Seguridad digital/Digital Security

From Anarchaserver
  • EVALUATION CRITERIA BEFORE PRODUCING NEW DOCUMENTATION
   Don't reinvent the wheel (is it duplicating upstream work)
   Who's the public & what are the objectives (security & technical level)
   Who's behind it? (long-term project vs one shot, collaboration)
   Threat modelling (security is a process, not a set of tools)
   Maintainability (is it updated, open source, update frequency needs, etc.)
   Translation & translatability (tools, length, language, cultural translation, easiness to provide translation to group, etc.)
   User feedback & peer review (criteria: correct, complete, up to date, translated; always indicate the date the manual was last updated/released)
   Support, hotlines after reading manuals, if you still have questions
   Ethical/trans-queer-feminist "approved" manual
  • AVAILABLE DOCUMENTATION
   Activist security: 
   http://www.activistsecurity.org/

General security purpose off line for activists

   Kit didactico Genero, TIC y Activismo (Spanish and Catalan):
   http://www.donestech.net/files/KIT_CAST_5.pdf
   Has been downloaded a lot; positive feedback and a lot of interest from feminists in Latin America. Should be updated but can address a global audience.

   Radical Community Manager - basically Twitter, Facebook and non-secure communication to reach the mainstream (Spanish):
   http://nocionescomunes.wordpress.com/2011/10/10/radical-community-manager-breves-nociones-para-aprender-a-comunicarse-organizarse-y-luchar-en-las-redes-2-0/
   Security in a box (Spanish):
   https://securityinabox.org/es
   Community Focus: Digital Security in Context
   https://securityinabox.org/communities
   Tools and Tactics for the LGBTI Community in the Arabic region
   Tools and Tactics for the LGBTI Community in sub-Saharan Africa
   Tools and Tactics for the Environmental Rights Defenders in sub-Saharan Africa
   Alternativas por prism-break (Spanish):
   https://prism-break.org/#e
   Alternativas por tactical tech (English):
   https://cooperativa.ecoxarxes.cat/bookmarks/view/230845/quick-guide-to-alternatives
   List of guides on security and alternative service providers (Spanish and English):
   https://www.riseup.net/es/resources
   https://help.riseup.net/en/security/resources
   https://help.riseup.net/es/security/resources/radical-servers (eng only)
   FLOSS manuals: Bypassing censorship (English, Spanish, and more):
   http://www.flossmanuals.net/bypassing-censorship/
   http://en.flossmanuals.net/bypassing-es/
   FLOSS manuals: Basic Internet Security (English):
   http://www.flossmanuals.net/basic-internet-security/
   Lilithlela cyberguerrila (English):
   https://lilithlela.cyberguerrilla.org/
   EFF surveillance toolkit (English):
   https://ssd.eff.org/
   Version for printing: https://ssd.eff.org/book/export/html/14
   Guide d’autodéfense numérique (French):
   https://guide.boum.org/
   Tails documentation (English, French, and German):
   https://tails.boum.org/doc/
   Cryptoparty Handbook (German & English):
   http://www.cryptoparty.in/documentation/handbook
   Cryptoparty fork (the terms crypto and party are misunderstood):
   Privacy Café https://privacycafe.nl/ (Dutch)
   Café vie privée https://café-vie-privée.fr/ (French)
   Encryption Works (English and Portuguese):
   https://pressfreedomfoundation.org/encryption-works
   GPG Encryption Guide (English)
   http://www.tutonics.com/2012/11/gpg-encryption-guide-part-1.html
   5 of the best Free Linux Encryption Tools (English)
   http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html
   Partially outdated (TrueCrypt) / material ranking options needs to be frequently updated
   Comparison of disk encryption software (English, Bahasa Indonesia)
   http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
   Not a real reference howto or article, but useful for discovering new encryption methods and tools related to them.
   Equalit/Frontline: Digital Security and Privacy for Human Rights Defenders (English)
   https://equalit.ie/esecman/index.html
   Security Hosting Guide from Equalit.ie
   https://learn.equalit.ie/wiki/Choose_a_hosting_provider
   Staying Safe: Security Resources for Human Rights Defenders (English): 
   https://www.newtactics.org/conversation/staying-safe-security-resources-human-rights-defenders
   Your Legal Guide to Digital Security for Arab Human Rights Activists (English): 
   http://globalvoicesonline.org/2013/04/22/your-legal-guide-to-digital-security-for-arab-human-rights-activists/
   "Our Right to Safety: Women human rights defenders' holistic approach to protection" (English): 
   http://protectionline.org/2014/03/13/publication-by-awid-and-whrd-ic-our-right-to-safety-women-human-rights-defenders-holistic-approach-to-protection/
   PDF: http://protectionline.org/files/2014/03/our_right_to_safety_en.pdf
   Protection Manual for LGBTI Defenders
   www.eidhr.eu/files/dmfile/protection-manual-or-lgbti-defenders_en.pdf
   Take Back the Tech (English, Spanish, French)
   https://www.takebackthetech.net/
   https://www.takebackthetech.net/be-safe/privacy

