Is true mobile phone security a lost cause? With the increasing popularity of mobile messaging applications with weak security practices, the escalation of sim card registration requirements, and the nearly antiquated legal definitions of the ways that mobile phones are used by citizens, securing mobile phone communications is a multi-faceted problem.
I’ve done mobile security trainings for a number of years now. And one of the biggest challenges that emerges with thinking through mobile security is all of the different areas where threats can emerge: the technical infrastructure of GSM networks, the personal information that’s needed to obtain a sim card, the location tracking capabilities of phones, and the list goes on.
During RightsCon, I had the opportunity to chat with the following rockstars about the current state of mobile security and what can be done to make improvements:
Last friday I was gatecrashing the Investigative Reporters and Editors Computer-Aided Reporting conference up in Baltimore. Super cool conference; I’ll write it up more generally later. I was asked to share a bit about NDI’s perspective from the field on how we work with political activists and citizen journalists to be aware of the risks they face when using the internet for organizing or communications.
Sometimes in life it’s hard to know what to say (a buddy’s unsuitable engagement, a breakup convo, comments on a friend’s poor artistic performance) and one of them for me are 10-minute digital security discussions. You can’t dive into the details of a complicated tool like GPG. You can scare the pants off of them, but playing dead is not a valid defense mechanism online. So we tag-teamed it. Susan started things off with a quick “how the internet works” - and therefore where you can be attacked - while Jennifer focused on some core software of use in newsrooms like Tor, password managers and Cryptocat.
I decided to take a slightly different tack and talk about really boring stuff. Seems like a presentation winner, right? READ MORE »
Auditing of software of both the license and the source code is nothing new, especially of tools that are new to the digital security plethora of tools. But what about software whose use is widely recommended, but where little is known about the licensing decisions and the differences between original code and platform-specific applications? This is the impetus for the audit of the encryption software TrueCrypt.
TrueCrypt allows you to create an encrypted container on your computer's hard drive to store sensitive files, that to the untrained eye, appear like any other file you might find on a user’s computer. TrueCrypt storage “volumes” are typically made to look like a large video file (and hey, we even have a tutorial on how to make one that actually plays part of a video).
Despite being an open-source licensed project, there are legal and technical limitations to its openness.
While TrueCrypt’s source code is publicly available, the binaries (what makes TrueCrypt function without any installation process), are not. This matters because use of these binaries could potentially have security flaws that are unknown and unfixed. As cryptographer Matthew Green points out, the majority of TrueCrypt users only run and install it through the binaries, and while the source code sems trustworthy, it’s unclear if the binaries are. READ MORE »
I thought it was a brand of athletic shoes, but apparently I was wrong.
I was recently at a training-of-trainers with some of the best digital security experts in the business. We’re working with a crop of young trainers from around the world eager to improve their skills in teaching others the critical - and timely - topics of safety and privacy online.
We’re not children anymore. (I, at least, am nowhere close.) That means, in part, that we don’t learn in the same way that children do - and a lot of the teaching methodologies we’re brought up on don’t work well for adults. We are building out a set of digital security training materials and in the process I’ve been learning about a pedagogical approach called ADIDS. I’ve also been learning how to pronounce “pedagogical.”
ADIDS stands for Activity, Discussion, Inputs, Deepening, Synthesis. It’s a proven approach based on experimental results and sound learning principles - and entirely new to me. This may explain much of my academic career. In any case, by taking a topic and approaching it through these five lenses, one gives a broad audience of adult learners the best chance possible to absorb new, complex information.
People don’t learn everything all at once. It’s a frequent sin in digital security trainings to blast through a complicated topic, say “any questions?,” nod in satisfaction, and move on confident that the information has been absorbed and will be faithfully lived from that day forward.
Earlier this month, I had the opportunity to participate in an event to determine how human rights defenders might approach an emergency alert mobile app given their diverse risks, and to ensure that activists first consider their risks before adopting such a tool.
