. Also remind them to make sure encryption is selected before hitting send. Explain metadata to the participants, and advise them to use bland-sounding subject lines.

- -

Advocate for free software, for without it, we can't meaningfully resist invasions of our digital privacy and autonomy. Explain the dangers of running a proprietary system, and why GnuPG can't begin to mitigate them.

-
- - -
-
- - - - -
- - -
- - - - - - - - - - - - - - +
+
+
+ + +
+ + +
+ +

#2 Plan The Workshop

+ +

Once you've got at least one interested friend, pick a date and start +planning out the workshop. Tell participants to bring their computer and +ID (for signing each other's keys). If you'd like to make it easy for the +participants to use Diceware for choosing passwords, get a pack of dice +beforehand. Make sure the location you select has an easily accessible +Internet connection, and make backup plans in case the connection stops +working on the day of the workshop. Libraries, coffee shops, and community +centers make great locations. Try to get all the participants to set up +an Enigmail-compatible email client before the event. Direct them to their +email provider's IT department or help page if they run into errors.

+ +

Estimate that the workshop will take at least forty minutes plus ten minutes +for each participant. Plan extra time for questions and technical glitches.

+ +

The success of the workshop requires understanding and catering to +the unique backgrounds and needs of each group of participants. Workshops +should stay small, so that each participant receives more individualized +instruction. If more than a handful of people want to participate, keep the +facilitator to participant ratio high by recruiting more facilitators, or by +facilitating multiple workshops. Small workshops among friends work great!

+ +
+
+ + +
+ + +
+ +

#3 Follow the guide as a group

+ +

Work through the Email Self-Defense guide a step at a time as a group. Talk +about the steps in detail, but make sure not to overload the participants +with minutia. Pitch the bulk of your instructions to the least tech-savvy +participants. Make sure all the participants complete each step before the +group moves on to the next one. Consider facilitating secondary workshops +afterwards for people that had trouble grasping the concepts, or those that +grasped them quickly and want to learn more.

+ +

In Section 2 of the guide, make +sure the participants upload their keys to the same keyserver so that +they can immediately download each other's keys later (sometimes +there is a delay in synchronization between keyservers). During Section 3, give the participants the option to +send test messages to each other instead of or as well as Edward. Similarly, +in Section 4, encourage the participants +to sign each other's keys. At the end, make sure to remind people to safely +back up their revocation certificates.

+ +
+
+ + +
+ + +
+ +

#4 Explain the pitfalls

+ +

Remind participants that encryption works only when it's explicitly used; +they won't be able to send an encrypted email to someone who hasn't already +set up encryption. Also remind participants to double-check the encryption icon +before hitting send, and that subjects and timestamps are never encrypted.

+ +

Explain the dangers +of running a proprietary system and +advocate for free software, because without it, we can't meaningfully +resist invasions of our digital privacy and autonomy.

+ +
+
+ + +
+ + +
+ +

#5 Share additional resources

+ +

GnuPG's advanced options are far too complex to teach in a single +workshop. If participants want to know more, point out the advanced subsections +in the guide and consider organizing another workshop. You can also share +GnuPG's and +Enigmail's +official documentation and mailing lists. Many GNU/Linux distribution's Web +sites also contain a page explaining some of GnuPG's advanced features.

+ +
+
+ + +
+ + +
+ +

#6 Follow up

+ +

Make sure everyone has shared email addresses and public key fingerprints +before they leave. Encourage the participants to continue to gain GnuPG +experience by emailing each other. Send them each an encrypted email one +week after the event, reminding them to try adding their public key ID to +places where they publicly list their email address.

+ +

If you have any suggestions for improving this workshop guide, please +let us know at campaigns@fsf.org.

+ +
+
+ + + + + + + + + +