Revolutionary social movements which challenge power can be dangerous, as power structures can be broad, far reaching, and have different components. The General Defense Committee of IWW holds that broad structures can only be effectively challenged by mass and broad movements themselves, and this is how movement security is upheld. Having comrades within a vibrant social movement that have your back when you need them is infinitely more vital than a paranoid security culture. Strong relationships fight power in ways that physical tools can not, and security culture alone cannot defend on every front or make strong actions lasting and relevant.
Recognizing different parts of power have different tools and reach is key. Flexibility and specialized education is necessary to confront different types of hurdles – social, technological, or otherwise. That being said, the digital landscape is foreign and unfamiliar to many, and some understandings of strengths and weaknesses in this landscape may not be representative or complete. This document is focused on technology security and serves as an educational map and how-to in defensive methods and awareness for readers confronting power, particularly in methods you don’t need years of education to understand, or simple substitutions for insecure services.
In today’s paranoid climate, everybody is a target for surveillance and repression, but if there was ever a time where elevated surveillance were to occur, confronting power would be that time. For example, the cell phone spying at the 4th precinct in Minneapolis (http://nstarpost.com/17486/159855/a/cellphone-surveillance-used-on-black-lives-matter-protesters-at-fourth-precinct) is proof of it’s existence beyond all doubts. Because of this and other similar situations, the Twin Cities GDC wrote this document to give a few practical tips:
Tech things you have no excuse not doing:
Google is known to be cooperating with PRISM (a corporate and government joint surveillance program) in turning over warrantless user data to the National Security Agency (NSA). It’s also well established that the NSA is monitoring search engine data traffic through a secondary access point. Everyone should assume that anything you do through Google is being tracked, and that data is accessible by both large power structures and anyone with access to your account.
Use DuckDuckGo or Disconnect.me for searches, and don’t send any sensitive data through gmail, or any unencrypted (the digital equivalent of unlocked) email for that matter.
LOCK YOUR DEVICES
Devices such as laptops and cell phones that have personal information can easily be stolen through physical means, giving complete control to an attacker with technical skills.
Do not leave devices unattended. Put at least a simple password on your phone and laptop when you close it – it won’t stop people who really know what they’re doing, but it does prevent the simplest forms of data theft without much hassle for you. Do not use fingerprint unlocking on your phone! Fingerprints unlocking is imprecise and can be easily stolen, spoofed, and turned over to the authorities by companies like Apple, while preventing authorized users who are not you from accessing your phone if they need to do so.
AVOID PUBLIC FACEBOOK LEAKS
Facebook is king of unintended information leaks, hands down. Surveillance doesn’t need to be complex if you give all your data away for free.
Review your privacy settings on Facebook very carefully. If you have some kind of semi-public persona, it might be best to clean your friends list and make a separate page for that. Isolation is easier to enforce than reviewing security on every post. As a rule of thumb, similar to google accounts, do not send sensitive information through Facebook at all. Facebook is also a member of PRISM, so do not assume any sort of privacy from large power structures.
AVOID TEXT MESSAGES
Plain SMS (Short Message Service), also known as text messages, are unencrypted by default. Anybody with access to the cell phone network you’re on has full and complete access to anything you send through regular text (SMS) or multimedia (MMS) messages. This includes local police with fake cell towers.
Use an app called Signal if you have iOS or android. Signal encrypts your text data end-to-end before sending, which prevents any man in the middle from viewing it, and has an option to encrypt voice calls as well. Please note that it does not prevent anyone with access to your phone or your recipient’s phone from viewing your messages, nor does it prevent cell phone tracking! If you do not have the ability to get this app, sending sensitive information through SMS could be dangerous: wait for an opportunity to relay this information in person, or use some other method.
AVOID WEAK & REUSED PASSWORDS
Having weak and reused passwords is a great way to get accounts stolen. If you worry that your password may be weak or has been reused, rebuild and change your password immediately.
Use a mnemonic to remember passwords that don’t contain English words (for example, create a sentence including capitalized proper nouns and use the first letter from each word), use lower case, upper case, numerals, and punctuation in your sentence, and add in a part to your password or sentence to the place you are using it for so that your exact same password does not get reused. For example, Ga!TIwt1RFab33lob. could be a password from “Google account! Today I went to 1 Rainbow Foods and bought 33 loaves of bread.”. (DO NOT USE THIS EXAMPLE VERBATIM) The sillier or otherwise more meaningful the sentence, generally the easier it is to recall.
Alternatively, if you have many sensitive accounts, I might recommend using a password manager application (such as KeePassX).
AVOID STOCK BROWSERS
An internet browser from a fresh install (either Firefox or Chrome) will be vulnerable to all kinds of attacks, so it’s best to install a few extensions before viewing anything.
