Digital Security

Does "Smart" Make Sense?

Source : Cisco Smart Cities

If you are reading this blog, I bet you have attended an event in the recent past where the new buzzy topic “Smart Cities” was discussed. I have been to several such events lately. Interestingly, each mention of ‘smart city’ I heard carried a slightly different meaning. Further, there is seldom an answer to the question, “To what end are the cities smart?”. So I decided to clarify “smart cities” for myself. Here are some of my thoughts. READ MORE »

The Right Message on Digital Security

Is the right message being heard?

Over the last few weeks in Nigeria, I had the opportunity to conduct capacity-building training sessions almost every day. While many of these sessions were enthusiastically received, discussions on digital security fell on deaf ears.

For one of these training sessions, I’m invited to train on “ICT,” and offered no further parameters. To be frank, I feel a bit like I’m Noah being asked to choose animals for his ark: decidedly “ICT” is too broad a category for training. So, I decide to prepare a few different topic areas and let the audience determine where we should focus our time.

The day arrives, I enter the room, and rows of eyes look out at me. I do my typical intro: why I’m here, what I’ve done, what my areas of expertise are, and I ask: READ MORE »

A Day for Digital Security

Encryption dominated much of the discussion at the conference


Last week I took a Friday trip to the Knight Conference Center at the Newseum for a day focused on the present state of digital security as it relates to surveillance and the news media. The Freedom of the Press Foundation, Open Technology Institute, and Reporters Committee for Freedom of the Press co-hosted the “News Organizations and Digital Security: Solutions to Surveillance Post-Snowden” event, which drew a capacity crowd of technologists, journalists, media development professionals, and a few folks like me who work in the #Tech4dem space.

The star of the event turned out to be none other than Mr. Edward Snowden himself. After the conclusion of the day’s final panel - fittingly a discussion on “Security Lessons from the Snowden Files” - Snowden appeared for a brief Google Hangout with the audience. Like many of the panelists before him, Snowden called for a “change in attitudes towards digital security.” The (in)famous whistleblower stressed the importance, as he did during the initial release of the NSA documents, for a wider social and policy discussion on issues of digital security, surveillance, and potential regulation. After he wrapped up, the crowd took a trip to E Street Cinema for a screening of CitizenFour, a recently released documentary film tracking Snowden during the days leading up to and the months following the NSA leaks.


New NDITech Friends in the Northern Virginia Tech Community


NDI has been reaching out to the tech community over the last few years to explore mutually beneficial ways to work together. You may recall our conference in Silicon Valley last year, billed Governing Democratically in a Tech-Empowered World. Next week we're venturing south to engage the tech community in northern Virginia with our new friends from the NVTC - the Northern Virginia Technology Council.
NDI and the International Committee of the NVTC are co-hosting a lunch discussion that hits on a couple of the key themes we're working on surrounding technology and democracy these days - digital security and civic innovation. The first panel, Digital Security to Protect Human Rights and Democracy Activists, will feature former NDItech star Ian Schuler and Amie Stepanovich - Senior Policy Counsel from Access. The panel will be moderated by Mohamed Reda, Chair of the International Committee of NVTC. Following a nice lunch the second panel - Technology, Civic Innovation and Democracy Support - will be moderated by Alex Howard and feature Megan Ryskamp Partnerships from Google; Amy Ngai Director of Partnerships and Training from the Sunlight Foundation; and our own Scott Hubli - Director of Governance from NDI.

CyberDialogue: The Future of Internet Freedom

CyberDialogue 2014

I’m recently back from Toronto attending CyberDialogue 2014, an extraordinary gathering hosted by the University of Toronto's Munk School of Global Affairs, particularly their extraordinary CitizenLab. It's a heck of a group they pulled together - about 150 people from across academia, the NGO world, security geeks and government.
The topic for the meeting: “After Snowden, Whither Internet Freedom?”

From NDI's perspective, one of our greatest worries could be framed by dropping the H from whither: "After Snowden, will Internet Freedom Wither?”

Since Secretary Clinton put Internet Freedom on the policy agenda back in 2010, the US State Department has poured millions of dollars into promoting an open internet, funding technology to keep activists safe online and advancing the notion of a unified Internet with open access for all.

This has been a very important conversation within the United States government as well as in the world of human rights. Before the State Department Internet Freedom push, the entire discussion of rights online was framed around cyber-hyphen whatever - with language of security and control. Protect the online space by stripping away anonymity, maximizing monitoring, and generally empowering governments - including those of regimes not well known for vibrant democracy or rule of law. Rather than a monologue controlled by the Pentagon and NSA, the introduction of Internet Freedom as a frame shifted the internal conversations into a debate - and as a result, NGOs working with human rights advocates and democratic organizers had a place at the table. READ MORE »

Will Mobile Phone Security Always Be An Oxymoron?


