Infosec masters capstone ideas: supporting the closeted whistleblower

I’m a long way from having to choose a capstone but I want it to be meaningful. Focusing on an end goal is ideal so I can actively apply the concepts of my coursework to my capstone. Since learning about global surveillance systems (thank you Edward Snowden), I’ve been impassioned about learning about these systems and teaching people about them. Abused populations like journalists and whistleblowers are the groups that I identify with the most because of their importance for a democratic society.

Tor and Tor hidden services, in general, are intriguing, and there is a lot of existing academic work on them. However, there are four equally interesting software projects that are dependent on Tor’s success. We have Ricochet, an instant messaging client and soon-to-be file sharing client. There’s OnionShare, a file sharing client. There’s Pond, an email-like messaging client. And there’s SecureDrop, a file sharing and email-like messaging system.

Simply put, anonymity tools are required for information and metadata control; be it maximal deniability or maximal influence, whistleblowers need to control what is and is not exposed. Journalists are a tool of whistleblowers, not the other way around.

I am not a software developer or a cryptographer. I never want to be because my brain is not developed for those types of information manipulation. However, educators (technology trainers), which I have been valued for since I started using and understanding general purpose computers, are an important part of the information security ecosystem. As a surveillance self defense instructor for Seattle Privacy Coalition, it is clear that educators are a required part of trusted crypto tool adoption.

There is a societal need for people that understand information infrastructures, the operations of journalists, the threats of surveillance, crypto and software specialists, and how to boil all of that down into consumable information for the lay person. Not to mention be a valuable feedback loop for crypto and software developers.

Problems

Nothing in information security can ever be perfect because information security tools are always targeted at specific problems. Problems will always shift. Crypto and software developers need to solve many unique problems, and sources and journalists need to solve many unique problems. How do they work together?

As it stands, the problem that I want to tackle is helping bridge the gap between sources and journalists. Edward Snowden was largely successful as a whistleblower because his skill set is technical in nature. Knowledge of various systems allowed him to reap maximal control, albeit he was not alone. Snowden had a native advantage in the process of whistleblowing. Most people that are exposed to information presumed to have public interest are not technical and therefore do not have a native advantage. To leak something to a reporter they respect requires comfortability with their own crypto tool knowledge, if any, and they have to commit to a journalist they think they can trust. Closeted whistleblowers are not going to pick a journalist just because they publish a PGP key or because their organization hosts a SecureDrop site.

The “closeted” whistleblower

‘Closeted’ and ‘in the closet’ are adjectives for lesbian, gay, bisexual, transgender etc. (LGBT) people who have not disclosed their sexual orientation or gender identity and aspects thereof, including sexual identity and sexual behavior.

This is applicable to a person who is conscious of organized wrong-doing, has information or access to information that is presumed to be in the public interest, and needs to leak said material to a publication organization.

The solution then must be education and awareness. Something structured yet easily adaptive. Should we develop source curriculum?

Semantic information–be it verbal or written, without hands-on workshops–probably transitions best into tacit knowledge if it is formed into scenarios. Source curriculum must avoid explicit information (regurgitation) wherever possible.

Questions

Can whistleblower threat modeling training be accomplished without in-person education?

SecureDrop landing pages are very specific. They do not offer hypotheticals, they focus purely on the “best” way to use a specific system. Is that enough to help turn a closeted whistleblower into a whistleblower?

Does SecureDrop support all forms of direct-to-journalist whistleblowing? If not, what’s missing?

Can web-based curriculum be designed well enough to turn computer users into secure whistleblowers?

Trust is always a required foundation in security. How do we teach “how to trust”?

I’ll think of more and better questions.

Defending against Stingrays and other cellular attacks at protests

Disclaimer

I am a security educator, but I am not your security educator. It is in your interest to question everything I share with you and adjust accordingly. It is ultimately your responsibility for understanding why you take specific actions or inaction to maintain good defenses. Additionally, using some of the below processes, methods or tools may be illegal in your region. This post is for educational purposes only.

Introduction

You are an intelligent activist, journalist, or legal observer that is aware of the possibility of active or passive surveillance while exercising your non-violent, constitutionally protected (United States) rights. High profile protest events or people engaged with these events will have corporate or government stalkers during and after the event. You know that you need to safeguard your assets during protest events with post-event in mind — the present and future states of your metadata and information in tandem with other attendees’ metadata and information.

Even if you are not in the United States, this post might help you. I have instructed activists that have been or are victims of stalking or physical attacks after attending protest events. Having secure communications while minimizing data linkability is a critical part of defending yourself from people who want to scare you or hurt you.

This post is not about the broad problem of Detecting and Defending Against a Surveillance State. This post is about your need to communicate and coordinate with other activists or publish information online while at a protest event. This post provides meaningful defenses against specific attacks carried out at protests.

Scenarios

The following scenarios will define our risk scope that will be composed of assets, adversaries, threats, and vulnerabilities.

1. Local cellular networks store connection logs of nearby mobile devices and can actively alert local users as a scare tactic.

2. Local law enforcement can “Man in the Middle” everyone’s cellular traffic to intercept communications.

3. Federal intelligence agencies and local law enforcement both actively surveil protest attendees and share data and information via Fusion Centers.

Assets:

  1. Personal safety.
  2. Personal identification data and information.
  3. Mobile device identification data and information.
  4. Mobile device local storage including your contacts database, text messages database, calendar, notes, call records, media files, and social media access and identities.

Adversaries:

  1. Regular cellular network operators run by AT&T, Verizon, Sprint, and T-Mobile.
  2. Organizations with records access to regular cellular network operators such as federal agencies and local law enforcement.
  3. Imitation cellular networks run by federal agencies, local law enforcement, and private entities with money and motive.
  4. Organizations with records access to imitation cellular networks such as federal agencies, local law enforcement, and private entities.
  5. Close-proximity federal agents, law enforcement agents, and private entity employees.

Threats:

  1. Parallel construction.
  2. Doxing.
  3. Physical mobile device collection.
  4. Physical visual and auditory collection.
  5. Cellular network infrastructure data collection.
  6. IMSI catcher data collection.
  7. Cellular network infrastructure mobile device attacks.
  8. IMSI catcher mobile device attacks.

Vulnerabilities:

  1. You. People’s faces, for example, are biomarkers (like fingerprints) that are commonly collected data at protest events. Personal actions that you make include those taken at protest events but also before and after events. For instance, how you transport yourself to and from events. Automatic license-plate readers are rampant. Electronic payments such as debit and credit card transactions, mass transit payments, Starbucks cards and gift cards all leave digital traces linkable to your identity.
  2. Mobile devices via visual identification or physical loss.
  3. Mobile device network traffic including device networking identifiers, connection metadata, unencrypted communications metadata, or unencrypted content.
  4. Other people’s mobile devices with information about you.
  5. Online publications and social media.

Risk Responses

There are certain risks that you have to accept as an activist or journalist while attending a protest. Journalists and legal observers may have greater legal protections for certain things, but they have the same assets, adversaries, threats, and vulnerabilities as activists when engaging in civil protests. Digitally communicating is something that you can’t always give up. Given our above risk scope, the question then becomes: what aspects of your risk scope should you be willing to accept, avoid, or mitigate?

Avoidance

Elimination of the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but often not possible […]. Eliminating email to avoid the risk of email-borne viruses is an effective solution but not likely to be a realistic approach in the modern enterprise.

Our focus is to avoid what we can and mitigate or accept the rest.

Action 1: Do not use your personal, mobile devices.

You have a lot of personal information on your Android or iPhone that you should not risk getting lawfully taken, illegally stolen, or damaged. You cannot reasonably allow your personally-identifiable hardware device IDs to get associated with likely-adverse events that are out of your control. Regular, contracted cellular device service accounts are commonly associated with your Social Security Number and/or government issued ID. It is trivial for anyone to link hardware device IDs and phone numbers to you.

Mitigation/Deterrence

Risk mitigation involves the reduction in likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.

We have to use a mobile device to communicate because that is the tool that we know how to use and because they are valuable assets.

Action 2: If you’re attending a protest by yourself, an inexpensive, prepaid burner phone might be a great start to surveillance self defense. Coupled with the exclusive use of end-to-end encrypted communication tools such as TextSecure, Signal, and RedPhone, you are dramatically increasing the security of your communications.

Action 3: Burner hotspots can provide an important proxy when depending on cellular networks. Similarly, it is possible to use a burner phone with a data plan to be used exclusively as a burner hotspot. When you are part of a coordinated, trusted group of people, burner hotspots allow everyone to share one device ID. Attributing communications to specific people becomes harder which affects the threat of parallel construction. Cellular network data collection cannot easily identify mobile devices that are in “airplane mode” with Wi-Fi turned on.

This threat mitigation action presumes that adversaries do not prey on the 802.11 standard (Wi-Fi). However, intercepting properly hardened Wi-Fi communication is a much harder feat compared to the ease of intercepting legacy telephony communication. Raising the cost of surveillance also lowers the exploitation probability.

Action 4: If you are part of an activist group, cost is a factor, and you know that law enforcement involvement is a low risk, using your personal cell phone in airplane mode behind a burner hotspot is a relative improvement. Backups, transport encryption and storage encryption are paramount in this scenario.

Enabling “airplane mode” on your mobile device is a critical deterrent to baseband processor attacks. Wi-Fi chipsets are not nearly as vulnerable to network exploitation as baseband processors are.

Action 5: This is the combination of Actions 1, 2, and 3 and is the ideal action in a group setting. It requires that a group uses both burner hotspots and burner phones to maximize compartmentalization. It is also critical that both burner hotspots and burner phones are properly configured before attending protest events.

Acceptance

Recognizing a risk, identifying it, and then accepting that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. Risk acceptance must be a conscious choice…and regularly reviewed.

When using a burner hotspot to provide Internet access, there are inherent risks when using Wi-Fi devices. These devices also have hardware IDs, albeit the range needed for detection is much smaller. Additionally, collecting and tracking Wi-Fi device IDs is not nearly as threatening as collecting and tracking cellular network hardware IDs.

People using mobile devices can have photo and video recordings made of them using said devices. This is an inherent problem when attending protest events and is not covered in this post.

Note: “Acceptance,” “Avoidance,” and “Mitigation/Deterrence” quote reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1809117

Planning

It is important to privately meet with protest party members and plan secure communicating prior to events. Here is a list of some questions you might want to ask and solve.

  1. Do the protest areas have reliable cellular service?
  2. Are you going to live stream parts or all of the event?
  3. Are you going to use text communications? Which ones?
  4. Are you going to use voice communications? Which ones?
  5. How many people do you need to support with Internet?
  6. Will everyone in your party be proactively securing their communications in the same way? If not, how do you have to adjust?
  7. Are you going to share access to your burner hotspots?
  8. How long will you be participating at an event? Will you have sufficient battery power?
  9. What is your fallback plan if party members get separated and are not within hotspot range?
  10. What is your fallback plan in case the cellular networks get shut down?
  11. What is your fallback plan if your organizers/hotspot carriers get arrested or leave?
  12. How are you going to responsibly dispose of your burner hotspot after a protest event?

Necessary planning actions

  1. As of June 2015, Walmart and Best Buy are national suppliers of prepaid hotspot solutions. Verizon sells a $50 hotspot with 1GB or 10GB 30-day plans, but they are pricey. Do your research to maximize anonymity when buying devices and services, and be aware of your cellular data needs.
  2. Burner phones do not necessarily need data service, just the ability to receive a text message in order to register with Open Whisper Systems. Once a burner phone is connected to Wi-Fi, TextSecure, Signal, and RedPhone should work flawlessly.
  3. Do not activate or use cellular service of any burner device from any anchor point.
  4. Uninstall all mobile apps that do not have an explicit purpose for advancing the protest’s cause. Disable any service or app that cannot be uninstalled for the same reasons.
  5. Employ strong (long, high-entropy) passphrases on all mobile devices. This includes device access and also Wi-Fi access.
  6. Enable storage encryption on all applicable devices.
  7. Enable two-factor authentication on all online social media accounts. Do not bring the 2nd authentication device with you to protest events.
  8. Use VPNs or Tor when possible/applicable to mitigate upstream metadata collection.
  9. Some prepaid cellular service providers might allow you to bring your own hotspot device. If you can procure one pseudonymously, certain manufacturers support external antennas which might support signal stability.
  10. Online social media planning

    We know that federal intelligence agencies, local law enforcement agencies, and corporations stalk online social media. If any aspect of your identity is connected to the accounts from which you’ll be publishing information about protest events, you, and maybe your accessible social media contacts, are vulnerable. Disassociating your ID from cellular infrastructure is probably still an invaluable self-defense step, but be aware that attributing your presence to specific protest events can be trivial.

    If protecting your identity and your contacts’ identities is important to you, you may consider creating anonymous or pseudonymous email accounts and online social media accounts using the Tor Browser or Tails Linux. Do not log into these social media accounts from any non-burner devices because of hardware and network ID linking.

    This post does not go into detail about maintaining anonymous or pseudonymous online identities. It also does not include information about responsible photo and video recording with the aim of protecting the identities of other activists.

Please be awesome to other people, be smart, act intelligently, and be careful.

On IMSI-catching detecting

This post does not go into great detail about managing IMSI-catching detecting devices.

I think that carrying network abuse detection tools, if you’re capable of managing them well, could prove to be invaluable for documenting abuse and following up with Freedom of Information Act requests. But someone with a detection tool must know how to use it and how to professionally release information about exactly what is detected.

It seems prudent to carry such a device along with an identical burner device for secure communications. In retrospect, what affects the detector device is likely occurring to the communications device, too, given the nature of IMSI catchers and common cellular networks. Keeping the two device functions separate allows you to easily share the detection device, as evidence, to a qualified examiner, without jeopardizing the private information contained in your secure communications burner device.

Supplemental watching

Defcon 21 – Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

Defcon 18 – Practical Cellphone Spying – Chris Paget

SS7: Locate. Track. Manipulate. [31c3] by Tobias Engel (SnoopSnitch)

Supplemental reading

IMSI Catchers: Practical Knowledge for Activists and Thotcon presentation

StingRay Technology: How Government Tracks Cellular Devices

Stingrays: The Biggest Technological Threat to Cell Phone Privacy You Don’t Know About

Telco metadata surveillance: only minimal avoidance with HTTPS and Tor

TextSecure, RedPhone, and Signal threat modeling

Create an anonymous TextSecure and RedPhone phone number

My Microsoft Bing proposal: Support the Tor Project, part 2

I’ve submitted this brief proposal to a PM within Bing to attempt to start some dialogue about Tor at Microsoft. These are my personal views and not those of my employer.

Background:
Outside of Microsoft I volunteer for several privacy- and security-oriented nonprofits. Most of my volunteer work has to do with learning about privacy (security) tools so I can teach them to activists, journalists, and lawyers. I also volunteer as a political activist for Seattle Privacy Coalition (SPC) where I advocate for “privacy thinking” to the Seattle City Council. SPC was a major catalyst for driving the council’s recent adoption of their “privacy principles” that will soon evolve into influencing Seattle-wide policy and process.

Proposal:
One of the tools that I specialize in teaching is Tor, from The Tor Project. If you are not familiar, I would be delighted to meet with you over coffee sometime to discuss it. As it might concern Bing, Tor is a powerful tool for all kinds of people around the world. In nations controlled by repressive governments, for example, Tor lets people access otherwise censored Internet. Tor (software), and the thousands of volunteers from around the world who make up Tor’s network, literally keep people safe as they strive to better themselves, their families, and their communities through access to information.

You might have heard that Facebook recently deployed a Tor “hidden service,” also called an “onion site.” Since Facebook now provides an onion site, Tor users can safely access Facebook without exposing their physical location to either Facebook or any unknown intermediaries. We all know how notorious Facebook is with regard to privacy, but Facebook’s concern for physical safety goes above and beyond what any other major technology player has given Internet users.

Alec Muffett, a Facebook engineer, has graciously published many tips concerning their experience deploying their onion site:

Building Enterprise Tor Onions: Tips and Notes
https://storify.com/AlecMuffett/tor-tips

In retrospect, Bing’s tagline that I see on various social media is, “The better technology can adapt to you, the more you can be yourself.”

This is precisely what privacy means: being able to create safe spaces using trusted tools to be honest with ourselves and our loved ones. I would really like to see Bing separate itself from the other search providers by making it clear that Microsoft understands privacy online by offering an onion site for Bing users.

Please let me know if you have any questions. If I am not able to answer something in enough detail, I have technical contacts who would be grateful to offer assistance.

Cheers

Anonymous surveillance self-defense survey process

Following January’s activist training, I have one objective that requires your help putting together two things:

1) create the content for a survey and/or survey template.

2) create a mechanism, compatible with WordPress, that distributes and collects anonymous survey data.

Regarding #2, Seattle Privacy Coalition could host an onion site, but that would require our activists to be comfortable with downloading and using Tor Browser Bundle before their training. Is that an acceptable requirement? A public Apache server could be configured to minimize the logged data, but the activist’s ISP and our website’s ISP would still have records. Is that an acceptable risk?
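
As an added illustration (not part of the original post), this is roughly what the "minimize the logged data" option looks like in an Apache 2.4 virtual host, with the common default shown commented out for contrast. The hostname, file paths and the format nickname survey_minimal are placeholders. It only reduces what the web server itself writes to disk; the ISP records mentioned above are unaffected, and WordPress or its plugins may keep their own records.

```apache
# Added example (constructed): survey.example.org and all paths are placeholders.
# Requires mod_ssl and mod_log_config.
<VirtualHost *:443>
    ServerName survey.example.org
    DocumentRoot "/var/www/survey"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/survey/fullchain.pem"
    SSLCertificateKeyFile "/etc/ssl/survey/privkey.pem"

    # Common default, shown for contrast: the "combined" format records the
    # client address (%h), a per-second timestamp (%t), the full request line
    # including any query string (%r), the Referer and the User-Agent.
    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    #CustomLog "logs/survey_access.log" combined

    # Minimized access log: date only (no time of day), request method,
    # URL path without the query string, and the final status code.
    LogFormat "%{%Y-%m-%d}t %m %U %>s" survey_minimal
    CustomLog "logs/survey_access.log" survey_minimal

    # The default ErrorLogFormat includes "[client %a]" and the Referer.
    # This format keeps only the time, module, level and message.
    # Note: the message text (%M) can still quote request details.
    ErrorLogFormat "[%t] [%-m:%l] %M"
    LogLevel warn
</VirtualHost>
```

Because the virtual host defines its own CustomLog, requests to it are written only to that file and not to the main server's access log.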

The survey as it exists:

  1. Do you use a cell phone when participating in protests?
  2. What is the operating system of the cell phone that you take to protests?
  3. Select the capabilities of said cell phone:
    1. Phone calls
    2. SMS (text messaging)
    3. Data (internet access via 2G, 3G, or 4G)
    4. Bluetooth
    5. Camera
    6. Video camera
    7. (fill in the blank)
  4. When participating in protests, what communication platforms do you use?
    1. Google Hangouts
    2. Apple iMessage
    3. SMS/texts
    4. Facebook Chat
    5. Email
    6. Twitter
    7. (fill in the blank)
  5. Do you know any differences between HTTP and HTTPS?
  6. Have you used privacy enhancing tools such as a VPN or Tor, either on a computer or on a cell phone?
  7. Have you ever sent an encrypted email before?
  8. Is your cell phone password protected?
    1. Yes, with a PIN
    2. Yes, with a password
    3. Yes, with a pattern
    4. Yes, with a fingerprint
    5. Yes, with a faceprint
    6. No
  9. Is your cell phone’s storage encrypted?
  10. Do you know what an IMSI-catcher, or “Stingray”, is?
  11. Regarding the personal computer that you use to coordinate protests, what is its operating system?
  12. Have you ever had a personal computing device seized or confiscated?
  13. Are you currently a victim of active surveillance?
  14. Do you drive, carpool, bus, bike, or walk to protests?
    1. Drive
    2. Carpool
    3. Bus
    4. Bike
    5. Walk
  15. Do you use your electronic debit, credit, and/or bus card(s) before, during, or after attending a protest?
    1. Yes, debit/credit
    2. Yes, bus (Orca) card
    3. No
  16. Do you have access to a technical specialist when you have questions about digital safety tools and practices?
  17. What topics would you like to see covered at this workshop?
  18. Will you be bringing your cell phone or laptop to the workshop? We encourage you to for our hands-on training.

Apps disabled on stock Motorola Moto E (2nd gen)

The following apps and/or services were ones I disabled. Some of them are Motorola services, some are Google apps, and some of them are apps that don’t provide any identifier at all yet have access to my phone. Before giving a new phone any network access (no cell network, no Wi-Fi), I disable these services.

This time around (I’ve tried many different mobile device configurations for security), this device is kept locked (not rooted) and lightly used (in this case TextSecure, RedPhone, and Flock are my only apps). I don’t have a browser like Chrome or Firefox because the web isn’t safe. I don’t use any social media apps because they suck up the contact list. The only software that I choose to run on this device (I have others) is from Open Whisper Systems.

Apps/services disabled:

Android Work Assistant
Basic Daydreams
Camera (replaced with “Open Camera”)
Chrome
Cloud Print
ConfigUpdater
CQATest
Device Management
Docs
Drive
Email
Exchange Services
Gallery (replaced with “Gallery ICS”)
Gmail
Google Backup Transport
Google Contact Sync (replaced with “Flock”)
Google Hindi Input
Google Korean Input
Google Launcher Config
Google One Time Init
Google Partner Setup
Google Pinyin Input
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Text-to-speech Engine
Google+
Hangouts
Help
HP Print Service Plugin
iWnn IME
Maps
Market Feedback Agent
Moto
Moto Actions
Moto Display
Motorola Alert
Motorola Boot Services
Motorola Checkin
Motorola Migrate
Motorola Notification
Motorola One Time Init
Motorola Sensor Services
Motorola Services
Motorola System Service
OMA Client Provisioning
Photos
Preset
Print Spooler
Setup
Setup Wizard
Sound Recorder
Storage Optimizer
Street View
TalkBack
Trusted Face
YouTube