The following is a summary of this event, written by Alix Dunn of the Engine Room and Libby Powell of Radar.
How can an app developer make sure that an app doesn’t do more harm than good? For Amnesty International, that question could be one of life or death for human rights defenders using their new Panic Button app. READ MORE »
We work with civil society organizations around the world that are facing increasingly sophisticated cyber attacks against them from relenteless, well-resourced, and tecnically extremely savvy adversaries that attempt to curtail, surveil, and otherwise hinder their work. We are routinely called to assist our partners in preventing and mitigating denial-of-service attacks against and hacking of websites and online services, expecially during political events such as elections. Our partners are under threat in myriad ways, ranging from account compromises, social media takedowns to regime trolls and spammers, and malware.
ACCESS Now, a US-based advocacy organization focused on internet governance and digital security has just compiled the first in a series of reports focused on these threats to civil society organizations. The first assessment focused on fake domains when an adversary creates a similar-looking website or social media profile to one of a civil society organizations. These fake domains are used to dilute or confuse the message of the organization and subvert their effectiveness by drawing readers from the original site, or in order to serve malware to specifically target the audience of the original website. READ MORE »
NDItech was recently at an event on Our Digital Future: Ideas for Internet Research hosted by The George Washington University’s Elliott School of International Affairs. A diverse panel of experts in the field were invited to the discussion: Matthew Reisman, a Senior Manager at Microsoft, Milton Mueller, Professor at the Syracuse University of Information Studies, Brian Bieron, Senior director with eBay, and Carolina Rossini who serves as Project Director for the Latin American Resource Center.
Panelists made a number of interesting observations about the status and power of the internet in today’s global society. Matthew Reisman pointed out that Microsoft, in particular, is interested in studies of how government regulatory policies are affecting the ability of entrepreneurs to conduct business online - which would be most easily measured by conducting econometric research on internet policies enacted around the world. As trade and services burgeon online, governments are creating barriers that complicate the ease of doing international business. It is important for those researching the modern impact of the internet to consider just how these barriers are affecting businesses, economies, and people, especially in a world where eCommerce has grown to encompass over 6 percent of the global retail sector over a period of ten years. Milton Mueller further asserted that developing an understanding of intimate relations between technology and social relations is essential, including how [we] are going to govern newly implemented technologies, and what the global impact of this governance will be.
The internet is global and as such has particular impact on the economic possibilities for developing countries. We hope to see tangible data from conversations such as this that makes the point wht the internet - in economic and political terms - is a vital resource for countries worldwide.
There is a new report by Hibah Hussein, a researcher at the New America Foundation that sharply critiques the lack of privacy and security considerations in mobiles-for-development projects. As readers of this blog know, mobile phones are proliferating as a communications and information delivery channel in international development - in health care projects, those focused on economic development and livelihoods, and also in social accountability and transparency work. We here at NDI have certainly extensively used mobile phones in systematic election monitoring, for citizen outreach and delivering civic information, and for citizens to hold their elected officials accountable.
But, as Hussein poses, mobile phones are inherently insecure channels easily surveilled and monitored by design (after all, telcoms charge by usage and thus watch closely what you do), poorly regulated if at all with meaingful privacy protections in most developing countries, and thus inherently subject to deliberate or inadvertent privacy and security breaches. Since mobile projects in development often target the most vulnerable and marginalized populations and much of development happens in countries with poor governance all the way to outright dictatorships, this combination, Hussein argues, is a recipe for disaster. She notes that international development projects lack privacy and security procols and guidelines and proposes a framework for them to consider in their projects.
Cyberspace and all communications associated with the Internet was once idealized as a free and open space in which communications could flow back and forth at liberty. This idea has slowly changed in the last 25 years and we are now seeing the Internet and cyberspace as a “Fierce Domain” in which states engage in hostile actions against one another and increasingly against their own citizens. We wondered what normative changes have occurred over the last 15 years in cyberspace and what the implications of this change has been on democrats around the world.