Is true mobile phone security a lost cause? With the increasing popularity of mobile messaging applications with weak security practices, the escalation of SIM card registration requirements, and the nearly antiquated legal definitions of the ways that mobile phones are used by citizens, securing mobile phone communications is a multi-faceted problem.

I’ve done mobile security trainings for a number of years now. And one of the biggest challenges that emerges with thinking through mobile security is all of the different areas where threats can emerge: the technical infrastructure of GSM networks, the personal information that’s needed to obtain a SIM card, the location tracking capabilities of phones, and the list goes on.

During RightsCon, I had the opportunity to chat with the following rockstars about the current state of mobile security and what can be done to make improvements:

Alix Dunn, Creative Lead at The Engine Room

Bryan Nunez, Technology Manager at The Guardian Project

Carly Nyst, Legal Director at Privacy International

Chris Tuckwood of The Sentinel Project

Craig Vachon, VP Corporate Development at Anchor Free

Pablo Arcuri, Chief of Party at Internews

Oktavía Jónsdóttir, Program Director at IREX

Rory Byrne, Founder and CEO at Security First


Back to Basics - 5 Simple Security Tips

Computer-Aided Reporting Conference 2014

Last Friday I was gatecrashing the Investigative Reporters and Editors Computer-Aided Reporting conference up in Baltimore. Super cool conference; I’ll write it up more generally later. I was asked to share a bit about NDI’s perspective from the field on how we work with political activists and citizen journalists to be aware of the risks they face when using the internet for organizing or communications.

It was a great crew up there - myself, Jennifer Valentino-DeVries from the Wall Street Journal and Susan McGregor from Columbia University ably moderated by Josh Meyer, a board member with the sponsoring organization.

Sometimes in life it’s hard to know what to say (a buddy’s unsuitable engagement, a breakup convo, comments on a friend’s poor artistic performance), and one of those moments for me is the 10-minute digital security discussion. You can’t dive into the details of a complicated tool like GPG. You can scare the pants off of them, but playing dead is not a valid defense mechanism online. So we tag-teamed it. Susan started things off with a quick “how the internet works” - and therefore where you can be attacked - while Jennifer focused on some core software of use in newsrooms like Tor, password managers and Cryptocat.

I decided to take a slightly different tack and talk about really boring stuff. Seems like a presentation winner, right? READ MORE »

The Story of a Software Audit

TrueCrypt logo

Auditing software, both its license and its source code, is nothing new, especially for tools that are new additions to the digital security toolbox. But what about software whose use is widely recommended, but where little is known about the licensing decisions and the differences between the original code and platform-specific applications? This is the impetus for the audit of the encryption software TrueCrypt.

TrueCrypt allows you to create an encrypted container on your computer's hard drive to store sensitive files, which, to the untrained eye, appears like any other file you might find on a user’s computer. TrueCrypt storage “volumes” are typically made to look like a large video file (and hey, we even have a tutorial on how to make one that actually plays part of a video).

Despite being an open-source licensed project, there are legal and technical limitations to its openness.

While TrueCrypt’s source code is publicly available, the build process for the binaries (what makes TrueCrypt function without any installation process) is not. This matters because the binaries could contain security flaws that are unknown and unfixed. As cryptographer Matthew Green points out, the majority of TrueCrypt users only install and run it through the binaries, and while the source code seems trustworthy, it’s unclear if the binaries are. READ MORE »

Learning ADIDS - Digital Security Trainings for Grownups

I thought it was a brand of athletic shoes, but apparently I was wrong.

I was recently at a training-of-trainers with some of the best digital security experts in the business. We’re working with a crop of young trainers from around the world eager to improve their skills in teaching others the critical - and timely - topics of safety and privacy online.

We’re not children anymore. (I, at least, am nowhere close.) That means, in part, that we don’t learn in the same way that children do - and a lot of the teaching methodologies we’re brought up on don’t work well for adults. We are building out a set of digital security training materials and in the process I’ve been learning about a pedagogical approach called ADIDS. I’ve also been learning how to pronounce “pedagogical.”

ADIDS stands for Activity, Discussion, Inputs, Deepening, Synthesis. It’s a proven approach based on experimental results and sound learning principles - and entirely new to me. This may explain much of my academic career. In any case, by taking a topic and approaching it through these five lenses, one gives a broad audience of adult learners the best chance possible to absorb new, complex information.

People don’t learn everything all at once. It’s a frequent sin in digital security trainings to blast through a complicated topic, say “any questions?,” nod in satisfaction, and move on confident that the information has been absorbed and will be faithfully lived from that day forward.

With ADIDS, you’d go through a series of stages on a given topic. It also makes Death by Powerpoint refreshingly implausible. READ MORE »

An App That Spotlights Your Risks

Panic Button Logo

Earlier this month, I had the opportunity to participate in an event to determine how human rights defenders might approach an emergency alert mobile app given their diverse risks, and to ensure that activists first consider their risks before adopting such a tool.

