Goal

Understand what a complete capstone looks like through a detailed example, review the required deliverables, and complete your cypherpunk journey.

Prerequisites: Week 12b (Planning & Integration)

This is Part 3 of 3 - Covers example, deliverables, and course completion.

1. Deliverables and Evaluation

Required Deliverables

1. System Documentation (Markdown format)

Must include:

  • Architecture diagram
  • Threat model (assets, adversaries, threats)
  • Tool choices and justifications
  • Setup procedures (reproducible)
  • Recovery procedures (tested)
  • Maintenance schedule

2. Working Implementation

Demonstrate:

  • At least 5 skills from different weeks integrated
  • System actually running and tested
  • Security controls verified and working
  • No critical vulnerabilities (Lynis scan, review logs)

3. Testing Report

Document:

  • Tests performed (minimum 3 threat scenarios)
  • Results and findings
  • Issues discovered and fixed
  • Remaining known limitations

4. Reflection Essay (500-1000 words)

Answer:

  • What was hardest to integrate?
  • What trade-offs did you make and why?
  • What would you do differently next time?
  • How does this compare to your pre-course setup?
  • What’s your plan for ongoing maintenance?

Self-Evaluation Rubric

Excellent (90-100%):

  • Integrates 7+ skills from different weeks
  • Thorough threat model with realistic adversaries
  • All deliverables complete and well-documented
  • System tested against multiple threat scenarios
  • Thoughtful reflection on trade-offs

Good (75-89%):

  • Integrates 5-6 skills from different weeks
  • Clear threat model with identified adversaries
  • All deliverables complete
  • System tested against 2-3 scenarios
  • Documented security decisions

Adequate (60-74%):

  • Integrates 3-4 skills
  • Basic threat model
  • Most deliverables complete
  • Some testing performed

2. Example Capstone: Journalist Source Protection

This is a complete walkthrough of Path A to show what “done” looks like.

Threat Model

Assets:

  1. Source identities (CRITICAL)
  2. Leaked documents (HIGH)
  3. Communication metadata (HIGH)
  4. Draft articles (MEDIUM)

Adversaries:

  1. State intelligence (NSA-level capabilities)
  2. Law enforcement with legal compulsion
  3. Corporate adversaries

Realistic Threats:

  1. Device seizure at border or raid
  2. Network traffic analysis
  3. Malware in emailed documents
  4. Coercion to reveal sources

Mitigations:

  • Full disk encryption (defense against seizure)
  • Tor for all communication (defense against traffic analysis)
  • Firejail for document analysis (defense against malware)
  • Airgap for source list (defense against both remote and coercion)

Architecture

┌─────────────────────────────────────────────────────┐
│ ANALYSIS LAPTOP (Hardened, Portable)               │
│ ┌────────────┐  ┌──────────────┐  ┌─────────────┐│
│ │ Tor Browser│  │ OnionShare   │  │ Thunderbird ││
│ │ (anonymity)│  │ (drop system)│  │ (GPG email) ││
│ └────────────┘  └──────────────┘  └─────────────┘│
│ ┌────────────────────────────────────────────────┐│
│ │ Firejail Sandbox (PDF/Document Analysis)       ││
│ └────────────────────────────────────────────────┘│
│ ┌────────────────────────────────────────────────┐│
│ │ Encrypted Storage (gocryptfs)                  ││
│ │  ├─ Leaked Documents (GPG encrypted)           ││
│ │  ├─ Draft Articles                             ││
│ │  └─ Public GPG Key Only                        ││
│ └────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────┘
                         ↕ (QR codes only)
┌─────────────────────────────────────────────────────┐
│ AIRGAP DEVICE (Never networked)                    │
│ ┌────────────────────────────────────────────────┐│
│ │ Source Contact List (encrypted text file)      ││
│ │  - Real names, Signal numbers, XMPP addresses  ││
│ │  - Never in digital form on networked device   ││
│ └────────────────────────────────────────────────┘│
│ ┌────────────────────────────────────────────────┐│
│ │ Master GPG Private Key (for decrypting docs)   ││
│ └────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────┘
                         ↕ (Physical transfer)
┌─────────────────────────────────────────────────────┐
│ ENCRYPTED BACKUP (Off-site)                        │
│  - Weekly encrypted snapshots                       │
│  - No source list (only on airgap)                  │
└─────────────────────────────────────────────────────┘

