A DIY Guide to Feminist Cybersecurity
January 13, 2017 10:32 AM   Subscribe

Hack*Blossom: "You have a right to exist safely in digital spaces. Although we have to rely on outside parties for technology to access these spaces, there are tons of helpful tools and strategies that allow you to take greater control of your digital life and mitigate the risk of malicious threats. We’ll walk through common areas of digital life such as web browsing, private data, and smartphones to show you different ways that you can implement as much or little security as you’re comfortable with."

Framed specifically from a feminist angle, but good advice for everybody who lives their life online and seeks privacy & security.
posted by bluecore (34 comments total) 82 users marked this as a favorite
 
I wish the author[s] would be more specific about what kind of threat each of this laundry list of software tools is supposed to mitigate. For example, using Tor Browser gives you very different (and much stronger) anonymity protections than using a VPN provider, but it's not clear from the document that this is the case nor how you should choose one based on your own needs. For example, regarding VPNs, they write:
Generally you want someone that does not store logs of its users while implementing OpenVPN as its VPN technology (some VPN tech has been hacked by the NSA; as far as we know, OpenVPN has not).
But if your adversary is an intelligence agency with the ability to take advantage of flaws in various VPN implementations, then running all your traffic through a central point and making them pinky swear not to keep logs is a pretty dumb idea.
posted by indubitable at 10:56 AM on January 13, 2017 [3 favorites]


Also, it's worth remembering that a huge amount of "hacking" is actually just boring phishing attacks. See also: Podesta e-mails. The rest of it is mostly botnet attacks that exploit machines with unpatched vulnerabilities or virus payloads delivered through ad networks.

Not that Tor and VPNs don't have their place, but with security you've really got to go for the boring low-hanging fruit before anything else. Use an ad-blocker. Stay current on OS and software updates. Use a password manager. Decent Security stuff.
posted by tobascodagama at 11:23 AM on January 13, 2017 [8 favorites]


(VPNs are probably a good privacy practice to get into when using public WiFi, but you've really got to trust the endpoint of your tunnel.)
posted by tobascodagama at 11:24 AM on January 13, 2017 [2 favorites]


Is the link broken? I feel like I read a different version of this page, because most of what y'all have mentioned is addressed there. It's a long article, but the info is solid. Decent security stuff.
posted by gobliiin at 11:38 AM on January 13, 2017 [4 favorites]


If you're on a linux firejail is a tool for running browsers (and other software) in a clean sandbox that's erased when the browser is closed.
posted by CBrachyrhynchos at 12:24 PM on January 13, 2017 [1 favorite]


Well, I did learn a LastPass tip I didn't know about restricting mobile device access, so that's a win!
posted by Samizdata at 12:27 PM on January 13, 2017


tobascodagama: "Also, it's worth remembering that a huge amount of "hacking" is actually just boring phishing attacks. See also: Podesta e-mails. The rest of it is mostly botnet attacks that exploit machines with unpatched vulnerabilities or virus payloads delivered through ad networks.

Not that Tor and VPNs don't have their place, but with security you've really got to go for the boring low-hanging fruit before anything else. Use an ad-blocker. Stay current on OS and software updates. Use a password manager. Decent Security stuff.
"

No personal association, but I keep loving my Pihole install. You don't have to have a Raspberry Pi to use it. I run it on an old Thinkpad (running Debian Jessie) I also use for World Community Grid use. Not only does it block ads, but it gives you amazing insight into what is happening on your LAN. Also, as far as I can determine, the default lists block almost all the Microsoft Win 10 tracking stuff.
posted by Samizdata at 12:30 PM on January 13, 2017 [3 favorites]


Also, if I can dedicate two lappies (well, one with a battery fault making it not portable, so it also works as a NAS. The ThinkPad has a dead screen), and idle time on a Kindle Fire to the Metafilter WCG group, you can too!
posted by Samizdata at 12:35 PM on January 13, 2017


Since we're on the topic of cybersecurity advice, I'd like to point folks to this research done at Google about the differences between what novices think are good security practices and what experts think.

