Data Privacy for Activists
Introductions
Around the Room
◎ Name for Today
◎ Preferred Pronouns (e.g. they, them, their)
◎ What brought you here? What do you want from this workshop?
Hello!
I am Greg Stromire (he, him, his)
I work for a data privacy company. I participate in activism.
I am not an expert in either. And I am not a lawyer.
But I can still offer some tips.
Agenda
Helpful Tools: Useful technologies to better safeguard yourself and other members.
Crypto 101: Whiteboard activity! Encryption is a powerful tool in maintaining privacy, but only when used correctly. Some cryptography fundamentals can help you make smart choices.
Why We’re Here: What is data privacy, what it means for activists, and some key concepts for context.
Put in Practice: Hands-on practice using new tools and best practices to establish good habits when performing organizing tasks.
Common Attacks: Overview of some of the most common threat vectors for activists -- which overlap with personal and professional use.
Threat Modeling: Utilizing a basic framework for security assessment to prevent and prepare.
1. Why We Are Here
What is data privacy, and why does it matter for activism?
Important Concepts
Privacy, Anonymity, Authenticity
Privacy: Unhindered agency to express oneself selectively, with direct control over one’s own information and explicit boundaries.
Anonymity: The ability to exist, and especially communicate, in a manner that does not reveal any personally identifiable information about the source.
Authenticity: Provide, with a high level of confidence, an assurance of the identity of an individual through reliable and verifiable means.
“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”
◎ Edward Snowden
Activists… have something to say.
JFK Airport - Craig Ruttle / AP Photo
2. Threat Modeling
A basic framework for security.
Threat Modeling
◎ Who would be most likely to target us?
◎ How much money, time, and skill do they have to dedicate to targeting us?
◎ What would they most likely want from us (i.e. money? incriminating information? access to trusted contacts?)
◎ What would happen to us if they were successful?
http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html
Governments: Surveillance state and law(less) enforcement
Individuals: USB drives, webcams, and (spear) phishing
Corporations: Breaches, metadata, and (de)anonymization
COINTELPRO (COunter INTELligence PROgram): A series of covert, and often illegal, projects conducted by the United States FBI aimed at surveilling, infiltrating, discrediting and disrupting domestic political organizations.
Some of the Groups Targeted by the FBI’s COINTELPRO
Zinn Ed Project
Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump
The Intercept
Databases
Breaches
Online services lose users’ private information
haveibeenpwned.com
The Guardian, December 15, 2016
DEMO: Has my account info ever been leaked?
https://haveibeenpwned.com
DEMO: What does my online “fingerprint” look like?
https://panopticlick.eff.org/
3. Common Attacks
Get to know some frequently used threat vectors.
Trust: At some point, you must concede a level of trust in the components of the devices in your life.
Keylogger: Could be wireless, could be physically between keyboard and CPU.
USB Drives: Not so innocent. Can provide an attacker with control of the machine with ease.
Rootkit: Programs that can control the device. Hard to detect. Hard to get rid of.
MITM: Monkey in the Middle. Someone in between the intended sender and recipient, without either knowing it. Could be just listening, but could also be modifying messages.
(Spear) Phishing: Messages meant to coerce a user into entering their credentials into a spoofed site. Spear phishing targets one person specifically.
Common Attacks
Brute Force: Common, weak, or reused passwords. May include theft of actual device. May be open Wi-Fi or Bluetooth.
Phishing: Attempting to get you to enter your own credentials.
From: <[email protected] >
Sent: Friday, Sept. 30, 2016 10:31 AM
To: <employee name>
Subject: Email Account Update
Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below:
http://update.sunsetgates.com/update/server/admindesk/index.htm
Failure to update, will result to closure of your account.
Thanks for your Co-Operation.
Email Admin Desk
Spear Phishing
Targeted toward a specific person.
From: "[email protected]"
Sent: Sat, 2 Jan 2016 09:58:07 GMT
To: <recipient's name removed>@ce.berkeley.edu <[email protected]>
Dear Dr. <recipient's name removed>;
I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research:
1-http://auth.berkeley.eduh.in/<link removed>
2-http://www.sciencedirect.com/science/article/pii/S1644966515000825
Thanks for you Cooperation in Advance.
John Doe
Department of Civil and Environmental Engineering
University of Alberta
Phone: (XXX) XXX-XXXX
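An added example, not part of the original slides: a small Python check for the trick in the spear-phishing message above, where `auth.berkeley.eduh.in` reads like a Berkeley address but actually sits under `eduh.in`. The `TRUSTED` list, the function names and the `PLACEHOLDER` path are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a hand-maintained list of domains the recipient really uses.
TRUSTED = ("berkeley.edu", "stanford.edu", "sciencedirect.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for one URL."""
    # urlsplit lowercases the hostname and drops any port.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    for domain in trusted:
        want = domain.split(".")
        # Compare whole labels from the right, so 'notberkeley.edu' and
        # 'berkeley.edu.example' do not pass as 'berkeley.edu'.
        if labels[-len(want):] == want:
            return "trusted"
    for domain in trusted:
        brand = domain.split(".")[0]
        # The trusted name appears somewhere in a host that is not
        # actually under the trusted domain.
        if any(brand in label for label in labels):
            return "lookalike"
    return "unknown"


def scan_message(text, trusted=TRUSTED):
    """Find every http(s) link in a message and classify it."""
    return [(url, check_link(url, trusted)) for url in URL_RE.findall(text)]


# Constructed sample built from the link lines of the two emails above.
SAMPLE = """\
update link: http://update.sunsetgates.com/update/server/admindesk/index.htm
1-http://auth.berkeley.eduh.in/PLACEHOLDER
2-http://www.sciencedirect.com/science/article/pii/S1644966515000825
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:9}  {url}")
```

A link that comes back `unknown` in a message claiming to be from a trusted sender deserves the same suspicion as a `lookalike`.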
Machine in the Middle
Eve, Bob
E: “Hey Bob! It’s Eve!”
B: “Hi Eve!”
E: “When is the direct action?”
B: “It’s Feb 4th, at the Courthouse!”
Eve, Alice, Bob
E: “Ok thanks!”
E: “Which members?”
B: “Here’s the list.”
“Found” USB Drives
Consider ALL unsafe.
KeyLogger
Captures keyboard input.
Brute Force Password Cracking Time
Number of Characters | (A-Z, a-z) | (A-Z, a-z, 0-9) | (A-Z, a-z, 0-9, !@#$%^&*)
6                    | 8 sec      | 3 min           | 13 min
8                    | 3 hr       | 10 days         | 57 days
10                   | 169 days   | 106 yrs         | 928 yrs
12                   | 600 yrs    | 108k yrs        | 5m yrs
14                   | 778k yrs   | 1bn yrs         | 5bn yrs
Brute Force Password Cracking
Actual actual reality: Nobody cares about his secrets. (Also, I would be hard pressed to find that wrench for $5.)
https://xkcd.com/538/
Questions so far?
4. Helpful Tools
Useful technologies to better safeguard yourself and your organization.
Guidelines for Selecting Quality Tools
Maintained: Has it been updated recently? Have there been fixes to bugs or other security vulnerabilities?
Audited: Has a security audit been performed on this program?
Open Source: Is the full source code available for inspection?
Post-It Notes: Webcam attacks are real. Attackers can gain access and control the webcams on your laptop for spying, and sometimes the best solutions are the simplest -- cover your camera with tape or a sticker.
Password Manager: One of the best tools for protecting accounts. Popular password managers (e.g. LastPass, 1Password) can generate unique, super-strong passwords for you. Use for every account you have.
Browsing Online
Privacy Badger: Another browser plugin to limit trackers. Also provides a “Do-not-track-me” mode that should be respected.
HTTPS Everywhere: Browser plugin that can help prevent Man in the Middle. Some sites will start on HTTP before being promoted to HTTPS.
uBlock Origin: Blocks ads. Useful because many ads are trackers themselves, and they could also be vulnerable to attacks. Helps to limit attack surface.
Protecting your network activity
2-Factor Auth: Another great tool for protecting accounts, this one can help even if your password is leaked or cracked. Check out twofactorauth.org for more info.
VPN: Virtual Private Networks re-route and disguise your traffic. Consider mandatory for open networks (e.g. coffee shops). Some VPN services are better than others, so do some research.
Tor: “Anonymizes” your traffic by bouncing off multiple nodes in between source and destination. Some skepticism as to efficacy without critical-mass adoption, so proceed with caution.
Demo: Protected Network!
Data in Transit - Digital Communication
Voice: Signal and WhatsApp have voice encryption capability, but quality can be lacking. Not sure about other options.
Text / Chat: Several options out there, notably Signal and WhatsApp. Both are end-to-end encrypted as well. Some controversy around WhatsApp “vulnerability.” More like a design decision, but I prefer Signal’s approach.
Email: Best solution is to encrypt end-to-end. This means a setup like Thunderbird (email client) and Enigmail (crypto add-on). Keep in mind: Content is encrypted. Metadata and subject are in the clear.
Demo: Encrypted email!
Data at Rest - Secure Storage
VeraCrypt: Successor to TrueCrypt, offers a lot of options. Downside: offers a lot of options. Usually best to stick with defaults. Bonus: VeraCrypt offers the ability to create “Hidden Volumes”.
GPG / Keybase: Command-line tools have proven their worth, but also proven hard to use. Some new developments on the horizon, but these are usually for those with more experience.
Stock OS Apps: Great for full drive encryption:
macOS: FileVault
Windows: BitLocker
Only basic features for files and folders:
macOS: Disk Utility
Windows: Encrypted File Service
Additional Security
QubesOS: “A reasonably secure operating system.” Essentially runs a fresh virtual machine for each process, then burns it down when you’re done.
Tails: A privacy-oriented OS. Custom Linux build with privacy settings maxed-out. Still experimental.
5. Put in Practice
Developing secure habits while organizing
Mobile Security
◎ Think about what info is on the phone
◎ Disable fingerprint
◎ Protect with passphrase
◎ Backup data
◎ Put in airplane mode
◎ Pictures or video without unlock
◎ Consider a “dumb” phone, or a “burner” with no identity info attached
Mind your Metadata
◎ They know you called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about.
◎ They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
◎ They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion.
https://ssd.eff.org/en/module/why-metadata-matters
Verify Keys!
Eve, Alice, Bob
Out-of-Band
Some final tips, recap, & recommendations
◎ Passwords on Everything (and don’t share!)
◎ Always lock and know where your devices are.
◎ Signal is pretty solid
◎ Thunderbird+Enigmail is too
◎ Get a VPN, but know its limits
◎ Legal in Oregon to record law enforcement
◎ 2-Factor Auth goes a long way
◎ So does a password manager
◎ Never provide passwords over email
◎ Look for HTTPS
◎ Mind your “cloud” accounts
A word on digital security
One workshop does not a private activist make.
But it can make a big difference. Especially if you share your knowledge.
https://ssd.eff.org/en
Hands On
Let’s get set up!
Credits
Special thanks to these resources:
◎ Electronic Frontier Foundation
◎ Freedom of the Press Foundation
◎ American Civil Liberties Union
◎ Ctrl-H in Portland, OR
◎ Presentation template by SlidesCarnival
◎ Diagram featured by poweredtemplate.com
Special thanks to these articles:
◎ https://www.theguardian.com/us-news/2015/may/22/edward-snowden-nsa-reform
◎ https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-entire-intelligence-community-just-in-time-for-trump/
◎ https://www.aclu.org/blog/whats-government-doing-targeting-civil-rights-leaders
◎ https://www.aclu.org/blog/shhhh-what-fbi-doesnt-want-you-know-about-its-racial-profiling-program?redirect=blog/criminal-law-reform-racial-justice-national-security/shhhh-what-fbi-doesnt-want-you-know-about
◎ http://www.oregonlive.com/politics/index.ssf/2015/11/black_lives_matter_oregon_just.html
◎ https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached
◎ https://uit.stanford.edu/phishing
◎ https://tozny.com/blog/10-unnerving-privacy-fails-thru-data-aggregation/
◎ https://security.berkeley.edu/news/phishing-example-spear-phishing-attack-articles
◎ http://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-john-podesta-clinton-russia
◎ https://thehackernews.com/2015/08/lenovo-rootkit-malware.html
◎ http://securityaffairs.co/wordpress/49999/hacking/found-usb-drive-hack.html
◎ http://geeknizer.com/top-usb-hacks-pwn/
◎ https://www.inetsolution.com/blog/june-2012/complex-passwords-harder-to-crack,-but-it-may-not
◎ https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most-popular-cloud-service-passwords/
◎ http://imgur.com/gallery/iVHfwLc
◎ http://lifehacker.com/truecrypts-security-audit-is-finally-done-with-mostly-1695243253
◎ https://tails.boum.org/
◎ https://www.qubes-os.org/