Surveillance Self Defense

From DevSummit
Revision as of 23:20, 30 November 2016 by Willowbl00 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Training module for local chapters of a large NGO

curriculum resource and adult learning framework

Basic Take-Aways

  • Beginning questions
  • Teach people how to use existing tools
  • Point them to the right guides
  • Teach people how to teach
  • Understanding why it's important to have data privacy, accessible
  • Good ways to work with people who have trouble with PGP
  • New threat model of Trump presidency


  • Those who are doing trainings
  • Those who are getting the skills but not accustomed to training
  • Those who want to be trained in these tools

If you are someone who wants to be trained as a trainer, what kind of things do you want to know?

  • technology and threat models change all the time; tons of tools all the time
  • they go out of date, and it's hard to tell if it's still current
  • evaluation model to make sure that you are sending people to good resources
  • a beginning evaluation model as a trainer
  • basic hygiene (not putting too many things on PGP keyservers)
  • maintenance slot - checkin, touchup
  • holding people's hands more
  • trying to introduce this stuff. explain the tools to different people.
  • training one person to be a point person for a community to mitigate some of the questions. presentation skill
  • a good model of a hands on training. starts with the basics and carries on into the maintenance. (video?)
  • so many things that a trainer might not know as a trainer.
  • not just surveillance self-defense. example of spear-phishing. what kind of attacks you might expect from trainers.
  • Threat modeling alienating for people to use those tools.
  • "Risk assessment" instead of saying "threat modeling"
  • Threat modeling as a jargon term
  • Tools for people who are being surveilled for the first time.

Navigating through that. What to do when they're scared for the first time

  • "I have no idea what the surveillance capabilities are that I should be worried about." " I don't understand what tools I should be wanting."
  • In that instance, there are Individuals and organizations who have better understanding than the people themselves. e.g. Reporters Committee.
  • Depict the landscape of surveillance backdoors.

Mostly unknown unknowns when they're thinking about their threats. Put them in the position to own their tools, and their information

  • Landscape discussion to bridge those two gaps.
  • Potential brainstorm. What are the professionals ethical duties to their clients. Ethical duties are a way to spread encryption. (e.g. bar associations, lawyers, medical professionals).
  • What type of tactics trainers use.
  • A tech event is not actually about tech. Especially if you're working with a beginner group. Information landscape exercise. Whatever form it takes. Positioning things that already maps on to the landscape and operating structure. What happens if you lose access to ___? Positioning it in a way where you're encouraging people to think about why they're using the things that they do.
  • Don't say "cryptoparty" -- nobody knows what it is.
  • Trainers
  • People
  • What tactics we've used in different contexts - Trainers
  • Tips on good training practices

Train trainers

  • How do you become a trainer
  • How will you sustain it
  • What if this is not your main gig
  • How will you sustain training people as part of whatever else you're doing
  • To scale, you're going to have to train other people
  • How is that sustainable? What needs to be in place to make it sustainable?
  • Talk about when these events should be, exchange contact information.
  • Exchange tips. Overlap with guidelines.
  • Connecting with people. What's an event. They'll learn how to be a trainer.
  • Becoming a trainer.
  • Refine pedagogy of what's worked for us.

Refining teaching practices

What materials helped and what didn't.

Those aren't training resources. They're informational - SSD. "You're facing shit, this is what you need." Not for trainers.

Very interesting that Level Up doesn't come up more. They come up as very polished. Don't feel like we can do very much with it.

How to update the guides in a way that makes sense to everyone.

Modifiable materials.

Lots of examples of training on encryption. On full

Digital society, wouldn't exist if it wasn't for Level Up.

Web resources

Meant to be a growing resources. People pick it up and modify it. No info back. Would be huge to get that.

Trainings here and there.

LGBT Middle East + African trainers have said the Tactical Tech stuff is too white male. Too focused on ___.

Many guides are very white male.

Problem of calling "threat modeling" -- very infosec-y. Using terms in different contexts.

What are use cases that will come in trainings. Offering a use case.

Until you can use the application. Same thing in training context.

Stories of failure. Use cases. to make it sticky. Use a storytelling approach when you teach a tool. How can they avoid messing up?

Groups might be in touch with human rights defenders families,

  • journalists, etc. - Completely unaware that they might be doing harm by open communications. Not thinking about someone looking at what they're doing in a bad way.

Simple approach, not too technical approach, not too frightening. Increasing consciousness. Being careful in their communications.

Real time use cases. We as trainers can learn from. Ongoing exercise.

Agencies are constantly going after new tools.

Using trainings as a way to organize action work. Threat landscape as trainers. Put people in a position to feed back what they're finding on the ground. Get reports back.

