“YOU are the best anti-virus!”



Staying safe on your computer, phone and online isn’t about having the latest security tools or paying lots of money to other people to keep you safe. By far the most powerful defense is to change your own behavior. Explore this site to learn how to keep yourself and your friends and family safer…and be your own Cyber Superhero.

(Informal/open) Mobile Security Clinic today @ Berkman 4:30-5:30pm

I am informally launching my weekly hands-on mobile security clinic today at Berkman, around 4:30pm, in the Fellows conference room at 23 Everett.

While some might say a mobile phone is only secure once it’s been microwaved, smashed by a hammer, and buried in concrete, the truth is, most of us can’t escape the shiny, buzzing tracking device in our pocket.

What I can offer are some free, practical solutions that can go a long way in reducing the likelihood that what you do on your mobile will get hoovered up into a never-expiring log somewhere, or plastered across 4chan. Whether you want to encrypt your calls, messages or photos, ensure sensitive personal or project information is not leaking to any app that asks for it, or deal with more advanced concerns related to surveillance or proprietary app ecosystems, I am happy to go there, and find a solution, if it exists.

If you want a small idea of some of the solutions I can offer, visit this link: https://guardianproject.info/howto/

In return, I get to hear your stories and challenges, as well as aspirations for what a brighter, more secure mobile computing future might be. Like I said, this is a weekly effort, and these types of interactions are a key part of my work as a Fellow here this year.

Assessing the Impact of Five Years of Mobile Security Problem Solving (and Planning for Five More…)

Below is the text of my successful application to the Berkman Center 2015 Fellows program, including the concept for my fairly ambitious project that I look forward to finding some allies and collaborators on during the year.


In a recent leak from the Snowden files, one of the mobile security apps I have developed, Orbot (Tor for Android), showed up in an NSA powerpoint slide explaining the different forms that the Tor anonymity and circumvention software takes. Next to the app’s name was a comment that stated it was “easy to use!”. It was a strangely gratifying moment to know that I had done a good enough job building a mobile version of Tor that it both showed up on the radar of an NSA analyst, and that it merited a positive comment about its usability. It also triggered a good deal of reflection on the impact my efforts were having in the world, and just who was paying attention out there.

It was in the Fall of 2009 that I began work on the Guardian Project, an effort to research and develop open, free security software for mobile devices, with a particular focus on solving problems for people living and working in high-risk, high-surveillance situations. I had recently seen a group of my friends working as undercover journalists in a hostile country get tracked down, arrested and temporarily imprisoned due to use of their mobile phones to organize and communicate. I was determined to come up with software that would defend against such a situation occurring again in the future. I knew the undertaking was significant, and so I set my horizon five years out, and came up with a feature roadmap that I hoped to fulfill.

That milestone is now looming, and coincidentally it also times well with the beginning of this fellowship opportunity at Berkman. At this point in the project, I and my team have developed and released a number of open-source apps for Android, and recently iOS, that enable encryption and circumvention features for voice calls, mobile messaging and mobile web access. We’ve also come up with some clever ideas like a camera app that automatically blurs faces detected in a photo. There have been millions of downloads, resulting in hundreds of thousands of active users, around the globe. We have received grant funding from a diverse set of sources, recruited a brilliant team of talented engineers and designers, and generally done well delivering on our promises. The original feature roadmap I set out to build has largely been fulfilled.

I seek then, some time, a context and community in which to reflect on the work I have done, to assess its merit, worth and impact, and to begin planning for the next five years. Beyond a collection of really amazing, moving emails and anecdotes from real users in difficult places, I still have trouble answering “Who are we helping, and how much?”. I want to ensure we are doing more harm, than good, and that we are actually reaching the types of users we hoped to in the beginning. I seek to understand better the different global, legal, and cultural contexts in which tools for privacy, security and expression are utilized for social change. This can be easily boiled down to questions I often receive when I am giving a mobile security training in some far-flung location in the world – “Is this legal for me to use?” and “Can I be arrested for having this on my phone?”. While there is no simple answer, it is also true that there is a huge disconnect between the Internet idealist’s perspective “If it is not legal, it should be, so you should use it anyways”, and the on-the-ground reality of being detained and incriminated because of some digital bits in your pocket.

While the tool builder’s goal is to develop and provide a tangible tool for someone to fight back against oppression and corruption with, they are often unwittingly turning those they want to help into practitioners of a type of civil disobedience without explaining to them what the risks of that are. Is the increased mobile privacy, the ability to avoid traffic surveillance, and to generally keep your plans and dreams confidential to yourself and others you trust, a net positive benefit, versus the increased scrutiny or exposure to incrimination by association one might face? Is it actually safer and more powerful for an activist or organization to operate transparently, in the open, and not expect to have any communications privacy outside of close physical proximity?