Install these add-ons: HTTPS Everywhere (automatically uses secure transfers when supported), Privacy Badger (prevents you from being tracked by certain methods), uBlock Origin (prevents intrusive advertisements and some forms of trickery), and perhaps cryptocat (simple chat rooms with end-to-end encryption).
For more security at the price of seriously learning both terms and how to use other tools, we might also suggest the following: uMatrix (or alternatively noscript, both are domain blocking extension for browsers), a proxy server (some such as disconnect.me are available freely but have mixed records on turning over access logs. We might also recommend buying one from a dealer called Private Internet Access if you want more proxy options and better safety), pidgin + OTR (a generic IM program with encryption through any protocol), VeraCrypt (deniable generic data encryption), and if you absolutely must transfer anything highly sensitive outside of physically handing the data over, please look into the tor project, a distributed communications systems project far beyond the scope of this letter. Do note however that these tools are only as useful as your understanding of them—do not let their existence on your hard drive lull you into a false sense of security.
It’s important to understand that your data security and information pipeline doesn’t affect only you, but everyone who you are in contact with. Please take some time to consider your own connections or behaviors that could be exploited—if not for your own safety, then for the safety of your friends, loved ones, and everyone else you’ve been in contact with.
For more information on action planning, threat modeling, and more in-depth information on tools that require more education to use effectively, please contact the Twin Cities IWW General Defense Committee Local 14 about an upcoming Information Security Training 101, or contact your local GDC about providing this training.
Stay safe everyone,
Twin Cities IWW General Defense Committee Local 14
4 thoughts on “On Tech Security in 2016”
You might also be interested in checking out some of these links:
The EFF is of course one of the most respected Privacy orgs around. Here they score different apps:
Here’s the EFF’s Surveillance Self-Defense Page:
So far, Backslash seems limited to proof of concept stuff, but promising:
And, of course, Cell411, which allows users to send out customizable alerts and notifications to a trusted group: http://safearx.com/
Hi. So glad to see this being talked about within the IWW. I have a few thoughts on this article and security in the IWW in general.
First, I think a lot of the advice in this article is good, but I wonder if it’s maybe a bit unfocused. The most important factor in determining good security practices is the threat model you’re working with. While it’s true that the NSA is passively surveilling internet traffic, I don’t think that surveillance is a huge threat to the IWW at this time. It’s solid advice and a good thing to be aware of, but in general, if the NSA if part of your threat model, it’s best to avoid the internet entirely. A bigger threat right now towards IWW campaigns would be local or state law enforcement, bosses, hostile co-workers, and even fellow wobblies who may not be so security-conscious. The capabilities of these actors are very different compared to the NSA. The NSA apparatus could easily be directed towards surveilling woblies and there’s nothing wrong with being aware of that and adjusting one’s habits to avoid it. To a certain extent, though I think worrying about the NSA too much sort of muddles the whole issue. And presenting some of the suggestions provided here in a vacuum so to speak(e.g., use duckduckgo instead of Google) does not really paint an adequate picture when it comes to user security. I think we should get people thinking about more proximal and direct threats before we have them thinking about the NSA.
With regards to unencrypted email and SMS, I think it’s relatively safe to discuss union business over these mediums. Using encryption is generally better than not and it should be encouraged, but what’s more important in these cases is good operational security. It’s more about who you are talking to and how you are talking to them. A bigger problem in my experience with the union was people talking too much with too many people about sensitive information. We not only need to get people to use computers differently in encouraging them to use secure software, but we also have to people to think differently about how they talk to to people. Encryption is no good if you’re talking to somebody who is either going to inform on you to bosses or law enforcement, or is going to be careless with the information you give them and let it eventually fall into the wrong hands. While eavesdropping are threats to take seriously, ideally with a very specific threat model, I think that things like careless talk, document theft, and information theft through things like malicious access to computers or facebook/email accounts that have been left logged in or have known/easy to guess passwords are much more common and often-overlooked threats
I know this is an article about computer security, but I really want to emphasize the importance of operational security as well. I think it’s something that is hugely lacking in the union. If you are developing security trainings, I hope you will cover this as well. I think the friendly and social aspect of the union encourages some bad habits that will seriously compromise the union’s ability to succeed grow a mass base. Naturally people like to talk about the work they’re doing, for discussion, input, or for recognition. But like I said, we need to get people to think differently about how they interact and share information within the union. Just basic opsec practices, like only telling people with a direct need-to-know before info has gone public, would go very far.
