(Informal/open) Mobile Security Clinic today @ Berkman 4:30-5:30pm

I am informally launching my weekly hands-on mobile security clinic today at Berkman, around 4:30pm, in the Fellows conference room at 23 Everett.

While some might say a mobile phone is only secure once it's been microwaved, smashed by a hammer, and buried in concrete, the truth is, most of us can't escape the shiny, buzzing tracking device in our pocket.

What I can offer are some free, practical solutions that can go a long way toward reducing the likelihood that what you do on your mobile will get hoovered up into a never-expiring log somewhere, or plastered across 4chan. Whether you want to encrypt your calls, messages or photos, ensure sensitive personal or project information is not leaking to any app that asks for it, or deal with more advanced concerns related to surveillance or proprietary app ecosystems, I am happy to go there, and find a solution, if it exists.

If you want a small idea of some of the solutions I can offer, visit this link: https://guardianproject.info/howto/

In return, I get to hear your stories and challenges, as well as aspirations for what a brighter, more secure mobile computing future might be. Like I said, this is a weekly effort, and these types of interactions are a key part of my work as a Fellow here this year.

Assessing the Impact of Five Years of Mobile Security Problem Solving (and Planning for Five More…)

Below is the text of my successful application to the Berkman Center 2015 Fellows program, including the concept for my fairly ambitious project, which I look forward to finding some allies and collaborators on during the year.

***

In a recent leak from the Snowden files, one of the mobile security apps I have developed, Orbot (Tor for Android), showed up in an NSA PowerPoint slide explaining the different forms that the Tor anonymity and circumvention software takes. Next to the app's name was a comment that stated it was "easy to use!". It was a strangely gratifying moment to know that I had done a good enough job building a mobile version of Tor that it both showed up on the radar of an NSA analyst and merited a positive comment about its usability. It also triggered a good deal of reflection on the impact my efforts were having in the world, and just who was paying attention out there.

It was in the Fall of 2009 that I began work on the Guardian Project, an effort to research and develop open, free security software for mobile devices, with a particular focus on solving problems for people living and working in high-risk, high-surveillance situations. I had recently seen a group of my friends, working as undercover journalists in a hostile country, get tracked down, arrested and temporarily imprisoned due to their use of mobile phones to organize and communicate. I was determined to come up with software that would defend against such a situation occurring again in the future. I knew the undertaking was significant, and so I set my horizon five years out, and came up with a feature roadmap that I hoped to fulfill.

That milestone is now looming, and coincidentally it also times well with the beginning of this fellowship opportunity at Berkman. At this point in the project, my team and I have developed and released a number of open-source apps for Android, and recently iOS, that enable encryption and circumvention features for voice calls, mobile messaging and mobile web access. We've also come up with some clever ideas, like a camera app that automatically blurs faces detected in a photo. There have been millions of downloads, resulting in hundreds of thousands of active users around the globe. We have received grant funding from a diverse set of sources, recruited a brilliant team of talented engineers and designers, and generally done well delivering on our promises. The original feature roadmap I set out to build has largely been fulfilled.

I seek, then, some time, a context and a community in which to reflect on the work I have done, to assess its merit, worth and impact, and to begin planning for the next five years. Beyond a collection of really amazing, moving emails and anecdotes from real users in difficult places, I still have trouble answering "Who are we helping, and how much?". I want to ensure we are not doing more harm than good, and that we are actually reaching the types of users we hoped to in the beginning. I seek to understand better the different global, legal, and cultural contexts in which tools for privacy, security and expression are utilized for social change. This can be easily boiled down to questions I often receive when I am giving a mobile security training in some far-flung location in the world: "Is this legal for me to use?" and "Can I be arrested for having this on my phone?". While there is no simple answer, it is also true that there is a huge disconnect between the Internet idealist's perspective, "If it is not legal, it should be, so you should use it anyways", and the on-the-ground reality of being detained and incriminated because of some digital bits in your pocket.

While the tool builder's goal is to develop and provide a tangible tool with which someone can fight back against oppression and corruption, they are often unwittingly turning those they want to help into practitioners of a type of civil disobedience without explaining to them what the risks of that are. Is the benefit of increased mobile privacy, the ability to avoid traffic surveillance, and generally keeping your plans and dreams confidential to yourself and those you trust a net positive, versus the increased scrutiny or exposure to incrimination by association one might face? Is it actually safer and more powerful for an activist or organization to operate transparently, in the open, and not expect to have any communications privacy outside of close physical proximity?

These types of questions need to be both researched and explored within an authoritarian state context, as well as within our own democratic (self-inflicted?) surveillance states, as increasing lobbying pressure from law enforcement on legislation might turn my team and me into outlaws quite soon. In other words, the axiom "No one has ever been arrested for using Tor" may need to be refreshed soon. The concept of "lawful intercept" is a globally fungible term better expressed as state-required eavesdropping for corporations seeking to do business in a certain region. Whether the interception is just or not is the important question when seeking to develop and deploy tools that improve and empower a community of users.

During my fellowship, I hope to reach out to legal and research resources within the Berkman community to assist in building a global map overlaying lawful intercept laws and capabilities with the robustness of the larger rule of law. Additional layers of data could include records of persecution based on possession or use of cryptography or other advanced communication tools, whether real-name registration is required for mobile network use, data on user groups in the area that are known to be using mobile security tools, and information about surveillance infrastructure known to be in use at telcos and internet service providers in the region. If possible, details on collaboration or collusion by corporate communications hardware and software companies could also be useful to display. I see this resource both as an effort to bring a spotlight on these issues, and as an active resource for any advisor, trainer, activist or journalist traveling to an area who wants to understand the challenges they might face in using a particular type of software, or promoting its use to local communities.

