wiki:doc/SponsorOModules

Sponsor O Curriculum Modules

The content below was authored in August 2014, during the week of the 11th. Modules 1 & 4 were written by K. Misata, and 2 & 3 were written by C. Childs. This content will not be used to replace any current existing documentation, but rather to create slides / content for the Sponsor O training curriculum.

We agreed on the modules below as they are some of the most frequently asked questions / frequently taught applications (Tor Browser, Tails, etc..).

Below, you will find the content for the Sponsor O train-the-trainer curriculum.

Module 1: Introduction to Tor

TIME: estimated time to teach = 60 minutes with 20 minutes Q&A for live lectures.

TECH REQUIREMENTS: none - this is an introductory lecture.

GOAL: This module will cover how The Tor Project came into existence, its mission, an overview of the community, and will introduce Tor's ecosystem.

OBJECTIVES: Upon on completion of this module participants will understand the following concepts 1) History of The Tor Project 2) Tor's Mission and Community Structure 3) What is Anonymity Anyway? 4) The Tor Ecosystem of Technologies and How They Work

LECTURE NOTES

The following are lecture notes designed to help guide the presenter through the module. These notes will also lay the foundation for the script for the online learning modules. Last, each section will have areas in BOLD, these key points will be the basis for the slides. Suggestions on images for slides are also included and indicated by [IMAGE: X]

History of The Tor Project

  • Original Onion Routing Technology

In 2002, Tor's founders Roger Dingledine and Nick Matthewson were students at MIT when they were introduced to Paul Syverson of the Naval Research Labs. The three worked together on the design, implementation, and deployment of the third-generation onion routing project of the U.S. Naval Research Laboratory. The primary purpose of onion routing was to protect government communications. Today, it is used every day for a wide variety of purposes by everyday people, the military, journalists, law enforcement officers, activists, and many others.

  • Community Formed;
  • Global Need Developed;
  • Fueled by over 6000 volunteers donating bandwidth;
  • Open Source technology that relies on the work and research of the larger Tor community to keep it viable.

Three Points to Remember - this may be used as a quiz:

  • Tor is not an acronym - through the technology is based on the onion router, The Tor Project is not an acronym for The Onion Router. This is often misrepresented in the media. Tor is our name with the first letter only being capitalized.
  • Tor's Technology is Free - as mentioned above The Tor Project is an open source project and the software is available to all.
  • Tor's Network is Run by Volunteers

What is Onion Routing Technology?

The Onion Routing program is made up of projects researching, designing, building, and analyzing anonymous communications systems. The focus is on practical systems for low-latency Internet-based connections that resist traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routing servers themselves). Onion Routing prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the onion routing network.

Tor's Mission

Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. We build innovative, sustainable technology solutions to help people take control of their lives and be free. Keeping the doors to freedom of expression open is what Tor does best.

Community [IMAGE: Crowd]

Who uses Tor:

  • Researchers
  • Military
  • Law Enforcement
  • Activists
  • Journalists
  • Everyday people...

Who is The Tor Project?

Many people often think we are either an enormous organization with offices all over the world or a small group of hackers sitting in a basement somewhere coding. Actually, we have a very diverse team.

  • Technology Experts - our team and community is comprised of the most talented experts in technology and digital security.
  • Advocates - Additionally we have countless supporters and advocates around the globe who help us not only with our technology but in getting the word out to people.
  • Researchers - we would not be where we are today without our extensive research community committed to staying ahead of the threat curve and ensuring Tor's technology stays cutting-edge.
  • Employees, Contractors - Currently we have 9 full-time employees, approximately 30 contract employees,
  • VOLUNTEERS! - and over 6,000 volunteers who contribute to our technology and our research.
  • Real People - our organization and our extended community is made up of regular people in over 90 countries around the world.

How Tor Makes a Difference

  • Protecting Online Privacy for All
  • Partnering with Academics and Research Institutions
  • Working with Policy Makers
  • Protecting Journalists, Advocates and General Internet Users
  • Defeating Censorship
  • Fighting Domestic Violence

Commonly Asked Questions

  • How Safe is Tor?
  • What do you do about the bad actors who use Tor?
  • How do you respond to events in the news about Tor?
  • Who are the relay operators?