I’ve noticed a lot of carelessness in a lot of areas in my time in the union: People are careless about information on conference calls. Even if they use code names for companies or avoid names for organizers, it can be easy to discern who and what they’re talking about. GHQ can be careless in their email correspondence. People are often careless with posts on Facebook. Way too much information is shared in GOBs that doesn’t really provide much utility for the average member and could easily be provided by GHQ on an individual basis. Last year GHQ published the names of every delegate *and the city they live in.* When this was pointed out, there were some platitudes about transparency and some sneering about paranoia thrown about. I think transparency can be a good thing, but there’s no point in talking about it if you’re not discussing the specifics. This is something that could easily, very easily, lead to some of the most active people in our union losing their jobs. The current GST, who I think has otherwise done a lot of great work in the union, commented that we didn’t need to worry because we’re not “maoist guerillas.” But we’re talking about very basic information and operation security practices that any serious organization of any nature, much less a revolutionary union with an adversarial relationship with powerful sections of society, needs to adhere to. Forgive me for ranting a bit, but it’s a constant frustration of mine within the IWW and I hope it’s something that more security-minded members will address. Poor infosec/opsec is not necessarily one of the primary problems facing the organization right now, but I know that the union will never be able to seriously grow and advance if it’s not addressed.
Another way in which operational security should be applied is to communication between union bodies. We shouldn’t be paranoid to the point that it hinders cooperation and productive work, but we should be careful in how we talk to different bodies in the union and mindful of the information we share. People should be trained to only share the minimum amount of information with bodied like GHQ and the ODB and made aware that, once any piece of information leaves their hands, they can’t be sure who the people they share it with are going to tell or what they’re going to do with it. We talk a lot about sabotage as an industrial tactic, but too often is the idea that people might join the union with intentions of sabotaging or informing dismissed as paranoia. I think the casual, social, and friendly nature of a lot of IWW interactions plays into this. Personally, although we were friendly, I hardly knew the people in my branch, doubly so for the distant wobs I may have known through facebook, email, or conference calls. A revolutionary union should be the kind of of organization that wants to be in a position to attract saboteurs and informants, and should act accordingly.
One last thought, about the passwords section of the article. I thought your advice was solid, but another good method worth suggesting for creating safe passwords is combining a series of four or more unrelated words. This is another way to generate passwords that are still reasonable secure and as easy or easier to remember than a mnemonic. Adding numbers or special characters(but taking care not to replace certain letters with obvious numbers) will increase the security of this method. It might also be a good idea to discuss what makes a bad password beyond just being short. It’s worth pointing out why things like names, dates, places, and common letter-number replacements should be avoided. My old branch had the name of an old wobbly in the area and a common labor term with the vowels replaced by numbers as its email and twitter password respectively. Extremely easy to guess.
Anyway, thank you for writing this and thanks for reading. I hope I didn’t come off as too critical. It’s good to see people talking security in the IWW and it’s great to hear that you’re developing information security training. I hope you might consider some of these things I’ve talked about when developing training materials. Outside of the things I mentioned, I think this article has solid advice and is accessible to beginners.
LikeLiked by 1 person
Hey OpsecAnimals, thanks for the feedback!
I was the original author of this document, and I think your comments are incredibly on point. I’ve been trying to explain the importance of modeling your security measures to specific threats to people in my branch, and I think this idea has finally caught on in our local GDC. Once the general membership of the IWW overall understand this modeling concept, I think it will prevent a lot of harm as we grow again. Like you have guessed however, the intended scope of this letter isn’t really to provide a complete and thorough guide at that level; this letter is really just for tech things you can do without having to learn anything about them or modeling to specific threats.
Threat modeling and general information security are a large part of the training I’m developing after witnessing some issues first hand that could be addressed. As a former greyhat, I’m actually frightened at some of the stories I’ve heard both here and otherwise, mixed with some personal interactions I’ve had. About 1/3 to 1/2 of the training will be about modeling and general infosec/social engineering methods, 1/3 or less on how some tech works and addressing misconceptions, and 1/3 on practicing using the tech given. I understand and agree that the social and information theft part is far more relevant than this letter alone may lead you to believe.
Finally, for some specifics you mentioned, I think duckduckgo is better than google for more than just NSA things – it also doesn’t log to an account, which is more applicable to people who could do something like steal a password. Like you were saying, if your main adversary is the NSA, you’re likely screwed anyway. As for the passphrase over password, I really do like that system a lot, but I have concerns advocating for it when there are still enough sites/systems out there that require your password to be a small number of characters. It’s frightening and bad, but maybe we can readdress this in a couple years when this problem becomes less relevant.
From the types of issues you’ve raised alone, you seem very knowledgeable on this subject. Would you ever consider giving early feedback on the upcoming training?
LikeLiked by 1 person