Jeffrey Legro’s definition of norms as “collective understandings of the proper behavior of actors” is helpful to illustrate how norms have evolved in cyberspace. So then, what are the specific norms we would like to see in cyberspace as a democracy support organization? There are currently very clear trends of norms that we wish we didn’t see.
First we see a significant inrease in offensive and defensive state-level cyber capabilities and a growth in state censorship and surveillance. The data globally, as illustrated through sample data taken from censorship monitoring projects such as the Berkman Center’s Herdict Project (Image Right), illustrate an increase in reports of online censorship. Although this data is based on citizen reporting and may not also be state-generated, the enormity of reports of censorship is staggering.
Along with censorship comes its closely related counterpart, surveillance, and the reports of individuals being surveilled in their online activities is only increasing. Furthermore as indicated by experts in tracking censorship and surveillance such as Ronald Deibert at the Munk School of Global Affairs’ CitizenLab surveillance is getting worse. Globally we almost certainly passed the statet when only a few states were using the Internet as a means of censorship and surveillance against their own citizens. States are increasingly socializing, demonstrating, and institutionalizing censoring and surveillance behavior.
The Washington Post and others have reported extensively on the now declassified secret court opinion from 2011, which claims that the National Security Administration (NSA) has been illegally gathering tens of thousands of electronically-based communications among American citizens for several years now. An internal NSA audit conducted in May 2012 reported 2,776 incidents of unauthorized collection, storage, access to and distribution of legally protected communications from April 2011 to March 2012.
As part of their bulk surveillance program, the NSA has put pressure on numerous companies to release information about their customers. In early August, Lavabit, an email service used by Snowden and approximately 400,000 other people, shuttered its operations after rejecting to comply with a court order to help the US government spy on its clients. Founded in 2004 and owned by Ladar Levison, Lavabit email services used asymmetric encryption to provide a significant level of privacy and security for its users -significant enough that US intelligence agencies could not crack it. Under gag order, Levison was prevented from discussing in detail the reasoning behind his company’s shutdown. On the Lavabit website Levison left a cryptic message for users regarding his decision:
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise.”
As sentiment that internet freedom is increasingly being threatened worldwide is on the rise, details on the extent of how censorship is conducted at a technical level is often unavailable. At the USENIX Free and Open Communications on the Internet (FOCI) workshop today in Washington, D.C. two papers provided this information in two countries. The first by Zubair Nabi focused on increases in Internet Censorship efforts in Pakistan, and the second by Simurgh Aryan, Homa Aryan, and J. Alex Halderman examined in detail the rigorous censorship regimes present in Iran. Both papers can be found here and both illustrate a disturbing trend in state repression of information. READ MORE »
Distributed Denial of Service (DDoS) attacks are an increasingly popular method used against NGO and independent media websites to make them inaccessible during key political moments.
How do they work?
The term DDoS in popular lexicon represents in reality a range of different types of attacks. Largely these attacks deal with the way in which computers and servers handles connection requests. The easiest way to think about DDoS attacks is to imagine your home telephone. If you receive one phone call at a time you can answer, talk, and communicate with ease. If, however, 50, 100, or 1,000 people all called you at the same time not even the best call waiting service would really suffice for your average home telephone. While computers and webservers can handle hundreds and at times even thousands of calls at the same time, they eventually reach a point were they are unable to respond adequately and give a busy signal. This busy signal prevents people from accessing content on your site, system, or online service. READ MORE »
Digital security can be quite challenging for activists working in conflict zones or similarly difficult environments. The SKeyes Center for Media and Cultural Freedom has produced the "Journalist Survival Guide", a series of animated videos aiming to provide journalists and citizen journalists operating in dangerous zones with the most essential recommendations on how to protect their physical and online safety.
Our favorite videos include "How to Protect your Computer against Hacking and Malware" ...
...as well as "How to Get a Secure Internet Connection".
Want to see more? All videos as well as accompanying scripts are available in English and Arabic. Enjoy!
