Data Privacy For Activists

◎ Name for Today◎ Preferred Pronouns (e.g. they, them, their)◎ What brought you here? What do you want

from this workshop?

IntroductionsAround the Room

Hello!I am Greg Stromire (he, him, his)

I work for a data privacy company. I participate in activism.

I am not an expert in either.And I am not a lawyer.

But I can still offer some tips.

Helpful ToolsUseful technologies to better safeguard yourself and other members.

Crypto 101Whiteboard activity! Encryption is a powerful tool in maintaining privacy, but only when used correctly. Some cryptography fundamentals can help you make smart choices.

Why We’re HereWhat is data privacy, what it means for activists, and some key concepts for context.

Put in PracticeHands-on practice using new tools and best practices to establish good habits when performing organizing tasks.

Common AttacksOverview of some of the most common threat vectors for activists -- which overlap with personal and professional use.

Threat ModelingUtilizing a basic framework for security assessment to prevent and prepare.

Agenda

1.Why We Are HereWhat is data privacy, and why does it matter for activism?

Important Concepts

PrivacyAnonymity Authenticity

PrivacyUnhindered agency to express oneself selectively, with direct control over one’s own information and explicit boundaries.

AnonymityThe ability to exist, and especially communicate, in a manner that does not reveal any personally identifiable information about the source.

Important ConceptsAuthenticityProvide, with a high level of confidence, an assurance of the identity of an individual through reliable and verifiable means.

“Arguing that you don't care about

the right to privacy because you have nothing to hide is no

different than saying you don't care about free speech because

you have nothing to say.◎Edward Snowden

Activists… have something to say.

JFK Airport - Craig Ruttle / AP Photo

2.Threat ModelingA basic framework for security.

Threat Modeling

◎Who would be most likely to target us?

Threat Modeling

◎Who would be most likely to target us?◎How much money, time, and skill do they

have to dedicate to targeting us?

Threat Modeling

◎Who would be most likely to target us?◎How much money, time, and skill do they

have to dedicate to targeting us?◎What would they most likely want from us

(i.e. money? incriminating information? access to trusted contacts?)

Threat Modeling

◎Who would be most likely to target us?◎How much money, time, and skill do they

have to dedicate to targeting us?◎What would they most likely want from us

(i.e. money? incriminating information? access to trusted contacts?)

◎What would happen to us if they were successful?

Threat Modeling

http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html

GovernmentsSurveillance state and law(less) enforcement

IndividualsUSB drives, webcams, and (spear) phishing

CorporationsBreaches, metadata, and (de)anonymization

COINTELPRO (COunter INTELligence PROgram) A series of covert, and often illegal, projects conducted by the United States FBI aimed at surveilling, infiltrating, discrediting and disrupting domestic political organization.

Some of the Groups Targeted by the FBI’s COINTELPRO

Zinn Ed Project

Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in

Time for Trump

The Intercept

WhiteIs the color of milk and fresh snow, the color produced by the combination of all the colors of the visible spectrum.

BlackIs the color of coal, ebony, and of outer space. It is the darkest color, the result of the absence of or complete absorption of light.

Databases

Breaches

Online services lose user’s private

information

haveibeenpwned.com

“

The GuardianDecember 15, 2016

DEMOHas my account info ever been leaked?

https://haveibeenpwned.com

Place your screenshot here

DEMOWhat does my online “fingerprint” look like?

https://panopticlick.eff.org/

Place your screenshot here

3.Common AttacksGet to know some frequently used threat vectors.

TrustAt some point, you must

concede a level of trust in the components of the

devices in your life

KeyloggerCould be wireless, could be physically between keyboard and cpu.

USB DrivesNot so innocent. Can provide an attacker with control of the machine with ease.

RootkitPrograms that can control the device. Hard to detect. Hard to get rid of.

MITMMonkey in the Middle. Someone in between the intended sender and recipient, without either know it. Could be just listening, but could also be modifying messages.

(Spear) PhishingMessages meant to coerce a user into entering their credentials into a spoofed site. Spear- is targeting one person specifically

Common Attacks

Brute ForceCommon, weak, or reused passwords. May include theft of actual device. May be open Wifi or bluetooth.

PhishingAttempting to get you to enter your own credentials.