Here's what novices think (in order):
1. Use anti-virus
2. Use strong passwords
3. Change passwords frequently
4. Only visit web sites you know
5. Don't share personal information

And here's what experts think (ie you should be doing more of these):
1. Install software updates
2. Use unique passwords
3. Use two-factor authentication
4. Use strong passwords
5. Use a password manager
posted by jasonhong at 1:13 PM on January 13, 2017 [8 favorites]


Can I append:

0. Actually stop to read dialog boxes before clicking on things

That's usually 80% of problems sorted right there. Of course there's still the 'fake dialog box' problem, but we just had a post on bullshit 101.
posted by sysinfo at 1:44 PM on January 13, 2017 [8 favorites]


I would be interested in what security experts who are also behavioral experts recommend. For example, installing software updates is great if you're a security expert who is focused on his computer a lot of the time, and knows what update sources to trust.

Experts who spend time with this stuff will also tend to trust updates because they spend a lot of time thinking about the security issues of specific pieces of software, how the updates address those issues, and so will tend to trust what they know -- possibly not entirely "rationally".

Just like doctors tend to focus on the weight issues of overweight patients, and then miss other factors, I think it's possible that computer security experts focus on what they wish people would do ("This security update fixes a _critical_ _vulnerability_! Why doesn't everyone just install it instantly! Garh!") rather than looking at the total picture.

This is not to say that anti-virus should be in the #1 position, though.

Honestly, I've been trying to figure out the whole antivirus thing myself this week. Which one? Believe me, I won't have a false sense of security.

False sense of security isn't a problem most users have these days, I don't think. I wonder if the experts de-emphasized antivirus deliberately to offset that perceived false sense of security. Is antivirus not really needed? That would surprise me.
posted by amtho at 6:59 PM on January 13, 2017


First: I am a senior network security architect.

I like the feminist angle, yet this article reads like a long-winded warning to carry your pepper spray to thwart potential online threats. I'm trying to figure how to detect online threats so women don't have to worry about getting re-tweeted by a twitter-famous person then having the wrath of hell descent upon them.

This subject means a great deal to me because I have spent 22 years helping build the internet and the applications that run on it. And here I am, looking at what we've built and I realize, we really fucked up. I can hardly use what I spent 22 years making. That really sucks.

My thoughts are the internet protocols themselves are biased against women and minority groups. This may sound ridiculous on its face, but I firmly believe this. What I believe, is that because the internet protocols were designed to transmit data for scientific research, that the protocols themselves fail us when we try to transmit our thoughts and beliefs at a large, chaotic and distributed scale. I believe the reason we have the problems we have today are because what is notnot carried at the internet protocol level is sentiment.

This sounds absurd though, impossible, the internet protocols cannot possibly transmit any sort of sentiment! I agree it sounds absurd. However, It is my opinion that we struggle to imagine an internet protocol designed to transmit sentiment because the original purpose of the internet was to serve scientific data exchanges, and that is all we've ever really known. So it makes sense we would struggle to imagine this reality. We also know the internet protocols were designed by mostly men, who by no fault of their own made what they made. I don't mean to incriminate at all men here, I'm just pointing out that the protocols were built my men in a different time and place for the purpose of serving science. Serving other purposes wasn't really considered, and given the context I think we ended up with a pretty awesome set of protocols. I also believe though, that systemic bias did not allow for the men who built the internet to consider protocols that would exchange anything other than data, because why would you? Who needs that? It makes no sense in the context of the early internet, and so, it was probably the right thing to do and I don't really blame anyone for what BGP or TCP/IP or SMTP does.

Now, fast forward 40+ years and I am trying to re-imagine what a protocol exchange would look like for exchanging emotional value. How would a protocol ascertain that? It is hard to imagine, because all we know is a world where the purpose of the internet protocols are to exchange data between hosts. And then we let our brains synthesize the words into some kind of meaning and context. This is a beautiful thing, the protocols insure the data arrives and is exchanged with 100% accuracy, but we do not consider the two humans on either end and how they will interpret the data which is exchanged, or how it will be shared beyond that. When I explain this to people the most common reaction I get is a funny look and and the response "but humans are irrational! How can we ever detect sentiment?!" to which I reply "YES! We ARE irrational and unpredictable! And the protocols must be more helpful! We must make the internet safer by transmitting our intent at a more fundamental protocol level!"

