By anonymous
When I advise mutual aid groups and activists on their cybersecurity, their first question is often “What messaging app should we use?”
The answer is Signal. But, while encrypted messaging is important, just “using the right app” really isn’t enough. If a right wing activist can log into your accounts, or a police officer unlocks the phone of the person you’re messaging after a protest, it doesn’t really matter how well encrypted your messages were in transit. The messages of your entire group are now going to be in the hands of someone who can use them to harm all of you.
Our cybersecurity isn’t individual — it’s built with and through the actions of our community. As our cybersecurity risks increase in the coming years, we need to stop thinking of it as a personal concern, and start thinking of it as a community endeavor. We live in a cyber risk ecosystem, and if you haven’t taken the necessary steps to understand those risks or protect your devices, accounts, and communications, it makes your entire community more vulnerable to those risks as well.
What are these risks? There are basically three broad categories we should consider: We all face a very heavy ‘background noise’ of financially motivated attacks from scammers and extortionists. For those of us politically involved on the left, we will also face similar attacks from right wing hacktivists. And finally, we should limit our exposure to government surveillance.
There are many, many forms each of these attacks can take, but it’s important to understand the most common. For political hacktivists and financial extortionists, the methods will be similar. First, trying to log into your accounts with username/password pairs that were leaked from other hacked websites. Second, “phishing” emails and “smishing” texts that try to get you to download files or enter your password into a mimicry of an actual login page. Finally, exploiting technical vulnerabilities in your operating system or browser if it hasn’t been kept up-to-date.
Clandestine government agencies may engage in these attacks as well, but the vast majority of government surveillance is much simpler. Law enforcement will just ask relevant corporations to hand over all relevant information about you. Google, Meta, and many other corporations have specific web portals to actively facilitate these requests. And if you’re stopped at a protest or on the street, cops can and will forcibly unlock your phone using thumbprint or facial recognition if no password lock is enabled.
I believe that the likelihood and magnitude of all three of these risks (financial extortion, political hacktivism, and government surveillance) will increase a lot in the coming years for leftists, anarchists, activists, and nonconformists in the US. With Trump’s far-right politics and talk about fighting “the enemy within”, it doesn’t take a huge amount of historical analysis to see that there will likely be an increase in surveillance and prosecution based on political ideology. But I believe that financial extortion and political hacktivism against the left will drastically increase as well, once it becomes clear that the administration now lacks the will to prosecute such attacks.
The impact of these can be serious. Law enforcement investigations could lead to prosecution or incarceration. Not just for you, but for those you have messaged. We wouldn’t talk to cops about our friend’s activities, but many of us continue to communicate via unencrypted mediums (email, text) over corporate servers (Gmail, Meta), on insecure devices (no password or not up to date). If cops can find something incriminating in a conversation, imagine what they can find across all of your collected emails or texts with a person.
In addition, as our government-run social safety nets are pillaged, it will become much more difficult to recover from financial fraud and extortion. While the background noise of financially motivated attacks can affect anyone, this will be particularly true for individuals and organizations that become politically targeted. It’s hard to be an effective activist if your elderly relative has just had their financial accounts drained, or your partner’s intimate pictures have been posted publicly online for ransom. Brown shirts have always been the first, cutting blade of fascist violence, and it’s hard to imagine far right groups desisting from these attacks once they feel a carte blanche to pursue those of us on the left without repercussions.
So, how will we face these threats? The anarchist answer is predictable — solidarity, mutual aid, community care. Masking in a pandemic. Providing food for your neighbors. Once again, in yet another domain, we need to help each other to our feet in the still-crumbling ruins, to build a safer world for ourselves, together.
Below, I’ve provided a basic checklist to help you secure your devices to keep yourself and your community safe. I encourage you to share this list (or even a single bullet point!) with someone else in your community as well.
There’s not space to fully explain all of these protections, and even this checklist should be mostly considered a healthy starting place! For more in-depth information you can visit privacyguides.org or infosecforactivists.org.
Checklist:
For all of your Devices (phones, tablets, computers)
- Password (not face/thumb!) required to unlock lock screen
- Full Disk Encryption enabled (automatic for newer phones)
- All ‘sharing’ set to ‘off’ (AirDrop, fileshare, screenshare, etc.)
- Updated operating system (and auto-update turned on)
- Do all internet access through an updated web browser.
- Install antivirus (usually not needed for phones/tablets)
For Important Accounts (Anything with bank details or used to impersonate you)
- Two-Factor Authentication enabled. (Preferably via app like 2FAS, not text)
- Password not used on any other of your accounts (Password managers like Bitwarden help with this).
- In particular, Email and Phone provider passwords MUST be unique — they can be used to unlock all other accounts
- Password not easily guessed (Random is best – use a password manager!)
- Audit privacy settings and disallow public visibility where possible
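An added example, not part of the original article: one way to check the password reuse and easily guessed password items above against a password manager's CSV export, flagging email and phone accounts first. The column names, the 12-character floor and the sample rows are constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. Column names are an assumption; rename them to
# match the CSV your own password manager produces.
SAMPLE_EXPORT = """name,login_uri,login_password
Email,https://mail.example.org,correct-horse-battery-staple
Phone carrier,https://carrier.example.net,Summer2019!
Credit union,https://bank.example.com,Summer2019!
Forum,https://forum.example.org,Summer2019!
Food co-op,https://coop.example.org,tulip7
"""

# Accounts that can reset every other account (the email and phone item above).
RECOVERY_HINTS = ("mail", "carrier", "phone")
MIN_LENGTH = 12  # assumed floor for a human-chosen password


def audit(export_text):
    """Return (reuse_groups, recovery_at_risk, too_short) as lists of account
    names. Passwords are never returned or printed."""
    groups = defaultdict(list)
    too_short = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("name") or "").strip()
        password = row.get("login_password") or ""
        if not name or not password:
            continue
        # Group by digest so the report only ever handles account names.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(name)
        if len(password) < MIN_LENGTH:
            too_short.append(name)
    reuse_groups = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    recovery_at_risk = sorted(
        name for group in reuse_groups for name in group
        if any(hint in name.lower() for hint in RECOVERY_HINTS)
    )
    return reuse_groups, recovery_at_risk, sorted(too_short)


if __name__ == "__main__":
    reuse, recovery, short = audit(SAMPLE_EXPORT)
    for group in reuse:
        print("Same password on:", ", ".join(group))
    for name in recovery:
        print("Change first (unlocks other accounts):", name)
    for name in short:
        print("Shorter than", MIN_LENGTH, "characters:", name)
```

A CSV export holds every password in plaintext, so run the check on a device you trust and delete the file as soon as you are done.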
Communication
- Use Signal for sensitive topics and wherever else possible
- Assume text/email are unencrypted and not private
- Understand metadata and configuration risks for other apps like WhatsApp, Messenger, or Telegram
Networks
- Use a trusted VPN on untrusted networks, or Tor to avoid surveillance
- Set an admin password and Wi-Fi password for any routers you own
- Only use up-to-date browsers to access internet
- Avoid “smart home” devices where possible — lightbulbs, fridges, printers etc. are easily hacked; consider any network with these devices “untrusted”.