Evolving approaches to organizational digital security as part of larger movements for community safety

From DevSummit
Revision as of 22:05, 25 November 2021 by Gunner (talk | contribs)

  • Why are folks here:
    • E: Security is a big issue with people's online words & actions bleeding into the real world.
    • R: security very important for grassroots & folks they center
    • C: Would like to implement best security practices
    • K: prioritizing community safety
    • J: security for all
    • M: work on digisec help line, org digisec support, build resources, share

/!\ if we need to take stack: raise hand in zoom or chat "stack"

J: particularly interested in taking digital security / organizational security discussion into community safety/security

experience from community safety teams

  • demos, events, parties/gatherings
  • incident response w/o cops

2016 connected the community safety + digital security work

Vision, Change, Win

9 month security school - crash course in community security/safety

  • building security teams, verbal de-escalation, transformative justice, and more
  • to be brought back to orgs

rapid response program

  • for orgs, groups/communities
  • event, home, org security

[?] how well do folks change behavior to be more safe/secure? what's made it more/less successful?

protocols & practices around physical, organizational, and digital safety often get de-prioritized (given they're not the main focus of orgs/groups)

dedicated folks on staff make it more possible

-> harm reduction framing/approach

need to ensure changes don't negatively impact their work

need to study & understand their work to find appropriate suggestions

behavior change is culture change

Makes a difference to reframe things. Sometimes folks w/ more privilege scoff at talking about security, but when it's about safety, you can communicate to people how important it is to pay attention and be invested. People sometimes can't see the need for safety beyond their own situation.

Find the people who are interested to help propagate the security/safety efforts

finding champions within orgs/groups/communities who can show that behavior change doesn't negatively impact work; interest may also come more from following the news (fear)

  1. let's talk about fear!

reality is scary!

framing orgsec as process, not tech

  • the org itself knows best re: sec/safety risks, and already has practices
  • helps translate these topics to framing they already understand & use

example: community was already tracking & aware of local PDA

understanding/confirming who the likely adversaries are

threat modelling / risk assessment

^ problematic terminology

  • connections to militaristic, govt repression

"safety assessment" - better

  1. Easy wins:
  • password managers make password management easier
    • Use day-to-day analogies: a password manager is a file cabinet. You know what's in there, but you don't need to know the details of each file -- it's there when you need it, like your password. You just have the one key to unlock the file cabinet, like the master password of the password manager. That tactic helps with small wins!
  • Signal - just another text messaging app, but w/ better features
  • https://haveibeenpwned.com
    • collection of info from data breaches (username/email + password)
    • makes clear the importance of using unique passwords!
  • Alchemer / SurveyGizmo - encrypted survey solution (preferred over google forms, surveymonkey)
  • 2fa / two-factor authentication, and then needing to use 2fa to set up VPN
  • https://cryptpad.fr - collaborative docs, spreadsheet, presentation, polls
  • modern SOHO (small office / home office) NAS (network-attached storage) devices (such as Synology) - can do Windows authentication on the local network, are now container-capable, dynamic DNS (duckDNS?)
  • anti-phishing training
  • breaking the habit of running the org's shared social media account via a single shared password; 2fa helps break that habit in a good way, a double win.
  • not easy but most important: relationship building with the group or organization; creating shared expectations, understanding not everything will be resolved.
    • You might wind up being someone the group comes back to even though you didn't sign up for ongoing support, but those relationships matter and help
  • https://www.systemli.org/en/service/index.html -- systemli is an autonomous tech organization -- being connected with those types of orgs is excellent, e.g. Riseup.net
    • more locally-based autonomous tech orgs might be better fits for you
  • list of radical autonomous tech collectives

easy wins also end up being the most common recommendations

  • systemli.org and others -- how do we know they are definitely who they say they are, that the tools are doing what they say they are?
    • What happened with Protonmail shows the difference between companies and more autonomous, movement-based organizations, and which will be more helpful to communities in which contexts
    • The autonomous providers share their codebases with each other, they want more autonomous providers to be created, they're invested in seeing them grow

orgsec.community mailing list! place to discuss further

(website talking about it is currently down :/ ) https://web.archive.org/web/20200929005519/orgsec.community/display/OS

if you are not part of this mailing list and interested in joining email me! I will add you: michael@accessnow.org

thanks for hosting this awesome space :)

Thank you to everyone who participated!!! --Jack