Mobile phone security manuals


   Quema tu móvil (Spanish):
   https://quematumovil.pimienta.org/
   A practical guide to protecting your identity and security when using mobile phones (many languages including Spanish, French, Arabic, etc.)
   https://www.wefightcensorship.org/es/article/proteja-sus-datos-y-anonimato-en-su-telacfono-ma3vilhtml.html
   Mobile Phone Security and Android Apps:
   http://en.flossmanuals.net/tech-tools-for-activism/mobile-phone-security-and-android-apps/
   Use mobile phones securely :
   https://techtoolsforactivism.org/content/use-mobile-phones-securely
   TextSecure manual:  send encrypted SMS/text messages
   http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
   Avoid fake base stations / man in the middle attack with cell tower
   https://secupwn.github.io/Android-IMSI-Catcher-Detector/ (english)
   Shield for mobile
   http://killyourphone.com/

Non-textual formats


   Videos Ono robot (Spanish):
   https://onorobot.org/languages
   Me and my shadow (Spanish):
   https://myshadow.org/es
   Data Dealer (online game, English):
   http://datadealer.com/
   EFF panopticlick, IP Check (browser fingerprinting tools, English):
   https://panopticlick.eff.org
   http://ip-check.info
   The Internet (Doesn't) Need Another Security Guide (video, English)
   https://www.youtube.com/watch?v=VHgs3YcxzXw
   Unlike Us Network - Institute of Network Cultures (organization, English)
   http://networkcultures.org/unlikeus/

Paper books


   Information Security for Journalists (English)
   http://files.gendo.nl/Books/Information_Security_for_Journalists_v1.01.pdf

Infographics & comics


   Email self-defense (English)
   https://emailselfdefense.fsf.org/en/infographic
   XKCD on PGP (English)
   http://www.explainxkcd.com/wiki/index.php/1181:_PGP
   http://www.explainxkcd.com/wiki/index.php/897:_Elevator_Inspection
   Joy of tech
   http://www.geekculture.com/joyoftech/
   Tor and HTTPS (English, Spanish, and more):
   https://people.torproject.org/~lunar/tor-and-https/en/tor-and-https.svg
   https://people.torproject.org/~lunar/tor-and-https/es/tor-and-https.svg

