[liberationtech] FW: The security and ethics

Danny O'Brien DObrien at cpj.org
Sun Feb 13 04:40:27 PST 2011


As I think many of these replies indicate, there are plenty of guides like this -- including the tactical tech guides, the Sesawe guides, various files on cypherpunk/activist sites, the EFF guide, the RiseUp guides, etc etc.  I've just finished writing for a chapter in CPJ's general guide for journalists in dangerous situations that follows the same pattern. I think every technical person working in the human rights space has either written one of these, been asked to review one of these, or been name-checked in funding requests to get a grant to write one of these.

We're all, I would hope, getting better at writing them. I would say though that these guides are low-hanging fruit, and those branches have largely already been well and truly plucked. The problem we're trying to deal with, though, is that we have the following equation:

number of people these guides help =
  number of total activists in the world
  * fraction of activists who know enough to care about digital security
  * fraction of activists who know these guides exist
  * fraction of people who find a guide that's actually got good, up-to-date advice
  * fraction of people that read it through to the end and understand it
  * fraction of people who after doing so successfully implement its recommendations without picking up the TrueCrypt interface (one of the rather better ones, I might say) and throwing it bodily through the nearest window

I'd say that all of those fractions are <0.5, often *very* below 0.5, and I bet there are a few more force-unmultipliers in that equation. And that's for activists. I work with journalists, and they generally don't think about being at risk of surveillance or digital sabotage until they are under it or being screwed over by it, because (even in dangerous regimes) they see themselves as journalists, not as radicals in need of military-grade digital self-defense.

I am entirely sympathetic to the need for this kind of guidance, and heartily support and will continue to work on both "teach a person to fish" and T-CLOCK style guides. I think almost all of those fractions have nowhere to go but up. But in part, I think thinking this is an important solution is kind of like thinking that what PGP really needs is a better man page. That's almost certainly true, but if you've got to the point where you're reading the PGP man page, you're probably already in the set of people who will be okay. Similarly, if you've got to the point where you're looking for a security guide, I'm really not too worried about you, because there are a lot of pretty good security guides out there, and you've probably got the smarts to critically appraise the ones you see.

My main concern continues to be the vast vast majority of people including activists who are using, say, Facebook chat to exchange dangerous information. A security guide will touch a tiny tiny fraction of those people. It may be the best we've got, but if so, we're doing well. But I suspect it isn't -- I suspect a better use of a technologist's time is working out how we can continue to make IM + OTR, TrueCrypt, Tor bundles etc work to the point that they don't scare very very brave people more than their local secret police does. Which if you've ever sat in a room trying to help frontline activists install this stuff, it clearly does.

Actually, (and I'm thinking out loud here) perhaps what we most need aren't guides, they're slogans. Probably the phrase "Writing an email is like writing a postcard" did more to convey good security ideas than any of a thousand volumes of explanation (it did some damage too -- I'm sure there's people out there using Facebook chat instead of email because, hey, no one said anything about Facebook being postcards). If it's longer than a slogan, maybe it's not going to help me hit the people that I want to hit.

d.


On Feb 13, 2011, at 5:10 AM, Ian Young wrote:

You've made me think there may be cause for two distinct guides with different target audiences. Many of the topics you suggest are concepts that *everyone* who uses a computer should understand (a lofty goal, but still). I wonder if the EFF has looked into such a project, or would be interested?

However, I think there's a separate guide possible for motivated, competent people who need or want a primer on security fundamentals - a goal of the "teach a man to fish" sort. Not enough to make someone a security researcher, but enough to help them skeptically evaluate the claims of a service or software based on its actual strengths rather than the marketing.  Along those lines, here's a quick outline I came up with in an off-list discussion:

Basic security considerations
 - Determining your threat model
 - End runs around strong crypto
   - Social engineering
   - Coercion (the rubber hose method of password retrieval)
   - Trojans, evil maid, etc
   - Importance of physical security

A standard security toolkit
 - Full-disk encryption
 - Tor
 - PGP

PGP/Asymmetric crypto
 - What are public/private keys?
 - How to manage keys
   - Trusting a key
   - Signing a key
      - Web of Trust
   - Revocation
 - What a signature guarantees
   - It needs *your* private key
 - What encryption guarantees
   - It needs *their* public key
   - Encryption does not imply signature

Browsing security
 - How eavesdropping works and who can do it
 - How MITM works and who can do it
 - How your activity can be tracked, now and later
   - IPs
   - Cookies
   - Other methods
 - Special considerations on wireless networks
 - What SSL guarantees

There are probably some important topics to cover on mobile phones, SMS, 4G, etc, but honestly I'm not knowledgeable enough in that area to offer useful suggestions. Ditto on how to use social networks to organize without getting nailed.

Ian


On Sat, Feb 12, 2011 at 10:15 AM, Michael Rogers <m-- at gmx.com> wrote:
Yes, I think it's possible if we set realistic bounds on what we're
trying to achieve. Keeping the T-CLOCK analogy in mind, let's not try to
create a comprehensive training course in computer security - let's just
identify a small number of points with maximal impact on people's
security. For example:

1) Keep your antivirus software up to date. (Free antivirus software is
available from X, Y, Z.)

2) Every password should include upper and lower case letters, digits
and punctuation, and should not be based on a dictionary word.

3) Don't reuse passwords between different accounts.

4) Configure your computer to require a password. (Here's how.)

5) Use separate accounts for sensitive and non-sensitive communication.

6) Use separate phones for sensitive and non-sensitive communication -
using separate SIM cards isn't enough.

7) Remove the battery from your phone before visiting sensitive locations.

8) If you're using Firefox, install HTTPS Everywhere. (Here's how.)

9) Configure your browser to delete all history when you close the
browser. (Here's how.)

10) Empty the recycle bin after deleting sensitive files. (Here's how.)

11) Store sensitive files on a removable USB stick that can be destroyed.

...any other ideas? Are any of the above points bad advice or low
priority? Can we come up with a catchy acronym?

We could also think about writing short guides for specific tasks - how
to set up an anonymous email account, etc - but I feel like the Tactical
Technology Collective has that approach covered already, so maybe it's
better to just point people to their guides:

https://security.ngoinabox.org/en/

Cheers,
Michael

On 10/02/11 10:12, P.A.Bernal at lse.ac.uk wrote:
> That sounds like exactly the sort of thing that I'd be looking for
> too. Is it actually possible?
>
> Paul
>
>
> -----Original Message-----
> From: liberationtech-bounces at lists.stanford.edu on behalf of Michael Rogers
> Sent: Thu 2/10/2011 9:58 AM
> To: Ian Young
> Cc: liberationtech at lists.stanford.edu
> Subject: Re: [liberationtech] FW: The security and ethics
>
> On 10/02/11 01:23, Ian Young wrote:
>> Do guides roughly equivalent to TCLOCK exist for digital
>> security/crypto?
>
> Hi Ian,
>
> Thank you - I think that's exactly the question we should be asking.
>
> If there's a short, accessible guide to practical digital security
> that the techies on this list can get behind then let's identify it.
> If there isn't then let's write it.
>
> Cheers, Michael
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you
> click above) next to "would you like to receive list mail batched in
> a daily digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list
> moderator.
>
> Please don't forget to follow us on
> http://twitter.com/#!/Liberationtech
>
>
> Please access the attached hyperlink for an important electronic
> communications disclaimer: http://lse.ac.uk/emailDisclaimer

