Surveillance Self Defense

From DevSummit
Revision as of 23:07, 21 November 2016 by Jucsanch (talk | contribs) (Created page with "Training module for local chapters of a large NGO ;LevelUp : curriculum resource and adult learning framework ==Overview of session:== * Beginning questions * Teach people h...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Training module for local chapters of a large NGO

curriculum resource and adult learning framework

Overview of session:

  • Beginning questions
  • Teach people how to use existing tools
  • Point them to the right guides
  • Teach people how to teach
  • Understanding why it's important to have data privacy, accessible
  • Good ways to work with people who have trouble with PGP
  • New threat model of Trump presidency

Those who are doing trainings
Those who are getting the skills but not accustomed to training
Those who want to be trained in these tools

If you are someone who wants to be trained as a trainer, what kind of things do you want to know?

  • technology and threat models change all the time; tons of tools all the time
  • they go out of date, and it's hard to tell if it's still current
  • evaluation model to make sure that you are sending people to good resources
  • a beginning evaluation model as a trainer
  • basic hygiene (not putting too many things on PGP keyservers)
  • maintenance slot - checkin, touchup
  • holding people's hands more
  • trying to introduce this stuff. explain the tools to different people.
  • training one person to be a point person for a community to mitigate some of the questions. presentation skill
  • a good model of a hands on training. starts with the basics and carries on into the maintenance. (video?)
  • so many things that a trainer might not know as a trainer.
  • not just surveillance self-defense. example of spear-phishing. what kind of attacks you might expect from trainers.
  • Threat modeling alienating for people to use those tools.
  • "Risk assessment" instead of saying "threat modeliing"
  • Threat modeling as a jargon term
  • Tools for people who are being surveilled for the first time.

Navigating through that. What to do when they're scared for the first time.

  • "I have no idea what the surveillance capabilities are that I should be worried about." " I don't understand what tools I should be wanting."
  • In that instance, there are Individuals and organizations who have better understanding than the people themselves. e.g. Reporters Committee.
  • Depict the landscape of surveillance backdoors.

Mostly unknown unknowns when they're thinking about their threats. Put them in the position to own their tools, and their information.

  • Landscape discussion to bridge those two gaps.
  • Potential brainstorm. What are the professionals ethical duties to their clients. Ethical duties are a way to spread encryption. (e.g. bar associations, lawyers, medical professionals).
  • What type of tactics trainers use.
  • A tech event is not actually about tech. Especially if you're working with a beginner group. Information landscape exercise. Whatever form it takes. Positioning things that already maps on to the landscape and operating structure. What happens if you lose access to ___? Positioning it in a way where you're encouraging people to think about why they're using the things that they do.
  • Don't say "cryptoparty" -- nobody knows what it is.
  • Trainers
  • People
  • What tactics we've used in different contexts - Trainers
  • Tips on good training practices

Train trainers

  • How do you become a trainer
  • How will you sustain it
  • What if this is not your main gig
  • How will you sustain training people as part of whatever else you're doing
  • To scale, you're going to have to train other people
  • How is that sustainable? What needs to be in place to make it sustainable?


  • Talk about when these events should be, exchange contact information.
  • Exchange tips. Overlap with guidelines.
  • Connecting with people. What's an event. They'll learn how to be a trainer.
  • Becoming a trainer.
  • Refine pedagogy of what's worked for us.

Session split up into two sessions:

  1. how to become a trainer
  2. refining teaching practices

Refining teaching practices

What materials helped and what didn't.

Those aren't training resources. They're informational - SSD. "You're facing shit, this is what you need." Not for trainers.

Very interesting that Level Up doesn't come up more. They come up as very polished. Don't feel like we can do very much with it.

How to update the guides in a way that makes sense to everyone.

Modifiable materials.

Lots of examples of training on encryption. On full

Digital society, wouldn't exist if it wasn't for Level Up.

Web resource

Meant to be a growing resources. People pick it up and modify it. No info back. Would be huge to get that.

Trainings here and there.

LGBT Middle East + African trainers have said the Tactical Tech stuff is too white male. Too focused on ___.

Many guides are very white male.

Problem of calling "threat modeling" -- very infosec-y. Using terms in different contexts.

What are use cases that will come in trainings. Offering a use case.

Until you can use the application. Same thing in training context.

Stories of failure. Use cases. to make it sticky. Use a storytelling approach when you teach a tool. How can they avoid messing up?