The following is a summary of this event, written by Alix Dunn of the Engine Room and Libby Powell of Radar. 

How can an app developer make sure that an app doesn’t do more harm than good? For Amnesty International, that question could be one of life or death for human rights defenders using their new Panic Button app. READ MORE »

Fake or Real? Fake Domain Attacks on Civil Society Web Sites

Fake Domains

We work with civil society organizations around the world that are facing increasingly sophisticated cyber attacks from relentless, well-resourced, and technically extremely savvy adversaries that attempt to curtail, surveil, and otherwise hinder their work. We are routinely called to assist our partners in preventing and mitigating denial-of-service attacks against and hacking of websites and online services, especially during political events such as elections. Our partners are under threat in myriad ways, ranging from account compromises and social media takedowns to regime trolls, spammers, and malware.

ACCESS Now, a US-based advocacy organization focused on internet governance and digital security, has just compiled the first in a series of reports focused on these threats to civil society organizations. The first assessment focused on fake domains, where an adversary creates a website or social media profile that looks similar to that of a civil society organization. These fake domains are used to dilute or confuse the message of the organization and subvert its effectiveness by drawing readers away from the original site, or to serve malware that specifically targets the audience of the original website. READ MORE »

Our Digital Future: What's Next for Internet Research

NDItech was recently at an event on Our Digital Future: Ideas for Internet Research hosted by The George Washington University’s Elliott School of International Affairs. A diverse panel of experts in the field were invited to the discussion: Matthew Reisman, a Senior Manager at Microsoft; Milton Mueller, Professor at the Syracuse University School of Information Studies; Brian Bieron, Senior Director with eBay; and Carolina Rossini, who serves as Project Director for the Latin American Resource Center.

Panelists made a number of interesting observations about the status and power of the internet in today’s global society. Matthew Reisman pointed out that Microsoft, in particular, is interested in studies of how government regulatory policies are affecting the ability of entrepreneurs to conduct business online - which would be most easily measured by conducting econometric research on internet policies enacted around the world.  As trade and services burgeon online, governments are creating barriers that complicate the ease of doing international business. It is important for those researching the modern impact of the internet to consider just how these barriers are affecting businesses, economies, and people, especially in a world where eCommerce has grown to encompass over 6 percent of the global retail sector over a period of ten years. Milton Mueller further asserted that developing an understanding of intimate relations between technology and social relations is essential, including how [we] are going to govern newly implemented technologies, and what the global impact of this governance will be.

The internet is global and as such has particular impact on the economic possibilities for developing countries. We hope to see tangible data from conversations such as this that make the point why the internet - in economic and political terms - is a vital resource for countries worldwide.


Mobile Phones in International Development: Insecure and Problematic for Security and Privacy

Creative Commons Photo by flickr user gruntzooki

There is a new report by Hibah Hussein, a researcher at the New America Foundation, that sharply critiques the lack of privacy and security considerations in mobiles-for-development projects. As readers of this blog know, mobile phones are proliferating as a communications and information delivery channel in international development - in health care projects, those focused on economic development and livelihoods, and also in social accountability and transparency work. We here at NDI have certainly used mobile phones extensively in systematic election monitoring, for citizen outreach and delivering civic information, and for citizens to hold their elected officials accountable.

But, as Hussein poses, mobile phones are inherently insecure channels, easily surveilled and monitored by design (after all, telecoms charge by usage and thus watch closely what you do), poorly regulated, if at all, with meaningful privacy protections in most developing countries, and thus inherently subject to deliberate or inadvertent privacy and security breaches. Since mobile projects in development often target the most vulnerable and marginalized populations, and much of development happens in countries ranging from poor governance all the way to outright dictatorships, this combination, Hussein argues, is a recipe for disaster. She notes that international development projects lack privacy and security protocols and guidelines and proposes a framework for them to consider in their projects.


Beyond Repair? Normative Change in Freedom Online

Norms are shifting on the Internet. Don't get left behind. (image by nettmonkey)

Cyberspace and all communications associated with the Internet were once idealized as a free and open space in which communications could flow back and forth at liberty. This idea has slowly changed in the last 25 years and we are now seeing the Internet and cyberspace as a “Fierce Domain” in which states engage in hostile actions against one another and increasingly against their own citizens. We wondered what normative changes have occurred over the last 15 years in cyberspace and what the implications of this change have been for democrats around the world.

Jeffrey Legro’s definition of norms as “collective understandings of the proper behavior of actors” is helpful to illustrate how norms have evolved in cyberspace. So then, what are the specific norms we would like to see in cyberspace as a democracy support organization? There are currently very clear trends in norms that we wish we didn’t see.

