Archive for June 2009
Wael was heading back from Sweden where he was attending a social media conference. His plane arrived around 3am in Cairo. His passport was taken by State Security Police for four hours, and was only returned to him after he staged a sit in with a banner. Now the customs agents have taken his laptop and said they won’t be returning it except after investigating it.
He was tweeting live up to a point, not sure what’s happening now.
Persepolis 2.0 describes Iran’s post-election uprising and spreads the word about Iranians’ historic struggle against repression. Based on the graphic novel by Marjane Satrapi and edited by two Iranians living in Shanghai.
Unlike most of us, it looks like @Patrick Meier knows what he’s talking about. He should, considering he’s doing a Phd at Harvard on “The Impact of the Information Revolution on Authoritarian Rule and Social Resistance: From Information Revolution to iRevolution?”
Patrick has an excelent guide on How To Communicate Securely in Repressive Environments. He keeps it up to date based on his studies and input from readers, and will provide a more detailed guide on request (my guess is that not all requests will be handled equaly).
You should really read it there. If you’re a Farsi speaker, please translate it and email me, I will post it here (or maybe Patrick will want to post it next to the original).
If you’re in a rush, here are a few practical tips. Again, better to refer to the original as it will change over time.
These tactics are listed below along with a number of other important ones. Please keep in mind that tactics are case- and context-specific. They need to be adapted to the local situation.
- Mobile Phones
- Purchase your mobile phone far from where you live. Buy lower-end, simple phones that do not allow third-party applications to be installed. Higher-end ones with more functionalities carry more risk. Use cash to purchase your phone and SIM card. Avoid town centers and find small or second-hand shops as these are unlikely to have security cameras. Do not give your real details if asked; many shops do not ask for proof of ID.
- Use multiple SIM cards and multiple phones and only use pay-as-you go options; they are more expensive but required for anonymity.
- Remove the batteries from your phone if you do not want to be geo-located and keep the SIM card out of the phone when not in use and store in separate places.Use your phone while in a moving vehicle to reduces probability of geo-location.
- Never say anything that may incriminate you in any way.
- Use code.
- Use Beeping instead of SMS whenever possible. Standard text messages are visible to the network operator, including location, phone and SIM card identifiers. According to this recent paper, the Chinese government has established 2,800 SMS surveillance centers around the country to monitor and censor text messages. The Chinese firm Venus Info Tech Ltd sells real-time content monitoring and filtering for SMS.
- Use fake names for your address book and memorize the more important numbers. Frequently delete your text messages and call history and replace them with random text messages and calls. The data on your phone is only deleted if it is written over with new data. This means that deleted SMS and contact numbers can sometimes be retrieved (with a free tool like unDeleteSMS. Check your phone’s settings to see whether it can be set to not store sent texts messages and calls.
- Eavesdropping in mobile phone conversations is technically complicated although entirely possible using commercially available technology. Do not take mobile phones with you to meetings as they can be turned into potential listening/tracking devices. Network operators can remotely activate a phone as a recording device regardless of whether someone is using the phone or whether the phen is even switched on. This functionality is available on US networks.
- Network operators can also access messages or contact information stored on the SIM card. If surveillance takes place with the co-operation of the operator, little can be done to prevent the spying.
- Mobile viruses tend to spread easily via Bluetooth so the latter should be turned off when not in use.
- Using open Bluetooth on phones in group situations, e.g., to share pictures, etc., can be dangerous. At the same time, it is difficult to incriminate any one person and a good way to share information when the cell phone network and Internet are down.
- Discard phones that have been tracked and burn them; it is not sufficient to simply destroy the SIM card and re-use the phone.
- Digital Cameras
- Keep the number of sensitive pictures on your camera to a minimum.
- Add plenty of random non-threatening pictures (not of individuals) and have these safe pictures locked so when you do a “delete all” these pictures stay on the card.
- Keep the battery out of the camera when not in use so it can’t be turned on by others.
- Practice taking pictures without having to look at the view screen.
- Use passphrases for all your sensitive data.
- Keep your most sensitive files on flash disks and find safe places to hide them.
- Have a contingency plan to physically destroy or get rid of your computer at short notice.
- Flash disks
- Purchase flash disks that don’t look like flash disks.
