
Digital Harm Reduction by Floh & Cleve (Perverscité 2016)

FHV
August 06, 2016


Slides + notes (a lot of the content was built during the workshop)


Transcript

  1. digital harm reduction: an intro to online privacy floh & cleve perverscité 2016

  2. ✴ Introductions (us & you) ✴ Building personas & scenarios ✴ A dive into technology ✴ Solutions (for our personas & scenarios)

  3. harm reduction approach ✴ security vs convenience ✴ priorities ✴ improbable ✴ parallel to physical security

  4. personas: pick one or build your own ✴ There is no universally useful security advice ✴ Preserve some anonymity in this group ✴ Breakout into small groups

  5. example personas: jean-pierre Jean-Pierre is a teenager going to high school and living at home with his conservative family. He has recently started exploring his sexuality online and in person and thinks he might be gay. He is bullied by his brother and his brother’s tech-savvy friends. What risks does Jean-Pierre face? browser history, fb privacy settings, breaking into fb or email, physical phone security, fear of being outed, fake grindr profile, being pranked, check network traffic, forums/porn access disk encryption, ublock origin, privacy badger, VPNs or Tor, good passwords

  6. example personas: alex Alex is a porn performer and sex worker. They also go to graduate school part-time. They use mobile apps for communicating with clients. They’ve been harassed by cops on multiple occasions but never arrested or charged. Many of their family, friends, and classmates do not know they are a sex worker. They recently had a bad breakup with someone who is very vindictive. What risks does Alex face? phone number to legal name lookup, malicious disclosure to school, grants revoked because of additional income, separating banking info, risks of using the same device for multiple personas, crossing borders, being tracked via gps using Tor for work, Signal (or WhatsApp, not Telegram), disk encryption (bitlocker or filevault), good passwords (&change them!), review logged in devices in gmail and facebook

  7. example personas: marina Marina is a trans fashion blogger with a large Youtube, Twitter, Instagram following. She also works at a Big Name Corp where she is not out. Recently, trolls have begun harassing her online, making all kinds of horrible threats that she is not sure are credible. What risks does Marina face? bank account info linked to google account, threat of transphobia generally, shitty dynamics at work, linking pseudonym (?) to real life, trolls finding where she works, getting doxxed, accounts getting hacked, physical risk after being doxxed, doxxing leading to toxic work situations, ads if using work computer, culture of putting all your info into the world, and not being able to revoke it later, real name policies, how social media companies deal with harassment google yourself! (identity management), wayback machine, ad blocker, good passwords, exif removal from photos (gps), separate your identity chains (e.g. which email is your backup for your twitter), if she owns a domain, whois protection

  8. example personas Lara is a community worker and activist who works with at-risk youth, who may be undocumented, drug users, or in abusive family situations. She is worried about receiving compromising information from them. What risks does Marina face?

  9. example personas … (some things that didn’t make it in here: organizing demos, criminalization of HIV transmission)

  10. risks: jean-pierre ✴browser history ✴fb privacy settings ✴brother & friends breaking into fb or email ✴physical phone security ✴fear of being outed ✴fake grindr profiles (brother & friends, gangs, even cops in places where being gay is illegal) ✴being pranked ✴brother & friends (or parents) check network traffic ✴discovery of forums/porn access

  11. risks: alex ✴phone number to legal name lookup ✴malicious disclosure to school ✴grants revoked because of additional income ✴separating banking info ✴risks of using the same device for multiple personas ✴crossing borders ✴location-tracking (GPS, etc)

  12. risks: marina ✴bank account info linked to google account ✴threat of transphobia generally ✴shitty dynamics at work ✴is she using a pseudonym? risk of linking pseudonym to real life ✴ trolls finding where she works ✴getting doxxed (address published online) ✴accounts getting hacked ✴physical risk after being doxxed ✴doxxing leading to toxic work situations ✴targeted ads if using work computer ✴culture of putting all your info into the world, and not being able to revoke it later ✴real name policies (e.g. FB) ✴how social media companies deal with harassment

  13. A dive into the technology…

  14. what happens when you visit a webpage?

  15. what happens when you visit a webpage? hosting provider datacenter ISP … national borders, literal oceans nicerecipesite.com beautifulgayunicorns.com subversivesite.org

  16. what happens when you use an app? hosting provider datacenter ISP … national borders, literal oceans grindr tinder facebook twitter pokemon go

  17. how can someone “hack” you?

  18. how can someone “hack” you? interception

  19. how can someone “hack” you? interception • wifi • creepy sysadmin • stingrays • request to ISP

  20. how can someone “hack” you? impersonation

  21. how can someone “hack” you? impersonation • password cracking • stealing your laptop • social engineering/password reset

  22. how can someone “hack” you? breach provider

  23. how can someone “hack” you? breach provider impersonate sysadmin/dev

  24. how can someone “hack” you? breach provider some other dark magic

  25. how can someone “hack” you? ask the provider nicely (law enforcement)

  26. what about metadata? hosting provider datacenter 74.59.127.65 43.250.192.3

  27. how can i protect my data? ✴ protect your account (passwords!) ✴ use a trusted provider ✴ encryption ✴ reduce your metadata

  28. can i trust my provider? ✴ values/mission statement ✴ business model ✴ security capacity

  29. types of encryption ✉ ✉

  30. types of encryption ✉ ✉ ✉

  31. types of encryption ✉ ✉ ✉ ✉ ✉

  32. transport encryption (https) sees gibberish ✉ ✉ ✉ X

  33. transport encryption (https) sees gibberish X ✉

  34. “at rest” encryption sees gibberish X ✉

  35. “at rest” encryption sees gibberish, unless he can get the key X ✉

  36. “end to end” encryption ✉ ✉ Xsees gibberish

  37. “end to end” encryption … is not magic ✉ ✉
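
What each party can read under the three encryption diagrams above (transport, at rest, end to end), as an added model written for this transcript rather than the workshop's own material; the keys, the observers and the message are constructed, and the cipher is a toy stand-in for TLS or AES:

```python
import hashlib
# Constructed demo keys: who holds which key is the whole point of the three slides.
KEYS = {
    "tls": b"https session key (phone <-> provider)",
    "storage": b"provider's disk key",
    "e2e": b"key shared only by the two phones",
}

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; symmetric, so it also decrypts.
    Demo only: reusing a key across messages would leak, never use this for real."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(blob, layer):
    """Add one encryption layer; a blob is (bytes, tuple of layer names, outermost last)."""
    data, layers = blob
    return toy_cipher(KEYS[layer], data), layers + (layer,)

def peel(blob, held):
    """Strip outer layers for as long as the observer holds the key; return what remains."""
    data, layers = blob
    while layers and layers[-1] in held:
        data = toy_cipher(KEYS[layers[-1]], data)
        layers = layers[:-1]
    return data, layers

def deliver(mode, message):
    """Send one message through the provider; return each observer's view as a blob."""
    blob = (message, ())
    if mode == "end-to-end":
        blob = wrap(blob, "e2e")                 # the provider never gets this key
    on_wire = wrap(blob, "tls")                  # https between phone and provider
    at_provider = peel(on_wire, {"tls"})         # the provider terminates https
    stored = wrap(at_provider, "storage") if mode == "at rest" else at_provider
    return {
        "wifi / ISP / stingray": peel(on_wire, set()),
        "creepy sysadmin": peel(stored, {"storage"}),      # has the disk key
        "stolen disk, no key": peel(stored, set()),
        # the provider strips its own layers before forwarding; the recipient holds e2e
        "recipient": peel(stored, {"storage", "e2e"}),
    }

def summary(mode, message=b"meet me at the village at 9"):   # constructed sample message
    """Collapse each view to 'plaintext' or 'gibberish' for modes https / at rest / end-to-end."""
    return {who: "plaintext" if view == (message, ()) else "gibberish" for who, view in deliver(mode, message).items()}
```

Slide 37's "not magic" shows up here too: the recipient's device always ends in plaintext, and nothing in this model hides who sent to whom or when (the metadata of slide 26).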

  38. tools & solutions reviewing the scenarios

  39. password tips ✴ do not reuse — especially for important accounts ✴ make it long — words can be easier than symbols, especially on mobile ✴ make it random (no 1337 substitutions of your favourite book — if you think it’s a clever strategy, it probably isn’t!) ✴ try a generator: random.org, https://passphrases.peerio.com, Diceware ✴ password managers: keepassX (free), 1password () ✴ two-factor authentication where available (e.g. google/gmail)

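The Diceware and "make it long and random" points from slide 39, as an added example that is not from the workshop: it draws a passphrase from a constructed mini wordlist (a stand-in for the real 7776-entry Diceware list) and puts the entropy of the slide's options side by side:

```python
import math
import secrets

# Constructed stand-in for a real Diceware list; the real list has 6**5 = 7776 entries.
MINI_WORDLIST = ("apple river candle tiger mango pixel quartz velvet "
                 "ember harbor lantern meadow otter saddle tulip walnut").split()
DICEWARE_SIZE = 6 ** 5
PRINTABLE_ASCII = 94   # symbols available to a typical random character password

def entropy_bits(num_symbols: int, alphabet_size: int) -> float:
    """Entropy of num_symbols independent uniform picks from alphabet_size options."""
    return num_symbols * math.log2(alphabet_size)

def diceware_roll() -> str:
    """Five dice from the OS CSPRNG, e.g. '25341': the line number of one Diceware word."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def passphrase(num_words: int, wordlist=MINI_WORDLIST, sep: str = " ") -> str:
    """Uniform random words via secrets (not random.choice, which is not a CSPRNG)."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))

def leet_bonus_bits(substitutable_positions: int) -> int:
    """Upper bound on what 1337 substitutions add to a phrase an attacker already guesses
    (a favourite book title): each position is at most a yes/no choice, i.e. 1 bit."""
    return substitutable_positions

def compare() -> dict:
    """The slide's options side by side, in bits (higher is better)."""
    return {
        "6 Diceware words": round(entropy_bits(6, DICEWARE_SIZE), 1),
        "8 random printable characters": round(entropy_bits(8, PRINTABLE_ASCII), 1),
        "12 random lowercase letters": round(entropy_bits(12, 26), 1),
        "known title + up to 6 1337 swaps": leet_bonus_bits(6),
    }
```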
  40. harm reduction: jean-pierre ✴good passwords!!!! ✴disk encryption (bitlocker for windows — howto, filevault for mac — howto) ✴phone disk encryption (default on latest ios, has to be set up on android) ✴(auto-)locking phone and computer ✴adblocker (e.g. ublock) & privacy badger to protect against malware and unwanted ads ✴https everywhere to prevent some traffic sniffing (domain can still be seen, and some sites don’t have HTTPS) ✴anonymize connection to prevent traffic sniffing ✴Tor (free, trusted, but slow for video) ✴VPNs (you have to put your faith in it, but fast. There are many; look for those that don’t keep logs of your activity, e.g. tunnelbear, PIA)

  41. harm reduction: alex ✴use Tor for sex work (e.g. posting ads), maybe separate computer with always-on Tor connection (but not a burner phone because that is HARD and not that useful) ✴Signal (or WhatsApp, not Telegram) for communicating with clients ✴disk encryption ✴phone disk encryption, locking phone when crossing borders ✴good passwords (& change them if worried ex might have them!) ✴review logged in devices in gmail and facebook

  42. harm reduction: marina ✴identity management: ✴ google yourself / doxx yourself — name, old usernames, other identifying data ✴ use the wayback machine to find sites you thought didn’t exist anymore ✴ if she owns a domain, make sure the registrar has whois anonymization (otherwise your address is easy to look up) ✴ adblocker to prevent unwanted ads on work computer ✴ antivirus/ being careful with attachments ✴ good passwords (esp. for sensitive accounts) ✴ remove exif from photos (gps coordinates — guide) ✴ separate identities (don’t link work email to youtube) ✴ don’t use the same email as password reset backup for all your accounts! (single point of failure)

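The "remove exif from photos" item from slide 42, as an added example not taken from the workshop or the guide it links: a stdlib-only stripper that drops the EXIF segment (where GPS coordinates live) from a JPEG without re-encoding the image; the sample file is constructed.

```python
# A JPEG is a chain of segments, each starting with 0xFF + a marker byte. EXIF (camera
# model, timestamps, GPS coordinates) lives in APP1 segments whose payload begins with
# "Exif\0\0"; dropping those segments removes it without touching the image data.
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))   # markers without a length field

def iter_segments(data: bytes):
    """Yield (marker, raw segment bytes) after SOI, up to and including the SOS segment
    plus everything after it (the compressed image data is passed through untouched)."""
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, data[pos:]
            return
        if marker in NO_LENGTH:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # counts its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def is_exif(marker: int, segment: bytes) -> bool:
    return marker == APP1 and segment[4:10] == b"Exif\x00\x00"

def has_exif(data: bytes) -> bool:
    return any(is_exif(m, s) for m, s in iter_segments(data))

def strip_exif(data: bytes) -> bytes:
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    return b"\xFF\xD8" + b"".join(s for m, s in iter_segments(data) if not is_exif(m, s))

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample, not a real photo: a fake EXIF block with a GPS-looking payload,
# a JFIF APP0 block, then a minimal SOS header, three bytes of "image data" and EOI.
FAKE_EXIF = b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"GPS 45.50N 73.57W"
SAMPLE_JPEG = (b"\xFF\xD8" + _segment(APP1, FAKE_EXIF)
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\x56" + b"\xFF\xD9")
```

It drops the whole EXIF block (orientation tag included) and leaves XMP (another APP1 payload) and IPTC (APP13) segments alone, which can also carry location data and should be checked separately.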
  43. resources ✴ RiseUp.Net, Communications Security https://help.riseup.net/en/security ✴ Hygiene in the digital public square: https://hygiene.digitalpublicsquare.com/ (especially the Identity section!) ✴ EFF, Surveillance Self Defense https://ssd.eff.org/ ✴ Tactical Tech, Security in a Box https://securityinabox.org/en ✴ Freedom of the Press Foundation, Encryption Works https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md ✴ Tactical Tech, Gender and Security https://gendersec.tacticaltech.org/wiki/index.php/Main_Page