[liberationtech] FW: The security and ethics

Ian Young ian.greenleaf at gmail.com
Sat Feb 12 14:10:38 PST 2011


You've made me think there may be cause for two distinct guides with
different target audiences. Many of the topics you suggest are concepts that
*everyone* who uses a computer should understand (a lofty goal, but still).
I wonder if the EFF has looked into such a project, or would be interested?

However, I think there's a separate guide possible for motivated, competent
people who need or want a primer on security fundamentals - a goal of the
"teach a man to fish" sort. Not enough to make someone a security
researcher, but enough to help them skeptically evaluate the claims of a
service or software based on its actual strengths rather than the
marketing.  Along those lines, here's a quick outline I came up with in an
off-list discussion:

Basic security considerations
 - Determining your threat model
 - End runs around strong crypto
   - Social engineering
   - Coercion (the rubber hose method of password retrieval)
   - Trojans, evil maid, etc
   - Importance of physical security

A standard security toolkit
 - Full-disk encryption
 - Tor
 - PGP

PGP/Asymmetric crypto
 - What are public/private keys?
 - How to manage keys
   - Trusting a key
   - Signing a key
      - Web of Trust
   - Revocation
 - What a signature guarantees
   - It needs *your* private key
 - What encryption guarantees
   - It needs *their* public key
   - Encryption does not imply signature

Browsing security
 - How eavesdropping works and who can do it
 - How MITM works and who can do it
 - How your activity can be tracked, now and later
   - IPs
   - Cookies
   - Other methods
 - Special considerations on wireless networks
 - What SSL guarantees

There are probably some important topics to cover on mobile phones, SMS, 4G,
etc, but honestly I'm not knowledgeable enough in that area to offer useful
suggestions. Ditto on how to use social networks to organize without getting
nailed.

Ian


On Sat, Feb 12, 2011 at 10:15 AM, Michael Rogers <m-- at gmx.com> wrote:

> Yes, I think it's possible if we set realistic bounds on what we're
> trying to achieve. Keeping the T-CLOCK analogy in mind, let's not try to
> create a comprehensive training course in computer security - let's just
> identify a small number of points with maximal impact on people's
> security. For example:
>
> 1) Keep your antivirus software up to date. (Free antivirus software is
> available from X, Y, Z.)
>
> 2) Every password should include upper and lower case letters, digits
> and punctuation, and should not be based on a dictionary word.
>
> 3) Don't reuse passwords between different accounts.
>
> 4) Configure your computer to require a password. (Here's how.)
>
> 5) Use separate accounts for sensitive and non-sensitive communication.
>
> 6) Use separate phones for sensitive and non-sensitive communication -
> using separate SIM cards isn't enough.
>
> 7) Remove the battery from your phone before visiting sensitive locations.
>
> 8) If you're using Firefox, install HTTPS Everywhere. (Here's how.)
>
> 9) Configure your browser to delete all history when you close the
> browser. (Here's how.)
>
> 10) Empty the recycle bin after deleting sensitive files. (Here's how.)
>
> 11) Store sensitive files on a removable USB stick that can be destroyed.
>
> ...any other ideas? Are any of the above points bad advice or low
> priority? Can we come up with a catchy acronym?
>
> We could also think about writing short guides for specific tasks - how
> to set up an anonymous email account, etc - but I feel like the Tactical
> Technology Collective has that approach covered already, so maybe it's
> better to just point people to their guides:
>
> https://security.ngoinabox.org/en/
>
> Cheers,
> Michael
>
> On 10/02/11 10:12, P.A.Bernal at lse.ac.uk wrote:
> > That sounds like exactly the sort of thing that I'd be looking for
> > too. Is it actually possible?
> >
> > Paul
> >
> >
> > -----Original Message-----
> > From: liberationtech-bounces at lists.stanford.edu on behalf of Michael Rogers
> > Sent: Thu 2/10/2011 9:58 AM
> > To: Ian Young
> > Cc: liberationtech at lists.stanford.edu
> > Subject: Re: [liberationtech] FW: The security and ethics
> >
> > On 10/02/11 01:23, Ian Young wrote:
> >> Do guides roughly equivalent to TCLOCK exist for digital
> >> security/crypto?
> >
> > Hi Ian,
> >
> > Thank you - I think that's exactly the question we should be asking.
> >
> > If there's a short, accessible guide to practical digital security
> > that the techies on this list can get behind then let's identify it.
> > If there isn't then let's write it.
> >
> > Cheers,
> > Michael