Saturday, July 29, 2017

Web Security Action Plan for Artists and Activists Under Siege (part 1)

By: Candace Williams Head of Community Operations by day. Poet by night (and subway ride). Forever @TeacherC.

It’s imperative that folks under siege (POC, LGBTQ+, Indigenous folks, immigrants, Muslims, folks with disabilities, etc), especially artists and activists, take steps to protect their data and privacy online.

These are just suggestions This list is not exhaustive or the only way to secure your data.
Web security is like a tree. A young tree can be snapped by a fist. As trees grow layers and roots, they require knowledge, equipment, and energy to cut down. I’m trying to help you add layers of security to your daily routines. I don’t like the words “secure” or “safe” because nothing fits into those categories. The only thing we can do is become safer and more secure. Each bullet point is a layer, a step another person or agency has to take, to access and trade your information. I’ve tried to choose the layers that have the highest return on your investment in time and money. Think about your situation and resources and create your own action plan.

Identifying assumptions that underlie this article:
  • Taking a small, first step lowers your mental barriers.
  • Changing workflows is hard and takes practice. Go at your own pace and be easy on yourself.
  • COINTELPRO (and similar programs) didn’t just “happen”. It’s been happening and will ramp up.
  • Government and non-governmental bodies already have you on their radar: They know you disagree with some element of the status quo and that you’re a person under siege (black, POC, Muslim, queer, a person with physical or intellectual disabilities, a recent immigrant, indigenous, etc).
  • Many of your private communications are sitting on the email accounts and devices of your friends and family.
  • Surveillance capitalism is dangerous. We don’t know the implications of how tech companies extract value from their customers’ data. Most people don’t understand what corporations like Facebook and Google know about them, how the data is used/bought/traded/aggregated/sold/deployed, and if corporations have already handed over information to government groups. 
  • Lack of transparency + colonialism/capitalism + technological supremacy = STRANGER DANGER.
SOLUTIONS
  • Withdraw $10–$40 of cash from your bank.
  • Buy a Starbucks gift card with the cash.
  • Use the gift card to purchase 1 month to 1 year of VPN access on https://www.privateinternetaccess.com (or a comparable service of your choosing. Ask around or read online reviews. Make sure the service doesn’t keep logs of your activity). Keep in mind: It’s better to purchase VPN with a credit/debit card than to purchase none at all. Furthermore, this is just a small layer and it’s still possible to figure out which VPN service you’re using.
  • Download and start to use Tor as your primary browser. Be sure to follow the instructions and security warnings here: https://www.torproject.org/download/download-easy.html.en#warning
  • Since it’s impossible to follow all of the warnings and there are limitations to Tor, it’s a good idea to also use a VPN. If you don’t use a VPN, using Tor + Chrome/Firefox with the HTTPS Everywhere extension is a good start.
  • Download Signal on your phone and encourage all folks you communicate with privately to use it as well. Use it instead of iMessage, SMS, WhatsApp, Facebook Message, etc. You can also make calls. The desktop version can be used in lieu of Skype, Slack, etc.
  • Enable 2 Factor Authentication on all email, financial, etc services.
  • Do an info security audit — Begin to brainstorm how you use social media, email, mobile devices, and cloud storage. How do you use these services? Which communications need to be moved to secure channels? Are sensitive documents saved in the cloud? Can you quit Facebook, Twitter, Google, and Amazon altogether?