The recent revelations about large-scale NSA surveillance point to a pervasive problem facing democracy and human rights activists around the world. They face intense surveillance on a daily basis for working for universally accepted human rights and democratic and accountable governance. Those who thought of the internet as a space for free expression and a place where ideas are able to transit the globe unencumbered by now have realized that the reality of the Internet is not too dissimilar from that of the physical world. The great public square that is the internet is closely watched and increasingly controlled by governments and their spies. We wonder increasingly: How can democracy and human rights activists still use this space to continue the good fight? What are the implications for democracy and human rights activists following the revelations of surveillance programs such as Prism and large-scale meta data dragnets? Are we becoming fast the cyberlosers as the world is moving towards compromised internet governance, national internets, and pervasive surveillance?
The bottom line is this: The online public square is depply compromised. Of course, this surely is not a great surprise. READ MORE »
If your Twitter client didn't explode with the news about PRISM, here are the highlights, courtesy of the Washington Post:
An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.
The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.
Dropbox, the cloud storage and synchronization service, is described as “coming soon.”READ MORE »
WhatsApp has become a very popular (read: FREE) alternative to traditional text messaging. Over the past few years, many smartphone users have shifted from using BlackBerry Messenger and other instant messaging apps to WhatsApp. This is especially true for activists in much of the Middle East and Sub-Saharan Africa.
The growing popularity is understandable considering that this cross-platform instant messaging application for smartphones only costs $0.99 for iPhone users and nothing for other platforms. With more than 200 million active users monthly, WhatsApp CEO Jan Koum boasted that “We’re bigger than Twitter today,” at a conference in April. According to company statistics, WhatsApp users are quite active - sending 12 billion and receiving 8 billion messages per day.
With WhatsApp you can send free messages to friends, family, colleagues, etc. anywhere in the world. In addition to messaging, you can create groups and exchange an unlimited number of images, video and audio media messages. Sounds pretty great, right? READ MORE »
Enter Snapchat, an app available on iOS and Android that allows users to take a photo, send it to a friend, and is deleted after 10 seconds. (It's so easy, even Stephen Colbert can do it). Sounds pretty great, right?
Snapchat photos appear to live "beyond the grave" in the memory of smartphones (perhaps making the Ghost logo all the more appropriate).
Decipher Forensics recently investigated if Snapchat photos actually are deleted, or if the image and any associated metadata with such photos can be recovered. Report author used two Android devices to send and receive Snapchat photos, and found that: READ MORE »
Elections and other political events can be a time in less transparent environments when there is increased internet monitoring and censorship. With notable elections coming up in the next few months, particularly in countries with a history of internet monitoring and filtering, utilizing circumvention technologies ahead of these events become extremely important. Circumvention technologies enable you to route your internet connection to an IP address outside of your country, allowing you to view otherwise filtered content. One of the best circumvention technologies is Tor.
However, in countries such as Iran and China, known Tor IP addresses (or "relays") had been intermittently blocked in the past, making it unusable. Expanded use of capabilities such as Deep Packet Inspection have even made it possible for some regimes to determine if internet traffic is being routed through Tor. READ MORE »
Tech Tools for Activism (TTFA) has just released the latest version of it's handbook, with information and instructions for tools any activist can use. The handbook is not filled with flashy, sexy programs, nor does it give you THE one comprehensive answer that takes care of all your security needs. What the handbook does well, however, is to give you a simple explanation about why your security is at risk, and give you free programs that will help keep you safe. Both the easy to read layout and educational explanations make this handbook a good primer for activists, their partners, and for anyone who has a general interest in security while using communications technology.
Computer security is unpleasant. It's inconvenient. It's confusing. It makes your life harder, prevents you from accessing what you want when you need it, and requires being very thoughtful and careful at all times. All together, it's no wonder that so many people don't do what they should even when they know it's the right thing to do. You have to make choices to keep yourself safe and anonymous, and we all go with the easy default settings at times, or slip up occasionally.
What we really need is a system that makes people Do the Right Thing without taking any special, onerous action.