TOOLS/STORIES

   Harass map (English, Arabic):
   http://harassmap.org/en/
   Hollaback ending street harassment (multiple languages)
   http://www.ihollaback.org/
   The Guardian Project :
   https://guardianproject.info/apps/
   Orbot: Proxy With Tor
   Orbot brings the capabilities of Tor to Android. Tor uses Onion Routing to provide access to network services that may be blocked, censored or monitored, while also protecting the identity of the user requesting those resources.
   https://guardianproject.info/apps/orbot
   Orweb: Private Web Browser
   Orweb is a privacy enhanced web browser that supports proxies. When used with Orbot, Orweb protects against network analysis, blocks cookies, keeps no local browsing history, and disables Flash to keep you safe.
   https://guardianproject.info/apps/orweb
   InformaCam
   InformaCam is a plugin for ObscuraCam that allows the user, without much intervention on their own part, to inflate image and video with extra points of data, or metadata. The metadata includes information like the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and wifi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.
   https://guardianproject.info/2012/01/20/introducing-informacam/
   Panic Button: How to turn a mobile phone into an alert system for activists
   https://panicbutton.io/
   http://livewire.amnesty.org/2013/04/15/how-to-turn-a-mobile-phone-into-an-alert-system-for-activists/
   Kill Packet 
   This post explores a hypothetical case where one has volatile data on a remote machine that needs to be removed as fast and as discreetly as possible without having to open up a laptop and log in via SSH, an SFTP/FTP browser
   http://julianoliver.com/output/log_2013-02-24_19-21     
   Videre     
   Effective documentation and exposure are vital factors in the fight against human rights violations. Videre, an international charity founded in 2008, gives local activists the equipment, training and support needed to safely capture compelling video evidence of human rights violations. This captured footage is verified, analysed and then distributed to those who can create change. Videre’s unique approach addresses the lack of reach, security, verification and impact that hampers civil society’s current efforts to expose human rights abuses. We reach out to those groups and individuals that traditional or new media cannot; ensure the security of activists who film violations; verify footage before use; and follow through to ensure effective distribution and measurable impact.
   http://www.videreonline.org/                                                                 

TRANSLATION RESOURCES

   https://coati.pimienta.org/: simultaneous interpretation technologies, and manuals for interpretation in events
   Translation collectives:
   http://guerrillatranslation.com/
   http://fr.mondo-lingua.org/
   http://translatorswithoutborders.org/
   Web-based translation tools and communities:
   https://transifex.com/
   https://weblate.com/

Type of material

   Audio, video, text ???
   Generic / specific (targeting a global audience vs specific target group)
   Tools and/or methodologies (manual howto or manual state of mind)

PROBLEMS & EXPERIENCES


What is missing?

 - A lot of material is only available in English
 - Need for cultural translation & fitting lifestyle worlds (not only language)
 - Not enough embedded documentation
 - Manuals for mobile phones
 - More material: infographics/videos/audios
 - Always trouble to find right material for right target groups
 - Like Tactical Tech a lot
 - Sensation that people do not read, so RTFM does not work
 - Interested in developing tactics and praxis
 - Activists related to the 15th May movement, not really aware of digital security... need to use mainstream tools like Twitter but also need to learn new tactics to protect privacy
 - Need for more material for smartphones and mobile phone users: https://pad.riseup.net/p/THF_security_documentation_mobiles
 - Need for translation in the sense of embedding, and interested in filling the gaps to make steps between need for visibility and invisibility oscillate
 - Lacking not so much documentation about how to use tools but documentation that embeds contexts and situations of target groups
 - Understanding privacy as a collective value. Maybe you're privileged and don't need it, but people communicating with you do need or desire it.

Broad concepts of information security:

 - availability, access control, secrecy
 - authenticity, identity management, anonymity
 - reliability, denial-of-service

 - Problems/experiences with cryptoparties / cf. also the article of Asher Wolf, "hacker community we need to talk?": http://inewp.com/dear-hacker-community-we-need-to-talk/
 - Some participants point at the fact that security has become an issue, more important and central last year for feminist groups. Before, we would try to convince them and now they look for us.
 - Set of visual icons to label the manual (quick glance to grasp an idea about the manual quality)
 - Specific groups: activists, feminists, artists, immigrants, age groups (younger people are not using email anymore)


SECURITY DOCUMENTATION MOBILES

Main Topics: Cases/Intro, Preparing an action, Promoting an action, during an action

