Category: Security & Privacy

Defense Against the Dark Arts and Mr. Robot’s Netflix ‘n’ Hack (rebooted) at Recurse Center

Last Saturday, I hosted another Mr. Robot’s Netflix ‘n’ Hack session at the Recurse Center. I’ve been doing these weekly for three weeks now (here is a link to last week’s), and this time was the first week when the new set of batchlings were in the space. To better include them, we rebooted the series and re-screened the first episode of the show.

Last week was also the national elections in the United States. The outcome of that election was that Donald Drumpf was voted into office as President and over the course of the week he began selecting self-described white nationalists into positions of power in his upcoming administration. In light of these events, I’ve spent most of my waking hours fielding incoming requests for help about “what to do” in a number of different areas.

This election changes very little for me, personally. I have already been aware that we live in a police state, controlled by fascists and white supremacists. I’ve been preparing for worse and prepared for this eventuality for a long time. What this election changed, for me, was the fact that everyone around me was suddenly treating me like the things I was doing made sense, rather than being treated like some overly paranoid weirdo. So, that’s nice.

This also means that I’ve been getting lots of questions about digital security, privacy, anti-surveillance and censorship circumvention techniques. Y’know, commsec, opsec, and security culture stuff. In light of these events, I decided to kick off the new round of Mr. Robot’s Netflix ‘n’ Hack sessions with a whirlwind crash course of the defensive aspects of computer security techniques. Basically, I ran a very compressed CryptoParty.

Someone suggested that we call this a “Defense Against the Dark Arts” session, and I liked the analogy well enough to take the suggestion. Like the other Mr. Robot’s Netflix ‘n’ Hack nights, this one was well attended. We filled the session room to the max. It was probably between 15 or 20 of us to start with, and then it dwindled down to about 10 for the actual screening and post-screening discussion.

In my paradoxical, eternal optimism, I somehow had the idea that we could complete this lightning CryptoParty, which included install fests of Signal and the TorBrowser, within thirty minutes. I was wrong; we went over by about 30 minutes, and the screening of Mr. Robot started late. But so many (all?) of the attendees got set up with Signal and the TorBrowser, and that was really great.

As promised, I wanted to make sure that everyone had links to the reference guides and other resources presented in this defense-focused, super quick “Defense Against the Dark Arts” session. To do so, I sent a follow-up email with links to those resources. A portion of that email is presented verbatim here:

In addition to these primers and the links included in them, additional useful resources are:

  • PrivacyTools.io – Simply start at the top and read down the page. This is as guided an introduction to privacy issues and what to do about them as it gets.
  • EFF’s Surveillance Self-Defense Handbook – A thorough treatment of anti-surveillance software, along with tutorials for how to get them installed and working on your system.
    • If you’re feeling overwhelmed by all of this already, consider spending just a little bit of time to walk yourself through the SSD’s Security Starter Pack.
  • PRISM-Break! – An overwhelmingly large digital reference card for all the privacy-enhancing tools available to you for a particular platform, purpose, or protocol. Be cautious here, some of the listed tools are experimental, not audited, or worse.
  • Security in a Box – A slightly dated, but still generally solid, resource website featuring much of the same content as the EFF’s Surveillance Self-Defense guide, but with a regularly updated blog. Created and maintained by the TacticalTech.org collective.

There’s a ton of stuff in there, and learning how to defend yourself from governments, corporations, or malicious individuals on the Internet is more involved than simply picking up one or two tools. But a few well-chosen tools do give you a really, really good start. Taking some time to familiarize yourself with the above guides will hopefully help you become even more capable.

Following the install fest, we finally screened Episode 1 of Mr. Robot again. I already posted our list of tools, techniques, and procedures from the first week, and this didn’t change much. With a different audience, however, the discussion we had post-show did change quite a bit.

Unlike the first week, when people were interested in Tor onion routing and the dark/deep Web, this time people wanted to know about social engineering and password cracking. So our discussion focused on sharing resources for social engineering, and books such as Kevin Mitnick’s “Art of Deception” and Robert Cialdini’s “Influence: The Psychology of Persuasion” came up. (So did Freedom Downtime, a documentary about Kevin Mitnick’s persecution by the FBI.)

After that, we also talked about the mechanics of password cracking. I gave an overview of the process from exploitation to data exfiltration, but focused on using the hash-“cracking” (really guessing) tool called Hashcat to demo finding the plaintext of hashed passwords. A lot of time in the discussion was spent showing the practicalities of how hashing (i.e., “trap door functions” or “one-way functions”) works by using md5 and shasum commands on the command line. Then I showed the syntax of the hashcat command to run a dictionary attack (with the infamous “rockyou” wordlist) against simple unsalted MD5 hashed passwords from a very old data dump file (hashcat -a 0 md5sums.txt wordlists/rockyou.txt). Have another look at the SecLists project on GitHub to find wordlists like these useful for password cracking.

We also talked about some common mistakes that application developers make when trying to secure their applications, and that users often make when trying to secure their passwords:

  • Try to generate per-user, instead of per-site, salt.
  • Don’t just double-hash passwords (i.e., hash(hash($password))), because this reduces the entropy used as input for the final result, and increases the chance of hash collisions. Instead, iterate the hash function by concatenating the original input (or a salt, or something) back into the resulting hash as well (i.e., hash($salt . hash($salt . $password))). This iteration also slows down an offline attack, but again, only if done correctly in code.
  • Don’t use multiple dictionary words as a password, even a long one, because these are easy to guess. For instance, contrary to popular belief, “correct battery horse staple” is a bad password, not because it lacks entropy, but because all of its components are likely to be in an attacker’s wordlist. Use a password manager and generate random passwords, instead.
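As an added example (not code from the original post, nor from hashcat or any other tool it mentions), the following Python script walks through both the command-line demo above and the three mistakes in the list. A constructed wordlist and a constructed “dump” of unsalted MD5 hashes stand in for rockyou.txt and the old data file; `dictionary_lookup` is the single-table lookup that makes `hashcat -a 0` trivial against unsalted MD5; `salted_iterated_hash` generalizes the hash($salt . hash($salt . $password)) pattern to any number of rounds; and `store_password`/`verify_password` use the standard library’s PBKDF2 for per-user salted, iterated storage, so the same wordlist has to be re-run from scratch against every user. All usernames, passwords, the 100,000-round count and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist; stands in for rockyou.txt or a SecLists file.
# Note that the multi-word passphrase is in it: passphrases built from
# dictionary words end up in wordlists, just as the post says.
WORDLIST: List[str] = [
    "123456", "password", "letmein", "qwerty", "dragon", "correcthorsebatterystaple",
]

# Constructed user passwords (assumed). "erin" uses a password-manager style
# random string, which is the post's recommendation.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",
    "dave": "correcthorsebatterystaple",
    "erin": "k4Qz9vTx!pL2",
}


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the way the old dump on the page stored passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed "old data dump": username -> unsalted MD5 hex digest.
UNSALTED_DUMP: Dict[str, str] = {user: md5_hex(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def dictionary_lookup(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """The essence of a dictionary attack on unsalted MD5: hash each word once,
    then match every stored hash against that one table. Because nothing is
    per-user, the table is reusable across all users (and all sites that store
    unsalted MD5), and users who share a password are visible before any guessing."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(stored) for user, stored in dump.items()}


def salted_iterated_hash(password: str, salt: bytes, rounds: int) -> bytes:
    """The post's pattern, hash(salt . hash(salt . password)), generalized to
    `rounds` rounds. Re-mixing the salt into every round is what separates this
    from a plain hash(hash(password)), which feeds only the previous digest forward."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


ROUNDS = 100_000  # assumed work factor; tune so one verification costs tens of ms


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, the standard-library form of
    salted iteration. Returns (salt, digest); store both next to the username."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_salted_records(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What the application database should hold instead of UNSALTED_DUMP."""
    return {user: store_password(pw) for user, pw in passwords.items()}


def dictionary_guess_salted(
    records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]
) -> Tuple[Dict[str, Optional[str]], int]:
    """The same wordlist against salted records. No shared table is possible:
    every (user, word) pair costs its own ROUNDS-iteration computation. Returns
    the recovered words and how many PBKDF2 evaluations were needed, so the
    cost can be compared with the single pass that dictionary_lookup needs."""
    recovered: Dict[str, Optional[str]] = {}
    evaluations = 0
    for user, (salt, digest) in records.items():
        recovered[user] = None
        for word in wordlist:
            evaluations += 1
            if verify_password(word, salt, digest):
                recovered[user] = word
                break
    return recovered, evaluations


if __name__ == "__main__":
    print("unsalted MD5 lookup:", dictionary_lookup(UNSALTED_DUMP, WORDLIST))
    print("alice and carol share an unsalted hash:", UNSALTED_DUMP["alice"] == UNSALTED_DUMP["carol"])
    records = build_salted_records(SAMPLE_PASSWORDS)
    print("alice and carol share a salted digest:", records["alice"][1] == records["carol"][1])
    found, cost = dictionary_guess_salted(records, WORDLIST)
    print("salted guessing:", found, "after", cost, "PBKDF2 evaluations of", ROUNDS, "rounds each")
```

Running it shows the two halves of the argument side by side: the unsalted dump gives up every dictionary-derived password (including the multi-word passphrase) from one table, and reveals that alice and carol chose the same password without recovering it at all; the salted records still yield the weak passwords eventually, but only through per-user work that scales with the round count, and the randomly generated password is never found in either case.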

Next week, we’ll return to our regularly-scheduled Mr. Robot’s Netflix ‘n’ Hack format: a demo/show-and-tell/exercise of a tool, technique, or procedure (TTP) featured in Episode 1, followed by a screening of Episode 2, and ending with a discussion about Episode 2’s TTPs. I thought that since we’ve done Onion services already, I would change gears and show an online attack similar to some of the ones Eliot used in the show by demoing a tool called Hydra. Another participant also said they may demo hiding data inside of audio CDs using a steganographic tool called DeepSound, also featured in episode 1.

However, this upcoming Saturday is a number of anti-Trump and anti-surveillance organizing meetings and workshops, so I may have to skip this week’s Mr. Robot’s Netflix ‘n’ Hack myself. If not, we may switch to Sunday just for the week. Time will tell. :)

Cell 411, the “de-centralized” smartphone app that “cops hate” is neither de-centralized nor hated by cops

If you’re following anti-police brutality activists, you might have heard about a new smartphone app that aims to cut down on the need for police. Cell 411 is touted as “the decentralized emergency alerting and response platform” that “cops don’t want you to use.” There’s only one problem: its central marketing claims aren’t true. Cell 411 is not decentralized, and there’s no evidence that cops don’t want you to use it.

Let me be clear that I love the idea of a decentralized emergency alerting response platform. I think it’s incredibly important for such a tool to exist. I’m so committed to that belief that I’ve been building a free software implementation of just such a tool, called Buoy, for a few months now.

Further, I believe it’s equally important that the developers of a tool like this actively eschew the State-sponsored terrorist gangs known as law enforcement, because that mindset will inform the tool’s development process itself. On the face of it and from the research I’ve done to look into Cell 411’s developers, I think there is a lot of welcome overlap between them and myself. Indeed, I’m grateful to them for developing Cell 411 and for dropping their price for it, offering it free-of-charge on the Android and iOS app stores, which is how it should be. Nobody should be charged any money for the opportunity to access tools for self- and community protection; that’s what cops do!

I’ve even reached out both publicly and privately to the developers of Cell 411 through email and Twitter to ask them about a possible collaboration, pointing them at the source code for the Buoy project I’m working on and asking where their source can be found.[1] I want to see a project with Cell 411’s claims succeed and be a part of abolishing the police and the State altogether. I think there’s real potential there to make headway on an important social good (abolishing the police, dismantling the prison industrial complex, among other social goods) and I want to offer whatever supportive resources I can to further a project with these goals.

But I am concerned that Cell 411 is not that project. The fact is there are glaring, unexplained inconsistencies between their marketing material, the perception that they encourage the public to have about their tool, and their tool’s legal disclaimers. Such inconsistency is, well, sketchy. But it’s not unfamiliar, because this exact kind of inconsistency is something activists have seen from corporations and even well-meaning individuals before. We should be able to recognize it no matter the flag, no matter how pretty the packaging the message is wrapped in.

On the Google Play store, Cell 411 describes itself like this:

Cell 411 is a De-centralized, micro-social platform that allows users to issue emergency alerts, and respond to alerts issued by their friends.

The problem is in the very first adjective: de-centralized. To a technologist, “decentralization” is the characteristic of having no single endpoint with which a given user must communicate in order to make use of the service. Think trackerless BitTorrent, BitCoin, Tor, or Diaspora. These are all examples of “decentralized” networks or services because if any given computer running the software goes down, the network stays up. One of the characteristics inherent in decentralized networks is that the network’s or service’s creator is unable to unilaterally bar a given end-user from accessing the network. In other words, there is no one who can “ban” your account from using BitTorrent. That’s not how “piracy” works, duh.

Unfortunately, many of the people I’ve spoken to about Cell 411 seem to believe that “decentralized” simply means “many users in geographically diverse locations.” But this is obviously ignorant. If that were what decentralized meant, then Facebook and Twitter and Google could all be meaningfully described as “decentralized services.” That’s clearly ridiculous. This image shows the difference between centralization and decentralization:

The difference between centralization and decentralization.

As you can see, what matters is not where the end users are located, but that there is more than one hub for a given end user to connect to in order to access the rest of the network.

Armed with that knowledge, have a look at the very first clause of Cell 411’s Terms of Service legalese, which reads, and I quote:

1. We may terminate or suspend your account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.

This is immediately suspect. If they are able to actually enforce such a claim, then it is a claim that directly contradicts a claim made by their own description. In a truly decentralized network or service, the ability for the network creator to unilaterally “terminate or suspend your account immediately, without prior notice or liability” is not technically possible. If Cell 411 truly is decentralized, this is an unenforceable clause, and they know it. On the other hand, if Cell 411 is centralized (and this clause is enforceable), other, more troubling concerns immediately come to mind. Why should activists trade one centralized emergency dispatch tool run by the government (namely, 9-1-1), for another centralized one run by a company? Isn’t this just replacing one monopoly with another? And why bill a centralized service as a decentralized one in the first place?

Virgil Vaduva, Cell 411’s creator, told me on Twitter that the app is not open source but hinted that it might be in the future:

This leaves me with even more questions, which I asked, but received no answer to as yet. (See the Twitter thread linked above.)

Cell 411’s proprietary source code is licensed under an unusual license called the BipCot NoGov license, written by a libertarian group with whom I share distrust and hatred of the United States government. Where we differ, apparently, can be summed up by this Andy Singer quote:

Libertarianism is just Anarchy for rich people.

And that concerns me greatly. Cell 411 originally cost 99¢ per app install on both the Google Play and iTunes app stores. It’s now free, which, again, is a move in the right direction. But by refusing to release the source code, SafeArx holds its users hostage in more ways than one. There are already rumors that the company is intending to monetize the app in the future, perhaps by charging for app downloads or perhaps in some other way. That is fucked. The people who need an alternative to the police most of all are not people with money. That’s why all of Buoy’s code was available as free software from the very beginning; so those people could access the tool. And beyond that, it’s the very people who need an alternative to the prison industrial complex most who are also most in need of safety from capitalism’s exploitative “monetization.”

I hope Virgil chooses to make Cell 411 free software too—i.e., not just free as in no-charge but software libre as in freedom and liberty. A closed-source tool is downright dangerous for activists to rely on, especially for an app that is supposed to be all about communal safety. This has never been more obvious than in the post-Snowden age. If you share our goal of abolishing the State and ending the practice of caging human beings, and you want to dialogue, please do what you can to convince the people running SafeArx and Cell 411 of the obvious strategic superiority of non-cooperation with capitalism.

Which brings me to my next major concern: there is no evidence that cops hate Cell 411, despite the headlines. It’s obvious, at least to anyone who understands that the purpose of cops is to protect and uphold white supremacy and oppress the working class, why cops would hate a free decentralized emergency response service. Again, I want to use such an app so badly that I began building one myself.

But if Cell 411 is centralized, then it becomes a much more useful tool for law enforcement than it does for a private individual, for exactly the same reason as Facebook presents a much more useful tool for the NSA than it does for your local reading group, despite offering benefits to both.

Cartoon of a protester ineffectually trying to shoot corrupt government officials with a 'Facebook' logo positioned as a gun.

I am not saying that Cell 411 is a bad tool. Far from it. My belief is that it is a good tool for individuals and my hope is that it will become a better tool over time. But if Cell 411 is to go from “good” to “great,” then it must actually be decentralized. It must be released freely to the people as free software/software libre. Private individuals who are working to create social infrastructure as an alternative to police must be able to access its source code to integrate it with other tools, to hack on it and make it more secure. This is the free software way, and it is the only feasible anti-capitalist approach. And the only strategically sound way to abolish police is to abolish capitalism, since police are by definition capitalism’s thugs.

It is the explicit intent of police and the State to prevent private individuals from taking their own protection into their own hands, from making their own lives better with their own tools in their own way, by not allowing access to the source of those tools. We, Cell 411 included, should not be emulating that behavior.

I want to be able to run my own Cell 411 server without asking for permission from SafeArx to do so. If Cell 411 were decentralized free software, I would be able to do this today, just as I can publish my own WordPress blog, install my own Diaspora pod, or run my own Tor relay without asking anyone for permission before I do it. This is what I can already do with Buoy, the community-based emergency response system that is already decentralized free software, licensed GPL-3 and available for download and install today from the WordPress plugin repository.

As a developer, I want to see Cell 411 and Buoy both get better. Buoy could become better if it had Cell 411’s mobile app features. Cell 411 could become better if its server could be run by anyone with a WordPress blog, like Buoy can be.

But as long as Cell 411 remains a proprietary, closed-source, centralized tool, all the hype about it being a decentralized app that cops hate will remain hype. And there are few things agents of the State like more than activists who are unable to see the reality of a situation for what it is.

Admiral Ackbar: Proprietary and centralized software-as-a-service? It's a trap!

If you think having a free software, anarchist infrastructural alternative to the police and other State-sponsored emergency services is important and want to see it happen, we need your help making Buoy better. You can find instructions for hacking on Buoy on our wiki.

  1. Here’s the email I sent to Virgil Vaduva, Cell 411’s creator and SafeArx’s founder (the company behind the app):

    From: maymay <bitetheappleback@gmail.com>
    Date: Sat, 27 Feb 2016 20:03:38 -0700

    Hi Virgil,

    My name is maymay. I learned about Cell 411 recently and I’m excited to see its development. It is similar to a web-based project of my own. I am wondering where the source code for the Cell 411 app can be found. I could not find any links to a source code repository from any of the marketing materials that I saw on your website.

    Our own very similar project is called Buoy. The difference is that Buoy is intended for community leaders and intends to be a fully free software “community-based crisis response system,” with the same anti-cop ideology as Cell 411 but built as a plugin for WordPress in order to make it super easy for anyone to host their own community’s 9-1-1 equivalent.

    Our source code is here:

    https://github.com/meitar/better-angels/

    We have focused on the web-app side of things because that’s where our experience lies, but were hoping to create a native mobile app later on. It seems you already made one. Rather than reinvent the wheel, we’re hoping to integrate what you’ve done with Cell 411 with what we’ve already developed in order to facilitate a more decentralized, truly citizen-powered infrastructure alternative to 9-1-1.

    So that’s why we’re interested in looking at Cell 411’s source code.

    Thanks for your work on this so far.

    Cheers,
    -maymay
    Maymay.net
    Cyberbusking.org


Buoy (the first?) anti-policing community-based crisis response system, now available in Spanish

Buoy, (the first?) anti-policing community-based crisis response system, is now available in Spanish.

This is a really, really big deal, because communities of Spanish-speaking residents in the United Snakes of Amerikkka are some of the most oppressively policed communities in this so-called “great” country. These are sometimes families of immigrants, with members who may be undocumented, and for this simple reason they are frequent targets of the xenophobic, racist militarized occupation by the huge number of government-sponsored domestic terror gangs known as “Law Enforcement,” police, or ICE.

With Buoy, residents of these communities finally have the beginnings of a fully community-owned and operated emergency dispatch telecommunication system that does not force or even expect its users to cooperate with 9-1-1, or indeed any other traditional “public safety service” offered by government officials. Buoy users choose people they know and trust in real life and organize “teams” with one another. With the press of a single button, they can then create a private group chat that shows each team member the real-world location of all other team members, allowing team members to share video or pictures and otherwise coordinate appropriate responses to incidents, without the interference of police.

Here is a short video introduction to Buoy’s alert-and-response features:

Of course, there are many other ways social groups of any size can use Buoy. Here’s a list of additional use cases.

If you are interested in helping us crush the monopoly of State-backed so-called “protective services,” if you want to evict the police from your community, if you want to be part of abolishing the police and mercilessly eradicating every reason for their very existence, we want and need you to join this project. Have a look at our “Contributing” guidelines for ways you can help. Liberals, Statists, and cop apologists need not apply.

Kill white supremacy,
-maymay, Buoy developer

P.S. Did you notice how this post has a different tone than my original post announcing Buoy’s prototype release? Guess which one expresses how I really feel.

Technology, the Internet, and Race: Tool for Liberation or Oppression?

Enhanced transcript of panel introductions at the “Technology, the Internet, and Race: Tool for Liberation or Oppression?” session at the recent 25th annual Computers, Freedom and Privacy conference in Washington, DC, held on October 14th, 2015. The transcript is “enhanced” because its links were added by me, the transcriber, and do not mean to imply an acknowledgement or endorsement by the speaker whose words were hyperlinked.

[music]

Singer: iMix! What I like! What I like! What I like! What I like!

Jared Ball (producer @iMiXWHATiLiKE): Good afternoon, everybody.

Audience: Good afternoon!

Jared Ball: A’ight, we wanna keep things moving here. My name’s Jared Ball. It’s an honor and a privilege to moderate the next panel. And I just wanted to say, just very quickly, I appreciate Joe Torres and the work he does with Free Press, and that organization in general. And the efforts around these particular kinds of conversations. Because I think one important value of centering the experience of so called people of color in any question is issues of privacy and surveillance supreme among them, is that doing so immediately forces an immediate focus on the imperial and colonizing of the nature of the State itself. Such an approach lends itself to gaining a view from below, from the among the so called wretched, the subjects of colony of empire. And with that said, I want to welcome our panel.

Alvaro Bedoya: Great intro for that, thank you, Jared. Everyone, I’m Alvaro. I want to talk about two substantive points to answer this question and one strategy point which we can expand on later if it comes to point, is that surveillance technology doesn’t target everyone equally. It disproportionately targets the weak, it disproportionately targets the unpopular, and so we need to look at privacy as a shield for the weak and as a shield for the unpopular. The second point is that surveillance is often beta tested on vulnerable communities, and we need to start explaining how that happens because I think we’ll create broader coalitions. And that’s the third point: how do we act on this to counter surveillance and to stop it?

And so, on the first point, I think, and I’m aware that I’m preaching to the choir in large part here, but I think a lot of Americans, when they think of surveillance of vulnerable people, they might know Martin Luther King and the vicious surveillance of Martin Luther King by J. Edgar Hoover. What they might not know is that J. Edgar Hoover also surveilled Cesar Chavez, and also surveilled the Black Panthers. It was critical in the dismantling of that organization. But before [that], it was Japanese-Americans who were surveilled. Before that, it was a W.E.B. Du Bois who was surveilled for trying to go to Europe while Woodrow Wilson was trying to negotiate some pretty lofty principles, and point out that a major population in Woodrow Wilson’s hometown in the United States was not exactly getting that same fair deal. Y’know, after all this it was LGBT service members, and I guess what I’m trying to say is that when unpopular, powerless people meet the gears of government, they tend to lose. And so what privacy is, it’s a space that allows them to do that work without powerful forces stopping them. And I think this is a framing useful for us.

The second item: surveillance being beta-tested on vulnerable communities. So, quick story. So, I was born in Peru, I came here when I was five. My grandmother is straight out of a Gabriel García Márquez novel, lives in this old, old house—it’s been crumbling—in a little mountain town in Northern Peru called [TK-NAME OF TOWN HERE]. And, um, for years, I think all of us remember when a long distance call was, like, a really big deal. And for years we would call my grandmother, and it would be a really bad connection, it was a really big deal for us. And uh, the fact of the matter is, probably from about 1993 on, every single time my brother and I called our almost centenarian grandmother in a little mountain town in Northern Peru, the Drug Enforcement Administration (DEA) was making a record of it. And this is kind of the secret history of the “215 program” that folks in this room probably know about, but I don’t think the point has been sharpened in this respect. Before 215, the program that allowed the collection of all of our call records all the time, was a Drug Enforcement Administration program that logged international calls. They were not international calls to just anywhere, they were international calls to mostly all Latin-American areas and certain areas elsewhere. And, um, I remember this story coming out, and no one making the second leap in that sentence. The first leap being all international calls were logged, the second leap being that probably means that if you’re a Latino living in the United States, every time you called your mom, or your grandmother, your grandfather, anyone back home, the Drug Enforcement Administration was keeping track of that.

And so, another instance I think you’re going to see this is with facial recognition. The FBI has a fifty-million strong database of faces that State and local law enforcement can use to identify suspects in photos. Before I left Capitol Hill, my boss, Senator Franken, inserted a request, made a request that would include in an audit of the Federal Bureau of Investigation’s facial recognition systems statistics on demographics and on who is in this database. And I suspect what’ll happen if GAO [Government Accountability Office] is able to produce this information is that it won’t be an equal representation of all of our communities in that database. That database is gonna be disproportionately poor, disproportionately Black, and disproportionately Latino. And so I think we need to reckon this fact.

Final point, and then I’ll close because I know we just wanted to do brief statements here. When I was a Senate staffer working on NSA reform legislation, and I know some of you have heard it before because I’ve said it to you, I noticed something very troubling. And it was this: we had so many hearings about NSA. We had so many hearings. We had hearing after hearing after hearing and that’s wonderful and each time the administration had sent people and they get yelled at and they would yell back and it was true sort of exchange of ideas, as much as you can have in an unclassified setting. Um, one thing that I never heard in any of those hearings—and I could’ve missed it, but I’m pretty sure I never heard it—was the name Martin Luther King. Or was the name Cesar Chavez. Or was any bit of this history of disproportionate surveillance of vulnerable communities. And, um, I think that’s everyone’s loss. I think that’s our loss because—I think that’s everyone’s loss because they don’t know, but I think it’s our loss because our coalition could be all the more stronger the more we have the civil rights community activated and moving alongside with us. I’ve said this before to someone and they’ve said, “Well, Alvaro, y’know, we don’t really need the Left. We need the Right. We need the Right to get to 60 [votes].” And this person was exactly right. You need the Right, you need Republicans, and God bless them, God bless folks that are in the Republican party that are with us on this surveillance issue, we need those folks to get to 60. But we need the Left to make sure that what we get out of that 60 is actually worth something. Because there are amendment notes after amendment notes and if your coalition is not strong you will lose those votes and you will get a far worse product because of it.

So, looking forward, we have a debate about Section 702, which allows for the surveillance of communications collected in the United States with one international—I’m sure I’m getting some tiny piece of that wrong—but, um, in those communications collected are some entirely domestic communications, we now know that. But in those communications are going to be awful lot of communications by immigrants. And this program does not affect everyone equally. It disproportionately impacts immigrants, it probably disproportionately impacts Latinos, and I think we need to put that forward and talk about that.

And I think I will close there.

Anika Collier Navaroli: Thank you. Thanks everyone, thanks again for coming. So before I talk a little bit about the surveillance and technology piece, I want to talk a step backwards and I want to talk about the notion of privacy as we currently know it. So the way that we typically think about it in these circles is the philosophical or the legal definition. And in doing that I think that we make certain assumptions. And I want to talk a little bit about those assumptions.

So, first, I think the assumption that we make is that there is agency over one’s own body or one’s own personhood. And I think the second assumption that we make is that privacy is this thing that exists. And in order to do so I think that we create a certain privilege. And to say that, I want to say essentially that there are certain communities within the United States who have never had the privilege of what I’m going to define as privacy.

So, privacy, by “privacy” what I’m talking about is non-surveillance, or a non-monitoring. And so basically what I’m going to talk about a little bit here is the Black community, just because that’s the community that I’m a member of, that’s the one I know the best, and it’s the one that I’ve studied the most.

So, I attended a conference very similar to this a couple of months back hosted by a lot of the same folks and I went to a panel that was about cybersecurity. So it started with the NSA programs Alvaro was just talking about and I think this is one that definitely did it right in discussing the historical impact and the disparities. And what I was shown at the very beginning of this panel was a document that was put up on the screen. And it was a very simple document. This document was stated to be the very first piece of surveillance within the United States. And what that was, was a “slave pass.”

An official "Negro Passport" issued by the Confederate States of America's official War Department in 1865.

And this was, for those of you who don’t know what a slave pass is, it was a piece of paper that was given to Black Americans back in the day. And this allowed them to physically move from one confined plantation to another. And without this pass, there was a serious risk of bodily harm and/or death. So from the very beginning of Black folks being in America, their physical presence has been monitored and surveilled. And this includes folks that were privileged enough to be free. They had Freed Men Passes, and without these, they were not able to move about freely. And as some folks have seen from “12 Years a Slave,” but those didn’t also always work all the time. So just moving back through history we see from the very, very beginning the notion of privacy as we know it never existed for Black folks in America.

And as we move through history, we end slavery, and then we have physical signs that told folks where they could walk, where they could sit, where they could eat, where they could drink, where they could do the very simple things of life. And again, very physical movements of people being monitored, being surveilled, and not following these signs again created a risk of serious bodily harm and/or death. This continued. So we go through what Alvaro was talking about, we know about the civil rights movement of the 1960’s. We know about Assata Shakur, in her book she talks a lot about when she became really big—her autobiography, excuse me—when she became pretty big in the Black liberation struggle, there was a certain point at which she stopped receiving phone bills, but yet her phone was never disconnected.

Audience: [laughter]

Assata Shakur, a Black woman.

Anika Collier Navaroli: And that was the moment that she realized that her phone was in fact wiretapped. And again, now we know what happened. Everything has been declassified, we know about COINTELPRO, we know about J. Edgar Hoover, we know all these things now. But in those movements, not just the physical movements but also the social movements of Black people were being monitored. So, to me, it’s not extraordinary when we think about today’s society. And we think about the fact that the Department of Homeland Security is monitoring Black Lives Matter movement activists at things as simple as concerts. It’s not extraordinary to me that there are allegations in Chicago of Stingray devices being used to monitor the movements of protesters as they move about the streets. These things are not extraordinary in that the privilege of privacy never existed for Black folks in America and to this day is not a notion that is really known.

And so I kinda want to start my thought process there and just realize and ground this conversation in the knowledge that when we talk about surveillance, when we talk about technology, we are talking about brand new tools for a thing that has always been going on.

Hamid Khan: Hi, good afternoon. My name is Hamid. I am from Los Angeles with the Stop LAPD Spying Coalition. I want to start off by just picking up where Anika stopped where, what I gathered was, for many communities historically speaking and even currently as well, privacy is a luxury, it’s not really a right. So I think that’s something that we need to really just at least acknowledge and put it out there. Secondly, since yesterday, if I was not working on the ground on the streets, just organizing out in Los Angeles, one would assume that surveillance is purely a Federal issue whereas the local police is kept completely out of the equation most of the time. And when you look at history, before the FBI came into existence, the police Red Squads were very much in operation. And the police Red Squads didn’t start because the Russians were coming. The police Red Squads started in the 1880s because of the Haymarket strike in Chicago. That was the formation. In 1886 Haymarket happens. In 1888, Chicago police department is the first department to formally incorporate a section which was going to engage in covert intelligence gathering and surveillance of communities. And from there on, we see this rapid escalation of the Red Squads.

So local police is and has always been on the forefront of surveillance, spying, and infiltration. There was a conversation about Stingrays, there was a conversation around automatic license plate readers, the Los Angeles Police Department has all these tools. We talked about Fusion Centers, the Los Angeles Police Department has its own internal Fusion Center as well. New York Police Department works closely with the CIA. So the point I’m trying to raise is that locally law enforcement have been on the front lines of surveillance, spying, and infiltration.

Which brings me to the point then, of how does it impact communities, and particularly communities of color. And most of the time the conversation starts from impact, rather than core concepts. Like, y’know, okay, well, this is what has happened, without us backtracking and seeing what has been the history behind this thing. Another thing that Anika raised was that this is not a moment in time, this is a continuation of history.

So Bill Bratton is known all around the world, not just in the United States, as one of the “top cops.” I mean, as much bogus propaganda as there is. And Bill Bratton is really the one who pushed the “Broken Windows” theory. So I just want to ask Paul, if you could open that Word document from Edward Banfield. So—if you can—Edward Banfield was the intellectual guru of James Q. Wilson who was one of the coauthors of the infamous Broken Windows article in The Atlantic in 1982, which was coauthored by George Kelling, and this is what set the tone for how Broken Windows was informed:

Edward C. Banfield, a white man wearing a suit and tie.

The implication that lower-class culture is pathological seems fully warranted. Rather than waste time and public money implementing policies based on the false notion that all men were created equal, better to just face facts and acknowledge the natural divisions that exist. Members of the lower classes should leave school in ninth grade, to get a jump on a lifetime of manual labor. The minimum wage should be replaced to encourage employers to create more jobs for “low-value labor.” The state should give “intensive birth-control guidance to the incompetent poor.” And the police should feel free to crack down on young lower-class men.

Edward Banfield, mid-century political scientist, University of Chicago

So that “the police should feel free to crack down on young lower-class men.” This is the origin of “Broken Windows” policing.

So this is the tally, as of yesterday, of how many people have been murdered by law enforcement in the United States in 2015.

The Guardian's "The Counted" data visualization project keeps demographic records of reported police murders.

Nine-hundred and two already. This is a tally that was started by The Guardian. It’s called “The Counted.” And when you do the math, every seven hours and thirty-six minutes, someone is being murdered by law enforcement. I mean, just posit this for a second. Every seven hours and thirty-six minutes. Today, as we sit here, more than three people on average will be killed by law enforcement. And look at the numbers. Los Angeles leads that. Eighteen already in 2015. When you look at per-million, 5.24 Blacks per million. 2.42 Hispanic/Latino per million. 2.1 white. So 250% is the disparate impact on the Black community on how law enforcement is murdering them.

How is the law enforcement responding when we go and protest this? Can you go to the next slide, please?

LAPD Sheriff's Department officers wearing full body armor, face plates, and other extreme military combat outfitting.

This is what we look at. This is what we are facing. This is the intense militarization of the police. This is when we go out onto the street. This is how we are met. This is how we are brutalized. So when somebody talks about privacy and then people talk about “hacking,” the previous slide shows how families are being hacked. How their spirits are being hacked. How trauma is being created. And this is what is going on the streets of Los Angeles.

And the last couple of slides I just want to show, if you wanna go to the third one. This is now happening.

The Daily Beast reports on the first legal "Taser Drones" in the United States.

North Dakota is the first State in the country that has now authorized law enforcement use of drones armed with “non-lethal weapons,” as if tasers and rubber bullets have never killed people. And lastly I just want to show you a slide. This is what we are facing. This is the LAPD’s architecture of surveillance, something that we know now.

Circular diagram depicts how the various components of the United States’ domestic surveillance, spying, and infiltration architecture fit together.

From Fusion Centers to Suspicious Activity Reporting (SAR) program, to “See Something, Say Something,” to the Intelligence Gathering Guidelines where they can legitimately now place informers in political groups where they can also, the cops can take fictitious personas and fake identities to Facebook or social media. Then you look at Predictive Policing, then you look at TrapWire technology, which is a street-level camera that picks up your body image and immediately transfers it to the Fusion Centers, to Stingray, and then somebody was saying that Stingray is not going to be used because now they’re using “dirt-boxes,” the Digital Receiver Technology, which is Stingray on steroids. And then we move into the Automatic License Plate Readers (ALPRs), Drones with high-definition cameras. The DHS memo basically, and this is what leads to how police begin surveillance of poor people, because my work is based out of Skid Row in downtown Los Angeles, where gentrification is running rampant, and one of the things this memo said was it took three small cases of low-level arson and they put a memo out that said if there is any housing rights activists, that if there is any rally or if there is anything going on, that should be considered a suspicious activity, and a Suspicious Activity Report should be filed on housing rights activists. And then we see the militarization, Joint Terrorism Task Force, and the Fusion Centers.

And I want to end by saying that as we are looking at this, who ultimately is going to pay the price? I mean, when we look at the murders on the street, the most recent audit of the Los Angeles Police Department’s Suspicious Activity Reporting, two years ago, came out that—now these are counter-terrorism programs, most of the police now is heading towards counter-terrorism and counter-insurgency—that all the SARs that were sent to Fusion Centers, over thirty-one percent of them were filed on Los Angeles’s Black community, the community that is less than ten percent of the population. A three-to-one disparate impact. In the gender count, fifty percent of these SARs were opened on Black women. These are counter-terrorism programs.

Lastly, the Los Angeles Sheriff’s Department has now become the largest repository of biometrics, they have now a database where they can gather biometrics on fifteen million subjects, and that is an extension of the US military (Navy and Marine) program called the Identity Dominance System, which started in Afghanistan where they had basically taken everything off of the whole population of Afghanistan and now as of this month are launching into the second phase, which is called the IDS-2, Identity Dominance System 2.0, where they are going to start looking at a person’s gait, how you walk, how you move your hands and your arms.

So in essence, what we are seeing is now that speculative policing is going to the next level. Because what this all is, it is speculative policing, and I’ve reached my time, so I’ll stop right there.

Singer: iMiX! What I like! What I like! What I like!

[music]

Pair with David Whitehouse on the disturbingly intimate relationship of policing and schooling.

A Sneak Peek at Better Angels’ Buoy: the private, enhanced 9-1-1 for your personal community

As some of you already know, over the past several months, I’ve been working with a team of collaborators spanning four States and several issue areas ranging from alternative mental health/medical response, to domestic violence survivor support, to police and prison abolitionists. Although we don’t all share the exact same politics, we’ve come together as one group (we’re calling ourselves the “Better Angels”) because we all agree that more has to be done to support communities of people whom the current system fails, regardless of whether that failure is deliberate or not. In the spirit of software development as direct action, we set out to design and implement free software that would have the maximum social impact with the minimum lines of code, as quickly as possible.

Today, I want to introduce you to that software project, which we’re calling Buoy.

Screenshot of the Better Angels Buoy community-driven emergency dispatch system sending an alert to a crisis response team.

What is Buoy?

Buoy is a private, enhanced 9-1-1 for your website and community. We call it a “community-driven emergency dispatch system” because everything about its design is based on the idea that in situations where traditional emergency services are not available, reliable, trustworthy, or sufficient, communities can come together to aid each other in times of need. Moreover, Buoy can be used by groups of any size, ranging from national organizations like the National Coalition Against Domestic Violence (NCADV), to local community groups such as Solidarity Houston, or even private social clubs such as your World of Warcraft guild.

Indeed, the more community leaders who add the Buoy system on their websites, the safer people in those communities can be. One can imagine the Internet as a vast ocean, its many users as people sailing to the many ports on the high seas. Buoy is software that equips your website with tools that your users can use to help one another in the real world; the more buoys are deployed on the ocean, the safer traveling becomes for everyone.

How does Buoy work?

Using Buoy is simple. After a website admin installs and activates Buoy, each user of that website can define their personal response team by entering other users as their emergency contacts. This is shown in the screenshot below.

Screenshot of Buoy's "Choose your response team" page.

The “Choose your team members” page, available under the “My Team” heading in the WordPress dashboard menu, allows you to add or remove users from your response team. When you add a user, they receive an email notification inviting them to join your team.

Screenshot of Buoy's "Team Membership" page.

When you are invited to join someone’s response team, you receive an email with a link to the “Team Membership” page, shown here. On this page you can accept another user’s invitation to join their team or leave the teams you have previously joined.

After at least one person accepts your invitation to join your response team (i.e., they have opted-in to being one of your emergency contacts), you can access the Buoy emergency alert screen.

screenshot-3

You can bookmark this page and add it to your phone’s home screen so you can launch Buoy the same way you would launch any other app you installed from the app store. Pressing the large button nearest the bottom of the screen activates an alert and immediately sends notifications to your response team. Clicking on the smaller button with the chat bubble icon on it opens the custom alert dialog, shown next.

screenshot-4

Using that button with the chat-bubble icon on it, you can provide additional context about your situation that will be sent as part of the notification responders receive.

For some use cases, however, sending an alert after an emergency presents itself isn’t enough. Unfortunately, this is the only option that traditional 9-1-1 and other emergency dispatch services offer. In reality, though, there are many cases where people know they’re about to do something a little risky, and want support around that. This is what the other button with the clock icon on it is for.

Clicking on the smaller button with the clock icon on it opens the timed alert (“safe call”) dialog, shown next.

screenshot-5

Use this button to schedule an alert to be sent some time in the future. This way you can alert your response team to an emergency in the event that you are unable to cancel the alert, rather than the other way around. This is especially useful for “bad dates.” It’s also useful for border crossings or periodic check-ins with vulnerable people, such as journalists traveling overseas.

Regardless of which alert option you select, Buoy will gather some information from your device (including your location and your alert message) and either send your alert to your response team immediately or schedule the alert with the Buoy server. A nice pulsing circle animation provides visual feedback during this process.

screenshot-6

If you pressed one of the immediate alert buttons, the next thing you’ll see when you use Buoy is some safety information. This information is currently provided by the website admin, but we have some ideas of how to make this even more useful. Either way, if it is safe to do so, you can read through this information and/or take one of the suggested actions immediately. In the example screenshot here, Buoy has been installed on the website of a domestic violence survivor’s shelter, so the admin composed safety information that helps DV survivors quickly find and access even more supportive resources, such as hotlines and other nearby services like animal rescuers.

screenshot-7

If you’re in an emergency situation where interacting with your phone isn’t feasible, such as if you are being beaten or chased, you can simply ignore this screen. As long as you don’t lose or shut off your device, your device will send your location to your response team so that they will be able to track and find you, even if you travel away from the spot where the crisis originally began.

If you can interact with your phone, you can also close the safety information window at any time. When you do, you will see that behind the safety information window, a private, temporary chat room has been loaded in the background.

screenshot-8

When one of your response team members responds to your alert, they will join you in this chat room.

In addition to the chat room, behind the safety information window is also a real-time map. (The map can be accessed at any time by clicking or tapping the “Show Map” button. Tapping the same button again hides the map.)

screenshot-9

On the map, a red pin shows the initial location of the emergency. Your avatar shows your current position. As responders respond to your alert, their avatars will also be added to the map.

Buoy is just as easy to use from the point of view of a responder, as it is from the point of view of someone sending an alert. When a responder clicks on a notification from the alert (either by email, SMS/txt message, or whatever other notification mechanism they prefer—we are continually working to add new notification channels as our people-power and resources allow), they will be shown your alert message along with a map. They can click on the red pin to get turn-by-turn directions from their current location to the emergency alert signal. If they choose to respond, they click on the “Respond” button and will automatically be added to the group chat shown earlier.

screenshot-10

When a responder clicks the “Respond” button, they will automatically be added to the same live chat room that the alerter is in. They will also see the same map.

screenshot-11

The alerter and all current responders become aware of new responders as they are added to the chat room and the map. As people involved in the incident move around in the physical world, the map shown to each of the other people also updates, displaying their new location in near real time.

screenshot-12

Clicking on any of the user icons on the map reveals one-click access to both turn-by-turn directions to their location and one-click access to call them from your phone, Facetime, Skype, or whatever default calling app your device uses.
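As an added example that is not the Buoy project’s own code, here is a small JavaScript model of the flow walked through above: opt-in response teams, immediate alerts, timed “safe call” alerts that fire unless cancelled, and responders joining the live map. The class and method names, the injectable clock, and the sample coordinates are assumptions made for illustration.

```javascript
// Added example, not the Buoy plugin's own code; every name here is hypothetical.
class BuoyModel {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock, so timed alerts are testable
    this.invites = new Map(); // alerter -> Set of users invited to the team
    this.teams = new Map();   // alerter -> Set of users who accepted (opted in)
    this.pending = [];        // scheduled "safe call" alerts not yet fired
    this.alerts = [];         // incidents delivered to a response team
    this.nextId = 1;
  }

  // "Choose your team members": an invitation alone makes nobody a responder.
  invite(alerter, user) {
    if (!this.invites.has(alerter)) this.invites.set(alerter, new Set());
    this.invites.get(alerter).add(user);
  }

  // "Team Membership": only an invited user can opt in, and only by acting.
  accept(user, alerter) {
    const invited = this.invites.get(alerter);
    if (!invited || !invited.has(user)) return false;
    if (!this.teams.has(alerter)) this.teams.set(alerter, new Set());
    this.teams.get(alerter).add(user);
    return true;
  }

  // The alert screen is reachable only once at least one contact has opted in.
  canAlert(alerter) {
    const team = this.teams.get(alerter);
    return Boolean(team) && team.size > 0;
  }

  // Immediate alert: message and location go to every opted-in team member.
  alert(alerter, message, location) {
    if (!this.canAlert(alerter)) throw new Error('no opted-in response team');
    const incident = {
      id: this.nextId++, alerter, message,
      origin: { ...location },                   // red pin: where it began
      positions: { [alerter]: { ...location } }, // live positions on the map
      recipients: [...this.teams.get(alerter)],
      responders: [],
    };
    this.alerts.push(incident);
    return incident;
  }

  // Timed alert ("safe call"): fires at dueAt unless the alerter cancels first.
  scheduleSafeCall(alerter, delayMs, message, location) {
    if (!this.canAlert(alerter)) throw new Error('no opted-in response team');
    const id = this.nextId++;
    this.pending.push({ id, alerter, message, location, dueAt: this.now() + delayMs });
    return id;
  }

  // Only the alerter who scheduled a safe call may cancel it.
  cancelSafeCall(alerter, id) {
    const i = this.pending.findIndex(p => p.id === id && p.alerter === alerter);
    if (i === -1) return false;
    this.pending.splice(i, 1);
    return true;
  }

  // Server-side sweep: deliver every safe call whose deadline has passed.
  // A safe call whose team has emptied since scheduling has nobody to notify, so it is dropped.
  tick() {
    const t = this.now();
    const due = this.pending.filter(p => p.dueAt <= t);
    this.pending = this.pending.filter(p => p.dueAt > t);
    return due.filter(p => this.canAlert(p.alerter))
              .map(p => this.alert(p.alerter, p.message, p.location));
  }

  // A notified team member presses "Respond": they join the chat and the map.
  respond(user, incidentId, location) {
    const incident = this.alerts.find(a => a.id === incidentId);
    if (!incident || !incident.recipients.includes(user)) return null;
    if (!incident.responders.includes(user)) incident.responders.push(user);
    incident.positions[user] = { ...location };
    return incident;
  }
}

// Constructed walk-through: Alice invites Bob, Bob opts in, Alice schedules a
// 30-minute safe call she never cancels, and Bob responds once it fires.
function demoSafeCall() {
  let clock = 0;
  const buoy = new BuoyModel(() => clock);
  buoy.invite('alice', 'bob');
  buoy.accept('bob', 'alice');
  buoy.scheduleSafeCall('alice', 30 * 60 * 1000, 'bad date, check on me',
                        { lat: 35.0844, lon: -106.6504 }); // constructed coordinates
  clock = 31 * 60 * 1000;
  const [incident] = buoy.tick();
  buoy.respond('bob', incident.id, { lat: 35.09, lon: -106.65 });
  return incident;
}
```
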

Who should use Buoy? Should it only be used in emergencies?

Although Buoy is designed to be useful in even the most physically high-risk situations such as domestic or dating violence abuses, kidnapping, home invasion, and other frightening scenarios, you can use Buoy however you want. We particularly encourage you to use Buoy when you feel like your situation may not rise to the level of calling 9-1-1 or when you feel like the presence of police officers will not improve the situation.

For instance:

  • If you feel you are being followed as you walk home on campus, use Buoy. Your friends will be able to watch your location on their screens and quietly chat with you as you walk home, ensuring you reach your destination safely.
  • If you or someone you are with feels suicidal, or is having a “bad trip,” and you don’t want cops showing up to your house but need assistance, use Buoy. Responders will be notified of your physical location and will be able to coordinate a response action with you and with each other in real time without ever notifying the authorities of the situation.
  • If you are with a group at an outing such as a hike or a large amusement park and get separated from your group, use Buoy. Each group member will be able to see one another’s current location on a map, can easily coordinate where to meet up, and can even access turn-by-turn directions to one another’s locations with one tap of a finger.

We’ve designed Buoy with people for whom “calling the cops” is not possible or safe, such as:

  • Undocumented immigrant and homeless populations.
  • Domestic violence victims and survivors.
  • Social justice and social change activists/political dissidents.
  • Freed prisoners.
  • Frequent targets of assault and street harassment (trans/queer people, women).
  • People suffering from a medical or mental health emergency.
  • Especially all the intersections of the above (homeless feminine queer youth of color, for instance).

In other words, these are all demographics who could benefit by having “someone to call” in the event of an emergency for whom “the police” is obviously a counterproductive answer, because when police are involved they are more likely to escalate the situation than de-escalate it.

That said, even if these descriptions don’t fit who you are, you can still use Buoy and if you do, we hope you find it useful.

How can I get Buoy?

Buoy is a bit like a very advanced telephone. Just like a telephone, it’s not very useful if no one else you know has one! For Buoy, or a telephone, to be useful, you have to know someone else who already has it.

Since Buoy is so new and is designed to be used in real-life emergencies, we are only working with a small group of alpha testers in order to ensure that there are no major technical or usability issues before its widespread adoption. However, we are very excited about the possibilities and we are currently looking to include more people in the testing process. If you think this is exciting and want to help put the finishing polish on this tool, please get in touch with someone from the Better Angels collective directly; links to our contact information are posted on the Buoy project’s development site. (Or just email me at bitetheappleback+better.angels.buoy@gmail.com directly.)

That being said, if you are a community leader, and you maintain a WordPress-powered website, you can try out Buoy right now by installing it directly from your WordPress admin screens! It’s just as easy to install as any other WordPress plugin. Similarly, if you yourself are not a “community leader,” but you want to try it out, you can either ask to join our private testing phase or you can tell others in your community about Buoy and see if the group of you can install it on your own group’s website.

If you do that, don’t hesitate to ask for technical or other help of any kind over at the Buoy support forums.

How can I help Better Angels projects?

There’s a lot you can do to help make Buoy better or help the Better Angels collective more generally! Check out our contributor guides for more information! Of course, one of the most immediate things you can do to help is spread the word about this project. (Hint hint, click the reshare button, nudge nudge!) Cash donations are also very helpful! Finally, we’re also trying very hard to get the entire tool translated into Spanish, so if you’re bilingual and want to help, please sign up to be a Better Angels translator here.

We think Buoy is a great tool for building strong, autonomous, socially responsible, self-sufficient communities, and we hope you’ll join us in empowering those communities by making them aware of Buoy.

CryptoParty Albuquerque: Know Your (Digital) Rights

A few weeks ago I had the pleasure of hosting CryptoParty Albuquerque. If you missed the party (and it was an awesome party), be sure to check out my “what you missed” post about CryptoParty Albuquerque. As I wrote there, my co-host and I began CryptoParty Albuquerque with two back-to-back presentations to ensure that everyone participating got exposed to what we felt are the most fundamental bits of information.

My opening presentation was first and it was a gentle introduction to threats and how to defend against them. After that, I handed the mic to my co-host, who gave a brief “digital know your rights” talk. A video and a transcript of that presentation is below:

So, it’s good to encrypt your data using all the tools available, but what happens when you’re faced with police wanting to search your digital device? Well, the best tool you have then is to know your rights! And thanks to the Electronic Frontier Foundation (EFF) and their helpful guides we know what to do when the police come around asking to search your phone or computer. Tonight I’m going to be talking about what your rights are and how to act around the police, essentially giving you a brief overview of the guides the EFF has available.

With that in mind, I am not a lawyer and I am not giving you actual legal advice, I am just sharing with you what I learned from reading a bunch of stuff on the internet, because I care about these things, but it is not actual legal advice. Please use these suggestions at your own discretion.

The rights protecting your digital device are pretty much the same that are granted to you by the fourth amendment of the constitution. You are protected against unreasonable search and seizure of your phone. With a few exceptions, you’re not obliged to let the authorities into your device, so we say the fourth amendment mostly applies.

We need to borrow a bit from maymay’s threat model from the previous presentation and figure out who we are and what we are protecting. We’re going to go over four roles in this presentation and those include:

  • a person going about your day
  • a protester, activist, or someone documenting a protest or the police themselves
  • an employee at your job
  • a person crossing the border into the U.S.

Rights are different for each of these roles, and I’ll go over each in more detail.
Before I do, I want to say that if you are not a citizen of the U.S. you are still, amazingly enough, protected by the fourth and fifth amendments, but your interaction with the police may be more complicated depending on your immigration status. Unfortunately, that situation is beyond the scope of this presentation, but there are resources available to you if you are not a citizen and the police are compelling you to let them search your device. Besides the EFF, you can contact the National Lawyers Guild, and locally, Somos un Pueblo Unido, a wonderful organization based in Santa Fe, and the NM chapter of the Dreamers. These will have specialized legal resources that can be made available to you as an immigrant; however, the following tips still do apply.

So the first situation is you’re just going about your day, and Officer Johnson comes up to you and says “I’d like to search your phone!” What do you do? Well, you should have already encrypted your device. If you encrypt your device, it will be protected against easy access, and you have the right not to give up your passphrase under any circumstances. The best protection is a full passphrase with encryption, as screen locks, like the four digits on iOS or the pattern match on Android, are easily bypassed. Now, a grand jury or a judge may try to compel you to give up your passphrase and decrypt your device, but the police cannot, and if you find yourself in a situation where a judge or jury is trying to make you give up your passphrase, please call the EFF, they’ll help you out.

Now, you have an encrypted device, and Officer Johnson wants to search it. Well, don’t consent to a search! Say “I do not consent to a search.” In fact, don’t say anything else, and say nothing about your passphrase or how you protected your device. You have the right to be silent and ask to speak to a lawyer before any questioning. Keep saying you don’t consent to a search. If the officer has a warrant and they come to your home, don’t open the door, but ask them to slide the warrant underneath the door. Verify the warrant is perfect. It needs four things to be correct: your name and address, typo-free; the scope of the warrant, meaning what they can search; a judge’s signature; and a deadline that cannot have passed. If any of these are wrong or missing, give the warrant back to them and refuse the search, telling them to come back with a valid warrant. Use that time to encrypt your device. If the warrant is valid, or if they’re conducting a warrantless search on your device without your consent, contact a lawyer if you have one, or the EFF if you don’t. Finally, be careful using biometrics like fingerprints to lock your device. Police can compel you to unlock a device with your fingerprint as these are part of your identity, and the government already has them on file. If you use a fingerprint lock, turn off your phone so the fingerprint is flushed from memory and your passphrase is needed to unlock the device.

If you’re an activist at a protest or documenting a protest or the police, these special tips may be useful to you:

You can legally film the police, anytime, in any public space. If they tell you to stop filming, say you are legally filming the police and it is constitutionally protected. Also be sure to livestream in case they don’t care about your constitutional rights, and most importantly, protect yourself over your device. In fact, consider a burner phone. These are relatively inexpensive phones that you use in protests or as an alternative to your actual personal phone. The idea is that there’s nothing important on these phones, they are single use and can be lost without personal data being sacrificed. Regardless of what kind of phone you bring to a protest, encrypt your device! This makes it harder for the police or anyone to get at whatever you were recording or communicating to your fellow activists. Finally, mass arrests are unfortunately not uncommon at protests and actions, so remember that if you are arrested, after you are released you should get your device back. If not, file a motion for it to be released, even if the police put it into forfeiture or think it holds evidence of a crime, you can still get it back.

What if you’re an employee and have a work computer? Well, in that case, don’t use your work computer for personal communications of any kind. Use it only for work. This isn’t just what your boss wants; it’s also good for you, as your employer can consent to searches of computers they give you, and furthermore, you don’t know if they’re logging your computer activity. In fact, they probably are. So, you should also encrypt your network traffic as much as possible, especially if your work computer is your only computer and you need to use it for personal reasons occasionally. And if your boss ever asks for your personal passwords, like to Facebook, for example, tell them no, even if they say it is in your contract. It’s illegal for employers to ask employees for personal passwords, and any contract with such a clause is illegal. For that matter, don’t mix personal passwords and work passwords.

One last role, and it’s a special one: what if you are crossing the border into the U.S.? In this case, the Fourth Amendment doesn’t apply. Customs and Border Patrol agents at the US borders are empowered to search and often confiscate anything entering the United States, including your digital device. So what do you do? Well, as usual, encrypt your device, and turn it off before you reach the border. As with the police, you cannot be compelled to give up your passphrase to a device, and even though border agents can confiscate and forensically search your device, it will be more difficult for them, and more private for you, if your device is protected by a strong passphrase and encryption. The EFF has even more tips about how to protect your data at the border in its border crossing guide online, so check it out. Lastly, some US states provide stronger protections against confiscation at the border, that is, the agents in these states need probable cause to confiscate your device, so try to enter the U.S. through them. These states include Arizona (shockingly), California, Oregon, Washington, Idaho, Montana, Alaska, and Hawaii. Some territories also provide these protections. Remember, international airports count as borders.

Now, while this presentation described your rights and some suggested behaviors when dealing with the police, it does not, unfortunately, describe how the police will actually act. As we’ve seen time and again, the police wield great power, and they will not always act in accordance with your rights. So, even if you flex your rights as suggested in these presentations, the police may still illegally search, confiscate, or even destroy your phone or computer. In this case, it is best to not obstruct them, note their name and badge number if you can, stay silent, contact a lawyer or the EFF, and above all, protect yourself so you can share what happened with people who care, and we can signal boost your story.

For more complete information and advice, please visit the EFF, from which I culled much of this information. Oh, and, thanks EFF for all the great work you do. More resources on how to interact with the police are on copwatch.org, as well.

Thanks for watching and be secure out there!

CryptoParty Albuquerque: A Gentle Introduction to Threats and How To Defend Against Them

One of the unique things about CryptoParty Albuquerque was simply the diversity of participants. Not only was CryptoParty Albuquerque the largest cryptoparty I’ve had the pleasure to host (it began with over 35 people, check out this blog post to get a debrief on what you may have missed), but it was also the only one that didn’t have a pre-existing audience specifically in mind. What I mean is that, prior to this cryptoparty, the other cryptoparties I’ve hosted have all been for a single community—queer activists, or reporters, for example—rather than being aimed at “everybody.”

This means that, unlike other cryptoparties that functioned almost like anti-surveillance boot camps, this one really was a party in addition to being a skills-building workshop. The fact that we had ongoing educational activities that were set up kind of like museum exhibits (that you could touch, of course) in the center of the social and food spaces was really helpful. But it also meant that it was a bit more difficult to set the stage for the event at the beginning, because we didn’t really know who was going to be there or what they wanted to focus on.

My co-host and I knew we wanted to start the event in one large group, because we wanted to make sure that everyone who participated was exposed to the most foundational concepts and immediately useful information. We decided that this meant we wanted to at least touch on these three things before we split up into breakout sessions:

  • threat modeling,
  • politics, and
  • digital “Know Your Rights” training.

What we ended up doing was back-to-back presentations at the start of the cryptoparty, in which I gave a presentation on the first two bullet points, combining an introduction to threat modeling with the political importance of what we are doing. This made sense to us because it is specifically the fascistic politics of the current Amerikkkan surveillance state that threatens the livelihood and pursuit of liberty of most people (of color) around the globe, obviously.

In my usual style, I created a fast-paced visual slideshow and distilled numerous different sources of information into a speech covering the bare essentials of threat modeling and surveillance politics that clocked in at under ten minutes. Unfortunately, my presentation was not recorded live at the cryptoparty itself, but I’ve recreated it in this video embedded below. What follows is the re-created video of my introduction to CryptoParty Albuquerque and an aspirational transcript of my welcome speech:

Are. You. Ready. To. CRYPTO?

:)

Welcome, welcome everybody to CryptoParty Albuquerque, the first crypto party in New Mexico! Thank you to our hosts, thank you to my co-host and co-organizers, to everyone who’s been working so hard this past week to make this event happen. And, of course, thank YOU all for coming!

So, the tagline of this event is “Learn how to protect your data from prying eyes,” and that’s what we’ll be doing during the CryptoParty. You’ll have the opportunity to participate in a hands-on digital safety training, some privacy workshops, and if you take a look around, you’ll see we’ve set up numerous educational activities around the space at our “activity stations.” We’ll talk more about all of these in just a little bit.

But when we say “learn how to protect your data from prying eyes,” the obvious next question is: “Whose eyes?” In other words, who are we protecting our data from? Well, broadly speaking, there are three main categories of adversaries one might want to protect one’s data from. They are:

  • Governments,
  • Corporations,
  • and malicious individuals.

When it comes to governments, I like to quote Taylor Swift, who says, “Mass surveillance is the elegant oppression, a panopticon without bars. Its cage is small but out of sight, behind the eyes—on the mind.”

Swift is talking here about the global and domestic mass spying conducted by the NSA. And, okay, maybe this isn’t a real Taylor Swift quote, but you get the idea.

If this is a bit too abstract for you, remember that just this week we learned that the Department of Homeland Security has been monitoring the Black Lives Matter movement since anti-police protests erupted in Ferguson, Missouri last summer. DHS agents are even producing minute-by-minute reports on protesters’ movements, even for the most mundane of community events. This shit is real, my friends!

With regards to corporate adversaries, we see plenty of examples of abuse and privacy-violating behavior. In November of 2014, for example, Josh Mohrer, the general manager of Uber New York, was busted for using an internal Uber tool called “God View” that shows the company’s execs the real-time location of every single customer and driver. Mohrer was using the tool to track the movements of a journalist, without her permission or consent. And just one month before that, in October 2014, two bombshell stories in the New York Times detailed how PR firms representing the oil and gas industry have been openly plotting campaigns of dirty tricks against anti-fracking activists and opponents of the Keystone XL pipeline.

And then, of course, there are malicious individuals:

A normal Wednesday afternoon, this Colorado man is playing his favorite shooting game: heavily armed SWAT teams battling criminals, when suddenly the imaginary world broke into reality—quite literally.

“I think we’re getting SWAT’ed. What in the world?”

“POLICE! PUT YOUR HANDS UP! HANDS ON YOUR HEAD! GET ON THE GROUND! NOW! MOVE! GET ON THE GROUND! GET ON THE FUCKING GROUND!”

The gamer, known as Kootra, was swatted.

This is a new kind of prank called swatting. This term stands for a mean prank: anonymous hackers reporting fake hostage situations and other violent crimes, all just to see SWAT teams rush in on innocent victims.

Swatting. I also call this: “attempted murder by cop.” So these are some examples of WHO you might want to protect your data from, and why.

Now, you might be thinking to yourself, “Okay, that’s great, but…how?”

The answer to that is: Encryption.

Encryption is just math. But don’t worry! You don’t need to know any math—not even basic addition—because a bunch of very smart people already worked the math out, and a huge community of free software advocates encoded the mathematical algorithms in computer software programs. All you have to learn is how to use the software, and that’s what we’ll do here during the CryptoParty.

For example, if you want to browse the Internet anonymously or bypass online censorship, use Tor, a special Web browser that helps keep your physical-world location secret while you explore the Internet. Or perhaps you want to send a private text message? Use an app called TextSecure. Share a file without revealing your location? OnionShare. Chat secretly? There’s an app for that, too. Software called the GNU Privacy Guard, or GPG for short, can secure your email, and you can install browser add-ons like Mailvelope to use it with your existing GMail account.

We’ll learn more about all of these tools tonight, during the CryptoParty. But with so many tools to learn, how do we decide what to use? And which one do we use, and when? For that, we need a “threat model.”

A threat model is just a way of narrowly thinking about the sorts of protection you want for your data, and how to go about actually protecting it. Whenever you begin assessing threats to you or your data, ask yourself some basic questions about your situation, like:

  • What do you want to protect? We call things you want to protect “assets.” Assets can be physical, like your laptop or phone. But assets can also be information, like some information in an email, or knowledge of your home address.
  • Who do you want to protect it from? We just talked about adversaries: they are the people or organizations attempting to undermine your security or violate your privacy.

There are also some other questions involved in assessing threats, but the answers to all of these questions are personal and subjective. They’ll be different for different people. And we’re not here to tell you what to think or how to feel. That, obviously, is your government’s job.

So what we’re going to do is introduce a simple framework that you can understand and use to make better informed choices about the technology you use so that you can take steps to protect your privacy, confidentiality, and integrity. Remember, after all, that different people have different assets to protect from different adversaries.

Threat Pyramid

Importantly, different adversaries pose different kinds of threats, based on what capabilities they have. For example, an individual with a grudge may be able to send you harassing e-mails, but they don’t have access to all of your phone records, so they can’t use those against you. Your mobile phone provider, however, does have all your call logs, and therefore has the capability to use that data in harmful ways. Your government has even stronger capabilities.

Notice, also, the number of adversaries who can pose major threats is much smaller than the number who can pose only mild threats or annoyances. The power to do the most harm is concentrated in governments and some multinationals with extremely sophisticated capabilities. The more of a threat these capable adversaries can pose, the more power they have over everyone below them on the pyramid.

Now, it is specifically this hierarchy, where the most resourced governments and corporations have more surveillance capability than everyone else, that is sold to us as “security.” And the issue is not that no measure of security can be had from this arrangement. The issue is that whatever so-called “security” this set-up does happen to offer you is a matter of benevolence from everyone above you in the pyramid.

Let’s take a second look at these. What are these things?

Cameras mounted on a wall.

I bet at least half of you are thinking to yourselves, “Those are security cameras,” aren’t you? But these cameras do not, themselves, provide security. These are surveillance cameras. They collect data about everything they can see. That data—that video record—only increases your security if the person who controls the video record has your best interests at heart. Otherwise, the data collected by these cameras only help the people controlling the cameras; think about the huge difference between cameras on cops, and cops on camera.

So the people who perform the most powerful surveillance in the world are at the top of the pyramid—that would be the USA, and the UK, etc. Anyone who chooses to rely on such surveillance for their “security” is putting blind trust in everyone who performs more powerful surveillance than they can.

A common fallacy is that with total surveillance comes security. That is, they say that after you give up your privacy, they will give you security. But what we see in reality is that even with that total surveillance, you still have the Westgate Shopping Mall terrorist attack in Kenya, you still have the Boston Marathon bombing, you still have the Emanuel African Methodist Episcopal Church shooting in downtown Charleston, and it is not stopped. Not to mention things like SWAT-ting, abusive phone calls from your evil ex, and the constant small harassments normal people deal with on a daily basis. And these attacks are not stopped because surveillance, itself, is not security.

Surveillance brings the ability to control some people some of the time, because “When we know we might be under surveillance, our behavior changes. We might decide not to go to a political meeting, to censor what we tell friends, family, and colleagues, thinking it might fall into the wrong hands or simply be made public. Under surveillance we may decide not to become a whistleblower.” Surveillance erodes privacy, which is a necessary condition for thinking and expressing oneself freely. But it still does not make us safe.

So our privacy is violated, our ability to express ourselves is controlled. Meanwhile, violent attacks on random individuals are rarely stopped. Our security is far from guaranteed. The people who benefit from surveillance are the people behind the video camera, not the people in front of it.

If we can’t rely on big, powerful surveillance states with sophisticated technology to have our best interests at heart—and we can’t—what can we do to keep ourselves safe and secure?

In the digital realm, we can encrypt, because encryption doesn’t depend on anybody else’s good will. It depends solely on math. No amount of physical force can coerce or threaten math. The police cannot beat up encryption algorithms with a nightstick. Encryption, like an idea, is literally bulletproof.

At this point, maybe some of you are thinking, “Yeah! Encrypt ALL the things!” And maybe some other people in the audience are sitting here thinking, “Augh! This sounds hard!” To you folks, I want to say: Take a deep breath, relax. Remember that you don’t have to be perfect at this. Remember that all things are difficult before they are easy. Remember that you don’t have to encrypt all the things immediately, today. There is a lot to learn!

So pick one thing, just one thing to start out with based on your personal threat model, because every little bit does help. The more encrypted data there is out there, the safer everyone who uses encryption is. And even if all you do is encrypt your apple strudel recipes when you send emails to your mother, you’re still helping by making it harder and more expensive for the adversaries of political dissidents, activists, journalists, friends, colleagues, and family, to target them.

So choose a tool you’re interested in knowing more about, go to a breakout session, and above all else, remember: KEEP CALM AND ENCRYPT.

Thank you all for listening.

What you missed at CryptoParty Albuquerque

CryptoParty Albuquerque, the first cryptoparty in New Mexico, was a huge success. It was by far the largest CryptoParty I’ve ever had the pleasure to help organize, with over 35 people showing up for the very start and more trickling in throughout the day. Due to its size, the format of the CryptoParty varied from other, smaller ones that I’ve hosted before.

We had pizza, popcorn, and drinks set up in the back of our space, where most people gathered to socialize and mingle and get to know one another pre-party. Then, shortly before the start of the event, we cranked up the volume on the four-panel main screen at the front of our space and played the excellent CryptoParty intro video, featuring excerpts from JuiceRapNews, and clips of interviews with Jacob Appelbaum, William Binney, and others. You should watch it, it’s fun:

By the time the intro video had played a third of the way through, everyone in the space had gathered around to watch it:


We immediately followed that with two whole-group introductory presentations. I had spent the past few days making a “Welcome and Intro to CryptoParty Albuquerque” presentation, which I presented first. It included an introduction to threat modeling and discussed the importance of pro-privacy and anti-surveillance thinking. My presentation was not recorded live, but I recreated it in this video of the slideshow I used:

Then I handed the mic to my fellow CryptoParty host, who followed me with a Digital Know Your Rights presentation and its own slideshow, which I’ll link to from this post when I get a copy of the slides. Update: here is the Digital Know Your Rights presentation.

Our presentations were ten minutes each, so with the ten minute intro video, these three parts of the CryptoParty took only 30 minutes.

By now, people were ready to get their hands dirty, so we broke the huge crowd up into two groups: people who wanted to learn tools for use on their laptops, and people who wanted to learn tools for use on their smartphones. Thankfully, we had a roughly even number of folks interested in each breakout session. We had created a big grid with masking tape on one of the walls earlier, and during the pre-party socializing we asked people to write their names (or pseudonyms) on sticky notes and post a sticky note into whatever part of the grid was of interest to them. They could post as many sticky notes as they wanted to, and could choose to use either blue-colored sticky notes to indicate that they felt comfortable educating others about the topic in question, or yellow-colored sticky notes to indicate that they wanted to learn about the topic from others. Our “Interest Grid” ended up looking something like this:

CryptoParty ABQ Interest Grid (educators are blue, learners are yellow). The grid had a “Mobile” column and a “Desktop” column for each of these “Hot Knowledge” topics:

  • Private SMS/txt messaging
  • Private phone calls
  • Secure+Anonymous Web browsing
  • Secure+Anonymous File Sharing
  • Private video calls
  • Full disk/device encryption
  • Private emails

So we broke the group into separate “Mobile” and “Desktop” workshops, intending to cover as much as we possibly could with such large groups. I led the “Desktop” workshop session, and within the next hour and a half or so, most folks who participated (more than 15) left having installed TorBrowser, OnionShare, and one of Mailvelope, MacGPG, or Thunderbird and Enigmail. They also generated a keypair, submitted their keys to a keyserver, and tested sending encrypted email to one another. Everyone who created a keypair successfully sent an encrypted email! There was even a college student who brought her mother to the CryptoParty, and both of them were able to successfully send each other GPG-encrypted emails.

I don’t know exactly how well the mobile session went, because I wasn’t there, but from what I heard, the results were similarly great. Most folks left the workshop having TextSecure and RedPhone (for Android) or Signal (for iOS) installed and working, and had verified one another’s fingerprints. I also heard there was a lot of success getting Orbot and Orweb installed on people’s Android devices, and OnionBrowser for the iOS users.

There were also some folks who didn’t go to either breakout workshop, either because they didn’t bring any devices at all, they were just there to socialize, or because they were already familiar with what we were teaching. I also noticed that some of the folks who said they were familiar with the technologies we’d teach really stepped up and helped the people sitting next to them get things installed in the odd case where something didn’t work or someone was feeling a bit lost. It was so great to have that much in-crowd help for groups this large!

Mostly, the rest of the folks hung around the food area to socialize, but they also explored the various “activity stations” my fellow CryptoParty host and I had set up before the start of the party. These included an old laptop running Wireshark, an old MacBook running Tails off a USB stick, and an “Ask a Hacker” box into which people could drop index cards with questions to be answered later. The Tails demo station and the Wireshark network traffic viewing station generated a lot of really great questions from people, and I think everyone enjoyed having the ability to click around on the computers knowing they weren’t going to screw anything up, particularly the people who had never heard of Wireshark or Tails before.

In addition to the “Activity Stations,” several local artists set up their artwork around the social areas of our party space. Behind the food, there was a flatscreen TV showing a demo of a new game design tool called MeshTracer, courtesy of Kurt Hollowell and DogEatDogGames.com, which looked something like this:

On the other side of the social space were these hollow glass sculptures filled with various different gasses, created by Albuquerque local Carl Willis:


All throughout the space, including in the workshop areas, we also printed up a bunch of CryptoParty posters and other artwork along a cypherpunk and anti-capitalist theme. This set of posters taped on one of the pillars was my favorite:


Other posters featured Anonymous-style Guy Fawkes masks with derisive things about the NSA, retro-style Tor promo posters, and the like.

After the breakout workshops, everyone regrouped for a short debrief, where my fellow host and I answered some of the “Ask a Hacker” questions. One of the questions was “How secure are my dick pics?” Another was about BitTorrent, so I referred folks to the beginner’s BitTorrent guide I wrote up previously. Here’s a pic of us doing that:


By this point, the band was all set up and ready to play, so we were all treated to a live Ugly Robot set! They gave away free merch (I won an Ugly Robot shirt!), led us all in a “dance like a robot” mini-march, and got me in trouble for figuring out how to turn off the lights in the venue (kill the right breakers, duh) so that their custom-programmed visualizers behind them would look better. (LoL, capitalists and their “entrepreneurial” venues don’t know how to have any fun.)


While the band played, the more technical among us had a keysigning party, where we signed one another’s pre-existing GPG keys and showed the less experienced what this was all about. There was still pizza and beer, which was good because more people showed up specifically to hear the band. They got in on the fun, too, though, and most of them left with EFF handouts and other pocket guides for how to deal with police harassment that we had printed up and placed on all the clear surfaces.

By the end of the night, people were already talking about CryptoParty Albuquerque number 2, and several folks suggested different venues that might want to host it. My hope is that the next event chooses a venue that doesn’t have such a stick up their asses about having a party and turning down the lights for a band, sheesh.

Anyway, I’d say we sparked some interest! All in all, a massive success!

You’re invited to CryptoParty Albuquerque: Learn how to protect your data from prying eyes!

Recently, I’ve been helping these folks get the first ever CryptoParties happening in New Mexico. If you’re going to be in or around the Albuquerque, New Mexico area next weekend, join us for a party! Either way, tell your friends. :)

CryptoParty Albuquerque, a new small collective of hackers, makers, and doers of various ages, with various levels of technical knowledge, is getting together next Sunday, July 26 at 4pm to throw a kick ass party while learning and teaching one another about privacy and security, encryption, digital safety, cryptography, and free software. And YOU’RE INVITED!

When Officer Friendly asks:

CryptoParty Albuquerque is a free and public event where we will run digital safety training and anti-surveillance workshops to help activists, journalists, change makers, and other vulnerable people protect their data from the prying eyes of the government, local police departments, and corporate spooks. The party and workshops are being hosted at Fat Pipe (200 Broadway Blvd NE, Albuquerque NM).

More information is available at our website: ABQCryptoParty.com.

What is a CryptoParty? Watch any of the short introductory videos here:

abqcryptoparty.com/intro

CryptoParty Albuquerque is free, there will be food, there will be solidarity, there will be music! Hell, there may even be dancing! Ain’t no party like a CryptoParty! :)

If you use Facebook, you may also invite folks to the event using this link:

https://www.facebook.com/events/917582934947858/

Thanks for your attention and we hope to see you at CryptoParty Albuquerque!

Remembering Caspar Bowden on “The Cloud Conspiracy”

“We live in a comic book.” It’s what friends and I say to remind one another that the dystopian future Orwell and others ominously predicted has come true. But just as the dastardly deeds of corrupt government officials and other villains implementing panoptic surveillance on the scale of Hollywood’s best plots have come true, so too have regular people like you and me been transformed into comic book-like superheroes.

Last week, privacy campaigner Caspar Bowden passed away from a malignant melanoma cancer. He was 53 years old. Caspar Bowden is most recently famous for independently deducing the existence of illegal NSA mass domestic and foreign spying (global warrantless wiretapping) using only publicly available sources such as public record legal documents. He was roundly ignored and sidelined, immediately being fired from his position as Chief Privacy Advisor at Microsoft, but he rose to renewed prominence after NSA whistleblower Edward Snowden revealed that his deductions were correct.

Caspar Bowden became a strong proponent of Free, Libre, Open Source Software (FLOSS) and joined the board of the Tor Project. In 2014, he gave a speech at the 31st Chaos Communication Congress titled “The Cloud Conspiracy” about his story. Like any thrilling comic book, it begins with an internal board meeting at the headquarters of one of the world’s corporate superpowers:

For 9 years, I was Chief Privacy Advisor at Microsoft. And I have to explain a bit about what that job was. I didn’t have any responsibility for legal compliance, thankfully. I didn’t do anything, really, in US privacy.

My job was to advise 40 “National Technology Officers” around the world. And at Microsoft, a National Technology Officer is a guy with a big brain, often one or two Ph.D.s, able to function essentially as Microsoft’s ambassador to governments around the world at a very senior level, normally citizens of their own country. In a sense, you could boil down their job to: if Steve Ballmer wanted to get a Prime Minister on the phone in half an hour, it was the NTO’s job to get that done.

So, I didn’t know about [the NSA’s secret spying program now known as] PRISM when I was at Microsoft, and what I’m about to tell you I deduced from open sources and deciding to read the American laws. Nobody asked me to do this. What happened to me after that I explained to a big internal Microsoft strategy conference about cloud computing, with all of the cloud management there, all of my National Technology Officers there, the deputy general counsel of Microsoft there, what I’d discovered. And I said to my technology officers, “Look, you ought to know this. If you sell Microsoft cloud computing to your own governments, then this law means that the NSA can conduct unlimited mass surveillance on that data.”

So the deputy general counsel at Microsoft turned green. I’d never seen anyone turn green before, but she did. There was dead silence in the room. In the coffee break, I was threatened with being fired, and then two months later they did fire me without cause.

So, since then, I’ve really, since 2011, went around trying to tell as many people as I could about what I’d discovered. And I’ve given variants of this speech now about 20 times, I suppose. But I hope this brings things right up to date as of about 2 weeks ago, and also, I’m going to tell you some things which I haven’t told before.

In the speech that follows, Caspar gives a breathtakingly detailed yet accessible overview of the legal, political, economic, and societal pressures that led to total deadlock in the European Union’s highest level of government, leaving its citizens vulnerable to the NSA’s predations and other increasingly militarized cyber-intelligence operations.

Watch Caspar Bowden’s whole speech here.

So. “We live in a comic book.” Are you a 1 or a zero?