One of the most common tropes in the world of development is the Training of Trainers, or ToT. Training is expensive; if you run the math it can seem terribly costly to give 12 people a grounding in, say, principles of party platform development. However, if instead it's Training of Trainers then hey presto! You're not just training 12 people; you're indirectly training perhaps 120, and they'll train 1200, and before you know it your aunt from Albuquerque will be eagerly calling you to share the basics of party platforms.
Suffice it to say that is easier said than done. Nonetheless, that's what I was attempting last week with a group of citizen journalists on the topic of digital security; here's a few thoughts.
Teaching is hard, as those of you who have done it before know. I've learned from the best and the worst (yes, I'm looking at you, Professor Goldfeather). In my case, last week it was doubly challenging to keep everyone engaged: if your audience has built their career on social media they're not going to enjoy entirely unplugging for you.
Training trainers is a twofold challenge:
They need to truly understand the skills.
They need the ability to pass them on.
To achieve the first we spent half our time focused on the content and hard skills. In this case, the topic was tools and techniques to keep yourself safe online (thanks, Tactical Tech Security-in-a-Box!). READ MORE »
NDI is embracing Google Plus internally as part of our migration to the 'plex's set of tools. However, for those of us in the democracy support world social media presents risks to others beyond the standard fear of drunken holiday party pics. This post shares some of the dangers we need to bear in mind.
"Man is by nature a social animal," as some dude observerved about 2300 years ago. Given our nature, it's not surprising that social media platforms such as Facebook and now Google Plus act like crack for our psyche. On these pages we tend to focus on activists fighting against authoritarian regimes, but it works for them precisely because it works for my aunt. Facebook as a purely revolutionary platform would not only have been unprofitable (I doubt the RiseUp collective is mulling an IPO at $100 billion) but it would also have been ineffective, as activating and informing average joes is where the real power lies.
All that hagiography is old hat, so today I'm going to focus on another aspect that needs to be in our minds alongside the astonishing statistics and inspirational stories: the dark side of social media. READ MORE »
Digital security has become a part of everyday life. We all know about computer viruses, email scams and Facebook privacy settings and how they can run amok with our information. But for those who use these channels to advocate for democracy, digital security goes beyond protecting our embarrassing photos and banks accounts. It can serve as a connection to the outside world and a line of defense against harassment and arrest faced by activists around the world.
But security goes beyond anti-virus software, encryption and circumvention measures. Security has to be part of a complete solution, where tools are only part of the process. And each solution will be unique. Some of the steps and tools for tailoring a custom security solution I've found in my time at NDITech are: READ MORE »
Pseudonymity is a growing issue of importance, particularly when it comes to social media. Many activists who rely on social media platforms to organize action and share pictures or video prefer to operate under the cover of a pseudonym in order to add a layer of protection to their activities. While Twitter does enable its users to maintain a pseudonym, Facebook and Google + require their users to register for accounts using real names, a policy that has received a lot of criticism particularly when prominent digital activists have their accounts deactivated, which subsequently sparked a broader dialogue on the issue. READ MORE »
Last week the Senate Foreign Relations Committee published a report [PDF] on Latin American governments and their need to embrace social media and technology. As a avid follower of news from this region, I inhaled the 15-pager.
The report presents data on broadband, bandwidth, and mobile subscription in the region as well as information on how Latin American countries have used technology to engage with citizens - and what the United States' role should be in this process. While highlighting some examples, it finds that Latin American governments have been slow on the social media uptake.
In our own experience here at NDI, we've found real benefits to social media as a space for two-way communication to occur between citizens and governments in the region. Some of our blog readers might remember an earlier NDI's Mexico office uses Twitter to engage political party leaders engaged with their constituents.
Yet, the most interesting takeaway amid the wealth of data was the need for more digital literacy training to help ensure that citizens can use these social technologies and remain safe while doing so. The Foreign Relations report emphasized the "critical risks that come with connectivity and access to social media resources." READ MORE »