- Keep flash disks hidden.
- Email communication
- Use code.
- Use passphrases instead of passwords and change them regularly. Use letters, numbers and other characters to make them “c0mpLeX!”. Do not use personal information and changer your passphrases each month. Do not use the same password for multiple sites.
- Never use real names for email addresses and use multiple addresses.
- Discard older email accounts on a regular basis and create new ones.
- Know the security, safety and privacy policies of providers and monitor any chances (see terms of service tracker).
- Browsers and websites
- Turn off java and other potentially malicious add-ons.
- Learn IP addresses of visited websites so that history shows only numbers and not names.
- When browsing on a public computer, delete your private data (search history, passwords, etc.) before you leave.
- When signing up for an account where you will be publishing sensitive media, do not use your personal email address and don’t give personal information.
- Don’t download any software from pop-ups, they may be malicious and attack your computer or record your actions online.
- Do not be logged in to any sensitive site while having another site open.
- Just because your talking online doesn’t mean you are not under surveillance.
- As with a cell or landline, use code do not give salient details about your activities, and do not make incriminating statements.
- Remember that your online activities can be surveilled using offline techniques. It doesn’t matter if you are using encrypted VOIP at a cyber cafe if the person next to you is an under-cover police officer.
- When possible, do not make sensitive VOIP calls in a cyber cafe. It is simply too easy for someone to overhear you. If you must, use code that doesn’t stand out.
- Blogs and social networking sites
- Know the laws in your country pertaining to liability, libel, etc.
- When signing up for a blog account where you will be publishing sensitive content, do not use you personal email address or information.
- In your blog posts and profile page, do not post pictures of yourself or your friends, do not use your real name, and do not give personal details that could help identify you (town, school, employer, etc.).
- Blog platforms like wordpress allow uses to automatically publish a post on a designated date and time. Use this functionality to auto-publish on a different day when you are away from the computer.
- On social networks, create one account for activism under a false but real-sounding name (so your account won’t be deleted) but don’t tell your friends about it. The last thing you want is a friend writing on your wall or tagging you in a photo and giving away your identity.
- Even if you delete your account on a social networking site, your data will remain, so be very careful about taking part in political actions (i.e., joining sensitive groups) online.
- Never join a sensitive group with your real account. Use your fake account to join activism groups. (The fake account should not be linked to your fake email).
- Don’t use paid services. Your credit card can be linked back to you.
- File sharing
- Use a shared Gmail account with a common passphrase and simply save emails instead of sending. Change passphrase monthly.
- For sharing offline, do not label storage devices (CDs, flash drives) with the true content. If you burn a CD with an illegal video or piece of software on it, write an album label on it.
- Don’t leave storage devices in places where they would be easily found if your office or home were searched (i.e., on a table, in a desk drawer).
- Keep copies of your data on two flash drives and keep them hidden in separate locations.
- When thinking of safe locations, consider who else has access. Heavily-traveled locations are less safe.
- Don’t travel with sensitive data on you unless absolutely necessary. If you need to, make sure to hide it on your person or “camouflage” it (label a data CD as a pop music CD). See Sneakernet.
- Internet Cafes
- Assume you are being watched.
- Assume computers at cyber cafes are tracking key strokes and capturing screenshots.
- Avoid cyber cafes without an easy exit and have a contingency plan if you need to leave rapidly.
Digital Security Technologies
When combine with the tactics described above, the following technologies can help you stay safe and keep your data relatively more secure.
- Mobile phones
- Digital cameras
- Use scrubbing software such as: JPEG stripper to remove the metadata (Exif data) from your pictures before you upload/email.
- Have a safe Secure Digital Card (SD) that you can swap in. Preferably, use a mini SD card with a mini SD-SD converter. Then place the mini SD into a compatible phone for safekeeping.
- Use an effective anti-virus program and ensure it updates itself online at least once a day: TMIS, McAfee, Symantec/Norton, AVG, Avira, NOD32, Kaspersky.
- Do not use illegal, cracked, hacked, pwned, warez software.
- Keep your software programs (operating systems, productivity suites, browsers) up-to-date with the latest software updates.
- Use software to encrypt your hard drive: Bitlocker, TrueCrypt, PGP Whole Disk Encryption, Check Point, Dekart Private Disk.