What does anonymity really mean?

This is a difficult question and one we suspect will be on many people's minds for a long time to come. However we can begin to look at it in these ways.

Is it just wishful thinking?:

  • “You can’t prove it to me!”
  • “Promise you won’t look.”
  • “Promise you won’t remember.”
  • “Promise you won’t tell.”
  • “Isn’t the Internet already anonymous?”

Often people want answers to what anonymity means including:

  • Prove it.... it’s a strong word with lots of meanings - statistical analysis allow suspicion to become certainty.
  • Promise you won’t tell/look/remember... does everyone have the same incentives, abilities and integrity?
  • The Internet is already anonymous... think we all know the answer to this today.
  • I'm not doing anything wrong so why should I be anonymous... people often feel that if they aren't doing anything bad or secret then why should they use tools like Tor. Well, we like to remind people that both benign and malicious actors can be looking and collecting information about you and though that may seem OK today, we don't have the crystal ball to the future telling us how that information may be used accurate or in a skewed manner against us.

But how do we make sense of all of this? Try and think of anonymity this way...

  • Anonymity Loves Company - hiding in the crowd of other people
  • Look like the rest of the crowd - if we all look the same we will all be protected.
  • Hides who is communicating with whom - if you want to have a truly private conversation with someone using tools to achieve that is necessary in today's digital environment.
  • Inputs, outputs and in-between - it's important to remember we can just look at protecting what is being sent or who it's going to. Lots of sophisticated eavesdroppers look at the traffic flows before they reach their destination.
  • Use Tor...

In the end, though, good information security is rarely about fending off sophisticated cyber attacks and Hollywood-style hackers. It’s about understanding the motives and capabilities of those who might want to attack you, and developing consistent habits based on those assessments.

Module 2: The Tor Browser

TIME: Estimated - 60 minutes, with 15 minutes of Q&A.

TECH REQUIREMENTS: Laptop running a current version of Linux, Windows or OSX (if hands-on). Must be x86-based.

GOAL: For all participants to feel comfortable installing, verifying and running the Tor Browser. Also, all participants should feel comfortable with retrieving and using both custom and built-in bridges.

How the TBB protects your privacy

The Tor Browser is based on Mozilla's Extended Support Release (ESR) Firefox branch. We have a series of patches against this browser to enhance privacy and security. Browser behavior is additionally augmented through the Torbutton extension, though we are in the process of moving this functionality into direct Firefox patches. We also change a number of Firefox preferences from their defaults.

Downloading the TBB

Verifying the TBB

Why?

How do you know that the Tor program you have is really the one we made? Many Tor users have very real adversaries who might try to give them a fake version of Tor — and it doesn't matter how secure and anonymous Tor is if you're not running the real Tor.

What?

Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are GPG signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. For example, tor-browser-2.3.25-13_en-US.exe is accompanied by tor-browser-2.3.25-13_en-US.exe.asc.

How?

Windows: http://gpg4win.org/download.html

Once gpg4win is installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe. Unless you edit your PATH environment variable, you will need to tell Windows the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be something like this:

C:\Program Files\Gnu\GnuPg\gpg.exe.

Erinn Clark signs the Tor Browser Bundles. Import her key (0x416F061063FEE659) by starting cmd.exe and typing:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659

After importing the key, you can verify that the fingerprint is correct:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659

You should see:

    pub   2048R/63FEE659 2003-10-16
          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
    uid                  Erinn Clark <erinn@torproject.org>
    uid                  Erinn Clark <erinn@debian.org>
    uid                  Erinn Clark <erinn@double-helix.org>
    sub   2048R/EB399FD7 2003-10-16

To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\tor-browser-3.6.3_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-3.6.3_en-US.exe

The output should say "Good signature":

gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
    gpg:                 aka "Erinn Clark <erinn@debian.org>"
    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659 

Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

OS X: https://gpgtools.org/

Once gpgtools is installed, use GnuPG to import the key that signed your package. Erinn Clark signs the Tor Browser Bundles. Import her key (0x416F061063FEE659) by starting the terminal (under "Applications") and typing:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659

After importing the key, you can verify that the fingerprint is correct:

gpg --fingerprint 0x416F061063FEE659

To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:

gpg --verify /Users/Alice/TorBrowser-3.6.3-osx-i386-en-US.zip{.asc,}

The output should say "Good signature":

gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
    gpg:                 aka "Erinn Clark <erinn@debian.org>"
    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

Linux: Most Linux distributions come with gpg preinstalled, so users who want to verify the Tor Browser for Linux (or the source tarball) can just follow along with the instructions above for "Mac OS X".

Successfully use the TBB

Windows

  1. Visit https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest stable Tor Browser for "Microsoft Windows"
  3. Download the associated signature ('(sig)' link)
  4. Follow the signature verification steps in 'Verifying the TBB'.

Linux

  1. Visit https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest stable Tor Browser for "Linux"
  3. Download the associated signature ('(sig)' link)
  4. Follow the signature verification steps in 'Verifying the TBB'.

OSX

  1. Visit https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest stable Tor Browser for "Mac OS X"
  3. Download the associated signature ('(sig)' link)
  4. Follow the signature verification steps in 'Verifying the TBB'.

Successfully acquire / use bridges with the TBB

How to use built-in bridges

When to use

  • If you cannot reach the Tor network

When you launch the bundle, select the option to configure additional settings, and navigate to the bridge page. Once you reach the bridge page, you should see a drop-down menu that contains "obfs3", "fte", and "FlashProxy".

Custom Bridges

When to use

  • If you cannot reach the Tor network
  • If using Tor is dangerous in your region

How to acquire

How to use custom bridges

When you launch the bundle, try selecting the option to configure additional settings, and navigate to the bridge page. Once you reach the bridge page, you should see a text box; this is where you enter the bridges you have retrieved using one of the previous methods.

Support

Still need help?

If you have any questions, trouble connecting to Tor network, or need to talk to a human, please contact our support team at:

  • help@… for English
  • help-ar@… for Arabic
  • help-es@… for Spanish
  • help-fa@… for Farsi
  • help-fr@… for French
  • help-zh@… for Mandarin

Module 3: Tails

Module 3: Downloading and running Tails

Time: ?? (this is going to be a long one, I would need to test-drive this before having any idea how long it will take with a group)

TECH REQUIREMENTS: Laptop running a current version of Linux, Windows or OSX (if hands-on). Must be x86-based.

Goal: For everyone to feel comfortable downloading, verifying and burning/"installing" Tails. Also, all users should feel comfortable with the process for using bridges within Tails.

How to download / verify Tails

First, visit https://tails.boum.org/download/index.en.html#first_time and read through this page. It is extremely helpful for new Tails users, and is important that they read / understand it. (Possibly pull content from this page for slides, it is very well done)

How to successfully boot Tails

Burning:

The Tails documentation recommends following Ubuntu's guide at https://help.ubuntu.com/community/BurningIsoHowto, it covers all major platforms and has images to help guide users.

Booting:

This process will be different per-machine, due to differences in bios utilities. In general, follow the steps below:

Selecting "boot" menu:

  1. Reboot your machine with the Tails disk in the tray.
  2. Some machines have a "boot menu" that can be accessed during start up, which allows you to modify which device you want to boot from without changing the boot order permanently. If your machine supports this, you should see a message saying "Press F12(or some other key) for boot menu", or a similar message.
  3. Press the key for the boot menu, and select your CD/DVD tray.
  4. Tails should now boot.

OR

Changing boot order:

  1. Reboot your computer with the CD/DVD in the tray.
  2. When your machine turns back on, there will likely be something that reads "Press F12(or some other key) to enter setup", or a similar message. Press this key.
  3. Once your bios setup comes up (this should be pretty obvious, usually says 'bios' in some form at the top), look through the menus for 'boot order'.
  4. Change the boot order to have your CD/DVD tray first, so your computer will boot from Tails instead of your HDD.
  5. Save and exit.
  6. Tails should now boot.

