Notes from security/privacy/surveillance workshop for activists

[Image: security for activists whiteboard for topics with dot-voting]

Yesterday (Saturday, December 20, 2014), we held a workshop for activists about security, privacy, and surveillance. The goal was to share information so that, while we are out there making the world a better place, we are aware of the ways that we can be tracked and what can be done about it.

Introductions included the usual (name plus preferred gender pronoun) and also security topics that people are interested in or could speak about. It became pretty clear there was a lot of interest in a variety of topics. So we next spent a few minutes writing topics on a whiteboard, grouping similar topics together, and then dot-voting on topics. In the end, we only covered the top three topics: tracking, best practices for operational security, and alternatives to tools that track us a lot. We spent the last half hour helping each other install secure tools and exchanging contact information.

[Image: whiteboard from security for activists workshop]

A few things were clear:

  • There’s a lot to cover, and we need more workshops.
    * It’s really good to focus on specific needs. For example, it would be nice to have a focus workshop on collaborative tools that can be kept private and secure within the group that is working together.
    * We should spend more time helping people do things such as encrypting their phones, computers, and other devices; talking about the usage of encryption; installing tools like TextSecure, RedPhone, Tor, and VPNs.

We will definitely be holding more trainings/workshops/skillshares. In the meantime, here are the notes that we ended up taking (for those curious, we were using an EtherPad hosted by riseup.net; collaborative editing w/o logging).

Security/privacy/surveillance discussion
12/20/14

Tracking (time limit 30 minutes)

  • Your phone is always tracking where you’re at, even after you disable “Location Services.” It does this to let cell phone towers know where you are. You can turn off GPS tracking…
    If you have a flip phone, they can only tell your location by cell phone tower. But it’s within a couple hundred feet. However, multiple cell phone towers can triangulate your location.
    – Every phone that does GPS, you’re actually hitting satellites, sometimes. This gives your relative position….. that gets reported to Google, Apple and whatever other services you’re connected to. Connecting your phone to wifi can give a fairly precise location.

  • One way to make your WiFi’s location not get stored by Google is to add _nomap to the end of the SSID (network name)

  • Riseup also provides free VPN services, aside from email and etherpad
    – Servers hosted by May 1st
    – Riseup etherpad link: https://pad.riseup.net/
    Riseup doesn’t keep logs on its servers for users, so if anyone comes asking for info, they won’t have anything to give them.

  • Most servers/websites do logging. It’s intended for troubleshooting… diagnostic logging, but it can be used for tracking, even inadvertently
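To make the logging point concrete, here is an added example (not part of the workshop notes and not Riseup's configuration) that parses a few constructed access-log lines, shows how the raw log links one visitor's page views together, and shows a scrubbed record that still supports troubleshooting. The IPs, paths and browser strings are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common "combined" access-log format.
# IPs are from documentation ranges; paths and browser strings are made up.
SAMPLE_LOG = '''\
203.0.113.7 - - [20/Dec/2014:10:01:12 -0800] "GET /pad/meeting-notes HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0"
203.0.113.7 - - [20/Dec/2014:10:04:40 -0800] "GET /pad/carpool-list HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0"
198.51.100.23 - - [20/Dec/2014:10:05:02 -0800] "GET /index.html HTTP/1.1" 500 900 "-" "Mozilla/5.0 (Macintosh) Safari/600.1"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def profile_by_visitor(entries):
    """What anyone holding the raw log can rebuild: pages per (IP, browser)."""
    profiles = defaultdict(list)
    for e in entries:
        profiles[(e["ip"], e["agent"])].append((e["time"], e["path"]))
    return dict(profiles)

def scrub(entry):
    """Keep what troubleshooting needs; drop the IP, referer and browser
    string, and coarsen the timestamp to the hour."""
    return {
        "hour": entry["time"][:14],  # e.g. "20/Dec/2014:10"
        "method": entry["method"],
        "path": entry["path"],       # paths can still be sensitive on their own
        "status": entry["status"],
    }

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for (ip, _agent), visits in profile_by_visitor(entries).items():
        print(ip, "->", [path for _, path in visits])
    print([scrub(e) for e in entries])
```
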

Ways we are tracked:
– Cell phones
a) SIM card, each one contains unique identifiers that can be tracked by provider and the state
b) Call data records (metadata).
c) Listening to calls – keyword monitoring
d) Can remotely turn on microphone or camera
e) Apps (on smartphones). App permissions … What types of data do apps collect?
f) All phone apps can access your mic (i.e. Facebook messaging app)

  • Videotaping… videos have identifying info. Unique pattern in image grain that can be used to put together a profile of you…
    – When your phone is off, how much can you be tracked?
    – Sharing photos and online backup services. This data is out there. For Android phones, we know Google has this info.

  • Face recognition in public

Who does tracking? Why?
– NSA – huge servers to store everything. They can go back in the future and search through saved data.
– Private Corporations and entities, third-party apps, etc.
– Even if using encryption, if someone wants to crack it they could do that in the future potentially.
– Data science, taking data and finding information from it, building a profile based on statistical patterns, and diverse human habits and features, etc.
– Marketing companies… doing it to make money. But they are making tools that make it easier for other organizations like the NSA to track you.
– Keyboard tracking…
– Smartphone photos are automatically backed up to the cloud

What do we do about tracking?
Does turning off your phone and keeping it away from your physical location mean you are not being tracked? Apparently you can go online and research making a Faraday cage to avoid this. Snowden put his cell phone in the freezer/refrigerator – an operational anti-surveillance tactic – that avoided broadcasting any info.

For texting: see “Codes? What are they Good For?” discussing how codes have been used by different groups, try to create patterns, don’t let any silent periods happen that may raise a flag or suspicion? Use mundane terms instead of relying on codes that stick out like a sore thumb

SilkRoad articles: http://arstechnica.com/series/the-silk-road-bust/

Alternative communication/tools

Some text encryption apps are good for one on one, others for group texting
Cryptocat – it sets up on the spot encryption, it doesn’t keep logs, has a phone app, too – https://crypto.cat/
TextSecure for Android (and it has a beta for iPhone?) – you can verify in person that their public key is authentic. It is pretty user friendly if you don’t want to set up a private key as listed below. This can be done for your phone. It has a central server.
Redphone (for phone calls) – https://whispersystems.org/
Signal (for iPhone right now but working on an Android version)
OTR messaging
ixquick, (also called Startpage) – alternate search engine, based in EU, doesn’t track
Duckduckgo (search engine that doesn’t track your searches)
SpiderOak – an alternative to Dropbox. Dropbox encrypts in transit, but it is not encrypted at site of origin or final destination
TOR browser
Pond – an encryption tool; has a steep learning curve at the moment, but watch out for it, in beta.
Adium, includes encryption

Encryption – Private and Public keys – you have a direct line to someone sharing a secret password, a key that someone gives you to send them an encrypted message. (You can generate a key from your own computer and send it to someone by mutual and secret consent, and it can be verified face to face that there was nobody in the middle to intercept.)
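Why the face-to-face check matters, as an added example that is not part of the workshop notes: two people exchange public keys over a channel that may be intercepted, then compare key fingerprints in person. It uses a toy Diffie-Hellman key agreement with a deliberately tiny modulus as a stand-in for the key exchange real apps perform; the names `exchange` and `in_person_check` are made up for this sketch.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration only (assumption): real tools use vetted
# groups or curves, never a 127-bit modulus like this.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy key agreement."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short hash of a public key, grouped so it can be read aloud."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def shared_secret(my_priv, their_pub):
    """Key both sides derive from their own private key and the other's public key."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def exchange(intercepted=False):
    """Simulate A and B swapping public keys, optionally with someone in the
    middle who replaces both keys with their own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_sees, b_sees = b_pub, a_pub
    if intercepted:
        _m_priv, m_pub = keypair()
        a_sees = b_sees = m_pub  # each side now holds the interceptor's key
    return {
        "a_view_of_b": fingerprint(a_sees),  # what A's screen shows for B
        "b_own": fingerprint(b_pub),         # what B's own screen shows
        "same_secret": hmac.compare_digest(
            shared_secret(a_priv, a_sees), shared_secret(b_priv, b_sees)),
    }

def in_person_check(result):
    """The face-to-face step: does A's copy of B's key match B's real key?"""
    return hmac.compare_digest(result["a_view_of_b"], result["b_own"])

if __name__ == "__main__":
    for intercepted in (False, True):
        r = exchange(intercepted)
        print("intercepted:", intercepted, "| fingerprints match:", in_person_check(r))
```
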

Tor –
It hides your ip address, and you receive signals from peer-to-peer activities,
It will not give out any location or id information about your computer, it’s connected by a Virtual Private Network of servers all over the world. Uses a proxy to hide your IP through the network. The router only knows the last id. Onion network, which has multiple layers. There are a lot of people helping to create this virtual network. It’s really useful in other countries where there is more censorship of websites. It’s important to be careful how you use it. It’s easy to screw up the anonymity of this tool if misused…

Virtual Private Network – Photon VPN or VPS, this is using\
This would be a good start for a toolkit

A good VPN Service (check other customer comments, make sure they don’t keep logs and that they state they will not provide files to the government or others). AirVPN, Mullvad.net can be looked at.
* VPNs recommended by Lifehacker: http://lifehacker.com/5935863/five-best-vpn-service-providers
TextSecure
Redphone

Social media: Fake messages; authenticity

Pond – https://pond.imperialviolet.org/
protects metadata – no usernames, only connects through tor, no insecure mode, sends fake empty messages to make metadata hard to analyze
Not yet easy to use

Flip phones cannot encrypt text messages. You can use duress codes. Code phrase for things, that for example, went well, or didn’t go well, or went really well.

Make sure you encrypt your smartphone and set a secure passcode.

Try to do full disk encryption for computers/laptops, so that your data cannot be accessed without your password.

Operational Security
https://grugq.github.io/blog/2013/12/21/codes-what-are-they-good-for/
How to use codes more effectively – good for flip phones
Tips, Tools and How-tos for Safer Online Communications: https://ssd.eff.org/

In online chats you can use pseudonyms instead of your name…

Scenario for an action: get a lot of people to an action at a certain time, without public knowing ahead of time.

Another scenario: action to shut down OPD for four and a half hours. Avoided communicating over any networks. No notes, shut off phones and put them in another room. No one group knew everything that was happening. People know things on a “need to know” basis. In the end, you don’t talk about all the action details. Afterwards don’t post everyone’s photos on Facebook and tag them or have clear agreement on how that is to be handled afterwards. Not a lot of things were being documented. Built on trusted relationships. Code words. Successful element of surprise.

Jail support team will collect name, contact info and any specific info you will need help with if you get arrested.

Think about the contents of your wallet before an action.

Bring a Sharpie. Write National Lawyers Guild number on your skin, like your arm.

Make sure you account for everyone. We each should be keeping track of someone else, and someone else keeping track of us.

Sometimes it’s good to not be too curious about something being organized. Try to know just what you need to know.

Shared agreements about communication channels. (i.e. don’t put plans online. But once action starts, groups will blast it out online. Not be tagged or photographed.
Talking in person only.)

But it’s hard for everything to be private if the goal of an action is to be public.

If you’re always prepared for an action. Chains, steel pipes. If you stay ready, you don’t have to get ready.

Have a safety team / support people for yourself.

It’s really good to have allies.

If you’re not part of an action, then it’s good to not know info. Don’t pry if you’re not involved.

It’s really good to know what your goals are. What are the security requirements? They might be different during the planning of an action versus after the action starts and you’re trying to get the word out to the world.

Be aware of interrogation techniques. They might pretend that someone in your group already told them everything, in order to get you to start sharing info.

Stingrays can read traffic between phones. They can intercept communication and change the text of a message between phones. If you use encryption for text, it’s harder for them to see the content of your text messages.

Before an action, it’s good to pick who will be arrestable, and it’s good if this person knows the least about the action. This better protects folks from giving out information about the action during an interrogation.

What two tools would be good to use for privacy, if you cannot have face to face conversation?
– Redphone
– Cryptocat, then use TextSecure to communicate URL.
– Preparation beforehand, like doing secure communications trainings.

Interrogation handbook:
http://rageuniversity.com/PRISONESCAPE/GROUP%20SECURITY/Ask-Me-No-Questions-NO%20LIES.pdf

TODO:
* secure text messaging
* Secure phone calls
* encrypt phones
* encrypt laptops (FDE)
* Autodestruct
* VPNs including Tor
* encrypt emails

Other topics (write down anything you want to learn about that’s not on the board):
* Drones (Alameda County has 3 drones, but also hobbyists have them too.)
* fake towers

NOTE: As I observe the conversation I see that what may be more targeted to protect the activist moves, instead of going into the whole vast

Today! Queer Care Winter 2014: NOURISH

Queer Care Winter 2014: NOURISH is taking place at LOL today. Come visit and hang out with herbalists, including Shootingstar Botanicals, who practice out of LOL! Event runs from 1p to 5p. Check the Facebook event for more info.

Sorry for not posting earlier … we tend to promote things over Facebook and Twitter and sometimes neglect the web site (need to kick that habit). Photos soon!

Indiegogo campaign ends on Wednesday!

We’re in the last few days of the LOL Indiegogo campaign, and are hoping to finish strong. Thanks to our absolutely wonderful supporters, we have already raised enough money to pay for basic operating expenses for about half of 2015. We are hoping to be able to extend that so we can expand our hours and give access to more people.

We originally started this space because we couldn’t find any hacker or maker spaces where we could look around and see other people like us. At the time, most spaces came out of hacker culture, and, like tech in general, most spaces were dominated by straight cis white (and sometimes Asian) men. Things have gotten better since then, especially for women — Mothership Hackermoms opened around the same time we did, and feminist hacker space Double Union opened last year, and Sudoroom in Oakland has made a concerted effort to be inclusive — but we are still the only space where you can go to any event and mostly see people of color (also more than half of our members are women, and a significant number are queer and trans folks).

Please consider supporting us by:

  • Contributing to our campaign on Indiegogo!
  • Sharing our campaign w/ friends and people who share our vision!
  • Liking the LOL Facebook page — it’s where we post updates most frequently, and liking the page means you will occasionally see our posts (if Facebook decides that’s okay; they will guarantee it, though, if we pay them; funny how that works)

Thanks so much!

Saying goodbye to Eno

Eno, one of our members, passed away recently. She was a participant in our Hack Nights and also a coordinator for the BAAITS Beading and Regalia Making nights. She’ll be dearly missed.

There will be a farewell ceremony for Eno on Sunday (8/31) at 5 p.m. Come by if you knew her and want to share with others she touched.

Friday, 11/29 is Make Everything Day at LOL!

We had a lot of fun at last year’s Winter Make-A-Thon, and so we’re bringing it back! This time, it’s going to be on Black Friday, 11/29 from noon until 5 PM.

Come join us! It would be really great to make stuff together and enjoy a nice relaxing day. The perfect alternative to the stressful frenzy that is the hallmark of Black Friday.

Just like last year, there will be several making stations set up. We are planning on having stations for making jewelry from recycled bicycle parts, indoor gardening, 3-D printing, candlemaking, pie baking, and electronic cutting (and other paper arts).

We are open to suggestions on additional activities, too, so if you have something that you would like to do please suggest it to us and we can set aside some space for it!

We are also still looking for volunteers. It’s actually going to be pretty easy, really just showing up with a project you want to work on and being willing to share tools and knowledge with others.

Hope to see you there! If you’re on Facebook, please RSVP on the Make Everything Day event page and help us promote it!

Is Community Owned Energy Possible in San Antonio & Fruitvale?

SELC’s Resilient Communities Legal Cafe is happening Wed., Nov. 6! This time there will be a teach-in on Community Owned Energy presented by the Energy Solidarity Cooperative.

Free Walk-in Legal Advice starts at 4:30pm. Community Owned Energy Discussion starts at 6:00pm.

Here’s a short video featuring Ricardo from SELC, Ashoka from ESC, and Cass from LOL!

Also, here’s the flyer for the event (click to download PDF):

2013.11.06_ESC_LOL_Teachin

Mentor women from Africa and Middle-East w/ TechWomen

TechWomen mentorship 2013

A friend just forwarded this message from Beth Garriott of the Institute of International Education:

The TechWomen program, managed by the Institute of International Education and funded by the Department of State, is currently looking for women living in the Bay Area who are passionate about Africa to get involved as Cultural Mentors for our program in October. I’ve included more details below and a flyer attached… The application deadline is August 1st.

Here’s the flyer.

LOL on the radio!

I (Jen-Mei) was recently interviewed for a show on integrating healing into queer activism on KPFA’s Women’s Magazine that was originally broadcast on Pride Sunday. I talked a bit about the space, intersectionality, taking time to build stuff on our own schedule instead of as a reaction to stupid mean stuff someone else is doing, and some of our upcoming events such as our AMC 2013 report back on Saturday, July 20 (2 PM to 6 PM).