Security and tools for organising
We need to update this page from testing these tools on the ground. Some tools have worked, some have not.
In the meantime, see the Tools guide – July 2020 by Glenn Todd
This guide was created to strengthen Community organising and to support individual organisers.
These community groups are leveraging the benefits of digital technologies such as social media and databases that are leading to some big wins in addition to the inspiration of overseas revolutions such as the Arab spring. Digital technologies enable organisers to reach out to more people and organise their events the most effectively than ever.
This potential, also comes with its drawbacks. Our systems increase the government’s ability to undermine our work and to target individuals with in our systems.
We have had a history of government and corporate informants and agents infiltrating community movements and targeting individuals within these networks to gather intelligence. Our Government have passed laws such at the mandatory data retention scheme to improve their intelligence-gathering capabilities. By applying big-data and data-mining techniques to the retained metadata, it is viable to map the members of an organisation, even if the content of the communication was encrypted.
On a federal level, the government is a partner in the massive Echelon spying system and on a local level, WikiLeaks revealed the NSW police spent $2 million on targeted spy/hacking software called FinFisher. (Source SMH, ABC)
Then we have Facebook and Google who have created the most sophisticated personal profiling engines ever built. Our government relies on the data hoarded on these social networks as shown in the annual reports published by Facebook and Google themselves (Source CW, FaceBook, Google)
Edward Snowden has given us hope that we can protect ourselves from spying by revealing security systems such as encryption are working. The Director of National Intelligence (US) claimed that his revelations advanced encryption by seven years. (Source)
Using this Guide
This guide outlines the basic functions used by digital organisers and offers safer alternative tools. These tools must also be used in conjunction with safer general working practices within your groups, also called operational security or #opsec.
Although OPSEC is related to technology, it is a higher-level concept. It is a set of practices for protecting information and the operation of a community group. For a general introduction, read The Grugq’s intro on Opsec-for-hackers.
Please note that the safety of tools can change suddenly if we learn of new exploits or risks with tools. Also remember if your device or that of your friends has been compromised with a backdoor at a system level, this will also compromise some of these tools.
Backdoors like FinFisher will log your keystrokes, take screenshots or turn on the microphone. Signal will not protect your messages if a backdoor is running on your device. Please use these recommendations in context with some healthily cynicism and common sense.
Typical collaboration activities to secure:
- Conference Calls
- Media releases (may include sensitive stuff like dates and locations)
- Internal documents
- Media, photos, video
- Public information such as Leaflets, posters
- List of participants or interested people and their contact details
- Spreadsheets (xls, google)
- Newsletter database
- Hosted tools: NationbuilderBuilder, Action Network, Mailchimp etc
Disclaimer: The following list attempts to suggest tools and practices based on the typical collaboration activities the community groups do. This list does not try to be comprehensive, nor provide 100% protection. The recommendations might contain errors and may get outdated fairly quickly. We suggest you to study these tools and be aware of their weaknesses and limitations – and you make the ultimate decision whether these tools can help you in your unique situation or not.
- All users must be on protonmail for it to be secure – encryption only works between Protonmail users
- Free option avilable
- Other options: Riseup, Tutanota
- A good OPSEC practice is to delete emails from the inbox, sent and draft folders as frequently as possible. Make sure the bin is also emptied. If your email account is compromised, the attacker will not be able to read your sent or received email archive.
Communication – Chat – Conference calls
It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.
- They protect the content of the communication – end-to-end encrypted
- Metadata will reveal who belongs to the same network of people
- Both supports video calls
- Wire supports group chat
- Wire supports group audio calls
- Wire also stores the list of people you have ever contacted (Source)
- Preferred platform:
- iOS and Android
- Avoid installing the apps on PC if possible
- Make sure you turn the disappearing message on (might be able to retrieve with forensics analysis)
As a community activist, you need to write documents and collaborate with others to write or review them. Google Docs and similar tools are not encrypted: authorities can request Google to hand over who contributed to a document and what the content of the document is.
This is a secure, end-to-end crypted document editor. The big difference to Google is the encryption: the server hosting CryptPad cannot peek into the content of the documents.
- End-to-end encrypted document editor
- Backdoored computer => Check ‘Advanced Security’
- Metadata can reveal who contributed to a document (but not the content of the document)
- Apply the combination of both:
- Use the Tor browser, or check ‘Advanced Security’ for Tails
- Self-host CryptPad on a server (e.g. rent a VPS server in Switzerland)
- Apply the combination of both:
- Need to create and manage an inventory of the secure URLs
- How to send the Url’s to each other
Dropbox, OneDrive and similar tools are not encrypted: authorities can request the hosting companies to hand over who contributed has accessed a shared file and what the file is. Dropbox transparency report reveals the number of warrants presented.
We should use end-to-end encrypted services like Sync, where although the metadata can still link the collaborators together, the content of the files are safe from the prying eyes at the service provider.
