Tracking trollers

Bootstrapping Your Hacktivist Community

Kiwicon 6 2012Liz Henry @lizhenry

Wednesday, May 1, 13

I will now tell you how to make a hacktivist

community


HAHAHAHA


What is “hacktivism”?

• Legal or lower risk hacking:

• Reporting, citizen journalism (maybe)

• Outing people for something

• Protest, petition, policy, law changes

• Civil disobedience (maybe)



Sometimes“hacktivism”looks like this


And “community”?

• For community, you need trust


Trust is nice


Lower Risk “hacktivism”

• Publicity. Use all possible social capital.

• Get consent, protect privacy, personal security, personal data if possible.

• Rhizomatic spread. Don’t wait for the boss.

• Action plan. Group chat. Collectively edit some documents. Needs list. Schedule.

• Report on what is effective. Ask for more.


Emergency power!

• Hurricane Sandy

• Existing communities, social capital among disabled people online

• Incredibly fast mobilization, public call, in-person help from friends of friends of friends, nearly random strangers


Higher risk

• Reporting or citizen journalism (maybe)

• Infiltration, espionage

• Leaking military or other secret info

• Messing with governments, huge corporations, organized crime


Who will you piss off?

• Professional reputation/status?

• Stalkers or other hostile individuals?

• Intellectual property, legal, hacking laws

• Repressive government, military?

• Mexican drug cartel? Russian mafia?

• In short, what are you risking?


Example: Editing the Zetas

• What’s the threat level if you want to edit some Wikipedia pages about Mexican drug cartels?

• Where are you?

• Not-Mexico: Make persona, use Tor + VPN

• Mexico or near: Maybe that’s not enough


Nuevo Laredo carspotting

• Chat rooms to report on dangerous stuff

• Green Chevy at corner of 9th and Main every afternoon

• Roadblock on the west road out of downtown


sms blogging

• blog from burner phones

• vojo.co has all-phone setup


Risks, maybe

• Someone shoulder surfs you in a cafe and shoots you in the head later

• Keylogging, insecure connection

• Site you’re on is run by gangsters. Oops!

• Or is on phpBB or something scarier

• (narcomensajes, torture, murder)


Consider Risk

• Are you’re risking your freedom?

• Or your life

• Or other people’s lives

• Make sure it’s what you want to risk

• For a good reason!


There are good reasons


Why?

• What are your reasons and goals

• Publicity? (Then stick to lower risk)

• Personal studliness? (Don’t!)

• Expose truth?

• Freedom fighter?


How to make a hacker community


Don’t!


Or, first...

• At least pause

• Ethics of encouraging others to do high risk things on some crappy Windows machine with LOIC or whatever. Yeah.

• Learn security, anonymity, privacy

• Put them into practice

• Practice!


Before y’all do this. . .


Totally pause



Feminist Hackers

• Bunch of women hackers talking

• Why is there a “false accusers” wiki run by MRAs, but no “rapists” wiki run by rape survivors? Unfair and wrong!

• OMG Haxxors!

• Retaliation (identity/safety/DDoS)

• Defamation, legal threats



Pick your cool haxxor names!

• We thought of some great ones

• Most of them were totally contaminated

• Anyway, they sounded like roller derby names

• And we were telling them to each other, which was dumb, but we realized that about 2 minutes in


• So I can never secretly be “Louise Boat”. This makes me very sad.


Test for leaks


Testing each other

• We looked at what info we were leaking by accident, and what we knew or could deduce or find about each other.

• Some of us were better at it than others.Wednesday, May 1, 13

We found a lot of leaks


Some hackers are more equal than others

• We all had some practice, because we are all women talking in public and thus, present more attack surface

• Various factors made some of us more vulnerable than others: queer, trans, people of color, homeless, have kids, domestic violence survivors...

• Those factors often encourage more practice in privacy, anonymity, pseudonymity


Check your privilege

• If you’re hacking in a high risk way you’re risking everyone around you.

• The others in your “hacktivist community” may be at risk merely by being associated with you

• Protect your contacts


Learn to attack


Learn to spy


Be a trickster


Be Paranoid


Trust no one


Make personas within personas


Don’t contaminate your personas


Don’t boast


Ops checklist

• Safer computer, software (encrypt)

• Physical security (for your computer!)

• Safer connection (Tor, then VPN?)

• Persona management.

• Shut your pie hole!


More leak vectors to consider

• Location, time, time zone. Avoid patterns!

• Password hygiene

• Paying for stuff

• clicking links someone sends... (don’t)

• Panopticlick (browser fingerprinting)

• Tor, then VPN(s)


Study security, privacy, anonymity guides

• EFF guide

• Internews, CPJ guides

• TOR, crypto.is

• Study together

• That’s still not good enough


You must be flawless


Consciousness Raising

• Bootstrapping new hackers is hard.

• Consider your personal identity and what attack surface you present.

• This will take some discussion and thought.

• You will get a community that is capable of hacking something for some reason someday. Maybe in a crisis.

• It’s political consciousness raising


That isn’t very glamorous


But neither is jail


Or the Ecuadorian Embassy


Medium risk hacking• There’s still things to do that probably

aren’t super super super risky...


SRS Business

• Hollaback. Cell phone pics of street harassment.

• Public callouts of public bad behavior, whether pseudonymous or real name

• Twitter hashtags, mockery

• ShitRedditSays started reporting on public misogyny. “Outing” and “doxxing” of violentacrez ... ie “googling” and “his beer buddy told on him”.


FERT was born

• Feminist Emergency Response Team!


Lower risk high risk hacker activity

• Neighbor in domestic violence crisis, we found her husband in her Yahoo email and her phone

• Ex-pat Syrian journalist getting death threats. Looked at email headers, IP and told her it was not obviously a local threat or a threat from within Syria

• Palestinian activist convinced site was hacked by Israeli govt. Were able to show them it was just a spambot, php/sql injection

• Advised feminist blogger undergoing 4chan raidWednesday, May 1, 13

“Stay Safe” (or not)


Create possibilities


Documents

Tracking trollers