From: <mailadmin@stanford.edu >

Sent: Friday, Sept. 30, 2016 10:31 AM

To: <employee name>

Subject: Email Account Update

Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below:

http://update.sunsetgates.com/update/server/admindesk/index.htm

Failure to update, will result to closure of your account.

Thanks for your Co-Operation.

Email Admin Desk

Spear PhishingTargeted toward a specific person.

From: "john.doe@ulberta.ca" (link sends e-mail)Sent: Sat, 2 Jan 2016 09:58:07 GMT To: <recipient's name removed>@ce.berkeley.edu (link sends e-mail) <john.doe@ulberta.ca> (link sends e-mail)

Dear Dr. <recipient's name removed>;

I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research:

1-http://auth.berkeley.eduh.in/<link removed>

2-http://www.sciencedirect.com/science/article/pii/S1644966515000825

Thanks for you Cooperation in Advance. John DoeDepartment of Civil and Environmental Engineering University of Alberta Phone: (XXX) XXX-XXXX

Machine in the Middle

Eve

Bob

E: “Hey Bob! It’s Eve!”

Machine in the Middle

Eve

Bob

B: “Hi Eve!”

Machine in the Middle

Eve

Bob

E: “When is the direct action?”

B: “It’s Feb 4th, at the Courthouse!”

Machine in the Middle

Eve

Bob

Machine in the Middle

Eve

Alice

Bob

Machine in the Middle

Eve

Alice

Bob

Machine in the Middle

Eve

Alice

Bob

E: “Ok thanks!”

Machine in the Middle

Eve

Alice

Bob

E: “Ok thanks!”

E: “Which members?”

Machine in the Middle

Eve

Alice

Bob

E: “Ok thanks!”

E: “Which members?”

B: “Here’s the list.”

“Found” USB Drives

Consider ALL unsafe.

KeyLoggerCaptures

keyboard input.

Brute Force Password Cracking TimeNumber of Characters (A-Z, a-z) (A-Z, a-z, 0-9) (A-Z, a-z, 0-9, !

@#$%^&*)

6 8 sec 3 min 13 min

8 3 hr 10 days 57 days

10 169 days 106 yrs 928 yrs

12 600 yrs 108k yrs 5m yrs

14 778k yrs 1bn yrs 5bn yrs

Brute Force Password Cracking

Brute Force Password Cracking

Actual actual reality: Nobody cares about his secrets. (Also, I would be hard pressed to find that wrench for $5) .https://xkcd.com/538/

Questions so far?

Useful technologies to better safeguard yourself and your organization.

4.Helpful Tools

MaintainedHas it been updated recently? Have there been fixes to bugs or other security vulnerabilities?

AuditedHas a security audit been performed on this program?

Open SourceIs the full source code available for inspection?

Guidelines for Selecting Quality Tools

Post-It NotesWebcam attacks are real. Attackers can gain access and control the webcams on your laptop for spying, and sometimes the best solutions are the simplest -- cover your camera with tape or sticker.

Password ManagerOne of the best tools for protecting accounts. Popular password managers (e.g. Lastpass, 1Password) can generate unique, super-strong passwords for you. Use for every account you have.

Privacy BadgerAnother browser plugin to limit trackers. Also provides a “Do-not-track-me” mode that should be respected.

HTTPS EverywhereBrowser plugin that can help prevent Man in the Middle. Some sites will start on HTTP before being promoted to HTTPS.

uBlock OriginBlocks ads. Useful because many are trackers themselves, but also could be vulnerable to attacks. Helps to limit attack surface.

Browsing Online

2-Factor AuthAnother great tool for protecting accounts, this one can help even if your password is leaked or cracked. Check out twofactorauth.org for more info.

VPNVirtual Private Networks re-route and disguise your traffic. Consider mandatory for open networks (e.g. coffee shops). Some VPN services are better than others, so do some research.

Tor“Anonymizes” your traffic by bouncing off multiple nodes in between source and destination. Some skepticism as to efficacy without critical-mass adoption, so proceed with caution.

Protecting your network activity

DemoProtected Network!

Place your screenshot here

VoiceSignal and WhatsApp have voice encryption capability, but quality can be lacking. Not sure about other options.

Text / ChatSeveral options out there, notably Signal and WhatsApp. Both are end-to-end encrypted as well. Some controversy around WhatsApp “vulnerability.” More like design decision, but I prefer Signal’s approach.