These types of questions need to be both researched and explored within an authoritarian state context, as well as within our own democratic (self-inflicted?) surveillance states, as increasing lobbying pressure from law enforcement on legislation might turn my team and me into outlaws quite soon. In other words, the axiom “No one has ever been arrested for using Tor” may need to be refreshed soon. The concept of “lawful intercept” is a globally fungible term better expressed as state-required eavesdropping for corporations seeking to do business in a certain region. Whether the interception is just or not is the important question when seeking to develop and deploy tools that improve and empower a community of users.

During my fellowship, I hope to reach out to legal and research resources within the Berkman community to assist in building a global map overlaying lawful intercept laws and capabilities with the robustness of the larger rule of law. Additional layers of data could include records of persecution based on possession or use of cryptography or other advanced communication tools, whether real name registration is required for mobile network use, data on user groups in the area that are known to be using mobile security tools, and information about surveillance infrastructure known to be in use at telcos and internet service providers in the region. If possible, details on collaboration or collusion by corporate communications hardware and software companies could also be useful to display. I see this resource both as an effort to bring a spotlight on these issues, and as an active resource for any advisor, trainer, activist or journalist traveling to an area who wants to understand the challenges they might face in using a particular type of software, or promoting its use to local communities.

For example, as a journalist working in a region, I might want to know if I should encourage my sources to use mobile security software that would protect my communications with them, but also increase their chances of coming under greater scrutiny by network operators? If I am a labor organizer supporting exploited workers, I also need to make sure I don’t radically increase the chance they will lose their job or be otherwise because they got caught using an app. I will research and document these types of user stories, and test them against the resources, to understand the value of this research.

I want the software I develop to work, and to be helpful, useful and empowering. I do not want to just solve for threat X, and not think properly about threats Y and Z. I also know that my work is just one small part of a sea of solutions both free and commercial, attempting to enhance privacy and security for mobile users. The work I am proposing for this fellowship aims to help that larger community of tool builders to think about the use, deployment and realization of their efforts in a more complete way, so that the result can be what we all hope for. It also aims to ensure our users can make the best decisions about the threat they face, and whether or not using a piece of mobile communications software is ultimately beneficial for their situation.

Finally, I envision the output of this work not to be a static report, but a dynamic, shared dataset that any website or application could clone or tap into. I would ideally also develop a default mobile website or app that would give users a “sixth sense”, warning them of potential risks, by cross-referencing their device’s network operator, geographic location, and installed applications, with the data available in the networked mobile security risk database.

I cannot think of a better place to pursue this work than at the Berkman Center, within a community of fellowship to help tune, improve and realize this complex effort. I expect there to be a good amount of overlap with other communication infrastructure mapping efforts. I also realize that there exists a great deal of expertise well beyond my own into the legal aspects of the issue. This work would greatly benefit from access to these efforts and skills, and I from a supportive network of like-minded colleagues, and thus humbly ask for your consideration of my application.

QRAnime aka Blipverts aka Snowcrash

animated qrcode

Make your own and learn how to read this here: https://github.com/n8fr8/qranime/

/** HOW TO READ **/

1) Install the Android Barcode Scanner app

2) Enable the "Bulk Mode" scanning under Menu->Settings

3) Activate and point the scanner at the animated code for a while.

4) Press the Menu->History option to read the collected lines of text

Redesigning the Camera Phone to Protect Privacy

Have you ever wanted to post a photo to Facebook from your mobile phone, but weren’t sure if someone in that photo would mind their face going online? Did you take a great picture of your kid at the playground that you want to tweet out to the world, but caught some other kid in the shot, and are worried about their parent freaking out about online predators? Maybe you are worried about all the data that is being logged in your photos, like the exact GPS coordinates of where you took the picture, and don’t know how to disable that feature. If any of these thoughts have ever crossed your mind, and you have an Android phone, then you should try out a new app my team at the Guardian Project just launched called ObscuraCam.

In short, the app integrates with your camera and gallery, to allow you to remove, pixelize or disguise faces of people in your photos, before you upload them to Facebook, Twitter or elsewhere. It also cleans out all the secret, hidden extra data that gets stored in your photos, like your GPS location, the make and model of the camera phone and sometimes even a unique serial number identifying your phone. While our original goal was to build an app that supported human rights activists in places like Iran and China, we really do think this app has broader relevance to everyday people (like YOU!) who want to have a bit more power in controlling what gets revealed, analyzed and indexed when they share their photos online.

Read the post on the Guardian Project blog, to get a more in-depth idea about what we’ve done, and where we are going with this project. This “v1” release is just for still photos, but we are quickly moving on to support video, as well as additional obscura filters too!

ObscuraCam is pretty powerful, in that it can automatically detect multiple faces in a photo, and then allow you to selectively choose how to filter those faces. You can also filter out t-shirts, signs, sensitive documents on a desk or just about anything you don’t want a human or machine to be able to see.

You can even have some fun putting on a silly disguise, which may still allow a human to recognize the person in the photo, but would most likely stop Facebook or Google’s current recognition software from figuring out who you are.

So, please – try it out, have some fun, and post some pictures.

Just search for “Obscura” in the Android Market or install it directly from the web.