Protecting Human Rights Activist Who Use Mobile

From DevSummit
Revision as of 17:47, 5 May 2015 by Vivian (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Guardian project makes open source mobile applications secure by design.

Have a team of contractors. Funded by private and public sources.

Open source software gets a lot of peer review for its encryption software.

How is it possible to make anything secure on a cell phone?

Carriers have different possibilities.but best bet is getting a data only plan and use that for text and the private carriers for voice.

They can track where you are, so how does this work?

The idea is that we should see the cell phone as hostile,just as we have already assumed for other networks.

We should assume that voice links are open. Data is simply noise. Yes, they do know there is a tower.

We assume that we don't have an attack on to our platform level.

The "baseband" is under the control of your provider not the application developer. There is a secondary microphone on your phone that is under the control of the provider that you can't stop from being managed externally.

In the U.S. there are laws against this, but there is contemplation that there may be warrants issued for doing this.

A long diversion into the question of a case about a gps device that went in without a warrant. Supreme Court ruled against on the basis of trespass. But there is no trespass with tracking the location of a cell phone based on cell towers (and gps?).

Guardian deals with the application level, not the baseband. WeChat for example is unencrypted.

Because the underlying rom is not controlled by the app developer, are there links in the rom bios that act as a back door to grab data from the guardian app?

Not necessarily, we use peer to peer technology to confirm identities and encrypt communications

SQL Cipher - is a tool for locking data on the device.

You buy a prepaid sim card, on a preexisting cell phone. They can see an unknown user on the network that is using data, but they don't know much about it. That works as long as there isn't a signature that indicates that someone is using tor. But then you can move to a different approach, and use a tor bridge into the tor network to hide that.

Maybe the next level is to get a bunch of non-activist users using so that you hide in.

Best practices are to bring your phone into a country without a battery.

Is RIM blackberry enterprise server secure? Debatable. They've done some good things but they have given encryption keys to some countries.

SSL is compromised by the state in some places: Iran for example.

Guardian project is trying to address this kind of risks.

What can we do as users who are interested in creating a crowd of users

Orbot - is a tor client. Tor is an anonymizer client through different tor servers.

You can install a root on your phone, like galaxy iii and anonymize all your traffic. All the nexus series are the easiest to change.least locked down. The Samsung galaxy phones also can be done.


Some cheap android phones work, but it can be sketchy on some sites to download an exe for your phone. Sites are unnecessarily "elitist" in that you have to know too much about this to implement.


Anonymous browser and anonymous chat.

We have to assume that with the cheapest hardware

OSTN OSTEL.ne project is a public voip that will give you peer to peer authenticated secure call phones. This is under development

Android, IOS, blackberry and Symbian are supported. You can only call some other smartphones and there are fiefdoms.

Do you have to know if the other person is using.

Constituents:

Corporates trying to avoid espionage

Activists

And then people that don't want to be spied on.

Is there a possibility of using advocacy to get legal protections?

Android is adding secure disks into its app.

Secure by default is important, but developers don't think about it when it's about getting something up quickly.


Security in box from tactical tech explains best practices.


Using text secure doesn't work well phones that are not smart. Is it possible to make it available and then disappear? No. too many limitations with a non smart phone.

Interesting alternative is an sms app, but only with computers with a data connection that are secure.


Push to talk to text needs an encryption piece.

Tactical Tech learned that it's an arms race. You can get security for a while, but it might be broken. Face to face might be a better solution. In Iran, tor really works because everyone uses it to get to facebook.

Threat modeling is the technique for assessing the risk.

You can use your cell phone over the wifi network for voice and drop the carrier connection completely.

Turn off your carrier service until you need it.

Baseband is not well understood even in the academic community.

There is a google free android software. Blandroid from the open source project.

Mozilla is working on firefox os which will be a mobile operating system. In alpha stage, and phone should be coming next year that is optimized for it.

New name for boot to gecko. No java app in it.

Are some people using the game platform for message communications. Hiding in plain site. Not much going on there tho.

What about writing a game that is of interest and gets people to proliferate it.