What this will look like or how it will work I have no idea really. I'm just trying to visualize in my head a protocol that passes along some value of sentiment or intent on the sender side. This seems like something that can be realized. Basically IMO our contemporary internet requires additional protocols which us understand what kind of emotional labor will be required of us to interact with the data BEFORE WE SEE THE DATA.

This I believe will open up online systems to allow users to better ascertain the intent of the person who crafted the packet. And maybe instead of firewalls that block ports, we have end up eventually with firewalls that block someone when they are angry and lashing out. That to me seems like a safer internet. That to me is what "feminist cybersecurity" should really be about.

And the cool part is that I work for a 20 billion dollar tech company who thinks my idea is interesting and is encouraging me to continue working on it.

Maybe the next internet will be a better one. I'm trying.
posted by Annika Cicada at 8:16 PM on January 13, 2017 [44 favorites]


Fucking awesome, Annika Cicada. Please keep us apprised.
posted by Johnny Wallflower at 8:40 PM on January 13, 2017 [1 favorite]


Trust no one, apparently.

WhatsApp vulnerability allows snooping on encrypted messages

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.

However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

posted by Johnny Wallflower at 8:44 PM on January 13, 2017 [1 favorite]


Johnny Wallflower: "Trust no one, apparently.

WhatsApp vulnerability allows snooping on encrypted messages

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.

However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.
"

A friend and I were discussing changing secure IMs (since the recent Telegram vuln reveal). He asked me what I thought of WhatsApp. I said something along the lines of "Oh, the chat app owned by one of the biggest data miners of all time? Pretty sure they are in the NSA's back pocket." I will stick with my program that is created by an embittered, self-funded Russian multimillionaire that hates governments and is only one social conscience away from being a Bond villain.

And, before someone mentions Signal, I use a dumbasastumpphone and Signal requires a phone, NOT a tablet, since it appears to be a glorified SMS tool. Even the desktop Chrome app requires a phone to link to. At least Telegram works with my tablet, Windows, and Linux without needing a phone. Franz gives me Telegram and more (Plus it's icon was an inspiration for my current facial hair, and I have been REALLY happy with this look.)
posted by Samizdata at 9:16 PM on January 13, 2017 [1 favorite]


Johnny Wallflower: "Fucking awesome, Annika Cicada. Please keep us apprised."

Seconded, please and thank you.
posted by Samizdata at 9:34 PM on January 13, 2017 [1 favorite]


Thirded, Annika Cicada, because after re-reading it was like a light suddenly turned on in my head and I really grokked what you were saying and it was awesome. Also it totally linked to something I was trying to explain to a developer friend last night:

Security isn't an engineering problem any more - it's a social or cultural problem. We have the tools to make communication and transactions virtually impregnable, but we don't have the social structures around it. It's no good me having PGP and Signal if you don't (whether you understand the principles behind the software or not), and I can try and try and try to convince you to use secure systems, but if they're too hard or too obtrusive or too unfamiliar then why would you? And anyway, your best friend doesn't use Signal so you can't talk to them securely, and even if you did, their parents don't, so...

The interesting thing about the WhatsApp vuln is that WhatsApp is a product to which encryption was added well after launch, and has a vast userbase for whom breaking communication with their contacts on rekeying would be a showstopper. The question for them is not "is this entity advertising itself as my contact really my contact?' but rather "why can't I send or receive this message?" It breaks the basic functionality of the app. Signal doesn't have this, because the average Signal user expects this behaviour out of the box - it's not breakage for that class of user.

To make encryption and cybersecurity protocols work, things need to work out-of-the-box. Transparently. The difficult, break-y parts need to be negotiated without asking for intervention. The configurations need to be functional at install time without asking a million questions, but open enough that power users can tweak to their heart's delight.

That's what I think, anyway.
posted by prismatic7 at 11:15 PM on January 13, 2017


My thoughts are the internet protocols themselves are biased against women and minority groups. This may sound ridiculous on its face, but I firmly believe this. What I believe, is that because the internet protocols were designed to transmit data for scientific research, that the protocols themselves fail us when we try to transmit our thoughts and beliefs at a large, chaotic and distributed scale. I believe the reason we have the problems we have today are because what is notnot carried at the internet protocol level is sentiment.

