[swb-public] Community Needs Re: Introduction and some resources

Martin L. Fällman martin.fallman at civilrightsdefenders.org
Mon Jan 2 09:30:21 UTC 2017


Hi Colin, list,

I had to leave my email aside during the weekend, as you can imagine.
:) Anyhow, to your question:

I had hoped I might solicit further thoughts
from you on what might be the second part of that community assessment,
which is: from your experience, what are the constraints that you tend
to run into and what are the unaddressed needs?

Your observation about a desire for *organizational* policies rings
very true to me. It's what I've seen in the last ~1.5 years, and was
actually the main outcome of two advanced digsec workshops I
facilitated recently, with participants from several different
organizations in roughly the same contexts, I might add. I think a lot
of the participants I see in trainings would love that kind of open
template, especially one with input from security professionals who've
actually set up policies in organizations before. And it would create a
great base for workshops, as well.

Now, I love manuals, so any kind of Practical $tech manuals would be
really cool too. Cheat sheet-type graphics for stuff like Signal, GPG
etc, maybe in the style of Ange Albertini's binary format posters
(https://github.com/corkami/pics/tree/master/binary) would be really
neat and super helpful.

I think another unaddressed need is security reviews. Oftentimes the
funding for trainings comes with requirements on how many participants
should be trained per year, etc, which as you might appreciate means you
end up doing a lot of parachute trainings (jump in, train 12
participants, leave) but not much in-depth stuff. Some mid-size
organizations in the places I work have expressed an interest in deeper
reviews of e.g. information management, network infrastructure, and so
on. They're not interested in an ISO certification, nor a pentest, but
just that someone who knows this stuff can check the AD config and wifi
settings to make sure they haven't made a fatal mistake somewhere.

Also there are a *ton* of possibilities to harness IR, forensic and
malware research skills into powerful advocacy tools. For example,
Citizen Lab does excellent malware research, but they don't really
produce the kind of hard-hitting reports that SWB could help local
organizations develop.

Anyway, these are just off the top of my head, so you can imagine
there's a lot more when we start digging into things. :)

Best,

//MLF.

From: Collin, Anderson [mailto:collin.anderson at asc.upenn.edu] 
Sent: fredag den 30 december 2016 21:28
To: Martin L. Fällman <martin.fallman at civilrightsdefenders.org>;
swb-public at lists.securitywithoutborders.org
Subject: Community Needs Re: Introduction and some resources

Hi Martin,

Thank you for the comprehensive overview of the community that exists
to address the needs of civil society. A few of us have had
opportunities to engage with those initiatives, but often not all of
these different efforts -- especially those closer to the ground. This
was also a useful baseline for some of the comments that Claudio had
made at 33c3 about the limitations of funding and existing capacity in
terms of time/expertise/funding. I appreciate that this list has started
with a diversity of backgrounds, so we can start off properly.

I had hoped I might solicit further thoughts from you on what might be
the second part of that community assessment, which is: from your
experience, what are the constraints that you tend to run into and what
are the unaddressed needs?

For example, what I've come to appreciate this year is that for some
organizations that I collaborate with, their desire has been for people
to come in and help construct organizational policies around IT use
(e.g. as simple as requiring that all users in the Gapps domain have
2FA). That experience would suggest that a reasonable breakout project
might be an open "template for NGO IT governance policies" or at least
best practices, that could be modified but start the conversation
properly and reflect the unique needs of human rights defenders. It's
not chasing APTs, but it could be impactful and perhaps aligns well with
the capacity of the list.

Do you see other open areas where SWB could complement other
initiatives, places where the time and skillset haven't been applied?

Cordially,

Collin Anderson

________________________________

From: swb-public <swb-public-bounces at lists.securitywithoutborders.org>
on behalf of Martin L. Fällman <martin.fallman at civilrightsdefenders.org>
Sent: Friday, December 30, 2016 4:45 AM
To: swb-public at lists.securitywithoutborders.org
Subject: [swb-public] Introduction and some resources

Hi list!

I'm really, truly happy to see the level of engagement from tech (and
law!) people on this list already. Feels like nex's call really hit home
for a lot of people.

*** TL;DR ***
A lot of the things I've seen people ask on the list over the last ~36
hours are solved or at least studied problems. Below I try to present at
least some of the work I know of (and that's top-of-mind for me right
now.) On the one hand I'm linking to resources which demonstrate some
current thinking in securing journalists/activists/human rights
defenders, and on the other I'm linking some research that's come out
recently to demonstrate the current state of the field. It's not
exhaustive, but for many this will be a decent starting point.
*** END ***

I'm a Protection Officer with Civil Rights Defenders[1], operating out
of Stockholm, Sweden. We're an NGO working to support human rights
defenders (in the UN definition[2]) in many parts of the world, with our
main activities in the former Soviet Union, the East and Horn of Africa,
South-East Asia, and the Western Balkans. We're also scaling up
activities in Latin America, and we are engaged in legal work protecting
human rights in Sweden.

I specialize in digital security and design and facilitate trainings,
as well as consult with HRDs and their organizations on how to improve
their digital and physical security. My background is in teaching rather
than tech, but I've been in the human rights tech scene for some time
now, and I've been immersed in hacker culture for what feels like ages.

