KEMBAR78
Data Privacy for Activists | PPTX
GS
Uploaded byGreg Stromire
PPTX, PDF607 views

Data Privacy for Activists

The document is a workshop guide focused on data privacy for activists, outlining the importance of privacy, key concepts, and practical tools for safeguarding personal information. It includes topics such as encryption, common attack vectors, threat modeling, and recommended technologies like password managers and VPNs. The workshop emphasizes the need for secure habits and awareness of digital security risks when organizing activist activities.

Download to read offline
Data Privacy For Activists
◎ Name for Today ◎ Preferred Pronouns (e.g. they, them, their) ◎ What brought you here? What do you want from this workshop? Introductions Around the Room
Hello! I am Greg Stromire (he, him, his) I work for a data privacy company. I participate in activism. I am not an expert in either. And I am not a lawyer. But I can still offer some tips.
Helpful Tools Useful technologies to better safeguard yourself and other members. Crypto 101 Whiteboard activity! Encryption is a powerful tool in maintaining privacy, but only when used correctly. Some cryptography fundamentals can help you make smart choices. Why We’re Here What is data privacy, what it means for activists, and some key concepts for context. Put in Practice Hands-on practice using new tools and best practices to establish good habits when performing organizing tasks. Common Attacks Overview of some of the most common threat vectors for activists -- which overlap with personal and professional use. Threat Modeling Utilizing a basic framework for security assessment to prevent and prepare. Agenda
1. Why We Are Here What is data privacy, and why does it matter for activism?
Important Concepts PrivacyAnonymity Authenticity
Privacy Unhindered agency to express oneself selectively, with direct control over one’s own information and explicit boundaries. Anonymity The ability to exist, and especially communicate, in a manner that does not reveal any personally identifiable information about the source. Important Concepts Authenticity Provide, with a high level of confidence, an assurance of the identity of an individual through reliable and verifiable means.
“ Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. ◎Edward Snowden
Activists … have something to say.
JFK Airport - Craig Ruttle / AP Photo
2. Threat Modeling A basic framework for security.
Threat Modeling
◎Who would be most likely to target us? Threat Modeling
◎Who would be most likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? Threat Modeling
◎Who would be most likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? ◎What would they most likely want from us (i.e. money? incriminating information? access to trusted contacts?) Threat Modeling
◎Who would be most likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? ◎What would they most likely want from us (i.e. money? incriminating information? access to trusted contacts?) ◎What would happen to us if they were successful? Threat Modeling
http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html
GovernmentsSurveillance state and law(less) enforcement IndividualsUSB drives, webcams, and (spear) phishing CorporationsBreaches, metadata, and (de)anonymization
COINTELPRO (COunter INTELligence PROgram) A series of covert, and often illegal, projects conducted by the United States FBI aimed at surveilling, infiltrating, discrediting and disrupting domestic political organization.
Some of the Groups Targeted by the FBI’s COINTELPRO Zinn Ed Project
Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump The Intercept
White Is the color of milk and fresh snow, the color produced by the combination of all the colors of the visible spectrum. Black Is the color of coal, ebony, and of outer space. It is the darkest color, the result of the absence of or complete absorption of light.
Databases Breaches Online services lose user’s private information haveibeenpwned.com
“ The Guardian December 15, 2016
DEMO Has my account info ever been leaked? https://haveibeenpwned.com Place your screenshot here
DEMO What does my online “fingerprint” look like? https://panopticlick.eff.org/ Place your screenshot here
3. Common Attacks Get to know some frequently used threat vectors.
Trust At some point, you must concede a level of trust in the components of the devices in your life
Keylogger Could be wireless, could be physically between keyboard and cpu. USB Drives Not so innocent. Can provide an attacker with control of the machine with ease. Rootkit Programs that can control the device. Hard to detect. Hard to get rid of. MITM Monkey in the Middle. Someone in between the intended sender and recipient, without either know it. Could be just listening, but could also be modifying messages. (Spear) Phishing Messages meant to coerce a user into entering their credentials into a spoofed site. Spear- is targeting one person specifically Common Attacks Brute Force Common, weak, or reused passwords. May include theft of actual device. May be open Wifi or bluetooth.
Phishing Attempting to get you to enter your own credentials. From: <mailadmin@stanford.edu > Sent: Friday, Sept. 30, 2016 10:31 AM To: <employee name> Subject: Email Account Update Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below: http://update.sunsetgates.com/update/server/ admindesk/index.htm Failure to update, will result to closure of your account. Thanks for your Co-Operation. Email Admin Desk
Spear Phishing Targeted toward a specific person. From: "john.doe@ulberta.ca" (link sends e- mail) Sent: Sat, 2 Jan 2016 09:58:07 GMT To: <recipient's name removed>@ce.berkeley.edu (link sends e-mail) <john.doe@ulberta.ca> (link sends e-mail) Dear Dr. <recipient's name removed>; I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research: 1-http://auth.berkeley.eduh.in/<link removed> 2- http://www.sciencedirect.com/science/article/p ii/S1644966515000825 Thanks for you Cooperation in Advance. John Doe Department of Civil and Environmental Engineering University of Alberta Phone: (XXX) XXX-XXXX
Machine in the Middle Eve Bob
Machine in the Middle Eve Bob
Machine in the Middle Eve Bob
Machine in the Middle Eve Bob
Machine in the Middle Eve Alice Bob
Machine in the Middle Eve Alice Bob
Machine in the Middle Eve Alice Bob
Machine in the Middle Eve Alice Bob
Machine in the Middle Eve Alice Bob
“Found” USB Drives Consider ALL unsafe.
KeyLogger Captures keyboard input.
Brute Force Password Cracking Time Number of Characters (A-Z, a-z) (A-Z, a-z, 0-9) (A-Z, a-z, 0-9, !@#$%^&*) 6 8 sec 3 min 13 min 8 3 hr 10 days 57 days 10 169 days 106 yrs 928 yrs 12 600 yrs 108k yrs 5m yrs 14 778k yrs 1bn yrs 5bn yrs
