Evolving approaches to organizational digital security as part of larger movements for community safety
- Why are folks here:
- E: Security is a big issue with people's online words & actions bleeding into the real world.
- R: security very important for grassroots & folks they center
- C: Would like to implement best security practices
- K: prioritizing community safety
- J: security for all
- M: work on digisec help line, org digisec support, build resources, share
/!\ if we need to take stack: raise hand in zoom or chat "stack"
J: particularly interested in taking digital security / organizational security discussion into community safety/security
experience from community safety teams
- demos, events, parties/gatherings
- incident response w/o cops
2016 connected the community safety + digital security work
Vision, Change, Win
- bringing community safety practices (that were maybe more prevalent in NYC, other place) more broadly across communities
- https://www.visionchangewin.com/services-and-programs/community-safety/
- Audre Lorde Project, FIERCE, Sylvia Rivera Law Project, Queers for Economic Justice
9 month security school - crash course in community security/safety
- building security teams, verbal de-escalation, transformative justice, and more
- to be brought back to orgs
rapid response program
- for orgs, groups/communities
- event, home, org security
[?] how well do folks change behavior to be more safe/secure? what's made it more/less successful?
protocols & practices around physical, organizational, digital safety often get de-prioritized (given that it's not the main focus of orgs/groups)
dedicated folks on staff make it more possible
-> harm reduction framing/approach
need to ensure changes don't negatively impact their work
need to study & understand their work to find appropriate suggestions
behavior change is culture change
Makes a difference to reframe things. Sometimes folks with more privilege scoff at talking about security, but when it's about safety, you can communicate to people how important it is to pay attention, be invested. People sometimes can't see the need for safety beyond their own situation.
Find the people who are interested to help propagate the security/safety efforts
finding champions within orgs/groups/communities who can show that behavior change doesn't negatively impact work, may be more following the news (fear)
- let's talk about fear!
reality is scary!
framing orgsec as process, not tech
- the org itself knows the best re: sec/safety risks, already have practices
- helps translate these topics to framing they already understand & use
example: community was already tracking & aware of local PDA
understanding/confirming who the likely adversaries are
threat modelling / risk assessment
https://sec.eff.org/topics/threat-modeling
^ problematic terminology
- connections to militaristic, govt repression
"safety assessment" - better
- Easy wins:
- password managers, makes password management easier
- Utilize day-to-day analogies: password management is a file cabinet. You know what's in there, but you don't know the details of each file and didn't have to -- it's there when you need it, like your password! Just have the one key to unlock the file cabinet, like the password managers. That tactic helps small wins!
- Signal - just another text messaging app, but with better features
- https://haveibeenpwned.com
- collection of info from data breaches (username/email + password)
- makes clear the importance of using unique passwords!
- Alchemer / SurveyGizmo - encrypted survey solution (preferred over google forms, surveymonkey)
- 2fa / two-factor authentication, and then needing to use 2fa to set up VPN
- https://cryptpad.fr - collaborative docs, spreadsheet, presentation, polls
- modern SOHO (Small Office Home Office) NAS (network-attached storage) devices (such as Synology) - can do Windows authentication on the local network, now container-capable, dynamic DNS (duckDNS?)
- anti-phishing training
- breaking the habit of running the org's shared social media account via one shared password; 2FA helps break that habit in a good way, a double win.
- not easy but most important: relationship building with the group or organization; creating shared expectations, understanding not everything will be resolved.
- You might wind up being someone the group comes back to even though you didn't sign up for ongoing support, but those relationships matter and help
- https://www.systemli.org/en/service/index.html -- Systemli is an autonomous tech organization; being connected with those types of orgs is excellent, e.g. Riseup.net
- more locally-based autonomous tech orgs might be better fits for you
https://riseup.net/en/security/resources/radical-servers
- list of radical autonomous tech collectives
easy wins end up also being most common recommendations
- systemli.org and others -- how do we know they are definitely who they say they are, and that the tools are doing what they say they do?
- What happened with Protonmail shows difference between companies and more autonomous, movement-based organizations, and which will be more helpful to communities in which contexts
- The autonomous providers share their codebases with each other, they want more autonomous providers to be created, they're invested in seeing them grow
orgsec.community mailing list! place to discuss further
- collection of people who do organization/group security auditing, assessments
- also has folks who are part of SAFETAG project https://safetag.org
- folks who created these interesting resources: https://www.theengineroom.org/new-toolkit-orgsec-practitioners/
(website talking about it is currently down :/ ) https://web.archive.org/web/20200929005519/orgsec.community/display/OS
if you are not part of this mailing list and interested in joining email me! I will add you: michael@accessnow.org
thanks for hosting this awesome space :)
Thank you to everyone who participated!!!