How to successfully acquire / use bridges in Tails

Module 4: Tips and Tricks to Improve Digital Safety

TIME: estimated time to teach = 60 minutes with 30 minutes Q&A for live lectures.

TECH REQUIREMENTS: none - this is not a hands-on lecture.

GOAL: This module is intended to be the final in the series and touches on topics spanning beyond Tor in order to provide participants with a broader understanding of digital safety and where the knowledge they acquired from the first 4 modules fit in.

OBJECTIVES: Upon on completion of this module participants will understand the following concepts

  1. Additional technologies which can improve digital safety - including OTR, Orbot
  2. Changes in behavior to increase digital safety or put someone at risk
  3. Understanding more key terms including encryption, PGP, OTR, etc.
  4. Recommendations on where to go next for more information.

LECTURE NOTES

The following are lecture notes designed to help guide the presenter through the module. These notes will also lay the foundation for the script for the online learning modules. Last, each section will have areas in BOLD, these key points will be the basis for the slides. Suggestions on images for slides are also included and indicated by [IMAGE: X]

In this final module of our introductory series we will discuss other key technologies, behaviors, and familiarize you with terminologies to help you raise your digital safety even higher. We encourage you to contact some of the resources mentioned in this module for further instructions and insights. This module is intended to be the final in the series and touches on topics spanning beyond Tor in order to provide participants with a broader understanding of digital safety and where the knowledge they acquired from the first 4 modules fit in.

Humans in the System

When we are discussing digital security, it is important to remember that there are humans in the system and by design we are all flawed.

What are we putting out in the wild?

First, before even thinking about technology solutions being more aware of what you put out there into the wild is important. Though you may not be doing anything nefarious, someone may still be watching and waiting. Sharing all parts of our personal and professional lives on social media and the Internet is becoming so common place that people are almost unconscious. Many strongly believe that what they put on Facebook can only be seen by certain people and that by putting inappropriate content on the Internet with the intention of being "funny" may not be in the long run.

What technologies are you using?

Do your own inventory and look at what technologies you are using and how. This should offer a glimpse of where security / privacy awareness should or can be increased.

  • Emails
  • Instant Messaging
  • Phones
  • Internet Browsing?

When we are talking about communication and in today's world it isn’t just a single bucket - the lines are constantly being blurred. Consider communications with sources, conducting research, personal contacts, and professional activities - how are they all connected, where do overlaps exist which may create risk, what devices are being used?

No such thing as 100% security

Though there are many products out there that offer the "best" security or "100%" security it's critical to remember that nothing can be completely secure. For all the reasons discussed above - when there are humans in the system there will always be flaws either in design or in use. Also, human beings are unpredictable and many people spend a lot of energy focusing on the bad actors in the world. Our recommendation is to educate yourself on where you are vulnerable and adopt either technologies or changes in behavior to offset those risks.

Top 5 things to remember

  • Anonymity Loves Company

Over a 1/2 million people every day use Tor and other anonymity tools. Are some of those people malicious? Probably, but the majority are not. We are working to help ensure that anonymity no longer is a dirty word implying that someone is doing something nefarious.

  • Technology is Constantly Evolving

The threats are changing as well. The ease of entry with a high degree of impact is increasing, but you don't have to have a PhD in computer science to stay safe. Keep an eye out for updates related to the security systems you are using. We post all of our security updates and improvements on our blog. It's also a great place to learn more about our community.

  • Stay Balanced

Stay balanced between being aware and being afraid is important to keeping your sanity. Are there bad actors our there - ABSOLUTELY! Can we stop or protect ourselves from all of them? Probably not. But we can reduce our risk by increasing our awareness of the threats to our digital lives and arm ourselves with tools like Tor to be better protected.

  • Know where your data is...

Know where you are online and be cautious with how much information you give out there to the world. Though not every one eavesdropping is looking to harm you - we still should not leave our privacy and confidentiality in the hands of others.

  • Use Tor
Last modified 3 years ago Last modified on Sep 25, 2014, 9:20:44 PM