- Use a different file type to hide your sensitive files. For example, the .mov file extension will make a large file look like a movie.
- Mac users can use Little Snitch to track all the data that goes into and out of your computer.
- From a technical perspective, there’s no such thing as the delete function. Your deleted data is eventually written over with new data. There are two common ways to wipe sensitive data from your hard drive or storage device. You can wipe a single file or you can wipe all of the ‘unallocated’ space on the drive. Eraser is a free and open-source secure deletion tool that is extremely easy to use.
- Flash disks
- Email communication
- Browsers and websites
- Use Firefox and get certain plugins to follow website tracking such as ghostery and adblock, adart to remove ads/trackers.
- User Tor software or Psiphon to browse privately and securely.
- I shan’t list access points for secure browsers, Proxy servers and VPNs here. Please email me for a list.
- Always use https in “Settings/General/Browser Connection.”
- Use Skype but not TOM Skype (Chinese version). Note that Skype is not necessarily 100% secure since no one has access to the source code to verify.
- Off The Record (OTR) is a good encryption plugin. For example, use Pidgin with OTR (you need to add the plug-in yourself).
- Gizmo offer encryption for voice conversations, and then only if you are calling another VoIP user, as opposed to a mobile or landline telephone. However, because neither application is open-source, independent experts have been unable to test them fully and ensure that they are secure.
- Adium is a free IM application for Macs with built-in OTR encryption that integrates most other IM applications.
- Blogs and social networking platforms
- There are no safe social networks. The best way to be safe on a social network is fake account and a proxy server.
- The anonymous blogging platform Invisiblog no longer exists, so the best bet now is WordPress + Proxy (preferably Tor) + anonymity of content.
- Log out of facebook.com when not using the site.
- File sharing
- Internet Cafe
The above material was collected in part from these sources:
- Tactical Tech’s Mobiles-in-a-Box and Security-in-a-Box;
- MobileActive’s Mobile Security
- FLOSS Manuals;
- Feedback from DigiActive and Digital Democracy;
- Personal experience and that of other colleagues in the field.
As mentioned above, please send suggestions and/or corrections as well as updates. And again, please do check the comments below. Thanks!
Wed. 24 June: Support Iran Elections. wear black (remembering the victims) and Green (Sustaining the hope)
I’m copying this verbatum from http://iranriggedelect.blogspot.com/2009/06/what-i-have-witnessed.html to maximise exposure and as a pre-emptive measure against any damage done to that blog:
Thursday, June 18, 2009A powerful note from a female medical student in Iran, translated from Farsi by a trusty reader.
It’s painful to watch what’s happening.
I don’t want anything to do with what has been said this far, as I neither have the strength nor the resilience to face all these unfathomable events.
I only want to speak about what I have witnessed. I am a medical student. There was chaos last night at the trauma section in one of our main hospitals. Although by decree, all riot-related injuries were supposed to be sent to military hospitals, all other hospitals were filled to the rim. Last night, nine people died at our hospital and another 28 had gunshot wounds. All hospital employees were crying till dawn. They (government) removed the dead bodies on back of trucks, before we were even able to get their names or other information. What can you even say to the people who don’t even respect the dead. No one was allowed to speak to the wounded or get any information from them. This morning the faculty and the students protested by gathering at the lobby of the hospital where they were confronted by plain cloths anti-riot militia, who in turn closed off the hospital and imprisoned the staff. The extent of injuries are so grave, that despite being one of the most staffed emergency rooms, they’ve asked everyone to stay and help–I’m sure it will even be worst tonight.
What can anyone say in face of all these atrocities? What can you say to the family of the 13 year old boy who died from gunshots and whose dead body then disappeared?