Need for solution.

Rating system for a lesson? How?

Building a network

  • Network of trainers.
  • Informal network of contacts, Through which we can reach out. EFA.
  • Dangerous to centralize?
  • Grouping is helpful if it's really specific.
  • Connecting US trainers who are concerned about new people coming in.
  • Lots of communities facing this in other countries. Now us too.
  • There isn't that much focused on the United States.
  • This is a moment where it needs to be much more US focused.
  • EFA - Electronic Frontier Alliance
  • A website with several specific lists?

Flexible materials for uploading and remixing. Teachers.

  • SSD created after PATRIOT Act as a series of guides. Relaunched by EFF's International Team. Relaunched in 2014. Tripling of traffic to the site, solely from the US.
  • Getting used to the idea of threat modeling without using that phrase.
  • This is what I understand. This is what I need to think about.
  • Would love to see "if you need to understand better how to do training, here's a resource called Level Up."
  • Complement and look at those materials. This does work, send people here. Or take some of that material and modify it for what we see is needed for people to change.

Here's some ways to modify it easily and talk about SSD and piggyback out:

  • A page on SSD collecting the other guides that we know of. An open door. "Yes and" Pointing something for trainers. Referral for people to use.
  • Are people looking for trainers? How do we have a pool of trainers that we can call upon quickly?
  • Most trainers are coming into this as responsive to shit that's happening in their community. "My community is fucked, I need to figure this out so that I can figure out how to help my community."
  • What hasn't worked "here's a pool of trainers"
  • Trainers that are international and called upon.

What could trainers be better at

  • Constantly want to be sharing notes on what is effective training.
  • What works instead of trainings.

Overwhelmed point

  • Building in breaks is really helpful.
  • Don't want didactic style.
  • Build exercises into the trainings. Collaborative and effective. Come back to the group.
  • Switching of the situations.
  • Constant learning in hierarchical fashion.
  • Building in to the trainings themselves.
  • 4 hours max.
  • Trainers are trained to be a facilitator of a workshop. Write the outline of the workshop. Gather the data of the group. Brought into the goals and objectives. Bring in the subject matter expert. Facilitate the process with the subject matter expert. Trainer sets the global scope of the session. Content delivery given by the hands-on of users.
  • It's all in person.


  • Prep - being really focused on knowing participants and understanding what their needs are.
  • If you don't have the opportunities to do that. Think about the exercises you can do first off so that you know it first off. Focus on needs of participants and then go into the tools.
  • Teach you about this tool, or " when do you say no to using technology"
  • Have to have a game plan at the beginning of the room.
  • Have to have print outs.
  • Beforehand have to predict the threat modeling ahead of hand. Get them to do the threat modeling as part of the training. What they're most at risk.

You're giving them a framework for them understanding what is most at-risk. What they most need to protect.

We've got this database. How do we protect it. What tools are we going to use.

Sometimes when giving a training, people don't know what they can get out of it. Also explain to them what we can do. So much more to that that they can apply to their everyday lives.

Now that you're thinking about threat modeling, what other questions do you have. What's a third tool you can use.

We try to respond to what threats people have in mind. Have question feedback before the training actually happens.

What's different for a typical security training.

Divergent paths

  1. Threat modeling
  2. Password management, underlies a lot of other subjects
  3. Other branches


So many paths, tends to become less solid and more unplanned.

Remixable modules.

  • How do we get people to show their remixes.
  • It being too polished. Confidence in terms of information you can rely on.
  • Training outlines.
  • Curriculum outlines.
  • On any level.
  • Videos for someone to watch the video. By modules.
  • Many small workshops for 6 or 8 meetings. Record it. Make it available for people who couldn't attend on a particular night. A zoom meeting. Everyone can share the screen. You can ask a student to demonstrate the same thing. See what mistakes they make and demonstrate in a group.
  • Having a trainers help desk.
  • Building their confidence. Having one on ones with trainers. And being able to say to people that would work. Or that wouldn't work.

Second Group

Lots of places to learn, but they’re all out of date Trainers know what’s out of date When you see a guide, find out who wrote it Find them on twitter / whatever, and ask them to put a Exp. Date on it / update it / take it down

Trainer can be anyone who knows more — you don’t have to be an expert

Koop: I Follow InfoSEC twitter

Matt: @GeminiiMatt - I follow “The List” and that’s informative folks If you reach out to me, I will follow you Also check out @MicahFLee. He has a / some really good post(s)

SSD Security Self Defense SSD.EFF.ORG <http://SSD.EFF.ORG>

Pick a playlist. Pick a random one as a trainer (e.g., I'm a journalist)

Security in a Box hasn’t been updated a lot recently… but it has been translated to many languages, so it’s at least a good start for folks on other languages. But it has tools that don’t exist any more.

