It’s (crypto)party time!

With our advanced free democracies resembling George Orwell’s “1984” more and more (your TV is spying on you, NSA global mass-surveillance, pre-crime repression of free speech, etc.), there surely couldn’t be a better time to throw a CryptoParty!

Where?

New Academic Building
Goldsmiths, University of London
New Cross
London SE14 6NW
(OpenStreetMap)

When?

Saturday 30th November, 11am onwards

Cost/audience

The event is free & open to the public. Anyone who worries about the privacy and ultimately freedom of expression of their loved ones should attend.

Great lineup of speakers/presenters – check out the event schedule!

I will be doing a few workshops on mobile device privacy, encrypted Internet phone calls and using a computer without leaving any traces behind.

If you’re around on the 30th, join us for a day of practical tinkering with privacy tools!

…and here are the slide decks of the workshops I ran:

Qubes OS – a secure operating system: https://apapadop.files.wordpress.com/2013/12/qubes1.pdf

TAILS – This session never happened: https://apapadop.files.wordpress.com/2013/12/tails1.pdf

VoIP – Private voice calls: https://apapadop.files.wordpress.com/2013/12/voip1.pdf

Mobile privacy – how to keep your smartphone communications private: https://apapadop.files.wordpress.com/2013/12/mobile5.pdf

OTR – a gentle introduction to chatting Off The Record: https://apapadop.files.wordpress.com/2013/12/otr1.pdf

False claims by Avast! antivirus

It’s particularly disturbing when products that are supposed to protect you actually mislead you into a false sense of safety, hence endangering you.

Take this bold claim by the otherwise quite good free antivirus software Avast!

[Image: avast claims]

Here, Avast! directly claim that nobody can listen in on your Voice over IP (VoIP) calls (like Skype or Viber) if you use the Avast! VPN service.

This is patently false.

There is absolutely no way of stopping the government from getting the content of your VoIP calls directly from Microsoft (Skype), or Viber themselves.

All a VPN (Virtual Private Network) service can achieve is to thinly disguise your physical location when you connect to the Internet.

Advanced networking with QubesOS: VPN proxyVM

According to http://theinvisiblethings.blogspot.co.uk/2011/09/playing-with-qubes-networking-for-fun.html we can set up multiple ways for our AppVMs to reach the Internet.

AppVMs can:

  • have direct access to the Internet
  • be forced to go through a Tor proxy, tunnelling all their traffic through the Tor network
  • be forced to go through a VPN proxy, tunnelling all their traffic through the VPN.

The beauty of this setup is that once our proxyVMs are set up, we don’t need to worry about configuring the AppVMs that use the proxies against network-level data leaks.

Example: setting up a Tor proxyVM and then assigning this as the netvm of 5 different AppVMs will force all network traffic from all 5 AppVMs through the Tor network, with no configuration/awareness in the AppVMs themselves! This setup is covered quite well already in http://qubes-os.org/trac/wiki/UserDoc/TorVM

Creating the setup

Here is how to set up a “workvpn” proxyVM that lets us tunnel any “work” related AppVMs we have through work’s (in this case Cisco) VPN gateway, as shown here:

[Image: QubesOS advanced network setup]

  1. From Qubes Manager: VM -> Create AppVM
  2. Name: workvpn. Select the ProxyVM radio button and OK.
  3. In a couple of seconds your new VM is created. Go to the “K” menu and fire up a terminal in your new workvpn VM.
  4. Create the file vpn.conf with the following contents, substituting your VPN provider’s values:
    Xauth username xxxxxxxxxxxxxxxxxxx
    IPSec gateway xxxxxxxxxxxxx.xxxxxxx.xxx
    IPSec ID xxxxxxxxxxxxxxxxxx
    IPSec secret xxxxxxxxxxxxxxxxxxxx
  5. Create the file start_vpn.sh with the following contents:
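    #!/bin/bash
    # Bring up the tunnel using the settings in vpn.conf
    sudo /usr/sbin/vpnc /home/user/vpn.conf
    # Give vpnc a moment to finish before refreshing DNS forwarding
    sleep 2
    # Refresh the DNS DNAT rules that the AppVMs behind this proxyVM rely on
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns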
  6. Create the file stop_vpn.sh with the following contents:
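    #!/bin/bash
    # Tear down the tunnel started by start_vpn.sh
    sudo /usr/sbin/vpnc-disconnect
    # Give vpnc a moment to finish before refreshing DNS forwarding
    sleep 2
    # Refresh the DNS DNAT rules now that the VPN is down
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns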
  7. Make both scripts executable:
    chmod +x *.sh
  8. Now tell your work-related AppVMs to use workvpn as their network VM. To do this, right-click on the AppVMs in Qubes VM Manager and select “VM Settings”. In the “Basic” tab, ensure that “NetVM” is set to “workvpn”.
  9. You’re all set.

Using this setup

When you fire up any of your AppVMs that need to use the VPN, workvpn will automatically start. You will then need to fire up a terminal in workvpn and type

./start_vpn.sh

(Of course, after the first time you can just hit the “up” arrow and the command will be there for you.)

This will connect you to your work’s VPN and allow all AppVMs that use this as their netvm to seamlessly talk to internal work systems, while leaving the rest of your QubesOS AppVMs unaffected, reaching the Internet either directly or through Tor.
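
Added example (not part of the original post): until start_vpn.sh has been run, or if vpnc exits, workvpn still forwards AppVM traffic over its normal uplink, so the script below prints two iptables rules that make the proxyVM fail closed and checks an `iptables -S FORWARD` dump for them. The interface names eth0 (uplink) and tun0 (vpnc tunnel), the function names and the sample rule dumps are assumptions constructed for illustration.

```shell
# Added example; eth0 (uplink), tun0 (vpnc tunnel) and all function names
# are assumptions, and the rule dumps below are constructed samples.

# Print the rules that stop workvpn forwarding AppVM traffic over its uplink
# (to be run as root in workvpn before any AppVM is started).
killswitch_rules() {
    uplink="${1:-eth0}"
    printf 'iptables -I FORWARD -o %s -j DROP\n' "$uplink"
    printf 'iptables -I FORWARD -i %s -j DROP\n' "$uplink"
}

# Read `iptables -S FORWARD` on stdin. Succeed only if both uplink DROPs
# come before any ACCEPT that could still forward over the uplink.
forward_fails_closed() {
    awk -v up="${1:-eth0}" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Only an unconditional DROP (no extra match options) counts.
            if (target == "DROP" && NF == 6) {
                if (out_if == up) drop_out = 1
                if (in_if == up) drop_in = 1
            }
            # ACCEPT seen too early: a leak unless pinned away from the uplink.
            if (target == "ACCEPT" && !(drop_out && drop_in) &&
                (out_if == "" || out_if == up || in_if == up)) leak = 1
        }
        END { exit !(drop_out && drop_in && !leak) }
    '
}

# Constructed sample: a FORWARD chain without the two DROP rules.
SAMPLE_OPEN='-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP'

# Constructed sample: the same chain after the two rules were inserted.
SAMPLE_CLOSED='-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP'
```

Because `-I` inserts at the top of the chain, the two DROPs land ahead of the existing ACCEPT rules; appending them with `-A` would leave the leak in place, which is the case the checker rejects.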