Feminist CMC researchers have been talking about this since the listserv days. Basically, those of us with privilege are raised with language norms that serve to monopolize discussion (and feel entitled to do so). This has obvious implications for the classroom. Applied to communication that is, in human terms, practically infinite, the result is infinite trolling in infinite combinations.

All of our communications modes involving more than two people are absurdly scaled from academic classroom and conference models. We've known for more than 22 years that even in an academic classroom or conference, those modes don't generally work without dedicated structure and discussion leadership. We took something that doesn't work without a moderator for 30 people sharing a small community, expanded it to millions, and still wonder why those networks become de facto platforms for segregation.

I've been thinking a lot about this (since I'm a discourse analysis nerd), and IMO we need:

1. Better walls. Not every discourse space needs to be shared by everyone.
2. Kill the over-reliance on tagging as an ontology. Without a common agreement on key terms, (and agreement isn't necessary between communities), keyword tagging creates conflict.
3. Discussion leadership empowered to use a banhammer.
posted by CBrachyrhynchos at 11:57 PM on January 13, 2017 [8 favorites]


Actually, I think computer-mediated communication could benefit from a classroom practice that does actually help minorities: taking a limited number of turns. As the song goes, "if you say it once, why say it again?"
posted by CBrachyrhynchos at 12:11 AM on January 14, 2017 [3 favorites]


CBrachyrhynchos: "My thoughts are the internet protocols themselves are biased against women and minority groups. This may sound ridiculous on its face, but I firmly believe this. What I believe, is that because the internet protocols were designed to transmit data for scientific research, that the protocols themselves fail us when we try to transmit our thoughts and beliefs at a large, chaotic and distributed scale. I believe the reason we have the problems we have today are because what is notnot carried at the internet protocol level is sentiment.

Feminist CMC researchers have been talking about this since the listserv days. Basically, those of us with privilege are raised with language norms that serve to monopolize discussion (and feel entitled to do so). This has obvious implications for the classroom. Applied to communication that is, in human terms, practically infinite, the result is infinite trolling in infinite combinations.

All of our communications modes involving more than two people are absurdly scaled from academic classroom and conference models. We've known for more than 22 years that even in an academic classroom or conference, those modes don't generally work without dedicated structure and discussion leadership. We took something that doesn't work without a moderator for 30 people sharing a small community, expanded it to millions, and still wonder why those networks become de facto platforms for segregation.

I've been thinking a lot about this (since I'm a discourse analysis nerd), and IMO we need:

1. Better walls. Not every discourse space needs to be shared by everyone.
2. Kill the over-reliance on tagging as an ontology. Without a common agreement on key terms, (and agreement isn't necessary between communities), keyword tagging creates conflict.
3. Discussion leadership empowered to use a banhammer.
"

You know, banhammering will be a lot more useful once things swap over to IPv6 and everyone has their own address, preventing IP hopping. Also, tagging REALLY gets on my nerves in a lot of ways. You know, I just WANT TO UPLOAD THIS DAMN PICTURE RIGHT NOW! I don't want to have to develop a tagging schema for my stupid meme pics!
posted by Samizdata at 12:55 AM on January 14, 2017


Annika Cicada, how will your protocol deal with deception? It's a really interesting idea and corresponds much better to how we do social behaviour in the flesh, when it is almost impossible not to signal affect along with everything else -- and where complete neutrality carries its own message -- but we also learn in real life to fake our emotions and while your protocol is proof, perhaps, against the Hulk, it's much less use against Iago.
posted by alloneword at 1:43 AM on January 14, 2017 [1 favorite]


I've been trying to figure out the whole antivirus thing myself this week. Which one?