Groups might be in touch with human rights defenders families,

  • journalists, etc. - Completely unaware that they might be doing harm by open communications. Not thinking about someone looking at what they're doing in a bad way.

Simple approach, not too technical approach, not too frightening. Increasing consciousness. Being careful in their communications.

Real time use cases. We as trainers can learn from. Ongoing exercise.

Agencies are constantly going after new tools.

Using trainings as a way to organize action work. Threat landscape as trainers. Put people in a position to feed back what they're finding on the ground. Get reports back.

Need for solution.

Rating system for a lesson? How?

1) Building a network

  • Network of trainers.
  • Informal network of contacts, Through which we can reach out. EFA.
  • Dangerous to centralize?
  • Grouping is helpful if it's really specific.
  • Connecting US trainers who are concerned about new people coming in.
  • Lots of communities facing this in other countries. Now us too.
  • There isn't that much focused on the United States.
  • This is a moment where it needs to be much more US focused.
  • EFA - Electronic Frontier Alliance
  • A website with several specific lists?

2) Flexible materials for uploading and remixing. Teachers.

  • SSD created after PATRIOT Act as a series of guides. Relaunched by EFF's International Team. Relaunched in 2014. Tripling of traffic to the site, solely from the US.
  • Getting used to the idea of threat modeling without using that phrase.
  • This is what I understand. This is what I need to think about.
  • Would love to see "if you need to understand better how to do training, here's a resource called Level Up."
  • Complement and look at those materials. This does work, send people here. Or take some of that material and modify it for what we see is needed for people to change.

Here's some ways to modify it easily and talk about SSD and piggyback out:

  • A page on SSD collecting the other guides that we know of. An open door. "Yes and" Pointing something for trainers. Referral for people to use.
  • Are people looking for trainers? How do we have a pool of trainers that we can call upon quickly?
  • Most trainers are coming into this as responsive to shit that's happening in their community. "My community is fucked, I need to figure this out so that I can figure out how to help my community."
  • What hasn't worked "here's a pool of trainers"
  • Trainers that are international and called upon.

What could trainers be better at:

  • Constantly want to be sharing notes on what is effective training.
  • What works instead of trainings.

Overwhelmed point:

  • Building in breaks is really helpful.
  • Don't want didactic style.
  • Build exercises into the trainings. Collaborative and effective. Come back to the group.
  • Switching of the situations.
  • Constant learning in hierarchical fashion.
  • Building in to the trainings themselves.
  • 4 hours max.
  • Trainers are trained to be a facilitator of a workshop. Write the outline of the workshop. Gather the data of the group. Brought into the goals and objectives. Bring in the subject matter expert. Facilitate the process with the subject matter expert. Trainer sets the global scope of the session. Content delivery given by the hands-on of users.
  • It's all in person.


  • Prep - being really focused on knowing participants and understanding what their needs are.
  • If you don't have the opportunities dtod do that. Think about the exercises you can do first off so that you know it first off. Focus on needs of participants and then go into thte tools.
  • Teach you about this tool, or " when do you say no to using technology"
  • Have to have a game plan at the beginning of the room.
  • Have to have print outs.
  • Beforehand have to predict the threat modeling ahead of hand. Get them to do the threat modeling as part of the training. What they're most at risk.

You're giving them a framework for them understanding what is most at-risk. What they most need to protect.

We've got this database. How do we protect it. What tools are we going to use.

Sometimes when giving a training, people don't know what they can get out of it. Also explain to them what we can do. So much more to that that they can apply to their everyday lives.

Now that you're thinking about threat modeling, what other questions do you have. What's a third tool you can use.

We try to respond to what threats people have in mind. Have question feedback before the training actually happens.

What's different for a typical security training.

Divergent paths:

  1. Threat modeling
  2. Password management, underlies a lot of other subjects
  3. Other branches


So many paths, tends to become less solid and more unplanned.

Remixable modules.

  • How do we get people to show their remixes.
  • It being too polished. Confidence in terms of information you can rely on.
  • Training outlines.
  • Curriculum outlines.
  • On any level.
  • Videos for someone to watch the video. By modules.
  • Many small workshops for 6 or 8 meetings. Record it. Make it available for people who couldn't attend on a particular night. A zoom meeting. Everyone can share the screen. You can ask a student to demonstrate the same thing. See what mistakes they make and demonstrate in a group.
  • Having a trainers help desk.
  • Building their confidence. Having one on ones with trainers. And being able to say to people that would work. Or that wouldn't work.