   Intro: about mobiles and security
   Notes on the notion of security
   Which type of operating systems for mobile (degrees of "security" they offer)
   Ways to track a mobile phone (agnez checks for dumb phones, gsm tracking)
   Tools to prepare and coordinate actions quickly
   Instant messaging: Telegram (Marta checks security issues and manuals)
   Another instant messaging possibility: Chatsecure with Jabber 
   To get info: SecureDrop
   Proxy for Android: Orbot
   Share, Communicate over VIRTUAL PRIVATE NETWORK (VPN)
   To avoid using a phone: netbook with Tails
   To avoid using your smartphone: Dumbphone/Multifunctional phone/ Burner phone and pre-paid sim card
   To avoid fake base stations in GSM/UMTS network
   Tools to spread the call for the actions safely
   Twitter Proxy
   Facebook Proxy
   Tor Browser Bundle
   Anonymous emailing
   Tools to communicate the action
   Streaming: Bambuser proxy? any anonymous streaming server?
   Reporting: StoryMaker
   Creating evidence: InformaCam
   Documenting: Mobile Martus

4. Images and illustrations for the previous tools

This is a generic manual; if you distribute it locally or translate it, we suggest adding info about the legal situation and the activist context.



1// INTRO: ABOUT MOBILES AND SECURITY

1.1. Notes on security (can be written editing notes from yesterday's session: https://pad.riseup.net/p/THF_security_documentation)

 - Decide on threat model; the more vulnerable a person, the stronger the security measures they need to use.
 - Don't forget analogue: meeting in real life, sending snail mail, using payphones.
 - The weakest link is human. You may have used all the best privacy and anonymity techniques for years and a friend or family member can accidentally out you by sending you a Facebook message: "hey i saw you in a photo".

https://securityinabox.org/en/chapter-11
https://securityinabox.org/en/chapter_3_1

In mobile phones, information is vulnerable in many ways:

 - Each mobile phone provider has full access to all text and voice messages sent via its network.
 - Phone providers in most countries are legally obliged to keep records of all communications.
 - Voice and text communication can also be tapped by third parties in proximity to the mobile phone, using inexpensive equipment.
 - Mobile phones can store all sorts of data: call history, text messages sent and received, address book information, photos, video clips, text files. These data may reveal your network of contacts, and personal information about you and your colleagues.
 - Phones give out information about their location.

1.4. Which type of operating systems for mobile (degrees of "security" they offer)

The OS may well include hidden features enabling better monitoring by the service provider of any particular device.
   - Blackberry (non-open source)
     http://en.wikipedia.org/wiki/BlackBerry#Intelligence_agency_access
   - Android:
   - Cyanogenmod (http://www.theverge.com/2013/12/9/5191778/cyanogenmod-rolls-out-encrypted-text-messaging-by-default-whisper-systems)
   - Boeing Black (probably non-commercial, non-open-source, just for US Security)
   - iOS

1.3. Ways to track a mobile phone

As part of normal operation, every mobile phone automatically and regularly informs the phone service provider where it is at that moment. What's more, many phones nowadays have GPS functions, and this precise location information may be embedded in other data such as photos, SMS and internet requests that are sent from the phone.

This link provides in-depth knowledge about how mobile networks and mobile devices are vulnerable to attacks, which for our purposes means being traceable: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
It needs simplification to be used by us also.

Threat Levels:

   - Monitoring your network traffic. It can be a cell tower, a user on your local Wifi, router etc.
       - Fake cell towers used by police: "Stingray" http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move (more reliable source)
       - Practical example of spying (https://www.youtube.com/watch?v=fQSu9cBaojc)
       - Service providers may be obligated to give information to police and government in some countries ?? (source)
       - Wifi tapping (needs source)
   - Through access to your physical hardware (either a user who has access to your mobile device or an adversary who has obtained your lost/stolen mobile device)
   - Through malware or vulnerable applications, and also modified versions of legitimate applications and operating systems.
   - Untrusted data sent to you via an application, which can contain injection vectors.
   - Untrusted or poorly developed applications that contain security flaws:
       - http://www.csoonline.com/article/2134120/mobile-security/manufacturers-building-security-flaws-into-android-smartphones.html
   - Super paranoid NSA level stuff:
       - http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html

1.2 GSM

GSM communication is not tap-proof!
GSM non-secure presentation at CCC, December 2010: http://gizmodo.com/5719940/breaking-gsm-security-with-a-15-phone

 - Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.
 - GSM is insecure, the more so as more is known about GSM.

