Revision as of 11:00, 21 June 2016

Issues about Security, Privacy, Anonymity

• Datas and states
• Datas and companies
• Datas and citizens
• Datas and art

So what ?

• Holistic security : Physical security + Psycho-social security + digital security
• A global recipe : Autonomous infrastructures - Free Libre Open Source Softwares - end to end encryption
• Make some noise ! encrypt to increase the cost of surveillance

Mapping activities and risks

Cloud of ideas and words related to security > questions to establish a baseline of privacy and security knowledge

Draw your tech day

Draw your interactions with your digital devices, from the morning to the moment you go to bed, including what kind of data you receive, you produce, you transfert and exchange with other people

Ask yourself good questions

1. Read up and educate yourself about your country's internet laws and policies. Some security technologies such as encryption are illegal in some countries, for example.
2. Inform yourself about your country's laws and policies in relation to freedom of expression, right to privacy and against online and offline harassment. Those laws do not exist in all countries, and when they exist they are not framed and applied in the same way.
3. Keep your computer and devices clean and healthy: Updating your software, running a firewall, and protecting yourself from virus infection are fundamental to the security of your data
4. Map your data: What kind of data do you produce and/or manage? With whom? Where is this data stored? Which devices or online platforms hold your data? Most importantly, how sensitive is your data and what would happen if this particular data suddenly disappeared or was seen and copied by a third party?
5. Secure your data: Especially where our data is stored online, it is crucial to choose strong passwords, or better passphrases, and to use a different one for each of our accounts.
6. Connect safely to the internet: When going online, especially if you are transmitting personal data and passwords, it is crucial to always use an encrypted connection which ensures that your data cannot be seen by anyone as it travels from your computer to the website you are visiting or to the service you are using.
7. Anonymise your connections: There are sometimes good reasons to hide your physical location and your internet activities. Tor browser anonymises your connections when you're browsing the internet, by hiding the sites you are visiting from your internet service provider, and hiding your location from the sites you visit.
8. Secure your communications: you might want to consider tools you can use and ways you can change your behavior to increase your security when using mobile phones as well as options for email and instant messaging
9. Practice self-care: Nothing is secure if we only think about technology and we neglect our wellbeing. If you are exhausted, stressed or burnt out, you might make mistakes that impair your security.

You should repeat periodically this exercise of permanent risk analysis so as to update the threat model and the answers you could put into practice

Secure your devices and data

Computer

• Switch your computer to linux ;)
• Protect your computer against malware and virus https://securityinabox.org/en/guide/malware
• Protect your information from physical threats https://securityinabox.org/en/guide/physical
• Create and maintain secure passwords https://securityinabox.org/en/guide/passwords
• Destroy sensitive information https://securityinabox.org/en/guide/destroy-sensitive-information

Mobile phone / tablet

• Use mobile phones as securely as possible https://securityinabox.org/en/guide/mobile-phones
• Use smartphones as securely as possible https://securityinabox.org/en/guide/smartphones
• Encrypt your mobile phone, basic Android security setup guide https://securityinabox.org/en/guide/basic-setup/android

What is Internet ?

A network of networks of computers : Your computer > Internet Service Provider > router > gateway > backbone > sever serveur / routeur

• http://maps.level3.com/default/ ou http://www.submarinecablemap.com/#/landing-point/marseille-france
• http://www.teliasoneraicmap.com/
• http://www.vox.com/a/internet-maps 40 maps that explain the internet
• https://www.sprint.net/images/network_maps/full/Global-Global-IP.png

900px|centré

What is an IP address ?

An IP address identify your computer inside a local network (it is a private IP, for example 192.168.1.101), then your internet box provide you a public IP address connected to Internet (for example 82.239.0.211). Each network devices is identfied by a unique physical address called the MAC address (for example f4:6d:04:3a:ef:55)

• visualize your ip address and the geolocalization of your computer http://whatismyipaddress.com/
• demo traceroute : visualize where your traffic is going http://www.yougetsignal.com/tools/visual-tracert/

How the data are circulating in the network

If you tried the previous link, you can see that your request reach a server that can be on the other side if the world. But there are third parties that collect informations and datas on your navigation, most of the time to gather informations about you and to sell it for commercial purposes (we call them data brokers), so in function of the website, one single request can be tracked by up to more than twenty other companies ...

• https://trackography.org/ > Choose a country and a newspaper and see who is collecting data when you go to this website

Internet role play

Each person become an element of the network :

• Computer A
• ISP box at home
• Gateway to Internet
• Backbone
• Trans-oceanic cable
• Gmail server
• Autonomous Tchat server
• Public wifi access point
• Computer B

Now, let's send a "normal" e-mail from computer A to computer B and let's see who can read what between metadatas and the content of the mail. Repeat the exercise with an encrypted e-mail, with a normal tchat and an encrypted tchat

Reduce your digital shadow

The web - Browser and plug-ins

• To remove adds : ublock origin https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
• To prevent tracking : betterprivacy https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
• To reduce our digital shadow : Privacy Badger https://www.eff.org/privacybadger
• To use as much as possible encrypted communication between our computer and the server : HTTPS everywhere https://www.eff.org/https-everywhere
• To avoid viruses from web pages and javascript https://noscript.net/
• To avoid viruses from Flash content : flashblock https://addons.mozilla.org/en-US/firefox/addon/flashblock/

Alternative search engines

To add a new search engine to Firefox, see https://support.mozilla.org/en-US/kb/add-or-remove-search-engine-firefox

• https://duckduckgo.com/ see also the bangs https://duckduckgo.com/bang : if you add "!w" to your request, it will search directly on wikipedia
• https://www.qwant.com/
• https://startpage.com/
• https://searx.laquadrature.net/ meta hackable search engine

centré

Evaluate the traceability of your system and browser

the "fingerprinting" allow one to identify us in function of our configuration : operating system, browser configuration, plug-ins, size of our screen, ...

• to make a test : Panopticlick http://panopticlick.eff.org/

Remove metadata from files

Metadata are included in pictures, text documents, videos, and can include geolocalization, the name of the autor and many more informations

• see the tool Exiftool :

To remove metadata :

exiftool "-all:all=petit chaton" -overwrite_original *.ogg

Use emails in a safer way

Alternative email providers

• https://help.riseup.net/
• http://no-log.org/
• http://autistici.org
• https://www.openmailbox.org/
• https://mailinabox.email/

Disposable emails

• https://www.guerrillamail.com/
• https://www.sharklasers.com/
• http://maildrop.cc/
• http://throwawaymail.com/
• http://yopmail.com/
• http://clipmail.eu
• https://addons.mozilla.org/fr/firefox/addon/bloody-vikings/

Encrypt mails with PGP

With a combination of thunderbird and enigmail plug-in  :

• PGP avec enigmail et thunderbird https://securityinabox.org/en/guide/thunderbird/windows
• Tutorial from FSF https://emailselfdefense.fsf.org/en/
• 15 reasons not to start using PGP http://secushare.org/PGP

Communication and exchange services

Let's use alternative services without any commercial purposes FLOSS (Free/Libre Open Source), to replace skype, dropbox, doodle, google doc, ... :

• Dégoogleise Internet https://degooglisons-internet.org/

500px|centré

Tchat

• pidgin with à OTR https://otr.cypherpunks.ca/
• https://crypto.cat/
• https://pond.imperialviolet.org/
• https://ricochet.im/
• https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily

centré

Visioconference

• chat with visioconference with jit.s https://jitsi.org/Main/Download / installation : https://jitsi.org/Documentation/SetUpJitsiAccount / open an account https://jit.si/
• directly in the browser : https://meet.jit.si/ or https://www.mozilla.org/fr/firefox/hello/
• Tox to replace skype https://tox.im/

Preserve your anonymity, circumvent censorship

Use Tor (The Onion Router), Tails (Live Linux amnesic operating system), a VPN (create a tunnel between you and your vpn provider)

• TOR : https://www.torproject.org/projects/torbrowser.html.en
• TAILS : https://tails.boum.org/install/index.fr.html
• VPN : https://help.riseup.net/fr/vpn

Understand the difference between encryption and anonymity

• video gpg tactical tech https://tacticaltech.org/projects/decrypting-encryption https://vimeo.com/132517596
• tor browser : https://www.youtube.com/user/TheTorProject

Social network

Let's ask some good questions

Quel est le modèle économique du site sur lequel je m'inscris ? Qu'est-ce qui lui permet d'exister ?

Réglages des paramètres de confidentialité, mots de passe sûrs à changer, utilisation d'https

Bien déterminer quel type d’informations on publie, obtenir l’accord de tiers :

• qui peut voir l’information que je mets en ligne
• qui est le propriétaire de l’information que je publie sur le site de réseautage social
• quels renseignements à mon sujet mes contacts peuvent-ils transférer à d’autres parties
• Est-ce que mes contacts sont à l’aide avec le fait que je partage leurs renseignements avec d’autres
• Fais-je bien confiance à toutes les personnes avec qui je suis en réseau ?

Même en ne s'inscrivant pas, des plateformes (Facebook, linkdin) créent des "shadow profiles" à notre insu

Gare à la création de comptes sur d’autres plateforme avec son compte facebook, google

Choisir entre 4 types d’identité

• ton nom réel : plus facilement identifiable mais génére de la crédibilité et influence
• anonymat : permet des expressions d'opinion sur des questions mal vues et sensibles, option la plus difficle à maintenir, peu d'opportunité de générer un réseau de solidarité
• identité pseudonymique : risque d'identification dans le monde réel, mais possible
• pseudonymat collectif : identité collective anonymous guerilla girl, risque si un membre du collectif fait des bêtises, nourrir les imaginaires et les actions avec cette identité collective

4 stratégies pour altérer son ombre digitale

Les différents niveaux stratégiques : installation de programme et d'appli, génération de contenus et de meta-données (explication de la différence), utilisation de dispositifs matériels (comment on se connecte au net)

• fortification : créer des barrières, restreindre l'accès et la visibilité, monitorer qui te suit qui tente de compromettre, creer des comptes ds tous les medias sociaux pour baliser le terrain, antivirus et spyware à jour, quarantaine, chiffrer, cacher ta webcam, migrer vers os plus surs comme gnu/linux
• réduction : moins c'est mieux, combiner tactiques pour générer un manque de données sur soi : nettoyer et éliminer comptes et profils non-utilisés, ignorer et bloquer des applications et services digitaux non nécessaires, résister à la publication d'images et d'infos sur soi et son collectif, utiliser des vieux devices
• obfuscation ou camouflage : plus de données tu génère, c'est le mieux : dévaluer la valeur de l'info, rompre les routine de navigation (apps et plug in), générer du bruit avec son identité (ouvrir différents comptes avec x identités), se cahcer dans la mutlitude ou ds identité collective (bien lire le zen manual), ne pas contaminer, créer des personnages crédibles (voir fakena ds zen manual pr créa id crédibles
• compartimentation : bien compartimenter tes données, tes identités : bien déterminer ses domaines sociaux et bien les compartimenter, maintenir séparés, isoler la surface d'attaque

Téléphone mobile / intelligent

Fonctionnement de la téléphonie, triangulation, autorisation des applications, metadonnées, OS alternatifs, applications signées, rooting et jailbreaking

Chiffrer son téléphone, mot de passe sur, utiliser des applications libres

Logiciels à recommander pour la communication et l’échange

• Voir le magasin d'applications libres de droits http://f-droid.org/
• Voir particulièrement les applications proposées par https://guardianproject.info/

Logiciels mobiles réputés sures (au 06 2016)

• SMSSecure
• Signal
• Telegraph et Snapchat qui ne sont pas libres mais chiffrent de bout en bout
• Orbot + Orweb (naviteur type Tor bundle)
• keepassDroid
• Android Privacy Guard (chiffrement d'emails)
• Obscuracam pour occulter les visages

Libérer son téléphone

• Libérer son Android : http://fsfe.org/campaigns/android/liberate.fr.html + http://www.gnu.org/philosophy/android-and-users-freedom.html

900px|centré

Synthèse des bonnes pratiques

Backup, phrases de passes solides, utilisation de logiciels FLOSS, Infrastructure autonome sympathique (Yunohost, services non commerciaux), sécurité holistique, actualisation de l’évaluation des risques, réseau de confiance, Safe spaces

Qu'est que l'on commence, qu'est que l'on arrête, qu'est-ce que l'on continue de faire ?

• Start
• Stop
• Keep

Évaluation de l’atelier

900px|centré

Identifying good resources

• Security in a box https://securityinabox.org/ tools revised by a pool of digital security trainers, download the software from there
• Me and my shadow https://myshadow.org/ tips for mobile phone and browser
• Zen manual https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual focused on the gender and tech question : on-line identities, safe spaces, ...
• Holistic security : Physical security, Psycho-social security, digital security https://holistic-security.tacticaltech.org/
• About Dating apps : https://www.eff.org/deeplinks/2012/02/comparing-privacy-and-security-online-dating-sites http://www.forbrukerradet.no/appfail-en/ https://grindrmap.neocities.org/overview.html
• A webserie about privacy, big data, surveillance ... "Do not track me" https://donottrack-doc.com/en/episodes/