Difference between revisions of "Seguridad digital/Digital Security"
Latest revision as of 16:01, 8 October 2014
- EVALUATION CRITERIA BEFORE PRODUCING NEW DOCUMENTATION
- Don't reinvent the wheel (is it duplicating upstream work?)
- Who is the public and what are the objectives (security and technical level)?
- Who is behind it? (long-term project vs. one-shot, collaboration)
- Threat modelling (security is a process, not a set of tools)
- Maintainability (is it updated, open source, update frequency needs, etc.)
- Translation and translatability (tools, length, language, cultural translation, ease of providing a translation to a group, etc.)
- User feedback and peer review (criteria: correct, complete, up to date, translated; always indicate the last date the manual was updated/released)
- Support: hotlines to contact after reading the manuals, if you still have questions
- Ethical / trans-queer-feminist "approved" manual
- AVAILABLE DOCUMENTATION
Activist security:
http://www.activistsecurity.org/
General-purpose, offline (non-digital) security for activists
Kit didactico Genero, TIC y Activismo (Spanish and Catalan):
http://www.donestech.net/files/KIT_CAST_5.pdf
Has been downloaded a lot, with positive feedback and a lot of interest from feminists in Latin America; should be updated but can address a global audience.
Radical Community Manager: basically Twitter, Facebook and non-secure communication to reach the mainstream (Spanish):
http://nocionescomunes.wordpress.com/2011/10/10/radical-community-manager-breves-nociones-para-aprender-a-comunicarse-organizarse-y-luchar-en-las-redes-2-0/
Security in a box (Spanish):
https://securityinabox.org/es
Community Focus: Digital Security in Context
https://securityinabox.org/communities
Tools and Tactics for the LGBTI Community in the Arabic region
Tools and Tactics for the LGBTI Community in sub-Saharan Africa
Tools and Tactics for the Environmental Rights Defenders in sub-Saharan Africa
Alternatives from prism-break (Spanish):
https://prism-break.org/#e
Alternatives from Tactical Tech (English):
https://cooperativa.ecoxarxes.cat/bookmarks/view/230845/quick-guide-to-alternatives
List of guides on security and alternative service providers (Spanish and English):
https://www.riseup.net/es/resources
https://help.riseup.net/en/security/resources
https://help.riseup.net/es/security/resources/radical-servers (English only)
FLOSS manuals: Bypassing censorship (English, Spanish, and more):
http://www.flossmanuals.net/bypassing-censorship/
http://en.flossmanuals.net/bypassing-es/
FLOSS manuals: Basic Internet Security (English):
http://www.flossmanuals.net/basic-internet-security/
Lilithlela cyberguerrila (English):
https://lilithlela.cyberguerrilla.org/
EFF surveillance toolkit (English):
https://ssd.eff.org/
Version for printing: https://ssd.eff.org/book/export/html/14
Guide d’autodéfense numérique (French):
https://guide.boum.org/
Tails documentation (English, French, and German):
https://tails.boum.org/doc/
Cryptoparty Handbook (German & English):
http://www.cryptoparty.in/documentation/handbook
Cryptoparty fork (the terms crypto and party are misunderstood):
Privacy Café https://privacycafe.nl/ (Dutch)
Café vie privée https://café-vie-privée.fr/ (French)
Encryption Works (English and Portuguese):
https://pressfreedomfoundation.org/encryption-works
GPG Encryption Guide (English)
http://www.tutonics.com/2012/11/gpg-encryption-guide-part-1.html
5 of the best Free Linux Encryption Tools (English)
http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html
Partially outdated (TrueCrypt); material that ranks options needs to be updated frequently.
Comparison of disk encryption software (English, Bahasa Indonesia)
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Not a real reference howto or article, but useful for discovering new encryption methods and tools related to them.
Equalit/Frontline: Digital Security and Privacy for Human Rights Defenders (English)
https://equalit.ie/esecman/index.html
Security Hosting Guide from Equalit.ie
https://learn.equalit.ie/wiki/Choose_a_hosting_provider
Staying Safe: Security Resources for Human Rights Defenders (English):
https://www.newtactics.org/conversation/staying-safe-security-resources-human-rights-defenders
Your Legal Guide to Digital Security for Arab Human Rights Activists (English):
http://globalvoicesonline.org/2013/04/22/your-legal-guide-to-digital-security-for-arab-human-rights-activists/
"Our Right to Safety: Women human rights defenders' holistic approach to protection" (English):
http://protectionline.org/2014/03/13/publication-by-awid-and-whrd-ic-our-right-to-safety-women-human-rights-defenders-holistic-approach-to-protection/
PDF: http://protectionline.org/files/2014/03/our_right_to_safety_en.pdf
Protection Manual for LGBTI Defenders
www.eidhr.eu/files/dmfile/protection-manual-or-lgbti-defenders_en.pdf
Take Back the Tech (English, Spanish, French)
https://www.takebackthetech.net/
https://www.takebackthetech.net/be-safe/privacy
Mobile phone security manuals
Quema tu móvil (Spanish):
https://quematumovil.pimienta.org/
A practical guide to protecting your identity and security when using mobile phones (many languages including Spanish, French, Arabic, etc.)
https://www.wefightcensorship.org/es/article/proteja-sus-datos-y-anonimato-en-su-telacfono-ma3vilhtml.html
Mobile Phone Security and Android Apps:
http://en.flossmanuals.net/tech-tools-for-activism/mobile-phone-security-and-android-apps/
Use mobile phones securely:
https://techtoolsforactivism.org/content/use-mobile-phones-securely
TextSecure manual: send encrypted SMS/text messages
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
Avoid fake base stations / man in the middle attack with cell tower
https://secupwn.github.io/Android-IMSI-Catcher-Detector/ (English)
Shield for mobile
http://killyourphone.com/
Non-textual formats
Videos Ono robot (Spanish):
https://onorobot.org/languages
Me and my shadow (Spanish):
https://myshadow.org/es
Data Dealer (online game, English):
http://datadealer.com/
EFF panopticlick, IP Check (browser fingerprinting tools, English):
https://panopticlick.eff.org
http://ip-check.info
The Internet (Doesn't) Need Another Security Guide (video, English)
https://www.youtube.com/watch?v=VHgs3YcxzXw
Unlike Us Network - Institute of Network Cultures (organization, English)
http://networkcultures.org/unlikeus/
Paper books
Information Security for Journalists (English)
http://files.gendo.nl/Books/Information_Security_for_Journalists_v1.01.pdf
Infographics & comics
Email self-defense (English)
https://emailselfdefense.fsf.org/en/infographic
XKCD on PGP (English)
http://www.explainxkcd.com/wiki/index.php/1181:_PGP
http://www.explainxkcd.com/wiki/index.php/897:_Elevator_Inspection
Joy of tech
http://www.geekculture.com/joyoftech/
Tor and HTTPS (English, Spanish, and more):
https://people.torproject.org/~lunar/tor-and-https/en/tor-and-https.svg
https://people.torproject.org/~lunar/tor-and-https/es/tor-and-https.svg
TOOLS/STORIES
Harass map (English, Arabic):
http://harassmap.org/en/
Hollaback ending street harassment (multiple languages)
http://www.ihollaback.org/
The Guardian Project:
https://guardianproject.info/apps/
Orbot: Proxy With Tor
Orbot brings the capabilities of Tor to Android. Tor uses Onion Routing to provide access to network services that may be blocked, censored or monitored, while also protecting the identity of the user requesting those resources.
https://guardianproject.info/apps/orbot
Orweb: Private Web Browser
Orweb is a privacy enhanced web browser that supports proxies. When used with Orbot, Orweb protects against network analysis, blocks cookies, keeps no local browsing history, and disables Flash to keep you safe.
https://guardianproject.info/apps/orweb
InformaCam
InformaCam is a plugin for ObscuraCam that allows the user, without much intervention on their own part, to inflate image and video with extra points of data, or metadata. The metadata includes information like the user's current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and wifi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.
https://guardianproject.info/2012/01/20/introducing-informacam/
Panic Button: How to turn a mobile phone into an alert system for activists
https://panicbutton.io/
http://livewire.amnesty.org/2013/04/15/how-to-turn-a-mobile-phone-into-an-alert-system-for-activists/
Kill Packet
This post explores a hypothetical case where one has volatile data on a remote machine that needs to be removed as fast and as discreetly as possible without having to open up a laptop and log in via SSH, an SFTP/FTP browser
http://julianoliver.com/output/log_2013-02-24_19-21
Videre
Effective documentation and exposure are vital factors in the fight against human rights violations. Videre, an international charity founded in 2008, gives local activists the equipment, training and support needed to safely capture compelling video evidence of human rights violations. This captured footage is verified, analysed and then distributed to those who can create change. Videre's unique approach addresses the lack of reach, security, verification and impact that hampers civil society's current efforts to expose human rights abuses. We reach out to those groups and individuals that traditional or new media cannot; ensure the security of activists who film violations; verify footage before use; and follow through to ensure effective distribution and measurable impact.
http://www.videreonline.org/
TRANSLATION RESOURCES
https://coati.pimienta.org/: simultaneous interpretation technologies, and manuals for interpretation in events
Translation collectives:
http://guerrillatranslation.com/
http://fr.mondo-lingua.org/
http://translatorswithoutborders.org/
Web-based translation tools and communities:
https://transifex.com/
https://weblate.com/
Type of material
Audio, video, text ???
Generic / specific (targeting a global audience vs. a specific target group)
Tools and/or methodologies (manual howto or manual state of mind)
PROBLEMS & EXPERIENCES
What is missing?
- A lot of material is only available in English.
- Need for cultural translation and fitting lifestyle worlds (not only language).
- Not enough embedded documentation / manuals for mobile phones.
- More material as infographics/videos/audios.
- Always trouble to find the right material for the right target groups.
- Like Tactical Tech a lot.
- Sensation that people do not read, so RTFM does not work.
- Interested in developing tactics and praxis.
- Activists related to the 15th of May movement are not really aware of digital security; they need to use mainstream tools like Twitter but also need to learn new tactics to protect privacy.
- Need for more material for smartphone and mobile phone users: https://pad.riseup.net/p/THF_security_documentation_mobiles
- Need for translation in the sense of embedding; interested in filling the gaps so that the steps between the need for visibility and invisibility can oscillate.
- Lacking not so much documentation about how to use tools, but documentation that embeds the contexts and situations of target groups.
- Understanding privacy as a collective value. Maybe you're privileged and don't need it, but the people communicating with you do need or desire it.
Broad concepts of information security:
- availability, access control, secrecy
- authenticity, identity management, anonymity
- reliability, denial-of-service
Problems and experiences with cryptoparties; cf. also the article by Asher Wolf, "Hacker community, we need to talk": http://inewp.com/dear-hacker-community-we-need-to-talk/
Some participants point at the fact that security has become an issue, more important and central in the last year for feminist groups. Before we would try to convince them, and now they look for us.
Set of visual icons to label the manual (quick glance to grasp an idea about the manual's quality).
Specific groups: activists, feminists, artists, immigrants, age groups (younger people are not using email anymore).
SECURITY DOCUMENTATION MOBILES
Main Topics: Cases/Intro, Preparing an action, Promoting an action, during an action
Intro: about mobiles and security
Notes on the notion of security
Which type of operative systems for mobile (degrees of "security" they offer)
Ways to track a mobile phone (agnez checks for dumb phones, gsm tracking)
Tools to prepare and coordinate actions quickly
Instant messaging: Telegram (Marta checks security issues and manuals)
Another instant messaging possibility: Chatsecure with Jabber
To get info: SecureDrop
Proxy for Android: Orbot
Share, Communicate over VIRTUAL PRIVATE NETWORK (VPN)
To avoid using a phone: netbook with Tails
To avoid using your smartphone: Dumbphone/Multifunctional phone/ Burner phone and pre-paid sim card
To avoid fake base stations in GSM/UMTS network
Tools to spread the call for the actions safely
Twitter Proxy
Facebook Proxy
Tor Browser Bundle
Anonymous emailing
Tools to communicate the action
Streaming: Bambuser proxy? any anonymous streaming server?
Reporting: StoryMaker
Creating evidence: InformaCam
Documenting: Mobile Martus
4. Images and illustrations for the previous tools
This is a generic manual; if you distribute it locally or translate it, we suggest adding information about the legal situation and the activist context.
MANUALS:
Quema tu móvil (Spanish):
https://quematumovil.pimienta.org/
A practical guide to protecting your identity and security when using mobile phones (many languages including Spanish, French, Arabic, etc.)
https://www.wefightcensorship.org/es/article/proteja-sus-datos-y-anonimato-en-su-telacfono-ma3vilhtml.html
Mobile Phone Security and Android Apps:
http://en.flossmanuals.net/tech-tools-for-activism/mobile-phone-security-and-android-apps/
Use mobile phones securely:
https://techtoolsforactivism.org/content/use-mobile-phones-securely
TextSecure manual: send encrypted SMS/text messages
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
Avoid fake base stations / man in the middle attack with cell tower
https://secupwn.github.io/Android-IMSI-Catcher-Detector/ (English)
1// INTRO: ABOUT MOBILES AND SECURITY
1.1. Notes on security (can be written by editing the notes from yesterday's session: https://pad.riseup.net/p/THF_security_documentation)
- Decide on a threat model: the more vulnerable a person is, the stronger the security measures they need to use.
- Don't forget analogue: meeting in real life, sending snail mail, using payphones.
- The weakest link is human. You may have used all the best privacy and anonymity techniques for years, and a friend or family member can accidentally out you by sending you a Facebook message: "Hey, I saw you in a photo."
- https://securityinabox.org/en/chapter-11
- https://securityinabox.org/en/chapter_3_1
In mobile phones, information is vulnerable in many ways:
- Each mobile phone provider has full access to all text and voice messages sent via its network. Phone providers in most countries are legally obliged to keep records of all communications.
- Voice and text communication can also be tapped by third parties in proximity to the mobile phone, using inexpensive equipment.
- Mobile phones can store all sorts of data: call history, text messages sent and received, address book information, photos, video clips, text files. These data may reveal your network of contacts, and personal information about you and your colleagues.
- Phones give out information about their location.
1.4. Which type of operating systems for mobile (degrees of "security" they offer)
The OS may well include hidden features enabling better monitoring by the service provider of any particular device.
- BlackBerry (non-open source): http://en.wikipedia.org/wiki/BlackBerry#Intelligence_agency_access
- Android:
  - CyanogenMod (http://www.theverge.com/2013/12/9/5191778/cyanogenmod-rolls-out-encrypted-text-messaging-by-default-whisper-systems)
  - Boeing Black (probably non-commercial, non-open-source, just for US security)
- iOS
1.3. Ways to track a mobile phone
As part of normal operation, every mobile phone automatically and regularly informs the phone service provider where it is at that moment. What's more, many phones nowadays have GPS functions, and this precise location information may be embedded in other data such as photos, SMS and internet requests that are sent from the phone.
This link provides in-depth knowledge about how mobile networks and mobile devices are vulnerable to attacks (in our case, being traceable): https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks It needs simplification to be usable by us as well.
Threat levels:
- Monitoring of your network traffic. It can be a cell tower, a user on your local Wi-Fi, a router, etc.
- Fake cell towers used by police: "Stingray" http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move (more reliable source)
- Practical example of spying (https://www.youtube.com/watch?v=fQSu9cBaojc)
- Service providers may be obligated to give information to police and government in some countries?? (source)
- Wi-Fi tapping (needs source)
- Through access to your physical hardware (either a user that has access to your mobile device, or an adversary that has obtained your lost/stolen mobile device).
- Through malware or vulnerable applications, including modified versions of legitimate applications and operating systems.
- Untrusted data sent to you via an application, which can contain injection vectors.
- Untrusted or weakly developed applications that contain security flaws: http://www.csoonline.com/article/2134120/mobile-security/manufacturers-building-security-flaws-into-android-smartphones.html
- Super-paranoid NSA-level stuff: http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html
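The GPS coordinates embedded in photos, mentioned above as one way a phone gives away its location, are the kind of metadata to check for before publishing images from an action. The following Python script is an added example, not from the page or any of the manuals it lists: it constructs a minimal Exif block with GPS tags inline (no real camera file; the coordinates are made up), reads the location back out, and strips it so that neither the pointer nor the raw values remain. The tag numbers are the standard Exif ones.

```python
import struct
# Exif tag numbers: the IFD0 pointer to the GPS sub-IFD, and the four GPS tags used here.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def build_sample_exif(lat=(41, 23, 25.0), lat_ref=b"N", lon=(2, 10, 14.0), lon_ref=b"E"):
    """Constructed little-endian TIFF/Exif blob (not from a camera); IFD0 holds only a GPS pointer."""
    ifd0_off = 8                            # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4         # IFD0: count, one 12-byte entry, next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4     # RATIONAL values are stored after the GPS IFD
    dms = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, int(s * 100), 100)
    header = b"II*\x00" + struct.pack("<I", ifd0_off)
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off) + b"\x00" * 4
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref + b"\x00" * 3  # ASCII fits inline
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, data_off)                     # 3 x RATIONAL
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref + b"\x00" * 3
    gps += struct.pack("<HHII", GPS_LON, 5, 3, data_off + 24) + b"\x00" * 4  # no next IFD
    return header + ifd0 + gps + dms(*lat) + dms(*lon)

def _read_ifd(blob, off, e):
    """Map tag -> (type, count, raw 4-byte value-or-offset field) for the IFD at off."""
    (n,) = struct.unpack_from(e + "H", blob, off)
    entries = {}
    for i in range(n):
        tag, typ, count = struct.unpack_from(e + "HHI", blob, off + 2 + 12 * i)
        entries[tag] = (typ, count, bytes(blob[off + 10 + 12 * i:off + 14 + 12 * i]))
    return entries

def _dms(blob, e, entry):
    """Decode a 3 x RATIONAL (degrees, minutes, seconds) entry to decimal degrees."""
    (off,) = struct.unpack(e + "I", entry[2])
    v = struct.unpack_from(e + "6I", blob, off)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def extract_gps(blob):
    """Return (latitude, longitude) in decimal degrees, or None if the block has no GPS IFD."""
    e = "<" if blob[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(e + "I", blob, 4)
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(blob, gps_off, e)
    lat = _dms(blob, e, gps[GPS_LAT]) * (-1 if gps[GPS_LAT_REF][2][:1] == b"S" else 1)
    lon = _dms(blob, e, gps[GPS_LON]) * (-1 if gps[GPS_LON_REF][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def strip_gps(blob):
    """Copy of blob with the GPS pointer dropped from IFD0 and the GPS IFD plus its data zeroed."""
    e = "<" if blob[:2] == b"II" else ">"
    out = bytearray(blob)
    (ifd0_off,) = struct.unpack_from(e + "I", out, 4)
    ifd0 = _read_ifd(out, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return bytes(out)
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(out, gps_off, e)
    for typ, count, raw in gps.values():
        if typ == 5:                                   # RATIONAL data lives out of line
            (off,) = struct.unpack(e + "I", raw)
            out[off:off + 8 * count] = b"\x00" * (8 * count)
    out[gps_off:gps_off + 6 + 12 * len(gps)] = b"\x00" * (6 + 12 * len(gps))
    (next_ifd,) = struct.unpack_from(e + "I", out, ifd0_off + 2 + 12 * len(ifd0))
    new = struct.pack(e + "H", len(ifd0) - 1)          # rebuild IFD0 without the pointer
    for tag, (typ, count, raw) in ifd0.items():
        if tag != GPS_IFD_POINTER:
            new += struct.pack(e + "HHI", tag, typ, count) + raw
    out[ifd0_off:ifd0_off + len(new) + 16] = new + struct.pack(e + "I", next_ifd) + b"\x00" * 12
    return bytes(out)
```

On a real JPEG the same functions apply to the bytes following the "Exif\0\0" marker of the APP1 segment; stripping in place keeps every offset in the file valid, which is why the freed entry is zero-padded rather than removed.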
1.2. GSM
GSM communication is not tap-proof! Presentation on GSM insecurity at CCC, December 2010: http://gizmodo.com/5719940/breaking-gsm-security-with-a-15-phone
- Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.
- GSM is insecure, the more so as more is known about GSM.
=> ?? Maybe GSM security is insignificant for our project, as it is clear that GSM is simply not secure. Besides the GSM network there is only Wi-Fi that can be used by mobile phones, and it is not very accessible in the event of demonstrations? +1
Metadata tracking
Network analysis
2// TOOLS TO PREPARE AND COORDINATE ACTIONS QUICKLY
2.1. Telegram
Security issues:
- Multiple devices: https://github.com/DrKLO/Telegram/issues/208
- Non-official apps could be a risk (e.g. Webogram is not official)
- https://blog.thijsalkema.de/blog/2014/04/02/breaking-half-of-the-telegram-contest/
BUT Telegram is the most popular free software for instant messaging, so we may trust its big community as relatively reliable. But their server software is still not free.
2.2. ChatSecure with Jabber
"Orbot has the ability to transparently torify all of the TCP traffic on your Android device when it has the correct permissions and system libraries" https://www.torproject.org/docs/android.html.en https://play.google.com/store/apps/details?id=org.torproject.android&hl=es
2.3. To get info: SecureDrop
2.4. Proxy for Android: Orbot
You need to root your phone. Otherwise, you can still use the following applications prepared to work with Orbot:
- Orweb browser
- ChatSecure
- DuckDuckGo search engine
- Proxy Mobile add-on for Firefox
- Twitter proxy
- StoryMaker
- Mobile Martus
2.5. VPN
It secures your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes. VPNs are used to connect remote datacenters, and individuals can use VPNs to get access to network resources when they're not physically on the same LAN (local area network), or as a method for securing and encrypting their communications when they're using an untrusted public network. Example: getting and dropping sensitive information (images, docs, videos) from your trusted data center while in an untrusted Wi-Fi zone. https://we.riseup.net/riseuphelp+en/vpn-howto
2.5. Avoid using a phone: netbook with Tails
For key persons who are preparing and making a call for action: gather physically if possible and use Tails from your laptops when spreading the first calls. Don't use mobile phones at this stage. Sending out the call for action: instruct target groups that everyone should use/pass on the same "call to action". For communicating in a decentralised (non-physical) way, use an encrypted IRC on trusted ISPs.
2.6. Avoid using your phone
Dumbphone / multifunctional phone / burner phone and pre-paid SIM card. You can also protect your phone with signal-blocking pouches: use a Faraday cage on your phone with RF shielding fleece. http://killyourphone.com/
2.8. To avoid fake base stations in GSM/UMTS networks
Both law enforcement agencies and criminals use IMSI catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider's real towers. As such it is considered a man-in-the-middle (MITM) attack. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. See the talk by Chris Paget called "Practical Cellphone Spying" at DEF CON 18 for a "how to". The project called "Android IMSI-Catcher Detector" is an Android-based project to detect and avoid fake base stations.
Find a step-by-step installation guide at https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/wiki/Installation.
3// TOOLS TO SPREAD THE CALL FOR ACTION SAFELY
3.1. Twitter proxy
3.2. Facebook proxy
3.3. Tor Browser Bundle
3.4. Anonymous e-mailing
4// TOOLS TO COMMUNICATE THE ACTION
4.1. Streaming
4.2. Reporting: StoryMaker
4.3. Creating evidence: InformaCam
4.4. Documenting: Mobile Martus http://benetech.org/2013/10/02/introducing-mobile-martus-1-0/
5. Images and illustrations for the previous tools
Metadata: https://picup.it/media/pictures/sticker_375x360_Metadata.png