For sharing files on an ad-hoc manner:
OnionShare operates over the Tor network, which conceals of the metadata related to the file share. It can keep the linkage between the two partners concealed, assuming these partners are only using Ricochet to communicate with each other over the Internet. Any other method (Signal, PGP) can establish a link between the two parties.
Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the user list and the chat logs. Even if you delete a message on Slack, we cannot be sure Slack actually deletes them from their servers or their backups.
- Good compromise of security vs usability
- Similar to Slack (look and feel)
- End-to-end encrypted
- Metadata may reveal the network of people
Matrix Riot – for advanced security
- End-to-end encrypted
- Self hosted (requires tech skills
- You can use a hosted version at Riseup Crabgrass.
This area is a MASSIVE GAP in secure organising. Read about the issues here. Many organisations are moving to hosted solutions such as Nationbuilder and Mailchimp (just to name two). Current open-source or secure options are are losing seen to be less advanced and user friendly. Having your data hosted on a private company’s servers allows law enforcement access, and requires you to trust this companies ethics and ability to secure their system.
Potential applications are:
Email list management
The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account solely dedicated for receiving emails from the email list.
Computers and Phones
- The technical bar of installing a backdoor is very low
- Computers as well as smartphones are both affected
- Typically installed with a phishing email or MMS
- Phishing email/MMS either contains a link pointing to a Windows/Mac/Linux/iOS/Android exploit
Or contains a file attachment that downloads and installs the backdoor silently in the background
Typically the backdoors are distributed through phishing emails or MMS messages
- The content is typically tailored to you (e.g. Iranian human rights activist receives an email saying that prisoners are tortured in a prison. They are asked to open a .doc file for the details)
- If you can, install a Linux VM in virtualbox and take a snapshot. Open links and attachments within the virtual machine. Once you finished, power off the VM and restore the snapshot.
Basic computer security
These won’t protect you from Finfisher, but provides some protection from mischevious hackers / casual attackers:
Install Kaspersky anti-malware (paid) – Windows
- Has basic anti-keylogger feature
- Notifies you if the camera / microphone is turned on
- Has ransomware protection
- Has basic phishing protection (only protects from cyber criminals, doesn’t protect you from state sponsored phishing!)
Bitdefender, Kaspersky – OSX
- Many features are missing
- Consider installing additional software
Turn on two-authentication where possible – twofactorauth.org
Turn on disk encryption AND login passwords AND auto-screen lock
- Preferred, least painful: buy Windows 10 professional and use Bitlocker => one click install
- Open source (Windows, Linux): VeraCrypt
- OSX: FileVault
- Physical damage is frequent in action
- Older phones have lots of vulnerabilities – not recommended
- Can be unlocked
- Stingrays / IMSI
- Assume that all regular phone calls are wiretapped
- Although unlikely, your web traffic can be intercepted and backdoor can be deployed by injecting iOS/Android exploits into your web traffic. This is usually used to hunt down high-profile persons of interests, it’s unlikely you will targeted be with this exploit.
- Location data (based on celltower information) is retained for two years as part of the metadata retention scheme
Rely on OPSEC (Operational Security) practices
If possible, leave all your electronic devices home. Don’t use Opal cards and bank cards linked to your name.
- (if possible) Buy a new/used phone from eBay and never use it for personal stuff ever
- Do factory reset
- Buy SIM card
- Activate SIM card with fake details
- Travel SIMs from the airport ?
- Buy activated SIMs from eBay (may not be an Australian number)
- Don’t store numbers in the address book
- If you are using Wire instead of regular phone calls:
- Create a new throwaway Wire account for the event
- Don’t link your own personal Wire account with the new one ever
- Don’t add any of your friends personal Wire account
- Same goes for Signal
- Do not use SMS or regular phone calls if possible – they can be sniffed with IMSI catchers on the spot. If your phone starts using the 2G (the classic GSM) network, your traffic is almost likely is being intercepted.
- Do not connect to any Wifi access points
Remember, reception may be jammed in critical situations
- Never use the Wire account ever again
- Throw away SIM card
- Factory wipe phone
- Your IMEI number will not change. Never reuse the phone again.
New Wire account
- May need a working phone number => Buy a VOIP number
Personal smartphone OPSEC
- Snowden: smartphones are spying machines
- Leave the smartphone home (protests, organiser meetings)
Notes: walkie-talkies are not secure either
You can consider installing video streaming or recording apps on your phone to document what is happening around you.
- Periscope, Facebook Live and YouTube Live streams the video immediately to the Internet
- Video evidence apps burn things like the GPS coordinates and the time/datestamp onto the video
- It’s Your Right to Film the Police. These Apps Can Help (American but we also have the right to film Police)
Even if you’re using Cryptpad, the computer might be backdoored by the authorities. Live in the 60s again, meet in-person instead and use the good old pen and paper combo
Use Basic OPSEC hygene:
- Never open web links and files received people you do not know
- Be suspicious with web links and files even if they are sent by people you know