What am I trying to protect? - Grassroots Radio Conference
TRANSCRIPT
• Threat modeling
• What am I trying to protect?
• Who am I trying to protect it from?
• How likely is it that I will need to protect it?
• How bad are the consequences if I fail?
• How much trouble am I willing to go through to prevent the potential consequences?
Secure communications: Voice and Chat
• End-to-End encryption
• Can verify device fingerprints
• Voice and video calls
• Two-person and group chats
• File sharing
• End-to-End encryption
• Voice and video calls
• Two-person and group chats
• File sharing
• Cross-platform
Signal Private Messenger
WhatsApp Messenger
Wire Secure Messenger
• Security
• Privacy
• Global public resource
• Transparency
• Ensure public benefit
• Community-based processes
• Accountability
• Trust
• Enrich lives of individual human beings
Tor users
• Survivors of domestic abuse
• People who want to learn about a medical condition or a controversial topic
• Law enforcement / Military
• Researchers
• Companies
• Dissidents and other people in countries with oppressive political regimes
• Political activists
• Journalists
Tor usage considerations
You can destroy your own anonymity with Tor if you use it incorrectly.
To use Tor correctly:
• Use Tor Browser Bundle or Tails
• Don't log into services like Google and Facebook
• Stick with the default settings
• Don't open downloaded documents while using Tor
• Don't use BitTorrent with Tor
Portland Privacy
• Techno-Activism 3rd Mondays (TA3M) - https://www.meetup.com/Portlands-Techno-Activism-3rd-Mondays
• PDX Privacy - https://www.pdxprivacy.org
Email. The most utilized electronic function in the world. Still. And the biggest security hole of them all.
We kinda know that email is a cluster … Spam, scams, identity theft, misforwarding, reply all, typos – the list of things that can go wrong in email is ….. countless. And yet everybody uses it. Especially those of us who are not spring chickens.
There are things we can do. Encryption. Partial encryption. Common sense. Let's start with common sense.
Common sense precautions
• Two factor authentication
• Long complex password changed every six months
• Autoset not for reply all
• Use the drafts function
• Don't ever email credit cards, SS#, bank account info and, if sensitive, street addresses
• Have an email address that is not firstname.lastname available.
Partial encryption: Higher, not highest security
• Email services from Proton Mail (Switzerland), Tutanota (Germany). Free services and paid.
• List services: RiseUp
• National Security Letters
Good points: lets you use email pretty much as you have been used to using it. Bad points: not life and death reliable.
Do you need to step it up a notch? That is where full encryption comes in.
Notes.
Encryption is a pain. It's not 100% bulletproof. The safest kind of electronic communication is no kind. Meet in person. Leave no trail. Deep Throat was right. But if you must have substantive communication with real danger, encryption provides email anonymity beyond needle in a haystack.
The principle. A public key is the alpha. A private key is the beta. When alpha meets beta, you can read a message. That's the only way. So it is all about keeping that private key secure.
Two protocols:
• PGP – Pretty Good Privacy
• GNUPG – GNU Privacy Guard
Then you need an encryption friendly email client. Usual choice is Mozilla Thunderbird with an add-on extension, which in Thunderbird is Enigmail.
Then you generate your public and private keys. Your public key is published. Your private key is as secure as you can make it.
If you expect your laptop could get captured by the government, then guess what. If you have a file on it called "my private key" – no more encryption.
So respond to your threat model and be as crafty as possible about hiding your key (NOT IN THE CLOUD) while having it accessible enough that you can cut and paste it to read emails.
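As an added illustration of the alpha/beta principle above (example code, not from the presentation or from GnuPG), here is the shape OpenPGP-style mail encryption takes: a fresh session key encrypts the message, the recipient's published public key wraps that session key, and only the matching private key can unwrap it. Textbook RSA over two constructed, deliberately tiny primes and a SHA-256 keystream stand in for the real algorithms, which is enough to show why everything rests on the private key staying private.

```python
import hashlib
import secrets
from math import gcd

# Constructed primes: a toy key size chosen so the arithmetic is easy to follow.
TOY_P, TOY_Q = 1000003, 1000033
PUBLIC_EXPONENT = 65537


def generate_keys(p=TOY_P, q=TOY_Q, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key): the 'alpha' you publish, the 'beta' you guard."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def keystream(session_key: int, length: int) -> bytes:
    """Stand-in symmetric cipher: SHA-256 over (session key, counter) as a keystream."""
    out, counter = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt(public_key, message: bytes):
    """Sender side: needs nothing but the recipient's public key."""
    n, e = public_key
    session_key = secrets.randbelow(n - 2) + 2      # fresh per message, 2 <= k < n
    wrapped_key = pow(session_key, e, n)            # only the private exponent undoes this
    body = bytes(m ^ k for m, k in zip(message, keystream(session_key, len(message))))
    return wrapped_key, body


def decrypt(private_key, wrapped_key: int, body: bytes) -> bytes:
    """Recipient side: the private key recovers the session key, then the message."""
    n, d = private_key
    session_key = pow(wrapped_key, d, n)
    return bytes(b ^ k for b, k in zip(body, keystream(session_key, len(body))))


if __name__ == "__main__":
    pub, priv = generate_keys()
    wrapped, body = encrypt(pub, b"meet at the usual place, 9pm")
    print(decrypt(priv, wrapped, body))
```

Anyone holding only the public key, or a different private key, gets garbage from the same ciphertext; that is the whole reason the private key file is the thing to hide.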
Encrypted Tip Lines
If your outlet wants to have a tip line that you can promise is safe, there are two options:
1. Signal Tip Line. Lets people download Signal and then text you with full encryption
2. SecureDrop from Freedom of the Press Foundation
Privacy and Surveillance
• Commercial Surveillance
• Law Enforcement Surveillance
• Advertising vs Safety
• Commercial surveillance feeding law enforcement
• NSL
• Metadata / AT&T Pipes
• Location Data
• Databases – ALPR/CLEAR
Regulation Principles
• Transparency
• Legislative Oversight
• Definition of Appropriate Use / Inappropriate Use
• Auditing / Reporting
• Civil Rights Impact
Surveillance Transparency Ordinances
• Focused on law enforcement uses
• Passed in Oakland, Berkeley, Davis, Seattle, Palo Alto, Santa Clara County, Nashville, Somerville and BART
• Statewide CA – twice attempted
What you can do:
• Information Gathering / Public Records
• Crypto Parties and Digital Security Workshops
• Model Good Security Practices – Be a Privacy Ambassador
• Ask questions
• Report on Privacy and Surveillance
• Look for Inappropriate Use and Lack of Transparency
Oakland Privacy – www.oaklandprivacy.org
Portland Techno-Activism Third Mondays (TA3M)
ASD Police Surveillance Project – https://www.aaronswartzday.org/police-surveillance-project/
· WhatsApp - https://www.whatsapp.com
  End-to-end encrypted chat by Facebook that uses Signal's encryption protocol.
· Wire - https://wire.com/en
  Secure messaging, file sharing, voice calls and video conferences protected with end-to-end encryption.
Encrypted email
· OpenPGP (Pretty Good Privacy) - https://www.openpgp.org
  An encryption program that provides cryptographic privacy and authentication for data communication and is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions.
· GNU Privacy Guard - https://gnupg.org
  A complete and free implementation of the OpenPGP standard, which is the non-proprietary protocol created to allow encrypting email using public key cryptography technology.
· Mozilla Thunderbird - https://www.thunderbird.net/en-US
  A free and open-source, cross-platform email client, news client, RSS and chat client developed by the Mozilla Foundation.
· Enigmail - https://www.enigmail.net
  A data encryption and decryption extension for Mozilla Thunderbird that provides OpenPGP public key e-mail encryption and signing.
· Tutanota - https://tutanota.com
  An open-source, end-to-end encrypted email software and freemium-hosted secure email service whose business model excludes earning money through advertisement, relying solely on donations and Premium subscriptions.
· ProtonMail - https://protonmail.com
  An end-to-end encrypted email service that uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers.
· Rise Up - https://riseup.net/en
  A volunteer-run collective providing secure email accounts, email lists, VPN, online chat, and other online services.
Website encryption
· Let's Encrypt - https://letsencrypt.org
  A free, automated, and open Certificate Authority that gives people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites in the most user-friendly way possible.
Password managers
· KeePassXC - https://keepassxc.org
  A free, encrypted, cross-platform, and open-source password manager.
· Bitwarden - https://bitwarden.com
  Bitwarden is…
· Dashlane - https://www.dashlane.com
  A password manager app and secure digital wallet.
Virtual Private Networks (VPNs)
· Hotspot Shield - https://www.hotspotshield.com/benefits/
  A VPN utility developed by AnchorFree, Inc. used for securing Internet connections, often in unsecured networks; was used to bypass government censorship during the Arab Spring protests in Egypt, Tunisia, and Libya.
· Express VPN - https://www.expressvpn.com/
  A virtual private network service, offered by the British Virgin Islands-based company Express VPN International Ltd., that encrypts users' web traffic and masks their IP addresses.
· IP Vanish - https://www.ipvanish.com
  A commercial VPN service, based in the United States, that provides end-to-end network encryption and masks its user's true IP address.
Proxy servers
· Startpage - https://www.startpage.com
  A search engine that allows you to do private Google searches and view resulting pages via a web proxy.
· Privoxy - https://www.privoxy.org
  A non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads.
Anti-tracking software
· HTTPS Everywhere - https://www.eff.org/https-everywhere
  A browser extension for Firefox, Chrome, and Opera that automatically encrypts websites, using a more secure HTTPS connection instead of HTTP, if they support it.
· Privacy Badger - https://www.eff.org/privacybadger
  A browser extension for Firefox, Chrome, and Opera that blocks spying ads and invisible trackers.
· Ghostery - https://www.ghostery.com
  A privacy and security-related browser extension and mobile browser application that enables its users to easily detect and control JavaScript "tags" and "trackers".
Location Data
· OpenStreetMap - https://www.openstreetmap.org/
  An open source and more private alternative to Google Maps.
Team collaboration tools
· Semaphor - https://spideroak.com/semaphor
  A secure team collaboration solution, using private blockchain encryption, for group messaging and file sharing without the risks of email or off-the-shelf tools.
· Rocket.Chat - https://rocket.chat
  A free, open source, enterprise team chat software for desktop and mobile use.
· Riot - https://riot.im
  An open source chat tool that offers voice and video conferencing and is available for desktop and mobile use; you can host your own server for complete control or use theirs. End-to-end encryption is currently in beta.
· Mattermost - https://www.mattermost.org
  An open source, self-hosted alternative to proprietary SaaS (Software as a Service) messaging systems.
Secure document sharing
· SecureDrop - https://securedrop.org
  An open-source software platform for secure communication between journalists and sources.
Operating systems
· Tails - https://tails.boum.org
  A live operating system that you can start on almost any computer from a USB stick or a DVD and which aims to preserve your privacy and anonymity.
· Qubes OS - https://www.qubes-os.org
  A security-oriented operating system (OS) that aims to provide security through isolation using virtualization.
Cloud storage
· NextCloud - https://nextcloud.com/about
  A suite of client-server software for creating and using file hosting services, similar to Dropbox, but free and open-source, allowing anyone to install and operate it on a private server.
· Spider Oak - https://spideroak.com
  A US-based collaboration tool, online backup and file hosting service that allows users to access, synchronize and share data using a cloud-based server.
· Tresorit - https://tresorit.com
  An online, end-to-end encrypted cloud storage for businesses, where files are encrypted before being uploaded to the cloud.
· OwnCloud - https://owncloud.org/
  A suite of client-server software for creating and using file hosting services, similar to Dropbox, but the Server Edition of ownCloud is free and open-source, and thereby allows anyone to install and operate it without charge on a private server.
Two-factor authentication
· YubiKey - https://www.yubico.com
  A hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocols, allowing users to securely log into their accounts by emitting one-time passwords or using a public/private key pair generated by the device.
USB security
· USG - https://github.com/robertfisk/USG/wiki
  USG is a firewall for your USB ports, isolating bad USB devices from your computer, while still passing through the data you need.
· Aegis Secure Key - https://www.apricorn.com/flash-keys
  An encrypted storage device that provides a secure way to store and transfer data.
Privacy organizations
· Electronic Frontier Foundation (EFF) - https://www.eff.org
  A leading nonprofit organization defending civil liberties in the digital world, based in San Francisco, CA.
· Electronic Privacy Information Center (EPIC) - https://www.epic.org
  EPIC is a public interest research center in Washington, DC focusing on emerging privacy and civil liberties issues and protecting privacy, freedom of expression, and democratic values in the information age.
· Privacy International - https://privacyinternational.org
  A registered charity based in London that works at the intersection of modern technologies and rights.
· American Civil Liberties Union (ACLU) - https://www.aclu.org/
  A nonprofit organization whose stated mission is "to defend and preserve the individual rights and liberties guaranteed to every person in this country by the Constitution and laws of the United States."
Threat modeling and security scenarios
· Seattle Privacy Coalition threat modeling guide - https://seattleprivacy.org/introducing-threat-modeling-for-seattlites
  A guide on how to think about privacy more holistically and to assess what threats exist.
· EFF Security Scenarios - https://ssd.eff.org/module-categories/security-scenarios
  Sample risk scenarios to help analyze possible risks and threats to our data.
Educational resources
· Defend our Movements - https://defendourmovements.org
  A web-based clearinghouse of the most up-to-date and useful information about protecting your devices and data—whether on the Internet, through cell phone communications, or in your home or office.
· Surveillance Self Defense - https://ssd.eff.org
  An expert guide with Tips, Tools and How-tos for Safer Online Communications to help protect you and your friends from online spying.
· Tactical Technology Collective - https://www.tacticaltech.org
  A Berlin-based non-profit organization working at the intersection of technology, human rights and civil liberties.
· PEN America's Online Harassment Field Manual - https://pen.org/research-resources/online-harassment-field-manual
  A guide that equips and empowers writers, journalists, and all those active online with practical tools and tactics to defend against online hate and harassment.
· A First Look at Digital Security - https://www.accessnow.org/cms/assets/uploads/2018/03/A-first-look-at-digital-security-digital-copy.pdf
  This booklet provides a friendly and personable first look at digital security for people at risk — activists, journalists, human rights defenders, and people in marginalized communities.
Your Presenters
· Oakland Privacy https://www.oaklandprivacy.org
Oakland Privacy is a citizen's coalition that works regionally to defend the right to privacy and enhance public transparency and oversight regarding the use of surveillance techniques and equipment. As experts on municipal privacy reform, we have written use policies and impact reports for a variety of surveillance technologies, conducted research and investigations, and developed frameworks for the implementation of equipment with respect for civil rights, privacy protections and community control.
· Portland Techno-Activism https://www.meetup.com/Portlands-Techno-Activism-3rd-Mondays/
Portland's TA3M connects software creators and activists who are interested in censorship, surveillance, and open technology.
· Media Alliance https://www.media-alliance.org
Media Alliance is a Northern California democratic communications advocate. MA was founded with the belief that in order to ensure the free and unfettered flow of information and ideas necessary to maintain a truly democratic society, media must be accessible, accountable, decentralized, representative of society’s diversity and free from covert or overt government control and corporate dominance.