Category Archives: Education

Tor Project successes

Related: Users of Tor

2015

2015-Sep | Free Software Foundation: Tor relay reinstated in the Kilton Library: a win for free software-based anonymity

2015-Jun | GlobalVoices: Tor Use in Russia Spiking in Response to Kremlin’s Censorship Efforts

2015-Apr | Committee to Protect Journalists: Journalists overcome obstacles through crowdfunding and determination

2015-Mar | GlobalVoices: Netizen Report: Macedonian Leak Scandal Reveals Mass Surveillance, Corruption

2015-Mar | Motherboard: Iran Is Trying to Block Tor

2014

2014-Nov | Committee to Protect Journalists: How Facebook’s Tor hidden service improves safety for journalists

2014-Sep | Comcast: Setting the Record Straight on Tor

2014-Aug | GlobalVoices: Iran’s Internet Users Outsmart Government in Cat-and-Mouse Censorship Game

2014-Jul | Dailydot: Iran blacklists Tor network, knocking 75 percent of users offline

2014-May | Transition House: As domestic abuse goes digital, shelters turn to counter-surveillance with Tor

2014-Apr | Reporters Without Borders: Reporters Without Borders and Torservers.net, partners against online surveillance and censorship

2013

2013-Jul | GlobalVoices: Another Journalist Arrested in Zambia

2012

2012-Jun | Reporters Without Borders: Government steps up control of news and information

2012-Feb | Ars Technica: Tor’s latest project helps Iran get back online despite new Internet censorship regime

2011

2011-Apr | GlobalVoices: Over the Firewall and into the Fire

2011-Apr | Freedom House: Leaping Over the Firewall: A Review of Censorship Circumvention Tools

2011-Jan | GlobalVoices: Iran: Blocking activity, email interception, and renewed pressure on the Green Movement

2011-Jan | Tor Project: New Blocking Activity from Iran

2010

2010-Jan | GlobalVoices: Poland: Discussions of TOR and Internet Filtering

2009

2009-Sep | GlobalVoices: Anonymous Blogging with WordPress and Tor (Arabic edition)

2009-Mar | GlobalVoices: Anonymous Blogging with WordPress & Tor Updated!


[tor-talk] Corporate policy and procedure

Dear Tor Talk,

As part of my internship work with the ACLU of Washington, I’m looking for practical examples of corporate policies and procedures for:

  • Deploying Tor relays and management
  • Deploying Tor Browser on client computers and management

I will be preparing templates, and related Tor education/marketing materials, for organizations within Washington State that we want to see supporting Tor. We will also publish these materials using a public domain license for anyone to use.

For example, if a library or law office, etc, wanted to support Tor by one or both of the above examples, they might want to develop internal policies detailing how to deploy it and how to manage it. This might be important material to have in advance when advocating to managers or a board of directors.

A policy to manage a Tor relay might include:

  • Statement of purpose
  • Device access policy
  • Abuse complaints policy
  • Admin management policy
  • Isolated network zone exception policy
  • Links to any related standard operating procedures

A standard operating procedure for Tor relay management might include:

  • List of maintainers, contact information, and escalation procedures
  • Maintenance schedule
  • Management commands and expected outcomes
  • Troubleshooting steps
  • Reference to internal governing policy

Regarding policies and procedures for managing Tor Browser, should it be managed any differently than Firefox or Chrome? Clearly the network traffic is different from standard HTTP/HTTPS, though it looks more like HTTPS. QoS might not work at all. If companies replace client-side SSL/TLS certificates for monitoring, would that affect Tor Browser? Exception policies might be prudent. Updating procedures might be different.

If your workplace has any of the above documents, or you have prepared similar documents in your own advocacy, please email me a copy or a redacted copy, and thank you!

ACLU-WA encryption evangelism internship proposal

Goal

Further the use of FOSS encryption technologies within Washington legal and journalism circles.

Tor

Organizations, rather than individuals, should be the targets for Tor relay and Tor exit relay adoption, because they have the resources and stability that relays need. The EFF "Tor Challenge" has been unsuccessful at gaining long-term relays because it focuses on individuals, who are largely unfocused or lack stable resources. ACLU-WA support could happen in three ways: write to local organizations that are likely to deploy a Tor relay, provide written education or in-person training, and create public reports on successes and failures. Supporting Tor supports human rights work 24/7/365, globally.

HTTPS and StartTLS

Many organizations that require privacy lack website/service transport security. Focusing on specific types of organizations, such as law firms and news agencies, would benefit the public and overall Internet health. HTTPS is critical for keeping confidential which specific pages and forms are visited, in addition to any information transmitted. StartTLS is critical for keeping entire emails confidential. In light of recent developments in Texas [1], it would be timely to push Washington state legal policy organizations to adopt similar rules. The "Let's Encrypt" launch has been pushed out to November 16th, 2015 [2]; it would be great to have 2 months to start a parallel ACLU-WA initiative (focused on law firms and news agencies, for example) so that it benefits from and enhances the initial press when Let's Encrypt launches.

TextSecure, RedPhone, & Signal

While HTTPS and StartTLS are important for public and private communication, mobile apps can greatly strengthen inter-organization privacy. Classic telephony and SMS communications are insecure. The Open Whisper Systems ecosystem uses state-of-the-art encryption, is scalable, and is free and open source software. Purchasing 5th generation iPod Touch devices is a small cost for law firms and allows lawyers to register their work phone number with Signal. Doing so would let anyone who has their regular work phone number use end-to-end encryption instead. No wiretaps, no SS7 tracking, no IMSI catcher tracking, and none of the baseband or SIM card vulnerabilities that are inherent in any cellular device.

SecureDrop

Whistleblowing is a critical part of a democracy: it keeps the public informed and organizations accountable. SecureDrop, by the Freedom of the Press Foundation, is a powerful tool that allows anyone to leak information to targeted organizations. SecureDrop has been around for 2 years and is largely used by news agencies. That being said, only a very small fraction of news agencies support SecureDrop, which creates two problems: overall diversity and market diversity. Overall, there are too few trusted organizations for whistleblowers to choose from. If a person who has access to specific information is only comfortable providing it to a specific organization or person, but no secure whistleblowing platform exists there, nothing will get leaked. Similarly, if only news agencies support secure whistleblowing platforms, other NGOs that might be better equipped to handle the response will not get leaks. ACLU-WA could work with the Freedom of the Press Foundation to focus on evangelizing SecureDrop to NGOs.

Conclusion

It is ethics and education apathy that is preventing people from adopting FOSS security systems that provide privacy. It is one thing to be apathetic in our personal lives, but it is not acceptable in professions that demand privacy in order to keep people safe.

[1] http://ridethelightning.senseient.com/2015/07/when-must-lawyers-ethically-encrypt-data-texas-answers.html

[2] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html

Infosec masters capstone ideas: supporting the closeted whistleblower

I’m a long way from having to choose a capstone but I want it to be meaningful. Focusing on an end goal is ideal so I can actively apply the concepts of my coursework to my capstone. Since learning about global surveillance systems (thank you Edward Snowden), I’ve been impassioned about learning about these systems and teaching people about them. Abused populations like journalists and whistleblowers are the groups that I identify with the most because of their importance for a democratic society.

Tor and Tor hidden services, in general, are intriguing, and there is a lot of existing academic work on them. However, there are four equally interesting software projects that are dependent on Tor's success. We have Ricochet, an instant messaging client and soon-to-be file sharing client. There's OnionShare, a file sharing client. There's Pond, an email-like messaging client. And there's SecureDrop, a file sharing and email-like messaging system.

Simply put, anonymity tools are required for information and metadata control; be it maximal deniability or maximal influence, whistleblowers need to control what is and is not exposed. Journalists are a tool of whistleblowers, not the other way around.

I am not a software developer or a cryptographer. I never want to be, because my brain is not built for those types of information manipulation. However, educators (technology trainers), a role I have been valued in since I started using and understanding general purpose computers, are an important part of the information security ecosystem. As a surveillance self-defense instructor for Seattle Privacy Coalition, it is clear to me that educators are a required part of trusted crypto tool adoption.

There is a societal need for people that understand information infrastructures, the operations of journalists, the threats of surveillance, crypto and software specialists, and how to boil all of that down into consumable information for the lay person. Not to mention be a valuable feedback loop for crypto and software developers.

Problems

Nothing in information security can ever be perfect because information security tools are always targeted at specific problems. Problems will always shift. Crypto and software developers need to solve many unique problems, and sources and journalists need to solve many unique problems. How do they work together?

As it stands, the problem that I want to tackle is helping bridge the gap between sources and journalists. Edward Snowden was largely successful as a whistleblower because his skill set is technical in nature. Knowledge of various systems allowed him to retain maximal control, although he was not alone. Snowden had a native advantage in the process of whistleblowing. Most people who are exposed to information presumed to be in the public interest are not technical and therefore do not have a native advantage. Leaking something to a reporter they respect requires comfort with their own crypto tool knowledge, if any, and they have to commit to a journalist they think they can trust. Closeted whistleblowers are not going to pick a journalist just because they publish a PGP key or because their organization hosts a SecureDrop site.

The “closeted” whistleblower

‘Closeted’ and ‘in the closet’ are adjectives for lesbian, gay, bisexual, transgender etc. (LGBT) people who have not disclosed their sexual orientation or gender identity and aspects thereof, including sexual identity and sexual behavior.

This is applicable to a person who is conscious of organized wrong-doing, has information or access to information that is presumed to be in the public interest, and needs to leak said material to a publication organization.

The solution then must be education and awareness. Something structured yet easily adaptive. Should we develop source curriculum?

Semantic information (verbal or written, in the absence of hands-on workshops) probably transitions best into tacit knowledge if it is formed into scenarios. Source curriculum must avoid explicit information (regurgitation) wherever possible.

Questions

Can whistleblower threat modeling training be accomplished without in-person education?

SecureDrop landing pages are very specific. They do not offer hypotheticals, they focus purely on the “best” way to use a specific system. Is that enough to help turn a closeted whistleblower into a whistleblower?

Does SecureDrop support all forms of direct-to-journalist whistleblowing? If not, what’s missing?

Can web-based curriculum be designed well enough to turn computer users into secure whistleblowers?

Trust is always a required foundation in security. How do we teach “how to trust”?

I’ll think of more and better questions.

My Microsoft Bing Proposal: Support The Tor Project

This proposal represents my personal views and not those of Microsoft.

The better technology can adapt to you, the more you can be yourself.

Tor (TorProject.org), the open source privacy tool, is as important to some people as public education, grocery stores, and 24/7 emergency services. Microsoft is a global technology company that should aim to maximize the privacy of its users. This proposal consists of four parts:

1) Deploy site-wide, always on Bing.com HTTPS

Just like Outlook.com, people’s ordinary Bing searches deserve the same respect and privacy as personal and workplace emails.

2) Deploy Tor relays (non-exits) in Bing datacenters

Microsoft should contribute to the Tor network by deploying at least 10 Gbps of Tor relay throughput, distributed globally.

3) Deploy a Bing.com Onion address

Many people are not able to reach various parts of the Internet because of government censorship. Giving Bing users direct access through Tor maximizes search accessibility and privacy.

4) Dedicate $100,000 a year for the next 5 years to Tor Project

In an effort to minimize US government donations, Tor Project is asking for the public’s help. Help The Tor Project directly by supporting their not-for-profit organization.
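As an added illustration that is not part of the original proposal, these are the torrc directives behind parts 2 and 3: a non-exit relay, and an onion service fronting an existing HTTPS site. The nickname, contact address, bandwidth figures, fingerprints and paths are placeholders; because the Tor Project advises against running an onion service on a relay, the two fragments are configurations for two separate tor instances.

```text
# --- torrc for a NON-EXIT relay (one per relay host) ---
# Added example; Nickname, ContactInfo, MyFamily and rates are placeholders.
Nickname        ExampleOrgRelay01
ContactInfo     relay-ops AT example DOT com      # where abuse/operations mail should land
ORPort          9001                              # inbound relay traffic
SocksPort       0                                 # this host is a relay, not a client
ExitRelay       0                                 # never carry exit traffic ...
ExitPolicy      reject *:*                        # ... so no third-party abuse complaints
RelayBandwidthRate   100 MBytes                   # sustained cap agreed in the SOP
RelayBandwidthBurst  200 MBytes
MyFamily        $FINGERPRINT_OF_RELAY02,$FINGERPRINT_OF_RELAY03   # declare co-operated relays
ControlPort     9051                              # local management access only
CookieAuthentication 1

# --- torrc for the onion service (separate tor instance on a separate host) ---
# Tor keeps the service's private key under HiddenServiceDir; restrict access to it.
SocksPort            0
HiddenServiceDir     /var/lib/tor/example_onion/
HiddenServiceVersion 3
HiddenServicePort    443 127.0.0.1:443           # virtual port 443 -> local HTTPS front end
HiddenServicePort    80  127.0.0.1:80
```

Declaring MyFamily and a reachable ContactInfo is what lets the relay-management policy in the tor-talk post above (abuse complaints, maintainer contacts) be honoured on the network itself.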

How will Microsoft help?

DuckDuckGo, a popular privacy-focused search engine, has had an Onion address since 2013. Popular news outlets such as The New Yorker, Forbes, The Washington Post, and The Guardian have all deployed Tor-based "SecureDrop" instances in order to privately and securely collect information from concerned citizens. In 2014, Facebook deployed its own Onion address for its users. This year, Reddit users voted to donate $82,000 to Tor Project.

Brochures
https://blog.torproject.org/blog/spread-word-about-tor

There are three different versions of the brochure, all with the same front and different backs:

– Law Enforcement & The Tor Project: Geared as a quick reference for law enforcement audiences (not just investigators, but also support services).

– The Benefits of Anonymity Online: This is meant for journalists, domestic violence organizations, and others focused on protecting their identity online.

– Freedom & Privacy Online: The target audience here is the general public – helping educate people about the reasons that protecting their privacy is important.

Developing an Open Educational Resource on Encryption

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

— Edward Snowden, answering questions live on the Guardian’s website

Society needs an educational resource, covering the complex topics involved with information encryption, that is modular, openly accessible, and freely remixable. This is my proposal to create such a resource.

Open Educational Resources (OER) are freely accessible, openly licensed documents and media that are useful for teaching, learning, educational, assessment and research purposes. The development and promotion of open educational resources is often motivated by a desire to curb the commodification of knowledge[1] and provide an alternate or enhanced educational paradigm.

Utilizing Creative Commons licensing, an OER can be created on oercommons.org, where it will be maintained by a single authority, yet anyone in the world will be able to adapt and create their own work from ours. Oercommons.org provides a long-term support platform for maintaining these resources.

I started publicly asking for help in June of 2013, and I received a very warm welcome. You don't have to look far to see why.


October 2013: KEYNOTE: Journalism in the Age of Surveillance, Threat Modeling: Determining Digital Security for You, [For Journalism] Keeping Under the Security Radar, Improving Your Digital Hygiene

December 2013: United We Stand — and Encrypt by Josh Sterns

December 2013: Arab journalists need training for civil unrest and wars — referencing the CPJ’s Journalist Security Guide

January 2014: A Modest Proposal for Encrypting the Work of Activists by Kate Krauss

It is clear that a diversity of educational resources is needed. While my original proposal was going to be supported by the United States Open Knowledge Foundation, OKFNUS has since backpedaled due to lack of support from central OKF. I am hoping that the many people behind Crypto.is are interested in spearheading the development of this OER. If they are not, and no other organization is, I will shortly be registering my own domain name to create a project launch page.

The initial launch of the OER can be created using Micah Lee's work, of the Freedom of the Press Foundation, Encryption Works: How to Protect Your Privacy (And Your Sources) in the Age of NSA Surveillance. Micah and the Freedom of the Press Foundation graciously licensed this work as CC-BY, allowing us, and even Wikipedia, to reuse the work with attribution. I am hoping that Micah himself will want to be included in this project.

The target audience, initially, will be journalists, whistleblowers, activists, and dissidents. While these groups are the extreme cases, their example proves useful for the rest of society.

Please comment on this post, or tweet me, or email me your feedback.

Encryption for journalists #TA3M

Techno activism

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and software users who are interested in learning or teaching about censorship, surveillance, and various open source technologies for personal computing devices of all kinds. The New York based OpenITP nonprofit is the organization behind starting TA3M in December 2012, with New York, San Francisco and Berlin hosting their first TA3M events in January of 2013. Currently, TA3M events are held in at least 20 cities throughout the world, with many more launching every month.

Seattle hosted its first TA3M event in August 2013. In our November event, 35 people were in attendance to partake in presentations about Geeks Without Bounds involvement, Tor software development, and Tor use on personal computing devices.

Seattle journalists

For December's TA3M in Seattle, I'll be presenting on the use of specific open source encrypted communications applications for mobile and personal computing devices. The target audience for my presentation will be people who are brand new to these encryption-optional chat tools but generally familiar with instant messaging platforms.

  • ChatSecure for Android and iOS, by The Guardian Project
  • Orbot for Android, by The Guardian Project
  • Pidgin for Windows, OS X, and Linux

The rough draft of my presentation can be found here.

Tentative event schedule here.

If you are planning to attend this free and open-to-the-public event, and have any questions that technical people such as me can help answer for you, please post questions in the comment section of this post.