  • Choose strong and distinct passphrases. The Intercept has a handy guide here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
  • @AllBetzAreOff recommends using non-cloud-based password manager to generate and secure your passwords. More info here: https://securityinabox.org/en/guide/keepassx/windows
  • It’s important to turn on software auto-updates so you’re protected from known software vulnerabilities. (Thanks to Dan Sullivan, Ph.D. for this advice! Check out his excellent comment for more information.)
  • Encrypt your mobile devices. iPhones are automatically encrypted but many use access codes that are inadequate. Reset your code to a long, random string of numbers (make sure you write this down while you’re committing it to memory). Android users can enable encryption in the Settings app.
  • Encrypt your computer using BitLocker (Windows) or FileVault (Mac).
  • If you have (or want) a website, database, or app, join an encrypted hosting service like MayFirst.
  • Purchase a physical safe (like the SentrySafe SFW123DSB) for your important documents, hard drives/USB keys, and artwork. You can split this cost with folks who live nearby. If your artwork is larger than a common household safe, and you’re interested in chatting, ping me. We need to brainstorm how to help artists under siege keep their art safe from destruction. Research the safe to make sure electronics won’t oxidize or buy Silica Gel Dehumidifier Desiccant packets/special sleeves.
  • Purchase a hard drive that can store your digital files. Encrypt it. In the future, consider purchasing multiple drives and keeping your most valuable information in multiple places. If you bought a safe, keep your hard drive there. You should also prepare for a time when Internet access or your information stored online is completely unavailable to you.
  • Audit your cloud storage. Where are you files stored? What kind of information is stored? Where’s the most sensitive information?
  • Begin to break your dependence on cloud storage (when possible): iPhoto, Google Photos, Google Drive, DropBox, etc. Structure your filesystems in ways that are easy to navigate without Google’s search capabilities.
  • See if you can minimize your use of Chrome/Firefox/Safari/etc by the end of the month. Dennis Cahillane says:
NOTES:, Using a Firefox add-on you install yourself is not recommended. Recommend downloading the Tor Browser bundle directly from the Tor Project here https://www.torproject.org/download/download Using the Tor Browser bundle is easy for non-technical users, but you will quickly become frustrated by its limitations. When you aren’t using Tor, Also recommend Firefox or Chrome with the following add-ons: HTTPS Everywhere, uBlock Origin.”
  • Download all of your files to your computer + external hard drive. This might take awhile so you can do a batch a day. Start with the most sensitive information. (This is just a start. There are ways to have access to encrypted cloud storage, I think folks can consider this after the New Year after they’ve done the initial transfer and have broken their dependence on easy to use cloud services).
  • If you’d like, choose an activist email provider you’ll use instead of Gmail (or a service like ProtonMail). You’ll also need to loop in your friends and family. Jamie McClelland, Co-Founder of MayFirst/PeopleLink says:
NOTES: “Using Gmail is definitely a bad idea. Under Obama we had a huge
expansion in the federal government spying infrastructure and they
definitely target the big corporate providers — either by compromising
them or simply sending them a subpoena. And now all of that will belong
to Trump.


