
The Gang Learns About Digital Security for Activists

Notes from the Tabsters workshop on cleaning up your shit to prevent getting doxed

On May 27th, 2022, Tabs Discord member @Here Max facilitated a workshop on basic digital security and threat modeling for Today in Tabs subscribers. The session was held in a voice channel on the Discord, and you can review it here in several formats:

Recordings and transcripts are all courtesy of Ian Servin. Thanks Ian! What follows are Max’s notes and outline, and some resources mentioned in the talk.

Preamble: 

Buttoning up your personal digital safety can be a step on your path, but it doesn't have to be the first one. You can get out and meet your neighbors, join a mutual aid society, donate money to a cause you believe in, volunteer time with a group you respect—all within the risk profile of your average everyday life. Don't be like the Uvalde cops and US Marshals, valuing your safety over the lives of children who were calling 911. But don't be a goober and leap into the breach unprepared. Here's what I recommend:

  1. Do something right now. Don't let some bogeyman doxing fear hold you up.

  2. Make an action plan to improve your security foundation. Make those improvements.

  3. Go do bigger things.

Credentialing:

Why should you trust me? You shouldn't.

What are we doing:

  1. Safe basics

  2. What's a threat model

  3. How do you apply it to your situation.

  4. Not specifically about preventing getting doxed

1. Safe Basics: pyramid o’ things - think Maslow's hierarchy of needs

  • Base: Backups - protection against flood, fire, children & ransomware

  • Then: Password Manager (and check https://haveibeenpwned.com)

  • Then: Multi-factor authentication/two-factor authentication - any MFA is better than no MFA

  • Then: End-to-end encrypted messaging: Signal is currently the best bet

  • Then: Encrypt your disks

  • Then: Hardware keys: e.g. Yubikey

  • Then, ever so rarely: Encrypted email. But really, encrypted email is like a hairsbreadth below enlisting a specialist because you are a likely target of Nation State or Non-State Actors.

Note that "VPN" isn't on this list in 2022, where it was in previous years.

2. Threat Modeling: aka A Piano Could Fall From The Sky But Mostly One Doesn't

  • REMEMBER THE GOAL: create a sufficient sense of safety to go do the things you want to do

  • REMEMBER THE ANTIGOAL: don’t just cosplay some sort of hacker spy and justify withdrawing from the world

  • What do you have that you want to protect?

  • Who do you think you need to protect it from?

  • What happens if it is compromised? What are the consequences?

  • How likely is it to happen?

  • How can you address the most likely/high impact risks?

2(a). What do you have that you want to protect?

  • Information - no one can access what you have

  • Integrity of information - no one has changed the information or destroyed it

  • Integrity of identity - no one is pretending to be you

  • Location - not just stored addresses - travel pattern for people and goods

  • Pattern of communications

    • What you communicate

    • Who you communicate with

  • What you are reading or researching

  • Information about friends, family and associates - the superhero weakness

2(b). Who do you want to protect it from?

  • Your employer - Your future employers

  • Internet trolls

  • Thieves

  • Family

  • Nation State Actors/Non-state actors

2(c). What are the consequences?

  • Who is harmed, and in what way?

  • Would it be possible to make up for a loss after the fact?

  • Risk adjusted cost of reacting may be less than cost to protect:

    • YOLO?

    • Even bad publicity is good?

2(d). How likely is it to happen?

  • Will they just stumble on it in the garbage/Facebook? (no equivalence implied 😉)

  • Groups that are likely to be targeted

    • Women and non-binary

    • Public figures

    • Ethnic or religious minorities

    • In the US: Black, Indigenous and Asian people bear particularly high risks

  • What resources can your adversaries bring to bear?

    • Nosy great uncle with a lot of time on his hands

    • Nation State Actors/Non-state actors

    • 'Natural aggregators' - Uber, FB, IRS <— (this bullet is particularly dated. Where data aggregation once appeared to be a side effect of doing business, it increasingly has become the business.)

2(e). How can I address the most likely/high impact risks?

  • Don't abandon good processes for ‘perfect’ (WhatsApp may be fine)

  • Look for tweaks to current habits (shredder in front of the recycle bin)

  • Be realistic about costs:

    • Time

    • Education

    • Equipment - a second phone, a cheap laptop

    • Attention - making everything just a little bit harder every day

    • Reduction in connectivity

2 (Appendix). Terminology you will see as you read up on Threat Modeling: 

Assets, Adversaries, Threats, Adversaries’ Capabilities, Mitigation & Acceptance. Don't get scared off by the vocab. It's just the stuff we've talked about here.

3. Giving yourself a safe foundation:

  • Do this exercise on paper in private. Make an action plan. Shred your notes.

  • Consider 1 to 3 sessions with a lawyer or counselor, not because they'll help, but because they're legally prohibited from retelling your stories. $1 and an engagement letter goes a long way.

Resources

In 2022, many of these are three years old. Always look for dates; this stuff changes all the time!