This issue is not about cheating(election) anymore. This is not about stealing votes anymore. The issue is about a vast injustice inflected on the people. They’ve put a baton in the hand of every 13-14 year old to smash the faces of “the bunches who are less than dirt” (government is calling the people who are uprising dried-up torn and weeds)
This is what sickens me from dealing with these issues. And from those who shut their eyes and close their ears and claim the riots are in opposition of the government and presidency!! No! The people’s complaint is against the egregious injustices committed against the people.Posted by every Iranian at 2:40 PM
When Stuart Feldman created Make in Bell labs in 1977, he wasn’t thinking of owning a product he could sell. He just wanted to get the job done. (sorry, I tried, but I can’t find a good reference for this story. still I’m sure I heard it from a credible source). The job, in his case, was to get a bunch of source files to compile together, in the right order, when needed. Dr. Feldman was fed up of typing a long sequence of compile and link commands to the terminal every time he changed one of his source files. And the most annoying bit was that you usually forget some dependency between files, miss out one command or the other, and the whole project is a mess. What Dr. Feldman needed was a program that could be given a set of rules, and when invoked would use these rules to determine which sequence of commands to execute.
So he wrote one, or rather, hacked it. After all, it had been a long day. Then he thought some of his team mates might like it, so he put it on the shared drive and emailed them.
Later that night he thought there were a few flaws in the rule-file syntax, things he would have done differently if he would have designed it properly. But by the time he got to the office the next day, it was too late. The use of make had spread throughout the lab and beyond. People needed it, and it was free, and easy to install. Make has been part of every *nix system since.
One of the sources of power of the open source model is that it prioritises capacity over capital. Capacity is the ability to do things, capital is means of production – that might or might not give you power to do things.
IBM, Oracle, SUN and others fund open source not out of benevolence, but because there are places where the option of having something for free is worth more than owning it. In fact, sometimes ownership has negative value. How so? Well, if Dr. Feldman would have owned Make, no-one else would ever contribute to its improvement. No major OS provider would include it. As it is, make evolves through small contributions of many engineers, and whenever you find yourself at an unknown machine with some complex project to compile, you know you can count on Make.
Capacity is intangible, so material economies use capital as an approximation of capacity. Obviously, capitalism is based on ownership of capital. The assumption is, if you have the means of production, you can produce, and thus generate value. Of course, its not so simple: you may have boards and nails, I have a hammer, neither of us can build a shed. That’s what markets are for. You can sell me your stuff or I can rent you mine. But that’s an approximation, it doesn’t always work, and when it does, its not always be the most efficient model. As the old saying goes, I want a glass of milk, I don’t want to buy the whole cow.
Open source software production distributes capacity without bothering with ownership of capital. I use a wordprocessor to produce text, I just want it to be there when I need it, I don’t need to own it. That’s easier to do with software, because I can give it to you and still have it. But we’re seeing capacity-centric models popping up in other places. Take cloud computing as an example. I don’t care how many servers Amazon or Google own. I just pay them for the capacity I need, when I need it. Car clubs are another, more down-to-earth example.
So why aren’t we seeing more of this? I think the main obstacle is legal. Our whole system is designed to measure, monitor, and manage the flow of capital. Until we figure out good ways to regulate the trade in capacity, we’re stuck with capital.
Regarding the bloody days in Iran and innocent people killed.
We are writing for all Iranians who are seeking peace and freedom and are against war and savage.
We ask Google to change Google logo for one day.
Support this idea by sending this link to all you friends
Update, June 16
Important! read #iranelection cyberwar guide for beginners
I’ve removed the gadget from my sidebar.
Iranian protesters are using any means possible to co-ordinate actions, gather and share intelligence, and provide the world with a constant stream of documented real-time information. They are twittering live from the clashes in the student halls and the protests on the street, posting images and videos of events as they unfold.
The Iranian authorities are doing all they can to block communications. SMS is blocked, websites hacked or firewalled, TV and Radio are obviously useless.
The protesters need constant supply of proxy servers. These servers are used to bypass the government blocks on Internet sites and messaging services. Of course, once the addresses of these servers are made public, its only a matter of time until the government blocks them. So its a constant race. There’s a chicken & egg problem here, in order to get the proxy server addresses you need to have an open communication channel.
Many people are using twitter to share the addresses of proxies as they emerge. What we need is a mechanism which would allow mass sharing of these numbers. Here’s a simple scenario: someone sets up a service which collects proxy server announcements from twitter and posts them on a site, with an outgoing RSS feed. that feed can then be syndicated and embedded in any site around the world, thus replicating the information and making it hard for the goverment to block it.
Should be easy for someone with the right skills & infrastructure, no?
I just posted this idea on twitter, and within 2 minutes got a response:
@yishaym Would this search/feed be useful to you: