The Gang Learns About Digital Security for Activists
Notes from the Tabsters workshop on cleaning up your shit to prevent getting doxed
On May 27th, 2022, Tabs Discord member @Here Max facilitated a workshop on basic digital security and threat modeling for Today in Tabs subscribers. The session was held in a voice channel on the Discord, and you can review it here in several formats:
Audio Recording (mp3, 52:02)
Video Render (mp4, 52:02)
Recordings and transcripts are all courtesy of Ian Servin. Thanks Ian! What follows are Max’s notes and outline, and some resources mentioned in the talk.
Buttoning up your personal digital safety can be a step on your path, but it doesn't have to be the first one. You can get out and meet your neighbors, join a mutual aid society, donate money to a cause you believe in, volunteer time with a group you respect—all within the risk profile of your average everyday life. Don't be like the Uvalde cops and US Marshals, valuing your safety over the lives of children who were calling 911. But don't be a goober and leap into the breach unprepared. Here's what I recommend:
Do something right now. Don't let some bogeyman doxing fear hold you up.
Make an action plan to improve your security foundation. Make those improvements.
Go do bigger things.
Why should you trust me? You shouldn't.
What are we doing:
What's a threat model?
How do you apply it to your situation?
Not specifically about preventing getting doxxed
1. Safe Basics: pyramid o’ things - think Maslow's hierarchy of needs
Base: Backups - protection against flood, fire, children & ransomware
Then: Password Manager (and check https://haveibeenpwned.com)
Then: Multi-factor authentication/two-factor authentication - any MFA is better than no MFA
Then: End-to-end encrypted messaging: Signal is currently the best bet
Then: Encrypt your disks
Then: Hardware keys: e.g. Yubikey
Then, ever so rarely: Encrypted email. But really, encrypted email is like a hairsbreadth below enlisting a specialist because you are a likely target of Nation State or Non-State Actors.
Note that "VPN" isn't on this list in 2022, where it was in previous years.
2. Threat Modeling: aka A Piano Could Fall From The Sky But Mostly One Doesn't
REMEMBER THE GOAL: create a sufficient sense of safety to go do the things you want to do
REMEMBER THE ANTIGOAL: don’t just cosplay some sort of hacker spy and justify withdrawing from the world
What do you have that you want to protect?
Who do you think you need to protect it from?
What happens if it is compromised? What are the consequences?
How likely is it to happen?
How can you address the most likely/high impact risks?
2(a). What do you have that you want to protect?
Information - no one can access what you have
Integrity of information - no one has changed the information or destroyed it
Integrity of identity - no one is pretending to be you
Location - not just stored addresses - travel pattern for people and goods
Pattern of communications
What you communicate
Who you communicate with
What you are reading or researching
Information about friends, family and associates - the superhero weakness
2(b). Who do you want to protect it from?
Your employer - Your future employers
Nation State Actors/Non-state actors
2(c). What are the consequences?
Who is harmed, and in what way?
Would it be possible to make up for a loss after the fact?
Risk-adjusted cost of reacting may be less than cost to protect:
Even bad publicity is good?
2(d). How likely is it to happen?
Will they just stumble on it in the garbage/Facebook? (no equivalence implied 😉)
Groups that are likely to be targeted
Women and non-binary
Ethnic or religious minorities
In the US: Black, Indigenous and Asian people bear particularly high risks
What resources can your adversaries bring to bear?
Nosy great uncle with a lot of time on his hands
Nation State Actors/Non-state actors
'Natural aggregators' - Uber, FB, IRS <— (this bullet is particularly dated. Where data aggregation once appeared to be a side effect of doing business, it increasingly has become the business.)
2(e). How can I address the most likely/high impact risks?
Don't abandon good processes for ‘perfect’ (WhatsApp may be fine)
Look for tweaks to current habits (shredder in front of the recycle bin)
Be realistic about costs:
Equipment - a second phone, a cheap laptop
Attention - making everything just a little bit harder every day
Reduction in connectivity
2 (Appendix). Terminology you will see as you read up on Threat Modeling:
Assets, Adversaries, Threats, Adversaries’ Capabilities, Mitigation & Acceptance. Don't get scared off by the vocab. It's just the stuff we've talked about here.
3. Giving yourself a safe foundation:
Do this exercise on paper in private. Make an action plan. Shred your notes.
Consider 1 to 3 sessions with a lawyer or counselor, not because they'll help, but because they're legally prohibited from retelling your stories. $1 and an engagement letter goes a long way.
In 2022, many of these are three years old. Always look for dates, this stuff changes all the time!