If you can't bring yourself to discount a pattern of stupidly horrible holes caused by AV itself, you might want to avoid even most premium third-party AV. Use the built-in security (of a fully up-to-date OS, and learn about it and what configuration tweaks are helpful to you. Don't use Internet explorer, and AFAIK you still don't want to consider OS X's Safari browser as secure either. Google Chrome browser is #1 out of any available set of choices; MS Edge is also not bad for security. Learn about the ransomeware threat specifically. One mitigation is offline backups of highly valued files e.g. family photos, although it requires a certain amount of effort).

banhammering will be a lot more useful once things swap over to IPv6 and everyone has their own address, preventing IP hopping

This is confused. IPv6 addresses are not guaranteed to be more persistent than IPv4 ones. IPv6 addresses are actually less persistent. The local part of the address was allocated 64 bits (!) for simplicity and future applications, and is now used to implement rotating "privacy addresses" for outbound connections.
posted by sourcejedi at 3:18 AM on January 14, 2017 [1 favorite]


I think about the deception question a lot. I don't have a proven answer yet.
posted by Annika Cicada at 6:26 AM on January 14, 2017


Feminist CMC researchers have been talking about this since the listserv days. Basically, those of us with privilege are raised with language norms that serve to monopolize discussion (and feel entitled to do so).

I would love to be more connected to people talking about this.
posted by Annika Cicada at 6:46 AM on January 14, 2017


Emotional intelligence with just a few lines of code

What I saw googling for a product I'd seen demo'd last summer was that this is a thing, lot's of API's both open and closed that are trying to upload our emotions.

I'd joked a few times that I didn't cover the laptop builtin web cam because I wanted the snoopers to watch me cleaning my sinuses. (yes gross:-) I am pretty sure while I may want a carefully cultivated emotion to be included in my email or post, I really don't want my emotion-of-the-moment to be freely exposed. A conundrum.
posted by sammyo at 6:54 AM on January 14, 2017 [1 favorite]


yeah, that shit freaks me out, sammyo.

I'm also trying to get my idea sorted out enough that it may eventually become a working group with the IETF in order that it serve the internet as a society, not the internet as late capitalism.
posted by Annika Cicada at 7:48 AM on January 14, 2017 [1 favorite]


I'd also like to say that after actually skimming the web page that it's quite a good review of the topic. But it is a lot, a lot of detail, a lot of work for a not totally unambiguous result. (how to know if a security measure actually works). What prismatic7 suggests "things need to work out-of-the-box. Transparently." is so on point, but is only part way there.

Anyway it's really good that clear articles like this are being posted, security is a process, and never perfect, but it's great message and awareness to spread. (oh and update your software today :-)
posted by sammyo at 8:26 AM on January 14, 2017 [1 favorite]


Good luck, Annika. You're tackling a worthy issue, and not one immediately recognizable as monetizable. Both of these are rare, too rare, these days.
posted by Strange_Robinson at 8:54 AM on January 14, 2017


Weak AI could do the job, it's modeling software and don't let the snake oil folks tell you differently, but it absolutely must be individually owned. It doesn't even look theoretically possible that a weak AI could be individually owned. Next up, the perfect superconductor!
posted by Strange_Robinson at 9:09 AM on January 14, 2017 [1 favorite]


An obvious example of the tagging problem comes in discussion of sexuality and LGBTQ politics where the meaning of any tag is shadowed by porn production.
posted by CBrachyrhynchos at 10:07 AM on January 14, 2017 [3 favorites]


Trust no one, apparently.

WhatsApp vulnerability allows snooping on encrypted messages


If we're going to bring that up here, then I might as well post Moxie Marlinspike's response: There is no WhatsApp 'backdoor'
posted by indubitable at 9:00 PM on January 14, 2017 [4 favorites]


Huh. Guardian, I am very disappointed with you.
posted by Johnny Wallflower at 9:05 PM on January 14, 2017


The EFF has some advice on securing your privacy. They also agree with Moxie as regards whatsapp.
posted by MoTLD at 3:29 PM on January 15, 2017 [1 favorite]


The trouble with expecting users to update promptly is that you only have to be burned once by an update that "breaks everything" for the naive user to assign the chances that the update will do something unwanted as higher that the chances the update will prevent something unwanted.
posted by Karmakaze at 6:52 AM on January 17, 2017 [1 favorite]


« Older Good Evening, All Current Art Is Fake   |   Switch it up Newer »


This thread has been archived and is closed to new comments