How to use corporate tech infrastructure in a safer and more secure way

From DevSummit
Jump to: navigation, search

How to use the corporate technology infrastructure more securely? – Bron

Go round: What brings you to this session?

  • Want to be able to recommend tools to social justice orgs and movements
  • I want to meet the users I want to serve where they are. Is it possible when it comes to infrastructure?
  • While others build a though-out movement infrastructure, what can we do with what we have now?
  • Want to support folks who use corporate infrastructure to b safer
  • Concerned about the security of supporter data
  • What are the things to consider when we use corporate tech infrastructure?
  • Our volunteers in older demographics have difficulties with learning clunky secure tech processes and are used to corporate infrastructure
  • How can people who barely use computers to learn all this?
  • AWS is so convenient. What can I do though?
  • Using corporate tools makes a lot of sense to activists who would be targeted for using so called secure tech tools
  • How to get email encryption for our legal team using Windows?

Your threat model is key in this discussion.

Corporate tools do a pretty good job with security. But then privacy is a whole other issue.

Even if we put all our money and funds into an alternative to Google, we could never literally compete with it.

And even in that case we would likely have to play by rules of capitalism, which we might not comfortable with, ;-)

AWS is at the top of the empire right now. After that,Google and Microsoft.

EFF has a Who Has Your Back list, with corporations who would have your back in a sub poena.

There are tools that you can use even on these platforms, on top of it, and secure yourself. You can use all these services pasasitically and use them only for their infrastructure.

What have folks done so far with collaborative documents?

What is threat model here? Corporate espionage? (pro-active) Subpoena to have access to your data? (post-facto)

In what legal jurisdiction you would like the servers you use to be? It depends on your threat model.


Best practices:

  1. No automated log-in
  2. Have a data retention policy: Have a policy to delete emails after a certain number of weeks/months
  3. Keybase: they have encrypted Git repo. You can put your public key there, and your private key only on your own machine(s).
  4. Using Google Apps, but in parallel with Thunderbird, so I can have email encryption if I want, depending who I am writing with
  5. Messaging: Some use Signal, otthers Wire, others Threema https://threema.ch/en
  6. You can now share your Signal contact without sharing your number.
  7. Knowing what are the access threats to the tool you use is a fundamental part of your threat assessment
  8. Backups
  9. Beware of data retention of backups
  10. Are your backups encrypted?
  11. Are your backups in a corporation-managed data center? Are on your own hardware?
  12. Not only non-tech-savvy people need to know how to use corporate tools more securely: also tech-savvy people who don't have the bandwidth to do differently need this info.
  13. Conference video calls: Not ideal for big groups, but Jitsi is ok with 5-6 person groups. And you also self-host it (e.g. the Calyx Institute has a self-hosted Jitsi that works well)
  14. Qs: How you use your tools and when? Note: you/ your org might have *different* threat models.
  15. Some participants, with elders in their families, have written down essential steps in a paper notebook. It is ok if in their threat model there is no risk to have the police getting to their home to get their data.

Tools participants have been experimenting with (not yet fully endorsed, they are still testing them out):

  1. NextCloud (spin off of OwnCloud). In theory you can use Libre Office with it to have a sort of Google Doc, but it does not really workflow
  2. EtherCalc: open source Google Sheet replacement
  3. Mailvelope: Encryption in the browser
  4. FlowCrypt https://flowcrypt.com/ (formerly CryptUp): You store your private key in the browser, and that is terrfying. It is very sketchy
  5. Read recently: There is a mechanism to have all your data on Slack, but you need to go through legal action. Beware of Slack.

Resources re how to use corporate tools more securely: Sadly, not a lot.

  1. Surveillance Self Defense – EFF. If you don't find that it is the right fit for your volunteers/supporters/users, you can use it as a baseline to write your own. Most essential learnings to start from: start from password managers, 2 factor auth
  2. Resources to explain What is sketchy/ what you need to be aware of when using corporate tech? Check out the EFF website. E.g. article explaining the differences and pros and cons between WhatsApp and Signal https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wrong-effs-four-biggest-security-concerns