From where I'm sitting a lot of the questions I've seen asked on this
list since it opened up are already answered, or at least explored to
some extent. I'd like to share some resources and materials -- not
exactly an exhaustive list, to be sure -- so those on the list who are
new to the human rights defender world can get an idea of a) what is
being taught and used, and b) the amount and quality of research which
is available on what issues human rights defenders actually face in the
field.


## Resources
First off, some resources to show what and how we teach, which should
also give an overview of which worries and problems we most often
encounter in the field:

The Level-Up project was started by Internews but is now released to be
cared for by the larger community. It's a collection of teaching
material for digital security trainings. http://level-up.cc/ 


The Orgsec Confluence node is a collection of discussions sprung out of
(among other things) the Internet Freedom Festival[3] regarding digital
security specifically for organizations and represents a slightly
different approach to security. https://orgsec.community/#all-updates 


AccessNow (who also runs an amazingly good helpline for human rights
defenders) have recently published a neat and graphic guide called A
First Look at Digital Security.
https://www.accessnow.org/a-first-look-at-digital-security/ 


matt mitchell, Cooper Quintin and Rachel Weidinger published a very
good overview of resources which digital security trainers have found
helpful.
https://medium.com/@geminiimatt/security-training-resources-for-security-trainers-winter-2016-edition-4d10670ef8d3#.8w435t9x7

Security In-A-Box is a joint project by the Tactical Technology
Collective and Front Line Defenders. It used to be the gold standard but
has become a bit dated by now. It still is a fairly good baseline
resource and is widely translated and has excellent specific community
guides (e.g. for LGBTQ persons in sub-Saharan Africa.)
https://securityinabox.org/en 


## Research
Secondly, there's actually a lot of research being done on exactly the
kind of questions you have asked on this list. This is skewed towards
the countries I work in/around, of course, but similar research is done
nearly everywhere in the world.

The Ugandan NGO Unwanted Witness (if they're not already on this list
they should join!) just put out a preliminary report on HRDs' perception
of surveillance in Uganda.
https://unwantedwitness.or.ug/download/Preliminary-Human-Rights-Defenders%25E2%2580%2599-Surveillance-perception-Report-in-Uganda-2016-1.pdf

UW also put out a legal report on cyber legislation in Uganda, in
collaboration with us at CRD.
https://unwantedwitness.or.ug/analysis-of-uganda-cyber-laws-report/ 


The Citizen Lab at University of Toronto is a pretty big player in this
world, offering high-quality analysis of malware and censorship
encountered in repressive environments. https://citizenlab.org/ 


AccessNow publishes a lot of reports on digital security for HRDs.
https://www.accessnow.org/issue/digital-security/


Qurium, who are sort of a spiritual predecessor of SWB, also have
started publishing high-quality reports on what they encounter in their
work. https://www.qurium.org/alerts/ 

On a side note, the USABLE Tools project is really really neat and you
should all check it out. https://usable.tools/ (Specifically, their
resource list: https://usable.tools/resources.html ) 


## Soapbox
If you made it all the way through this essay-length thing I thought
I'd get on the soapbox for a moment and give my view of things. If you
watched nex's talk from Congress I bet you will recognize some of these
things from there.

First off, security for HRDs needs to be as simple as possible to use.
Remember that these are 9 times out of 10 people who came into contact
with digital security issues *because of the work they do*. Something
other than their equipment and software will always be #1 in their minds
-- be it voting rights, environmental protection, ending corruption, or
some other cause.[4] Failure to offer a *usable* solution doesn't lead
to productivity loss and/or complaints, as in a corporate environment.
More often it will end in either a maintained pre-intervention security
posture, or a *degradation* of the security posture due to loss of
trust. Ouch.

Second, it's not the APTs that should be our primary concern. Commodity
attack tools (literally Metasploit and SET!) often work all too well
against HRDs, as do passive surveillance, repressive legislation, and
so on. Not to mention the threats of ordinary cybercrime, e.g.
cryptolockers. Running recent and patched versions of Windows and MS
Office with carefully tuned Group Policy settings might protect from the
absolute majority of things many HRDs face.

Third, welcome to the community! I really think we can build something
great together.


[1]: http://crd.org/ 
[2]: http://www.ohchr.org/EN/Issues/SRHRDefenders/Pages/Declaration.aspx

[3]: https://internetfreedomfestival.org/ 

[4]: Story time: the head of an old and large human rights organization
in [redacted] visited Stockholm for a while 2 years ago. I ended up
having to help him with his computer, a square-screened IBM Thinkpad
running WinXP SP2. Why? "I can't be bothered with getting a new
computer, this one works fine."


Warm regards,

MARTIN L. FÄLLMAN
PROTECTION OFFICER

CIVIL RIGHTS DEFENDERS
Address: Sergels torg 12, floor 12, SE-111 57 Stockholm, Sweden
Tel: +46 8 120 744 03, Mobile: +46 70 484 96 75
martin.fallman at civilrightsdefenders.org
PGP: 0ECD 731D D578 6145 AB22 D213 5104 FC60 779A FD28
SIGNAL available on cell number

We defend people's civil and political rights and empower human rights
defenders worldwide.
Learn how to support us on www.crd.org