Evan: I can’t even find SSD if I type in “security training EFF”

Matt: LevelUp is a good resource as well, but finding dropped off. Starts to answer: "How can I approach training?”

Koop: Don’t necessarily teach tools Start with Threat modeling and security thinking That doesn’t go out as date quickly as an individual tool

Analogy: If you’re a doctor, first teach people about washing their hands And tell them “now you’re good” You don’t tell them about cancer or diabetes Same here. Teach “Basic Security Hygiene" first

As trainers we need to publish threat models Because there are like 10

1: What would you like to keep private, safe, secure 2: How much resources are your threat realistically going to spend to find your data e.g., your colleague vs. a nation state hacker - very different 3: What is the real risk if someone gets that data? 4: How can I mitigate that risk?

Q: Where is the roundup? We want a roundup!

TacticalTech wrote a guide It’s pwd protected but tweet at Matt and Also, during lunch Koop and I will write a 10m blog post

Q: What about Slack?

There is MatterMost. It’s open source slack Has android and iPhone app It’s not the most secure thing in the world But a good replacement for Slack and free

There’s also Semaphore, by SpiderOak It’s not perfect but it is secure Mobile for iOS and Android, Linux Desktop Their Roadmap looks solid You can share pics + docs but not edit Right now it’s free encrypted Us based Closed source for-profit Anything into matter most you own semaphore… maybe not so much

Signal for groups Setup disappearing message Don’t recommend Desktop Signal From sec perspective don’t really want to get messages Also an American company They can say “yes they have an account, and signed up X, and sent last message Y"

Wicker / WickerME Closed source and for $ Feds have asked for 2 people’s info Couldn’t give up message content Have ephemeral and group messaging Great thing is that your phone is not your uniqueID So I can create an account, and dispose

Any service Know the founder’s politics Create a ProtonMail account All Proton >> Proton mail is PGP encrypted

Don’t tell people what they’re doing is stupid Help them get to more secure places

Comment about wicker: it is harder to setup sometimes then signal Tip: when you’re getting folks on wicker If you say - no email - no phone Then no one will know who it is Show them how a picture disappears

Q: what about an intervention for a bad training Tell them you’re cancelling the training Get the PDFs And do the training yourself I love my audience, I trust you, and I got your back Imps: journalists (e.g.) are going to give it one shot Make it simple, like sugar water A bad training can turn peoples off e.g., don’t teach people how to use PGP to start with

Q: If you genuinely want encryption w/ web based email, how do you use that? Use my PGP guide MailVelope is an extension on Chrome Does key mg in the browser It loses keys. Then you’re screwed. It can’t get some keys.

Q: If an org is committed to Gmail? My guide is a web based guide Doesn’t say use thunderbird And sometimes Web based is better (e.g., in a border crossing, there’s nothing on your machine)

Q: RiseUp - is it good? It’s legit They knew what was up before Snowden Free VPN service They deal with really serious thread models, e.g. folks showing up to beat your pwd out of you

Gmail sec engineers are the best in the world. RiseUp second. But Gmail isn’t trying to solve an activist problem.

You gotta choose the right tool for the person, meet them where they are

Evan: RiseUp is the best you can do with current standard They have project Leap Trying to figure out what happens if their server gets raided Leap provides VPN + Email It’s still not done

Kop: RiseUp is great If using it is not an admission of guilt However, that’s not great in every country B/c In some places, even using it is enough to get you in jail or worse

Q: I think the threats to me are low But I’m talking w/ people who are in risk How can I make a more secure web / make other people more secure

Find yourself based on your geo, working with one group EFF is great in SF, not NYC Also start using these tools Join InfoSec twitter and provide feedback Or May1st or People’sLink

Q: What about being on insecure channels, smarter? Learn about how metadata collection works Create new accounts Use Tor Link it to a new Gmail Go through what that is like Know that this persona can now freely speak

Search for yourself on: PeekYou <> <>

All of those sites have some kind of link to pull your site

Go to Privacy Rights Clearinghouse You can look up data brokers

These are easy to use insights on what data brokers have on you Once you see “oh wow, that’s what I look like to a data broker” It’s a glimpse into what you look like to law enforcement

Q: Phones and laptop cameras Phone is always triangulated to cell towers if on You have a unique pattern & pace If you switch to a new phone, we’ll still know who you are Baseband sw can be updated at any time You should put tape on your cameras

Also you can buy faraday bags Or throw it in a fridge / microwave Or you put it Comment: RiseUp is important Use them Free VPN for your phone BitMask

Psifon OTF funded Used in China / India