For example, as a journalist working in a region, I might want to know whether I should encourage my sources to use mobile security software that would protect my communications with them, but also increase their chances of coming under greater scrutiny by network operators. If I am a labor organizer supporting exploited workers, I also need to make sure I don't radically increase the chance they will lose their job or be otherwise because they got caught using an app. I will research and document these types of user stories, and test them against the resources, to understand the value of this research.

I want the software I develop to work, and to be helpful, useful and empowering. I do not want to just solve for threat X, and not think properly about threats Y and Z. I also know that my work is just one small part of a sea of solutions both free and commercial, attempting to enhance privacy and security for mobile users. The work I am proposing for this fellowship aims to help that larger community of tool builders to think about the use, deployment and realization of their efforts in a more complete way, so that the result can be what we all hope for. It also aims to ensure our users can make the best decisions about the threat they face, and whether or not using a piece of mobile communications software is ultimately beneficial for their situation.

Finally, I envision the output of this work not as a static report, but as a dynamic, shared dataset that any website or application could clone or tap into. I would ideally also develop a default mobile website or app that would give users a "sixth sense", warning them of potential risks by cross-referencing their device's network operator, geographic location, and installed applications with the data available in the networked mobile security risk database.

I cannot think of a better place to pursue this work than at the Berkman Center, within a community of fellows to help tune, improve and realize this complex effort. I expect there to be a good amount of overlap with other communication infrastructure mapping efforts. I also realize that there exists a great deal of expertise well beyond my own in the legal aspects of the issue. This work would greatly benefit from access to these efforts and skills, and I from a supportive network of like-minded colleagues, and thus I humbly ask for your consideration of my application.

Six Easy Tips: Essentials of Digital Security for Targeted News Organizations

Below is a quick-reference, distilled list of six easy tips for any news organization employee at risk of being targeted by malicious adversaries. These tips come from the Safe Travels Online campaign that the Tibet Action Institute has been developing over the last two years to assist Tibetan exile human rights organizations, and it has proven effective in reducing the number of successful "cyberattacks", and in minimizing the impact of successful attacks to only a single infected machine (instead of the entire organization).

The recent story on cyberattacks against the NYTimes indicates that email attachments infected with malicious code were likely the source of the infiltration. These types of attacks have been a common pattern that the Tibetan exile community has experienced for years, and I am happy now to share some of their painfully-acquired wisdom with all of you. With each tip, I have also included a link to a short public service announcement video on the TibetAction YouTube channel.

1. Use HTTPS to Stay Secret, Safe & Secure: You should always keep your network traffic to online services and applications secure, whether at the office, at home or traveling abroad.
https://tibetaction.net/knowledge/tech/https-eng/

httpS Keeps You Secret, Safe & Secure!

Keep your secrets safe using HTTPS

2. Detach from Attachments: Email attachments are a plague on the information age. There are many better, safer and more effective ways to share files in the 21st century.
https://tibetaction.net/detach-from-attachments/

(this is one of our most popular tips, so I’ve embedded it for easy viewing!)

Detach from Attachments!

3. Keep Your Enemies Out Of Your Inbox: Google provides the best set of tools for defending against intrusion, or at least for knowing when you may have been compromised.
https://tibetaction.net/knowledge/tech/keep-enemies-out-of-your-inbox/

Keep your enemies out of your inbox!

4. Don't Share Drives: The culture of sticking a USB flash drive in any old USB slot must end; it's like having sex without protection; again, there are better ways to share files.
https://tibetaction.net/knowledge/tech/dont-share-drives/

Don’t Share Drives!

5. Strong Passwords (keep you safe online): You must use better passwords, enable features like Google's two-factor authentication, and use services like LastPass or KeePass.
https://tibetaction.net/knowledge/tech/strong-passwords/

Strong Passwords!

6. Think Before You Click: Hyperlinks have revolutionized our lives, but when they come inside an email message, they can lead to a whole world of hurt.
https://tibetaction.net/think-before-you-click/

(this is our latest tip, and as it is quite relevant here, I've embedded the video)

Think Before You Click!

… and here is just one of the great posters available for printing and posting at your workplace, available at https://tibetaction.net/safetravels. Yes, it has Tibetan writing on it, but that makes it even more legit, doesn't it?

Tashi Delek!

An extraordinary hacker and activist

Dear friends, family and colleagues… when I get annoyed by you for using the label "hacker" in a negative, nonconstructive, anti-productive manner or to refer to malicious adversaries, it is because there are people like Aaron out there who are true examples of what a hacker is… who use their basic, unstoppable curiosity about deeply technical subjects to change power structures in society, in order to address issues of injustice, basic rights and information freedom. He was also one of the only hackers, considering his brilliant direct action tactics against closed profiteering journal databases, who would have been equally at home at an SFT or Ruckus activist camp as at a hackerspace. RIP.

From danny:

Aaron’s art was an amazing ability to focus on the truly important. When he left, just as when Len left, he left an obligation on the rest of us to keep what each of us have of him, and put it to good use. Between us, I believe we still have a massively parallel, distributed version of Aaron, one unique part of his life shared with each of us alone. The part I’ll remember for us is just how funny he was, and how serious change sometimes requires a light touch, and a sense of the absurd.


https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz

http://www.oblomovka.com/wp/2013/01/12/he-was-funny/

http://rememberaaronsw.tumblr.com

and for eternity: www.aaronsw.com