Implementation Steps

Step 1: Harden analysis laptop (Week 11)

sudo apt install lynis
sudo lynis audit system
# Fix issues, apply kernel hardening

Step 2: Set up encrypted storage (Week 4)

sudo apt install gocryptfs
gocryptfs -init ~/SecureFiles.encrypted
gocryptfs ~/SecureFiles.encrypted ~/SecureFiles

Step 3: Configure GPG (Week 3)

# Generate keypair on airgap device
gpg --full-generate-key
# Import public key only on analysis laptop

Step 4: Set up Tor and OnionShare (Week 7)

sudo apt install onionshare
onionshare --receive  # Share .onion with sources

Step 5: Sandbox PDF analysis (Week 11)

sudo apt install firejail
firejail --net=none --private evince suspicious.pdf

Step 6: Build airgap device (Week 9)

# Old laptop with Wi-Fi removed
# Encrypt source list with GPG symmetric
gpg --symmetric --cipher-algo AES256 sources.txt
shred -u sources.txt

Testing Results

Test 1: Device seizure

  • Analysis laptop shut down → all data encrypted
  • No plaintext source names found
  • Source list only exists on airgap (not seized)

Test 2: Malicious PDF

  • Opened in Firejail sandbox
  • Could not access ~/.ssh or ~/.gnupg
  • Could not establish network connection

Test 3: Recovery from backup

  • Restored encrypted files from backup
  • Could decrypt with GPG key from airgap
  • Source list maintained separately (by design)

Reflection (abbreviated)

What was hardest: Integrating Firejail with GPG was tricky—solved by whitelisting GPG agent socket in custom profile.

Trade-offs: Chose convenience of gocryptfs over Tomb for faster daily workflow.

Ongoing maintenance: Monthly Lynis audit, weekly encrypted backups.

3. Final Checklist

Before You Begin

  • Completed Weeks 1-11
  • Chosen a project path (A, B, C, D, or E)
  • Set aside 8-15 hours for implementation

During Implementation

  • Document as you go
  • Test incrementally
  • Save all configs to encrypted git repo

Before Calling It “Done”

  • All required deliverables completed
  • System tested against threat scenarios
  • Security audit passed
  • Documentation complete and usable
  • Recovery procedures tested
  • Reflection essay written

Final Steps

  • Journal entry reflecting on entire course
  • Signed git commit with capstone documentation

4. Beyond the Capstone

You’ve Completed Cypherpunk School 101!

You now have:

  • Solid foundation in applied cryptography
  • Practical experience with privacy tools
  • Working secure environment tailored to your needs
  • Ability to threat model and design security systems
  • Skills to continue learning independently

Next Steps

1. Maintain Your System

  • Set calendar reminders for maintenance tasks
  • Keep threat model updated as life changes
  • Iterate and improve based on real usage

2. Explore Advanced Modules

  • Post-Quantum Cryptography
  • Shamir Secret Sharing
  • Zero-Knowledge Proofs
  • Self-Sovereign Identity
  • Metadata-Resistant Messaging

3. Join the Community

  • Share your capstone (redacted!) for feedback
  • Help others on their cypherpunk journey
  • Contribute to open source privacy tools

4. Keep Learning

  • Follow security researchers and tools
  • Practice CTF challenges
  • Read papers on new cryptographic primitives
  • Stay updated on adversary capabilities

Journal & Git Commit

echo "Week 12: Completed capstone project integrating skills from Weeks 1-11. Built [your project description]. Documented threat model, architecture, setup procedures, and recovery plan." >> notes/week12_journal.md

git add .
git commit -S -m "Week 12 - Capstone project complete"

Additional Resources

Capstone Project Inspiration:

  • r/privacy, r/privacytoolsIO - Community projects
  • EFF Surveillance Self-Defense - Real-world guides
  • Micah Lee’s articles on The Intercept - Journalist security
  • Glacier Protocol - Bitcoin cold storage (advanced example)

Integration Guides:

  • Tails documentation - See how they integrate tools
  • Qubes OS docs - Compartmentalization examples
  • Whonix wiki - Tor integration patterns

Key Takeaways

  • Capstone = Integration - Combine 5+ weeks into one working system
  • Document everything - Architecture, threat model, setup, recovery
  • Test against your threats - Simulate realistic attack scenarios
  • Trade-offs are learning - Document why you chose X over Y
  • Security is ongoing - Maintenance schedule is part of the project
  • This is the beginning - Continue learning, building, contributing