=> ?? Maybe GSM security is insignificant for our project, as it is clear that GSM is simply not secure // Besides the GSM network there is only Wifi that can be used by mobile phones, and they are not very accessible in an event of demonstrations? +1

Metadata tracking
Network analysis

2// TOOLS TO PREPARE AND COORDINATE ACTIONS QUICKLY

2.1. Telegram

Security issues:

   - Multiple devices https://github.com/DrKLO/Telegram/issues/208
   - Non-official apps could be a risk (e.g. Webogram is not official)
   - https://blog.thijsalkema.de/blog/2014/04/02/breaking-half-of-the-telegram-contest/

BUT Telegram is the most popular free software for instant messaging, so we may trust its big community as relatively reliable. But their server software is still not free.

2.2. Chatsecure with Jabber

"Orbot has the ability to transparently torify all of the TCP traffic on your Android device when it has the correct permissions and system libraries"
https://www.torproject.org/docs/android.html.en
https://play.google.com/store/apps/details?id=org.torproject.android&hl=es

2.3. To get info: SecureDrop

2.4. Proxy for Android: Orbot

You need to root your phone. Otherwise, you can still use the following applications prepared to work with Orbot:

   - Orweb browser
   - ChatSecure
   - DuckDuckGo search engine
   - Add-on proxy mobile for firefox
   - Twitter proxy
   - StoryMaker
   - Mobile Martus

2.5. VPN

It secures your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes. VPNs are used to connect remote datacenters, and individuals can use VPNs to get access to network resources when they're not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they're using an untrusted public network.

Getting and dropping sensitive information (images, docs, videos) from your trusted data center in an untrusted Wifi zone.
https://we.riseup.net/riseuphelp+en/vpn-howto

2.5. Avoid using a phone: netbook with Tails

 - For key persons who are preparing and doing a call for action.
 - Gather physically if possible and use Tails from your laptops when spreading the first calls. Don't use mobile phones in this stage.
 - Sending out the call for action: instruct target groups that everyone should use/pass the same "call on action".
 - For decentralised (non-physical) communication, use an encrypted IRC on trusted ISPs.

2.6. Avoid using your phone

Dumbphone/Multifunctional phone/Burner phone and pre-paid SIM card.
You can also protect your phone with signal blocking pouches, or use a Faraday cage on your phone with RF Shielding Fleece.
http://killyourphone.com/

2.8 To avoid fake base stations in GSM/UMTS network

Both law enforcement agencies and criminals use IMSI-Catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a Man In the Middle (MITM) attack. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. See the talk of Chris Paget called "Practical Cellphone Spying" at DEF CON 18 for a "how to".

The project called "Android IMSI-Catcher Detector" is an Android-based project to detect and avoid fake base stations.
Find a step-by-step installation guide at https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/wiki/Installation.

3// TOOLS TO SPREAD THE CALL FOR ACTION SAFELY

3.1. Twitter proxy
3.2. Facebook proxy
3.3. Tor browser bundle
3.4. Anonymous e-mailing

4// TOOLS TO COMMUNICATE THE ACTION

4.1. Streaming
4.2. Reporting: StoryMaker
4.3. Creating evidence: InformaCam
4.4. Documenting: Mobile Martus
http://benetech.org/2013/10/02/introducing-mobile-martus-1-0/

5. Images and illustrations for the previous tools

Metadata: https://picup.it/media/pictures/sticker_375x360_Metadata.png