For email, stick with activist providers. And *everyone* has to do it.
If you are having a group conversation and just one person is on gmail,
then everything goes to gmail.


If everyone is on MF/PL, then it never leaves our servers and it is far
more difficult to intercept. If some people are on Riseup and some are
on MF/PL it’s also good — since MF/PL and Riseup will encrypt messages
between servers.


However… even with all of these protections, I would advise against
relying on email for anything sensitive.


If you haven’t already, I would suggest replacing whatever program you
use to send SMS messages with Signal (https://whispersystems.org/). It’s
on both iPhone and Android. It’s easy to use and it’s very secure.
I would also suggest using Jabber (see the MF/PL page here:
https://support.mayfirst.org/wiki/how-to/jabber).



Both signal and jabber work on your phone and provide much better
encryption and privacy than email ever will.


A note about email: Dan Sullivan, Ph.D. left a relevant criticism of activist email accounts in the comments:

Also, infosec is largely a battle of technical skills and resources. Google has more of both than any email or other cloud provider I know of. I use Gmail with two factor authentication and will stick with it. Sure, an agency may get a warrant for emails at Google but there is less chance of successfully hacking the Google infrastructure to get those emails than hacking another provider with fewer resources.

Response::
Email seems impossible to secure. I’m already starting to drift away from email as my primary means of communication. Although I might use an end-to-end encrypted service, PGP, etc. 95% of my contacts do not have access to this technology. So the question is: where do I want my unencrypted emails and metadata to sit? Who do I trust more — Google or activist groups? Although activist groups draw attention to themselves, I trust Riseup and MayFirst’s track record of resisting subpoenas from US grand juries, US agencies, and many other governments/legal systems around the world. Because of the identity and ideologies of dissident artists, the government already knows we’re activists. I’d rather collaborate with groups that have been working on this issue for quite some time. I’m also leery of surveillance capitalism because it goes hand in hand with the surveillance state. COINTELPRO and other surveillance projects that impacted POC-led movements is in the back of my mind as I make these decisions. Google has the money and the know-how but they don’t give a shit about me or my struggle. They aren’t going to go to the mattresses for me. I don’t like the demographic and psychometric data providers like Google and Facebook gather (and the lack of transparency for how that information is used). I’m a dissident artist who is willing to spend the effort to divest as much as I can and become a contributing member in political tech groups.
Here’s a short clip of a training given at at Eyebeam about email encryption.
There are a countless number of situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to effectively communicate. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone that wants to utilize public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!





Friday, July 28, 2017

Throttling on Mobile Networks Is a Sign of Things to Come, Unless We Save Net Neutrality Now

July 27, 2017
Major mobile carriers are slowing down video streams, a net neutrality violation that heralds things to come if they get their way and roll back legal protections against data discrimination.
Recent reports on Reddit from Verizon Wireless customers have drawn attention to video streams being throttled, which Verizon claimed were caused by a temporary test of a new video “optimization” system. If that sounds familiar, it's because it's not the first time a carrier has throttled certain content sources while claiming to optimize them.
We’ve previously reported on how T-Mobile tried to pass off throttling as optimization with their Binge On “feature.” T-Mobile’s Binge On has evolved since we last wrote about it, but hasn’t abandoned throttling: it now throttles video for customers on their unlimited plan, and charges them extra to not be throttled, which is also against the principles of net neutrality.
Similarly, AT&T makes use of a “just-in-time” delivery technique (aka “Buffer Tuning”) for video streams. The carrier explains that with just-in-time, “a sufficient amount of video is delivered to the device so that the user can start viewing the video, and the remainder of the video is delivered just in time to the device as needed for uninterrupted viewing.” But using just-in-time means the video will stop playing more quickly if you lose reception, rather than larger portions being buffered in advance as they would on a neutral network that wasn’t observing and throttling your traffic. Although AT&T claims that just-in-time delivery helps customers by stopping them from paying for data they don’t actually use, it doesn’t give customers the choice to disable this “feature.” Sprint also makes use of the neutrality-violating just-in-time technique.
Right now, these throttling technologies seem to be used to slow down video data generally, rather than to favor the ISP’s content over competitors, but it is a trivial matter to flip that switch and make the net neutrality violation more serious, and more harmful to competition and speech.
Net neutrality allows carriers to engage in “reasonable network management,” but throttling a class of traffic does not satisfy this standard. A more reasonable technique (that Sprint also employs) is transcoding, a technique where the quality of the stream is modified in real time to match the network’s condition. For example, if the network slows down, the video quality decreases so as to still be able to deliver video at the same rate, and vice versa.
We’ve reached out to Verizon asking for more details about the “optimization” tests it’s running. Since optimization is a technical term which implies attempting to tune a system to maximize or minimize specific measurable criteria, we’re wondering what those criteria are and if Verizon will share them with the subjects of its tests. Also, given that mobile carriers have historically had trouble differentiating between streaming video traffic and other uses of their networks, we’re curious what technical means Verizon is using to identify video, and what steps it’s taken to make sure other uses aren’t affected.
Rolling back net neutrality rules could open the door to many unfair practices like site blocking and throttling. While we can't predict exactly what changes carriers will make, it’s alarming to see them already rolling out throttling infrastructure. Without net neutrality protections, little will stop them from using that same infrastructure to discriminate against competitors, speech they dislike, or your favorite app.