Brute Force Password Cracking
Brute Force Password Cracking Actual actual reality: Nobody cares about his secrets. (Also, I would be hard pressed to find that wrench for $5) .https://xkcd.com/538/
Questions so far?
Useful technologies to better safeguard yourself and your organization. 4. Helpful Tools
Maintained Has it been updated recently? Have there been fixes to bugs or other security vulnerabilities? Audited Has a security audit been performed on this program? Open Source Is the full source code available for inspection? Guidelines for Selecting Quality Tools
Post-It Notes Webcam attacks are real. Attackers can gain access and control the webcams on your laptop for spying, and sometimes the best solutions are the simplest -- cover your camera with tape or sticker. Password Manager One of the best tools for protecting accounts. Popular password managers (e.g. Lastpass, 1Password) can generate unique, super-strong passwords for you. Use for every account you have. Privacy Badger Another browser plugin to limit trackers. Also provides a “Do-not- track-me” mode that should be respected. HTTPS Everywhere Browser plugin that can help prevent Man in the Middle. Some sites will start on HTTP before being promoted to HTTPS. uBlock Origin Blocks ads. Useful because many are trackers themselves, but also could be vulnerable to attacks. Helps to limit attack surface. Browsing Online 2-Factor Auth Another great tool for protecting accounts, this one can help even if your password is leaked or cracked. Check out twofactorauth.org for more info.
VPN Virtual Private Networks re-route and disguise your traffic. Consider mandatory for open networks (e.g. coffee shops). Some VPN services are better than others, so do some research. Tor “Anonymizes” your traffic by bouncing off multiple nodes in between source and destination. Some skepticism as to efficacy without critical-mass adoption, so proceed with caution. Protecting your network activity
Demo Protected Network! Place your screenshot here
Voice Signal and WhatsApp have voice encryption capability, but quality can be lacking. Not sure about other options. Text / Chat Several options out there, notably Signal and WhatsApp. Both are end-to-end encrypted as well. Some controversy around WhatsApp “vulnerability.” More like design decision, but I prefer Signal’s approach. Email Best solution is to encrypt end-to-end. This means a setup like Thunderbird (email client) and Enigmail (crypto add-on). Keep in mind: Content is encrypted. Metadata and subject is in the clear. Data in Transit - Digital Communication
Demo Encrypted email! Place your screenshot here
VeraCrypt Successor to TrueCrypt, offers a lot options. Downside: offers a lot of options. Usually best to stick with defaults. Bonus: VeraCrypt offers ability to create “Hidden Volumes” GPG / Keybase Command-line tools have proven their worth, but also proven hard to use. Some new developments on the horizon, but these are usually for those with more experience. Stock OS Apps Great for full drive encryption: macOS: FileVault Windows: BitLocker Only basic features for for files and folders: macOS: Disk Utility Windows: Encrypted File Service Data at Rest - Secure Storage
QubesOS “A reasonably secure operating system.” Essentially runs a fresh virtual machine for each process, then burns it down when you’re done. Tails A privacy-oriented OS. Custom Linux build with privacy settings maxed- out. Still experimental. Additional Security
5. Put in Practice Developing secure habits while organizing
◎Think about what info is on the phone ◎Disable fingerprint ◎Protect with passphrase ◎Backup data ◎Put in airplane mode ◎Pictures or video without unlock ◎Consider a “dumb” phone, or a “burner” with no identity info attached Mobile Security
◎ They know you called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about. ◎ They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret. ◎ They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion. Mind your Metadata https://ssd.eff.org/en/module/why-metadata-matters
Verify Keys! Eve Alice Bob Out-of-Band
◎ Passwords on Everything (and don’t share!) ◎ Always lock and know where your devices are. ◎ Signal is pretty solid ◎ Thunderbird+Enigmail is too ◎ Get a VPN, but know its limits ◎ Legal in Oregon to record law enforcement ◎ 2-Factor Auth goes a long way ◎ So does a password manager ◎ Never provide passwords over email ◎ Look for HTTPS ◎ Mind your “cloud” accounts Some final tips, recap, & recommendations
A word on digital security But it can make a big difference. Especially if you share your knowledge. One workshop does not a private activist make.
https://ssd.eff.org/en
Hands On Let’s get set up! Place your screenshot here
Thanks! Any questions? You can find me at: greg@tozny.com PGP: 0x317DCBC8
Special thanks to these resources: ◎ Electronic Frontier Foundation ◎ Freedom of the Press Foundation ◎ American Civil Liberties Union ◎ Ctrl-H in Portland, Or ◎ Presentation template by SlidesCarnival ◎ Diagram featured by poweredtemplate.com Credits
Special thanks to these articles: ◎ https://www.theguardian.com/us-news/2015/may/22/edward-snowden-nsa-reform ◎ https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to- entire-intelligence-community-just-in-time-for-trump/ ◎ https://www.aclu.org/blog/whats-government-doing-targeting-civil-rights-leaders ◎ https://www.aclu.org/blog/shhhh-what-fbi-doesnt-want-you-know-about-its-racial-profiling- program?redirect=blog/criminal-law-reform-racial-justice-national-security/shhhh-what-fbi- doesnt-want-you-know-about ◎ http://www.oregonlive.com/politics/index.ssf/2015/11/black_lives_matter_oregon_just.html ◎ https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion- accounts-breached ◎ https://uit.stanford.edu/phishing ◎ https://tozny.com/blog/10-unnerving-privacy-fails-thru-data-aggregation/ Credits
Special thanks to these articles: ◎ https://security.berkeley.edu/news/phishing-example-spear-phishing-attack-articles ◎ http://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-john-podesta- clinton-russia ◎ https://thehackernews.com/2015/08/lenovo-rootkit-malware.html ◎ http://securityaffairs.co/wordpress/49999/hacking/found-usb-drive-hack.html ◎ http://geeknizer.com/top-usb-hacks-pwn/ ◎ https://www.inetsolution.com/blog/june-2012/complex-passwords-harder-to-crack,-but-it- may-not ◎ https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most- popular-cloud-service-passwords/ ◎ http://imgur.com/gallery/iVHfwLc ◎ http://lifehacker.com/truecrypts-security-audit-is-finally-done-with-mostly-1695243253 ◎ https://tails.boum.org/ ◎ https://www.qubes-os.org/ Credits

More Related Content

PDF
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
PPTX
The Art of Human Hacking : Social Engineering
byOWASP Foundation
 
PPTX
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
byAvansa Mid- en Zuidwest
 
PPTX
FNC Corporate Protect Workshop
byforensicsnation
 
PPTX
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
byEC-Council
 
PPTX
03.fnc corporate protect workshop new
byforensicsnation
 
PPTX
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
byAndrew Morris
 
PDF
Weaponizing OSINT – Hacker Halted 2019 – Michael James
byEC-Council
 
Social Engineering - Strategy, Tactics, & Case Studies
byPraetorian
 
The Art of Human Hacking : Social Engineering
byOWASP Foundation
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
byAvansa Mid- en Zuidwest
 
FNC Corporate Protect Workshop
byforensicsnation
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
byEC-Council
 
03.fnc corporate protect workshop new
byforensicsnation
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
byAndrew Morris
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
byEC-Council
 

What's hot

PDF
Security
byBob Cherry
 
PDF
Talks submitted
byKim Minh
 
PDF
Ce hv8 module 02 footprinting and reconnaissance
byMehrdad Jingoism
 
PDF
Opsec for security researchers
byvicenteDiaz_KL
 
PDF
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
byChris Fernandez CEHv7, eCPPT, Linux Engineer
 
PPTX
Social Engineering
byCyber Agency
 
PPTX
Digital Defense for Activists (and the rest of us)
byMichele Chubirka
 
PDF
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
byKimberley Dray
 
PPTX
Attacks on the cyber world
byNikhil Tripathi
 
PDF
Password and Account Management Strategies - April 2019
byKimberley Dray
 
PDF
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
byEC-Council
 
PDF
OSINT Basics for Threat Hunters and Practitioners
byMegan DeBlois
 
PDF
LASCON 2015
byClare Nelson, CISSP, CIPP-E
 
PDF
Getting users to care about security
byAlison Gianotto
 
PPTX
Jason Samide - State of Security & 2016 Predictions
bycentralohioissa
 
PPTX
Lofty Ideals: The Nature of Clouds and Encryption
bySean Whalen
 
PDF
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
PDF
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
bykhalavak
 
Security
byBob Cherry
 
Talks submitted
byKim Minh
 
Ce hv8 module 02 footprinting and reconnaissance
byMehrdad Jingoism
 
Opsec for security researchers
byvicenteDiaz_KL
 
Penetrationtestinglovesfreesoftware libreplaner2017-christianfernandez-hispag...
byChris Fernandez CEHv7, eCPPT, Linux Engineer
 
Social Engineering
byCyber Agency
 
Digital Defense for Activists (and the rest of us)
byMichele Chubirka
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
byKimberley Dray
 
Attacks on the cyber world
byNikhil Tripathi
 
Password and Account Management Strategies - April 2019
byKimberley Dray
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
byEC-Council
 
OSINT Basics for Threat Hunters and Practitioners
byMegan DeBlois
 
LASCON 2015
byClare Nelson, CISSP, CIPP-E
 
Getting users to care about security
byAlison Gianotto
 
Jason Samide - State of Security & 2016 Predictions
bycentralohioissa
 
Lofty Ideals: The Nature of Clouds and Encryption
bySean Whalen
 
Honeypots, Deception, and Frankenstein
byPhillip Maddux
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
bykhalavak
 

Viewers also liked

PDF
Beyond Lifeguards Layers of Protection
bySuncoastMeetings
 
PDF
Privacy & Data Protection in the Digital World
byArab Federation for Digital Economy
 
PDF
Utilizing Noise Addition For Data Privacy, an Overview
byKato Mivule
 
PPTX
Data Protection by Design and Default for Learning Analytics
byTore Hoel
 
PPTX
Overview of privacy and data protection considerations for DEVELOP
byTrilateral Research
 
PDF
Smau 2016 seminario privacy: Data Protection Officer, seminario alovisio go...
byMauro Alovisio
 
PPTX
Learning design meets learning analytics: Dr Bart Rienties, Open University
byBart Rienties
 
PPTX
Unit 6 Privacy and Data Protection 8 hr
byTushar Rajput
 
PPTX
Google+ is here. What now?
byPublicis Modem UK
 
PPTX
Big data privacy security regulation
bycjw119
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PDF
How Google Works
byEric Schmidt
 
Beyond Lifeguards Layers of Protection
bySuncoastMeetings
 
Privacy & Data Protection in the Digital World
byArab Federation for Digital Economy
 
Utilizing Noise Addition For Data Privacy, an Overview
byKato Mivule
 
Data Protection by Design and Default for Learning Analytics
byTore Hoel
 
Overview of privacy and data protection considerations for DEVELOP
byTrilateral Research
 
Smau 2016 seminario privacy: Data Protection Officer, seminario alovisio go...
byMauro Alovisio
 
Learning design meets learning analytics: Dr Bart Rienties, Open University
byBart Rienties
 
Unit 6 Privacy and Data Protection 8 hr
byTushar Rajput
 
Google+ is here. What now?
byPublicis Modem UK
 
Big data privacy security regulation
bycjw119
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
How Google Works
byEric Schmidt
 

Similar to Data Privacy for Activists

PPTX
Online privacy & security
byPriyab Satoshi
 
PDF
Security for Data Scientists
byDavid Arcos
 
PDF
Computer Security
byFrederik Questier
 
PPTX
Personal Threat Models
byGeoffrey Vaughan
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
PPTX
Frontiers of Computational Journalism week 11 - Privacy and Security
byJonathan Stray
 
PPTX
Is your privacy, private?
byDionShawMSPM
 
PPTX
Digital Security and safety for journalists
byantoniokisembo
 
PPTX
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
byCengage Learning
 
PDF
Computer & Data Security
byFrederik Questier
 
PDF
Why My E Identity Needs Protection
byecarrow
 
PPTX
Security in web based attacks and application.pptx
byumanggargcse
 
PPT
Innovative Ideas in Privacy Research.ppt
byssuser991de0
 
PPT
dexa.ppt
byQwer401863
 
PPTX
Cyber Security and Data Privacy in Information Systems.pptx
byRoshni814224
 
PPT
Threats ,Security , social and legal issues regarding internet
byasalahuddin317
 
PPT
Threats
bysbmiller87
 
PPTX
Cyber Security Awareness Program.pptx
byDinesh582831
 
ODT
Who's that knocking on my firewall door?
byBruce Wolfe
 
PPTX
Cybercrime and Security
byNoushad Hasan
 
Online privacy & security
byPriyab Satoshi
 
Security for Data Scientists
byDavid Arcos
 
Computer Security
byFrederik Questier
 
Personal Threat Models
byGeoffrey Vaughan
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
Frontiers of Computational Journalism week 11 - Privacy and Security
byJonathan Stray
 
Is your privacy, private?
byDionShawMSPM
 
Digital Security and safety for journalists
byantoniokisembo
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
byCengage Learning
 
Computer & Data Security
byFrederik Questier
 
Why My E Identity Needs Protection
byecarrow
 
Security in web based attacks and application.pptx
byumanggargcse
 
Innovative Ideas in Privacy Research.ppt
byssuser991de0
 
dexa.ppt
byQwer401863
 
Cyber Security and Data Privacy in Information Systems.pptx
byRoshni814224
 
Threats ,Security , social and legal issues regarding internet
byasalahuddin317
 
Threats
bysbmiller87
 
Cyber Security Awareness Program.pptx
byDinesh582831
 
Who's that knocking on my firewall door?
byBruce Wolfe
 
Cybercrime and Security
byNoushad Hasan
 

Recently uploaded

PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
Airtable Building Semantic Search with Milvus
byZilliz
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PPTX
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 
PDF
BSides NYC 2025: Inside Cloud Attack Paths End-to-End Adversary Simulation
byMauricio Velazco
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PPTX
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Airtable Building Semantic Search with Milvus
byZilliz
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 
BSides NYC 2025: Inside Cloud Attack Paths End-to-End Adversary Simulation
byMauricio Velazco
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 

Data Privacy for Activists

  • 1.
  • 2.
    ◎ Name forToday ◎ Preferred Pronouns (e.g. they, them, their) ◎ What brought you here? What do you want from this workshop? Introductions Around the Room
  • 3.
    Hello! I am GregStromire (he, him, his) I work for a data privacy company. I participate in activism. I am not an expert in either. And I am not a lawyer. But I can still offer some tips.
  • 4.
    Helpful Tools Useful technologiesto better safeguard yourself and other members. Crypto 101 Whiteboard activity! Encryption is a powerful tool in maintaining privacy, but only when used correctly. Some cryptography fundamentals can help you make smart choices. Why We’re Here What is data privacy, what it means for activists, and some key concepts for context. Put in Practice Hands-on practice using new tools and best practices to establish good habits when performing organizing tasks. Common Attacks Overview of some of the most common threat vectors for activists -- which overlap with personal and professional use. Threat Modeling Utilizing a basic framework for security assessment to prevent and prepare. Agenda
  • 5.
    1. Why We AreHere What is data privacy, and why does it matter for activism?
  • 6.
  • 7.
    Privacy Unhindered agency to expressoneself selectively, with direct control over one’s own information and explicit boundaries. Anonymity The ability to exist, and especially communicate, in a manner that does not reveal any personally identifiable information about the source. Important Concepts Authenticity Provide, with a high level of confidence, an assurance of the identity of an individual through reliable and verifiable means.
  • 8.
    “ Arguing that youdon't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. ◎Edward Snowden
  • 9.
  • 10.
    JFK Airport -Craig Ruttle / AP Photo
  • 11.
    2. Threat Modeling A basicframework for security.
  • 12.
  • 13.
    ◎Who would bemost likely to target us? Threat Modeling
  • 14.
    ◎Who would bemost likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? Threat Modeling
  • 15.
    ◎Who would bemost likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? ◎What would they most likely want from us (i.e. money? incriminating information? access to trusted contacts?) Threat Modeling
  • 16.
    ◎Who would bemost likely to target us? ◎How much money, time, and skill do they have to dedicate to targeting us? ◎What would they most likely want from us (i.e. money? incriminating information? access to trusted contacts?) ◎What would happen to us if they were successful? Threat Modeling
  • 17.
  • 18.
    GovernmentsSurveillance state andlaw(less) enforcement IndividualsUSB drives, webcams, and (spear) phishing CorporationsBreaches, metadata, and (de)anonymization
  • 19.
    COINTELPRO (COunter INTELligence PROgram) Aseries of covert, and often illegal, projects conducted by the United States FBI aimed at surveilling, infiltrating, discrediting and disrupting domestic political organization.
  • 20.
    Some of theGroups Targeted by the FBI’s COINTELPRO Zinn Ed Project
  • 21.
    Obama Opens NSA’sVast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump The Intercept
  • 23.
    White Is the colorof milk and fresh snow, the color produced by the combination of all the colors of the visible spectrum. Black Is the color of coal, ebony, and of outer space. It is the darkest color, the result of the absence of or complete absorption of light.
  • 24.
    Databases Breaches Online services lose user’sprivate information haveibeenpwned.com
  • 25.
  • 26.
    DEMO Has my accountinfo ever been leaked? https://haveibeenpwned.com Place your screenshot here
  • 27.
    DEMO What does myonline “fingerprint” look like? https://panopticlick.eff.org/ Place your screenshot here
  • 28.
    3. Common Attacks Get toknow some frequently used threat vectors.
  • 29.
    Trust At some point,you must concede a level of trust in the components of the devices in your life
  • 30.
    Keylogger Could be wireless,could be physically between keyboard and cpu. USB Drives Not so innocent. Can provide an attacker with control of the machine with ease. Rootkit Programs that can control the device. Hard to detect. Hard to get rid of. MITM Monkey in the Middle. Someone in between the intended sender and recipient, without either know it. Could be just listening, but could also be modifying messages. (Spear) Phishing Messages meant to coerce a user into entering their credentials into a spoofed site. Spear- is targeting one person specifically Common Attacks Brute Force Common, weak, or reused passwords. May include theft of actual device. May be open Wifi or bluetooth.
  • 31.
    Phishing Attempting to getyou to enter your own credentials. From: <mailadmin@stanford.edu > Sent: Friday, Sept. 30, 2016 10:31 AM To: <employee name> Subject: Email Account Update Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below: http://update.sunsetgates.com/update/server/ admindesk/index.htm Failure to update, will result to closure of your account. Thanks for your Co-Operation. Email Admin Desk
  • 32.
    Spear Phishing Targeted toward a specificperson. From: "john.doe@ulberta.ca" (link sends e- mail) Sent: Sat, 2 Jan 2016 09:58:07 GMT To: <recipient's name removed>@ce.berkeley.edu (link sends e-mail) <john.doe@ulberta.ca> (link sends e-mail) Dear Dr. <recipient's name removed>; I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research: 1-http://auth.berkeley.eduh.in/<link removed> 2- http://www.sciencedirect.com/science/article/p ii/S1644966515000825 Thanks for you Cooperation in Advance. John Doe Department of Civil and Environmental Engineering University of Alberta Phone: (XXX) XXX-XXXX
  • 34.
    Machine in theMiddle Eve Bob
  • 35.
    Machine in theMiddle Eve Bob
  • 36.
    Machine in theMiddle Eve Bob
  • 37.
    Machine in theMiddle Eve Bob
  • 38.
    Machine in theMiddle Eve Alice Bob
  • 39.
    Machine in theMiddle Eve Alice Bob
  • 40.
    Machine in theMiddle Eve Alice Bob
  • 41.
    Machine in theMiddle Eve Alice Bob
  • 42.
    Machine in theMiddle Eve Alice Bob
  • 44.
  • 45.
  • 46.
    Brute Force PasswordCracking Time Number of Characters (A-Z, a-z) (A-Z, a-z, 0-9) (A-Z, a-z, 0-9, !@#$%^&*) 6 8 sec 3 min 13 min 8 3 hr 10 days 57 days 10 169 days 106 yrs 928 yrs 12 600 yrs 108k yrs 5m yrs 14 778k yrs 1bn yrs 5bn yrs
  • 47.
  • 48.
    Brute Force PasswordCracking Actual actual reality: Nobody cares about his secrets. (Also, I would be hard pressed to find that wrench for $5) .https://xkcd.com/538/
  • 49.
  • 50.
    Useful technologies tobetter safeguard yourself and your organization. 4. Helpful Tools
  • 51.
    Maintained Has it beenupdated recently? Have there been fixes to bugs or other security vulnerabilities? Audited Has a security audit been performed on this program? Open Source Is the full source code available for inspection? Guidelines for Selecting Quality Tools
  • 53.
    Post-It Notes Webcam attacksare real. Attackers can gain access and control the webcams on your laptop for spying, and sometimes the best solutions are the simplest -- cover your camera with tape or sticker. Password Manager One of the best tools for protecting accounts. Popular password managers (e.g. Lastpass, 1Password) can generate unique, super-strong passwords for you. Use for every account you have. Privacy Badger Another browser plugin to limit trackers. Also provides a “Do-not- track-me” mode that should be respected. HTTPS Everywhere Browser plugin that can help prevent Man in the Middle. Some sites will start on HTTP before being promoted to HTTPS. uBlock Origin Blocks ads. Useful because many are trackers themselves, but also could be vulnerable to attacks. Helps to limit attack surface. Browsing Online 2-Factor Auth Another great tool for protecting accounts, this one can help even if your password is leaked or cracked. Check out twofactorauth.org for more info.
  • 54.
    VPN Virtual Private Networks re-routeand disguise your traffic. Consider mandatory for open networks (e.g. coffee shops). Some VPN services are better than others, so do some research. Tor “Anonymizes” your traffic by bouncing off multiple nodes in between source and destination. Some skepticism as to efficacy without critical-mass adoption, so proceed with caution. Protecting your network activity
  • 55.
  • 56.
    Voice Signal and WhatsApp have voiceencryption capability, but quality can be lacking. Not sure about other options. Text / Chat Several options out there, notably Signal and WhatsApp. Both are end-to-end encrypted as well. Some controversy around WhatsApp “vulnerability.” More like design decision, but I prefer Signal’s approach. Email Best solution is to encrypt end-to-end. This means a setup like Thunderbird (email client) and Enigmail (crypto add-on). Keep in mind: Content is encrypted. Metadata and subject is in the clear. Data in Transit - Digital Communication
  • 57.
  • 58.
    VeraCrypt Successor to TrueCrypt, offersa lot options. Downside: offers a lot of options. Usually best to stick with defaults. Bonus: VeraCrypt offers ability to create “Hidden Volumes” GPG / Keybase Command-line tools have proven their worth, but also proven hard to use. Some new developments on the horizon, but these are usually for those with more experience. Stock OS Apps Great for full drive encryption: macOS: FileVault Windows: BitLocker Only basic features for for files and folders: macOS: Disk Utility Windows: Encrypted File Service Data at Rest - Secure Storage
  • 59.
    QubesOS “A reasonably secure operatingsystem.” Essentially runs a fresh virtual machine for each process, then burns it down when you’re done. Tails A privacy-oriented OS. Custom Linux build with privacy settings maxed- out. Still experimental. Additional Security
  • 60.
    5. Put in Practice Developingsecure habits while organizing
  • 61.
    ◎Think about whatinfo is on the phone ◎Disable fingerprint ◎Protect with passphrase ◎Backup data ◎Put in airplane mode ◎Pictures or video without unlock ◎Consider a “dumb” phone, or a “burner” with no identity info attached Mobile Security
  • 62.
    ◎ They knowyou called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about. ◎ They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret. ◎ They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion. Mind your Metadata https://ssd.eff.org/en/module/why-metadata-matters
  • 63.
  • 64.
    ◎ Passwords onEverything (and don’t share!) ◎ Always lock and know where your devices are. ◎ Signal is pretty solid ◎ Thunderbird+Enigmail is too ◎ Get a VPN, but know its limits ◎ Legal in Oregon to record law enforcement ◎ 2-Factor Auth goes a long way ◎ So does a password manager ◎ Never provide passwords over email ◎ Look for HTTPS ◎ Mind your “cloud” accounts Some final tips, recap, & recommendations
  • 65.
    A word ondigital security But it can make a big difference. Especially if you share your knowledge. One workshop does not a private activist make.
  • 66.
  • 67.
    Hands On Let’s getset up! Place your screenshot here
  • 68.
    Thanks! Any questions? You canfind me at: greg@tozny.com PGP: 0x317DCBC8
  • 69.
    Special thanks tothese resources: ◎ Electronic Frontier Foundation ◎ Freedom of the Press Foundation ◎ American Civil Liberties Union ◎ Ctrl-H in Portland, Or ◎ Presentation template by SlidesCarnival ◎ Diagram featured by poweredtemplate.com Credits
  • 70.
    Special thanks tothese articles: ◎ https://www.theguardian.com/us-news/2015/may/22/edward-snowden-nsa-reform ◎ https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to- entire-intelligence-community-just-in-time-for-trump/ ◎ https://www.aclu.org/blog/whats-government-doing-targeting-civil-rights-leaders ◎ https://www.aclu.org/blog/shhhh-what-fbi-doesnt-want-you-know-about-its-racial-profiling- program?redirect=blog/criminal-law-reform-racial-justice-national-security/shhhh-what-fbi- doesnt-want-you-know-about ◎ http://www.oregonlive.com/politics/index.ssf/2015/11/black_lives_matter_oregon_just.html ◎ https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion- accounts-breached ◎ https://uit.stanford.edu/phishing ◎ https://tozny.com/blog/10-unnerving-privacy-fails-thru-data-aggregation/ Credits
  • 71.
    Special thanks tothese articles: ◎ https://security.berkeley.edu/news/phishing-example-spear-phishing-attack-articles ◎ http://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-john-podesta- clinton-russia ◎ https://thehackernews.com/2015/08/lenovo-rootkit-malware.html ◎ http://securityaffairs.co/wordpress/49999/hacking/found-usb-drive-hack.html ◎ http://geeknizer.com/top-usb-hacks-pwn/ ◎ https://www.inetsolution.com/blog/june-2012/complex-passwords-harder-to-crack,-but-it- may-not ◎ https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most- popular-cloud-service-passwords/ ◎ http://imgur.com/gallery/iVHfwLc ◎ http://lifehacker.com/truecrypts-security-audit-is-finally-done-with-mostly-1695243253 ◎ https://tails.boum.org/ ◎ https://www.qubes-os.org/ Credits

Editor's Notes

  • #4 Tozny -- data privacy and cryptography, emphasize user control over data SAFE -- violence prevention, focus on consent Guiding principles!! No oppression (racism, sexism, etc) Political views should be respected No stupid questions or people → tech is hard! Don’t hack each other
  • #5 Apologize for geeking out on this template We’ll break at halfway Crypto 101 IF WE HAVE TIME and INTEREST
  • #7 May not think about authenticity as important. I’ll get to that later.
  • #8 Maybe it’s clearer how Authenticity can be important?
  • #11 Last night at JFK
  • #12 We make mission statements, bylaws, constitutions for our orgs...
  • #13 Questions to ask ourselves as part of this assessment.
  • #14 We think of the government -- the surveillance state. Corporations? Other Groups? Maybe they’re an opposing group? Individuals?
  • #15 Not to be overlooked.
  • #19 Gov -- Sometimes they are the offenders Corps --
  • #21 Read some released docs -- they would see members handing out fliers, then arrest them on suspicion of drug use for “looks like needle marks”
  • #26 Note the 500m Note the date
  • #27 haveibeenpwned.com Please try this at home! Please immediately change your password if you have a result!
  • #28 https://panopticlick.eff.org/ https://tozny.com/blog/10-unnerving-privacy-fails-thru-data-aggregation/
  • #30 Caveat for sanity. Trust the manufacturer, distributor, operating system, applications, etc.
  • #31 Some of these want to capture information Some of these want control over your devices (for information, or other) Combinations Won’t go into details for each
  • #32 https://uit.stanford.edu/phishing
  • #33 Org chairperson, financial officer, etc. https://security.berkeley.edu/news/phishing-example-spear-phishing-attack-articles
  • #34 DNC Chair Meant to say “illegitimate,” said “legitimate”
  • #44 Two years ago Chinese firm Lenovo got banned from supplying equipment for networks of the intelligence and defense services various countries due to hacking and spying concerns. Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware. One of the most popular Chinese computer manufacturers ‘Lenovo’ has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop and desktop systems it sells. https://thehackernews.com/2015/08/lenovo-rootkit-malware.html
  • #45 48 percent of USB drives were picked up by passers and plugged into a computer, and the unaware users also tried to open the file within. Bursztein used an HTML file (a document titled “final exam” or “spring break pictures,”) with phone-home capabilities, but he did not use remote access tools or any other spyware. http://securityaffairs.co/wordpress/49999/hacking/found-usb-drive-hack.html http://geeknizer.com/top-usb-hacks-pwn/
  • #46 Could be wireless, or connected in between keyboard and computer All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.
  • #48 https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most-popular-cloud-service-passwords/
  • #49 Remember: Threat Model Breaches - PW reuse? A Word About “Security Questions”
  • #52 Open source may be counter-intuitive: relates to auditing best practices Avoids common mistakes
  • #53 Concern for intentional “backdoors” Audited, just found minor vulns No longer maintained Absorbed into VeraCrypt
  • #57 “Require Approval on Change”
  • #60 I HAVE NO EXPERIENCE WITH EITHER OF THESE
  • #64 Signal → tap number, scan QR Email → verify “out of band”