EmailBest solution is to encrypt end-to-end.This means a setup like Thunderbird (email client) and Enigmail (crypto add-on). Keep in mind: Content is encrypted. Metadata and subject is in the clear.

Data in Transit - Digital Communication

DemoEncrypted email!

Place your screenshot here

VeraCryptSuccessor to TrueCrypt, offers a lot options. Downside: offers a lot of options. Usually best to stick with defaults. Bonus: VeraCrypt offers ability to create “Hidden Volumes”

GPG / KeybaseCommand-line tools have proven their worth, but also proven hard to use. Some new developments on the horizon, but these are usually for those with more experience.

Stock OS AppsGreat for full drive encryption:macOS: FileVault Windows: BitLockerOnly basic features for for files and folders:macOS: Disk UtilityWindows: Encrypted File Service

Data at Rest - Secure Storage

QubesOS“A reasonably secure operating system.” Essentially runs a fresh virtual machine for each process, then burns it down when you’re done.

TailsA privacy-oriented OS. Custom Linux build with privacy settings maxed-out. Still experimental.

Additional Security

5.Put in PracticeDeveloping secure habits while organizing

◎Think about what info is on the phone

◎Disable fingerprint◎Protect with passphrase◎Backup data◎Put in airplane mode◎Pictures or video without

unlock◎Consider a “dumb” phone,

or a “burner” with no identity info attached

Mobile Security

◎ They know you called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about.

◎ They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.

◎ They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion.

Mind your Metadata

https://ssd.eff.org/en/module/why-metadata-matters

Verify Keys!

Eve

Alice

Bob

Out-of-Band

◎ Passwords on Everything (and don’t share!)◎ Always lock and know where your devices are.◎ Signal is pretty solid◎ Thunderbird+Enigmail is too◎ Get a VPN, but know its limits◎ Legal in Oregon to record law enforcement◎ 2-Factor Auth goes a long way◎ So does a password manager◎ Never provide passwords over email◎ Look for HTTPS◎ Mind your “cloud” accounts

Some final tips, recap, & recommendations

A word on digital security

But it can make a big difference. Especially if you share your knowledge.

One workshop does not a private activist make.

https://ssd.eff.org/en

Hands OnLet’s get set up!

Place your screenshot here

Thanks!Any questions?

You can find me at:greg@tozny.comPGP: 0x317DCBC8

Special thanks to these resources:◎ Electronic Frontier Foundation◎ Freedom of the Press Foundation◎ American Civil Liberties Union ◎ Ctrl-H in Portland, Or◎ Presentation template by SlidesCarnival◎ Diagram featured by poweredtemplate.com

Credits

Special thanks to these articles:◎ https://www.theguardian.com/us-news/2015/may/22/edward-snowden-nsa-reform◎ https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-e

ntire-intelligence-community-just-in-time-for-trump/◎ https://www.aclu.org/blog/whats-government-doing-targeting-civil-rights-leaders◎ https://www.aclu.org/blog/shhhh-what-fbi-doesnt-want-you-know-about-its-racial-profiling-

program?redirect=blog/criminal-law-reform-racial-justice-national-security/shhhh-what-fbi-doesnt-want-you-know-about

◎ http://www.oregonlive.com/politics/index.ssf/2015/11/black_lives_matter_oregon_just.html◎ https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-a

ccounts-breached◎ https://uit.stanford.edu/phishing◎ https://tozny.com/blog/10-unnerving-privacy-fails-thru-data-aggregation/

Credits

Special thanks to these articles:◎ https://security.berkeley.edu/news/phishing-example-spear-phishing-attack-articles◎ http://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-john-podesta-clint

on-russia◎ https://thehackernews.com/2015/08/lenovo-rootkit-malware.html◎ http://securityaffairs.co/wordpress/49999/hacking/found-usb-drive-hack.html◎ http://geeknizer.com/top-usb-hacks-pwn/◎ https://www.inetsolution.com/blog/june-2012/complex-passwords-harder-to-crack,-but-it

-may-not◎ https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most-po

pular-cloud-service-passwords/◎ http://imgur.com/gallery/iVHfwLc◎ http://lifehacker.com/truecrypts-security-audit-is-finally-done-with-mostly-1695243253◎ https://tails.boum.org/◎ https://www.qubes-os.org/

Credits