January 28 2021 GM
@ February 4 | MENA Monthly Meetup https://internetfreedomfestival.org/wiki/index.php/MENA_Monthly_Meetups
@ February 24 | Latin America Monthly Meetup https://internetfreedomfestival.org/wiki/index.php/Latin_American_Monthly_Meetups
@ February 26 | TC CKS: Story Time Cafe with Internet Master Storytellers https://digitalrights.formstack.com/forms/cks33
Time: 9:00am EST / 2:00pm UTC+0
Topic of discussion: Security Training and Security in a Box
- Bring your updates, questions, and resources to share with other digital rights defenders!
- This week our featured guest is Gus Andrews, who will be talking about security training materials, and particularly about Security in a Box and its refreshment.
The Security in a Box curriculum is getting a refresh! Come talk to Gus about what is working and not working for you about SiaB in particular, and security training materials in general. We will explore how materials on tool setup could be maintained with details about which settings and buttons to select, while also responding quickly to interface changes and language community needs.
Speaker: Gus Andrews
First of all: Gus, tell us about your background in the IF community
- In 1999, during the anti-globalization protests, I worked with the international Independent Media Center (Indymedia or IMC) movement, which helped everyday citizens post reports from protest movements online. This was at a time when posting online required most people to write HTML code—there were barely even blogs, much less Twitter, Facebook, YouTube, and Instagram!
- I mostly ran dispatch—the radios we used to coordinate and let people know where police were, because this was before everyone had cell phones (yes even “dumb” phones!) Developers from the IMC websites went on to work on Twitter, which is a story for another time… possibly told by Gaba or Elijah.
- I helped found New York City’s IMC, which we housed in the hackerspace of 2600 Magazine. That’s how I started going to the biennial Hackers On Planet Earth (HOPE) conferences. Then I started speaking at HOPE… then helping organize it.
- Because of my work at HOPE I was hired in 2013 to build the capacity of the IF community to make privacy-protecting software more usable, by the Open Internet Tools Project. OpenITP ran the IFF (at first it was called the Circumvention Tech Festival).
- I worked with Sandy, Ciprian, and Dragana at OpenITP. It was my job to organize usability “hackathons” so I ended up meeting a LOT of people in the community.
- I then went on to do more software usability work in a one-year fellowship at Simply Secure. After that I left direct IF work for a while, and I worked at ThoughtWorks.
- I wrote a book summarizing a lot of what we’ve learned in international digital security training: keepcalmlogon.com. I’ve also done consulting for Internews, 1Password, and Tactical Tech.
- And this month I started working at Frontline Defenders.
Tell us about SiaB. What is it?
- Security In A Box was one of the first comprehensive digital security guides—it came out in 2009, and it was distributed as a paper guide and CD as well as a website. Tactical Tech and Frontline Defenders developed it jointly. It has always focused on the needs of communities who are at higher risk of their lives and safety when it comes to dealing with law enforcement and governments. It includes tactics (like securely wiping your data, recovering from data loss, and getting around internet censorship, as well as developing good passwords), tool guides for specific operating systems and apps, and it has included guides for threats in specific regions. You can view it here
Why are they starting to revamp it now?
- The biggest challenge in security guides, as we all know, is keeping them up to date because technology changes so fast. For one thing, we’ve moved away from an early emphasis on encrypted email, as a community, because key handling is so difficult. And Signal wasn’t even called Signal when the guide was first created—I think it was called TextSecure, it didn’t have a desktop client (or emoji!), and it focused on encrypting SMS, not creating a separate chat channel.
- SiaB, unlike say the EFF’s SSD or the new Citizen Lab guide, is focused on higher-risk users in a wide range of international locations.
- It is different from other guides in that we want to keep providing screenshots and step-by-step guides to tools we use, because many of the human rights defenders we work with may not be using the software in their native languages, and need to be told “select the third menu item” rather than naming that item. So screenshots need to be updated often as the tools change.
- The choice of tools we recommend has also changed. And there are new scenarios that have emerged since the guide was first written. For example, the advice used to be more “avoid social media.” Now, there’s more awareness of the potential benefits of visibility for human rights defenders, so the guide will be adapted to help people weigh the benefits and risks of going public with their stories under different regimes.
What is your goal for SiaB in the next year?
- In addition to updating it, I want to leave SiaB more sustainable than I found it.
- Did you know the community has written over a dozen security guides in the past decade?! And that’s in English alone! We suspect there is some duplication of effort. As organizations and funding lines come and go, there isn’t always coordinated handoff between them. I’m calling a bunch of manual developers together to strategize about longer-term maintenance.
- Two projects that can be part of long-term maintenance: First of all, better planning for localization. I’ve reached out to the Localization Lab to start talking about how we can do that.
- A second long-term maintenance project, that we’re less likely to get to in the six months I’m assigned to this, is having software developers take screenshots as part of their update process, and pass them on to us. SecureDrop already does this to some extent. I’ll be talking to developers to explore how much of a challenge it would be to automate screenshots.
- So a lot of this involves changing the workflow by which sites are updated, possibly in collaboration with other guide developers. I had a great chat with Lindsay, who works on the EFF’s Security Self Defense curriculum, about this the other day, or rather there were some answers
Any change in recommendation about KeePass? Our colleagues in Burundi use it, but what if the legislation forces you to hand over your password to KeePass when the police ask? Would you recommend KeePass and Tails? (I'm not sure I'm making sense)
- "What are laws about handing over your password" is a topic that is on my articles-to-write list. The big challenge being that it's so different from country to country.
- We've got some instructions up about that but I would love comments on whether they work for you, etc.