From CryptoParty
Jump to: navigation, search


= ceasing operations soon

"PrivacyBox reached end of life status

PrivacyBox service was launched in 2008 by German Privacy Foundation e.V. (GPF) and gathered many users since then. Now the software is both conceptually and technically outdated.

At the moment GPF has no plans for developing a new version. There is no fixed date yet when we will close the PrivacyBox service, but we will inform you in good time in advance."

You may want to periodically check their site so when they pull it you can pull the reference at and any other pages here.

Kangarooanus (talk) 23:15, 27 April 2013 (MIST)

.------------> | Recommends: .------------>

HUGE Security Resource+ - version 6000 - 08/31/2012 -

Several Paged HTML Article: - Network Forensics Evasion: How to Exit the Matrix (Google for it, some of the info is dated, but its well rounded)

Tor OPSEC: - -

Guide(s): "The Gentleperson's Guide To Forum Spies" (Forum OPSEC) -

Article: "Nobody Seems To Notice and Nobody Seems To Care – Government & Stealth Malware" -

.------------> |Suggestions: .------------>

Remove Hushmail as an option, because....

Schneier on Security: Hushmail Turns Data Over to Government

HackBB? http://clsvtzwzdgzkjda7.onion

Rawlobster (talk) 12:09, 8 October 2012 (MIST)

Article mentions a court order and a 2007 Java vuln; any more recent info? - Papers (talk) 08:17, 5 December 2012 (MIST)

Please keep only tools & resources on this page. I have removed the Farces section because it is unsubstantiated and off-topic, even though I appreciate the sentiment, it is unnecessary to the task(s) at hand.

I removed "infosec resources" it contained links to 'softpedia' which is a BAD IDEA... binaries? From an untrusted 3rd party? Without open source? Also generic links to github are not useful for addressing the security of stuff.

OWASP. I'm not against linking to OWASP, but I think perhaps contextualise the links, a general link to 'OWASP' is not great, perhaps reference material held there, or put it under 'Organisations'.

Removed the discussion of Operating Systems in the context of disk encryption etc, we don't want to give the idea that Linux itself has some sort of 'magic' security thing about it. Tails is there because it is spercifically designed for users in really desperate situations in a way that, Pirate Linux is not. I don't mean to say anything bad about Pirate Linux, but I don't think it is trying to claim it is of the order of security of something like Tails etc.

Sorry, but I removed a large section discussing PTPP and VPNs. Sorry, VPNs are not 'anonymous': your VPN provider knows who you are... you are essentially trusting them to be a benevolent MITM'er. PTPP has MANY bugs that have been publicly identified. And recommending proprietary software from Microsoft that is not open source is a bad idea for security, since if there is a bug, it's really really hard to see, change and patch. - djon3s Supporting evidence "Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over." - Bruce Schneier (1998), also, just check Wikipedia for PTPP

Virtual Private Networking section needs to be re-instated

There has to be a section on VPNs - they do use encryption

Even Tor does *not* offer full anonymity in all circumstances.

Commercial VPNs are sometimes available where Tor is blocked e.g. in China

As the first hop to a more secure or more anonymous computer at a different location, VPNs can be are a perfectly valid tool, under many threat models.

VPNs are essential if you are going to use WiFi in a public place

VPNs are definitely valuable technology, both the VPN and the Virtual Private Network sections are referring to the same thing and both seem to confuse encryption and a vague idea of 'privacy' which seems to really be referring to anonymity (which isn't the same as privacy).

Moxie Marlinspike has recently demonstrated serious weakness in MS-CHAPv2 which underpins the authentication of PPTP which is a very widespread system used for VPNs [1]

The value of VPNs is very specific in providing encrypted communications between remote end points. This may not have obvious application in personal data security or web browsing anonymity but does in many other instances (remote access to LAN resources from public networks, connecting private LANs or other resources across the Internet).

Dananimal (talk) 22:37, 6 September 2012 (MIST)

Made a considerable edit to the VPN section to remove the confusion over VPN use and focus on describing what VPNs are and how they are used.

The big red problems with MS PPTP remain

Dananimal (talk) 23:14, 6 September 2012 (MIST)


I guess we should just make the sort of threat models absolutely clear.

The concept of a threat model itself needs to be examined and explained.

Dananimal (talk) 23:19, 6 September 2012 (MIST)

This entire page requires extensive review

Read the section I inserted about the dangers of cryptography. This page is a fine example of the type of information that is not useful to a newbie and highly inaccurate. It has to be extensively newbified and factual errors must be corrected. Arikb (talk)

Table of Contents / Intro page

I divied up the page, how does this look? User:Bobhoward/Resources Hopefully people can focus on sections at a time instead of an entire, confusing page.
Bobhoward (talk) 04:46, 7 September 2012 (MIST)

AES - suggest removing the non-AES specific paragraphs

I propose removing these two paragraphs from the current edit of the AES section some of which belongs perhaps in the Public Key section.

Symmetric ciphers such as AES are useful because they are fast, reliable and nonspecific. A file encrypted via AES can be shared widely and decrypted by everyone with the same key. This is in stark contrast to public-key encryption methods, where encryption is targeted to the owner of a private key only. A real-world example of this approach is the distribution by Wikileaks of an "insurance" file, which appears to be AES encrypted. The distribution of this file means that Wikileaks have leverage over more powerful enemies, as they can release a small key to unlock a large, and presumably high-impact, file.

Is is normal for public-key (asymmetric) and symmetric cipher methods to be combined to take advantage of the strengths of both. In the popular PGP encryption format, a message or file is encrypted first with a symmetric cipher (usually AES), and the AES encryption key is then encrypted with the recipients' public keys. The encrypted AES key for each recipient is then attached to the message and the entire block can be sent. Because AES is faster at encrypting and decrypting large files or bodies of text, this saves considerable time and bandwidth compared to encrypting entire messages with public keys and distributing a different copy of the message to each recipient. For recipients, only the AES key needs to be decrypted with the private key, saving time, and the rest can be decrypted with AES; a faster cipher.

Wikileaks provides several examples of good practice in the use of cryptography and anonymity techniques but they have also made some appalling, unprofessional blunders.

Since the Wikileaks "insurance" file (about 1.4 GB), has not actually been decrypted in public (the accidental / incompetent release of the Cablegate "crown jewels" is a different file) and since it was distributed firstly via USB pen drives and then through peer to peer file sharing, Wikileaks could have used any other symmetric cipher algorithm, not just AES.

They could even have used a theoretically unbreakable One Time Pad to protect their "insurance file". The fact that the encryption/decryption key would have been the same size (1.4 GB) as the ciphertext would not have been a problem in this situation. although it is impractical for say, email or web browsing etc.

The mud puddle test?

Not sure if to put this under basics or somewhere else. But it's a simple metaphor that people generally get.


Wanted to introduce

Our project might be of interest for you here. is a webbased, end to end encrypted messaging tool.

Its still in development state, but you can already start a private shared key based (group)chat and register to receive pm's to your inbox.

We would love feedback of all sort, give a visit. it's completely not commercial...developed by my friend andrew who is master of informatic and does the programming and me doing the frontend.

Its thought to be an quick and easy way to have private conversations. Thanks for reading, <


I'm seeing a lot of random links scattered throughout the article, with no connection to cryptography or security at all, like a link to the definition of a job offer. I'm going to go ahead and delete those. Saicotic (talk) 16:05, 10 March 2013 (MIST)

Personal tools

../images/crypto2.png);" href="/wiki/CryptoParty" title="Visit the main page">