Online Security For Activists
crane@riseup.net

What's security?
Stopping an adversary from doing something that you don't want them to do.
There's always an adversary involved. Maybe more than one.

Example: an email to a friend criticizing the government
Does the govt. have the ability to intercept your email?
Would they want to?
Can they read it?
If not, can they learn who the sender and recipients are?
Will they follow you more closely now?

Example: storing files on a laptop
Is the laptop kept somewhere safe?
Do you need a password to read the files?
Can the files be accessed remotely?
Are there other copies of the files?
Does anyone know you have interesting files?
What would happen if the files were read?

Bad Security: Palin Email Hack
How did the hacker get in?
Used recover password feature on Yahoo
It asked him for birthday, zip code, and where Palin met her husband
Answers to these questions from Wikipedia, US Post Office, and online biography

How was the hacker caught?
Posted screenshots had URL starting with ctunnel.com

Also...
Hacker posted a message on 4chan.org under the name rubico
this account had email rubico10@yahoo.com
This email address connected to real name via YouTube profile
Both Palin and the hacker practiced bad security. The adversary won in both cases.

How To Think About Security
Who is the adversary?
What threats do they present?
How can I protect myself from these threats?
What will it cost me? What will it cost the adversary?
Security is mostly about habits.
It's something you do, not something you set up.

Things that can be threatened
Invisibility: adversary can become suspicious of something you are doing
Contacts: adversary can learn who you are talking to
Anonymity: adversary can learn who you are
Privacy: adversary can learn what you know
Operations: adversary can stop you from acting, both online and offline

Securing your computer
If the back door is open, it doesn't matter if the front door is locked.
If your computer isn't secure, your communication security doesn't matter (much).
Needs to be impossible to control it remotely.
Anti-virus software
Anti-spyware software (beware keyloggers!)
Network firewall

Physical security
A firewall doesn't help when someone steals your computer
Or reads your email while you're at lunch.
Put a password on your computer!
If the information really is important, encrypt the disk!
Use the operating system's tools, or PGP Whole Disk Encryption, or TrueCrypt

Password security
Phishing is by far the most common way to get passwords.
Don't use short passwords, words in the dictionary, or personal data (like your birthday or pet's name.)
Use different passwords on different sites.
Never share passwords between people! Get them their own.

Phishing
A fake website that asks for your password
Most commonly: an email or a message that says you need to login somewhere, with a link to click on.
Always read the URL before entering a password, or type it yourself.

Phishing Example

https://
Q: Who can read what I send on the internet?
A: Everyone who runs a computer somewhere in the middle of the path that communication takes.
ISPs, Telcos, governments...
Unless: you send the data encrypted. On the web, encrypted sites start with https

Don't make it easy.
Never type any sensitive information into a web page that does not start with https

Security is About People
Hacking is sexy, but in reality people are the weak point.
ignorance, scams, social engineering, mistakes
getting lazy: sharing passwords, using insecure channels...

Would you give up your password if...
they threatened to fire you?
they put you in jail?
they kidnapped your mother?

What do they watch?
US, UK, Iran, Chinese governments known to have extensive electronic surveillance.
Emails, IM, general internet traffic
Facebook, Google, Yahoo, etc. all service millions of law enforcement requests per year.
Phones don't need to be tapped. It's all done through the network now.
Basically, you have to assume that all communications are monitored.

What else can they watch?
Credit cards, banking transactions
Security cameras
Student cards, smart cards, any time you use any card...
National governments can ask for any of this data.
Will governments cooperate on international cases? Maybe.

Securing web email
Gmail always uses https now
So, the communication from your computer to Google's computer is secure.
But then Google sends the email to the recipient's server without encryption!
Think: where does this message go? Where are the computers physically located?

Where the Email goes
gmail.com yahoo.com

What if we both use Gmail?
Better!
Now the email is never sent unencrypted.
But Google can still read it...
When does Google read emails? When the US government tells them to. Millions of requests per year.
Will Google tell other governments?
Maybe. Yahoo has.

Keeping email private, really
You need to use something called PGP (pretty good privacy) to encrypt messages.
A bit tricky. For Firefox, a tool called FireGPG makes this easier.
If the email is encrypted properly, no one but the receiver can read it, even if it's intercepted.
Tutorial here:
http://www.irongeek.com/i.php?page=videos/using GPGPGPFireGPGtoencryptandsignemailfromgmail

The Internet is More than The Web
There are lots of ways to communicate that do not involve the web:
Apps on your phone
instant messaging programs
Email through Outlook, Thunderbird, etc.
Skype
Twitter clients
etc.
https won't help for these, because it's only for web pages.

Skype
Skype uses strong encryption and is generally considered safe.
Skype company (EU) knows who you're talking to, but not what you say. Will they tell?
BUT
Do not use Chinese TOM-Skype or clone!
Intentionally insecure! Watches for keywords and sends data to Chinese govt!

Simple secure Communication: Instant Messenger plus OTR
OTR means off the record. It's a plugin for instant messenger programs.
Easy!
Just use your normal IM account, and access it from a program which supports OTR
All OSs: use Pidgin plus the OTR plugin
Mac: use Adium

Mostly secure is not secure (like using condoms)
If you need secure communications, set up IM + OTR right now.
Communications that are sometimes secure are worse than useless.
That one unencrypted message can cause problems in many different ways.
It only takes one leak to ruin invisibility or anonymity.
Don't be lazy.

Important!
Encryption preserves privacy, but not anonymity.
They can't read it, but they know who I'm talking to.
Encrypted communications (like IM+OTR) protect privacy, but not invisibility or anonymity.

Anonymity
Every computer on the internet has a unique number, called the IP address
IP means internet protocol. This is how your data knows how to get to you.
Most servers log the IP address of everyone who uses them.
Your ISP sells you the IP address, so it knows who you are.

Hiding your IP Address
Can use an anonymous proxy
But does the proxy keep logs? Who can read them?

Trusting a proxy
Anyone running a server has to give their logs to law enforcement in their jurisdiction
E.g. a server in Canada must report to the Canadian government.
Is this a problem? Maybe.
What if the proxy is hacked by the adversary?
What if the proxy is actually run by the adversary?

Onion Routing
Use multiple proxies.
No single proxy knows the IP address of both ends of the connection
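
The layering behind that claim, as an added example (not from the original slides): the sender wraps the message once per proxy, and each proxy can remove only its own layer. The relay names, keys and the toy cipher are assumptions made for illustration; real onion routing uses negotiated keys and real encryption.

```python
import hashlib
import json

def toy_cipher(key, data):
    """XOR with a SHA-256 counter keystream. Toy stand-in for real
    encryption, used only to make the layering visible."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, dest, message):
    """Sender side: add one layer per relay, innermost (last relay) first."""
    packet = {"next": dest, "body": message}
    for name, key in reversed(route):
        sealed = toy_cipher(key, json.dumps(packet).encode())
        packet = {"next": name, "body": sealed.hex()}
    return packet

def peel(key, body_hex):
    """Relay side: remove this relay's layer, revealing only the next hop."""
    return json.loads(toy_cipher(key, bytes.fromhex(body_hex)))

def send(sender, route, dest, message):
    """Pass the onion along the route, recording what each relay can see."""
    packet = wrap(route, dest, message)
    seen, prev = {}, sender
    for name, key in route:
        packet = peel(key, packet["body"])
        seen[name] = {"from": prev, "to": packet["next"]}
        prev = name
    return seen, packet

# Constructed example: three relays with made-up names and keys.
ROUTE = [("relay1", b"k1"), ("relay2", b"k2"), ("relay3", b"k3")]

if __name__ == "__main__":
    seen, delivered = send("alice", ROUTE, "blog.example", "hello")
    for name, view in seen.items():
        print(name, view)
```

The first relay sees the sender but not the destination, and the last relay sees the destination but not the sender. The last relay also sees the message itself unless it is separately encrypted end to end, for example with https.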

TOR: The Onion Router
torproject.org
International project to build an anonymity tool.
The best anonymity you can currently get.
Also jumps over firewalls very reliably!
Slow... the network is not large.
You can help! Run a Tor node!

Things that break anonymity
Don't post your name, city, email, etc.!
Don't log in to your regular email, Facebook, etc. over an anonymous connection!
Timing attack: if you're always using Tor when a new post appears on an anonymous blog, they can tell it's you.
Use time-delayed posting feature to avoid this.
Anonymity is hard! If you need it, study it.

Phones
The location of every phone is continuously logged by the telco, to within a few meters.
Changing SIM cards won't make you anonymous, because the phone has an IMEI number.
Text messages are logged.
Call destination and (sometimes) audio are logged.
Phones are very insecure!

Beware hidden info in documents!
When you save a Word or PDF file, it includes your username and other identifying information.
This is called metadata and will give you away!
Use a plain text editor to avoid this (Notepad, TextEdit)
Or sanitize the document before releasing. See NSA procedures:
http://www.nsa.gov/ia/_files/support/I733028R2008.pdf

Avoiding Suspicion
Decide carefully which activities are public and which are private. Speak out deliberately, not randomly.
If you only have encrypted communications with certain people, the adversary knows exactly who you are working with!
Use encryption whenever possible for your regular traffic.

Summary

How to think about security
What are you trying to accomplish, who is trying to stop you, and how can they do it?
Design your security to protect against specific threats.
Things that can be threatened: invisibility, contacts, anonymity, privacy, operations.
Security is something you do.
It changes fast! Keep learning!

What To Do
Make a security plan!
Secure your computers: anti-virus, anti-spyware, firewalls
Secure your computers physically: locks, passwords, disk encryption
Use strong passwords. Don't share them between people or accounts.
Use secure communications.
Sanitize released documents!
Keep learning!

Private communications
The simplest method I know for privacy:
Use instant messenger plus OTR (always!)
Never IM from your phone!
Communication between two users @gmail is second best way but it keeps logs, and depends on Google and US govt being on your side.

Anonymous communications
If you need anonymity as well as privacy:
Sign up for new IM accounts anonymously; don't give your email or reuse a username.
Set your IM client to route through TOR
Always use TOR. The one time you don't, the adversary gets your IM handle and knows who you talk to.

Anonymous email addresses
gmail.com now requires a phone number, so not anonymous.
riseup.net is best, but you will need to be invited by someone who already has an account.
hushmail.com is free and very good. Can send encrypted messages to people without encryption software.
Don't ever log in to your anonymous email account without Tor! Otherwise anyone watching your connection will know it's you!

I haven't talked about...
Securing your web server.
Denial of service attacks: how to keep your site up (assuming the government can't just order you to stop.)
Smuggling data.
Operational security: who do you trust in the real world? Who knows your plans? Who gets passwords?
There are many different types of security.

Keep learning!
NGO security guide (read it!) Detailed tutorials on every tool mentioned here:
http://security.ngoinabox.org/
Anonymous blogging with Wordpress and TOR
http://advocacy.globalvoicesonline.org/projects/guide/
How to get around the Great Firewall:
http://www.randomwire.com/howtobypassthegreat firewallofchina/