First, we see a significant increase in offensive and defensive state-level cyber capabilities and a growth in state censorship and surveillance. The data globally, as illustrated through sample data taken from censorship monitoring projects such as the Berkman Center’s Herdict Project, illustrate an increase in reports of online censorship. Although this data is based on citizen reporting and the reported blocking may not all be state-generated, the enormity of the reports of censorship is staggering.

Along with censorship comes its closely related counterpart, surveillance, and reports of individuals being surveilled in their online activities are only increasing. Furthermore, as indicated by experts in tracking censorship and surveillance such as Ronald Deibert at the Munk School of Global Affairs’ CitizenLab, surveillance is getting worse. Globally we almost certainly passed the state when only a few states were using the Internet as a means of censorship and surveillance against their own citizens. States are increasingly socializing, demonstrating, and institutionalizing censoring and surveillance behavior.

A Roundup of Recent Surveillance Revelations

Source: Flickr/robjewitt

The Washington Post and others have reported extensively on the now declassified secret court opinion from 2011, which claims that the National Security Administration (NSA) has been illegally gathering tens of thousands of electronically-based communications among American citizens for several years now. An internal NSA audit conducted in May 2012 reported 2,776 incidents of unauthorized collection, storage, access to and distribution of legally protected communications from April 2011 to March 2012.

As part of its bulk surveillance program, the NSA has put pressure on numerous companies to release information about their customers. In early August, Lavabit, an email service used by Snowden and approximately 400,000 other people, shuttered its operations after refusing to comply with a court order to help the US government spy on its clients. Founded in 2004 and owned by Ladar Levison, Lavabit email services used asymmetric encryption to provide a significant level of privacy and security for its users - significant enough that US intelligence agencies could not crack it. Under gag order, Levison was prevented from discussing in detail the reasoning behind his company’s shutdown. On the Lavabit website Levison left a cryptic message for users regarding his decision:

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise.”


Detailing Censorship Under Two of the World's Most Repressive Regimes

Two Papers on Censorship Presented at FOCI'13 Caught Our Interest

As sentiment that internet freedom is increasingly being threatened worldwide is on the rise, details on the extent of how censorship is conducted at a technical level are often unavailable. At the USENIX Free and Open Communications on the Internet (FOCI) workshop today in Washington, D.C., two papers provided this information for two countries. The first, by Zubair Nabi, focused on increases in Internet censorship efforts in Pakistan, and the second, by Simurgh Aryan, Homa Aryan, and J. Alex Halderman, examined in detail the rigorous censorship regime present in Iran. Both papers can be found here and both illustrate a disturbing trend in state repression of information. READ MORE »

DDoS Mitigation 101

Simple Techniques to Protect Your Website Against DDoS Attacks.

Distributed Denial of Service (DDoS) attacks are an increasingly popular method used against NGO and independent media websites to make them inaccessible during key political moments.

How do they work?

The term DDoS in popular lexicon in reality represents a range of different types of attacks. Largely these attacks exploit the way in which computers and servers handle connection requests. The easiest way to think about DDoS attacks is to imagine your home telephone. If you receive one phone call at a time you can answer, talk, and communicate with ease. If, however, 50, 100, or 1,000 people all called you at the same time, not even the best call waiting service would really suffice for your average home telephone. While computers and webservers can handle hundreds and at times even thousands of calls at the same time, they eventually reach a point where they are unable to respond adequately and give a busy signal. This busy signal prevents people from accessing content on your site, system, or online service. READ MORE »

Animating Digital Security

Digital security can be quite challenging for activists working in conflict zones or similarly difficult environments. The SKeyes Center for Media and Cultural Freedom has produced the "Journalist Survival Guide", a series of animated videos aiming to provide journalists and citizen journalists operating in dangerous zones with the most essential recommendations on how to protect their physical and online safety.

Our favorite videos include "How to Protect your Computer against Hacking and Malware" as well as "How to Get a Secure Internet Connection".


Want to see more? All videos as well as accompanying scripts are available in English and Arabic. Enjoy!

Spooks and Democracy Advocacy - Are We Becoming Cyberlosers?

Change the World

The recent revelations about large-scale NSA surveillance point to a pervasive problem facing democracy and human rights activists around the world. They face intense surveillance on a daily basis for working for universally accepted human rights and democratic and accountable governance. Those who thought of the internet as a space for free expression and a place where ideas are able to transit the globe unencumbered have by now realized that the reality of the Internet is not too dissimilar from that of the physical world. The great public square that is the internet is closely watched and increasingly controlled by governments and their spies. We wonder increasingly: How can democracy and human rights activists still use this space to continue the good fight? What are the implications for democracy and human rights activists following the revelations of surveillance programs such as Prism and large-scale metadata dragnets? Are we fast becoming the cyberlosers as the world moves towards compromised internet governance, national internets, and pervasive surveillance?

The bottom line is this: The online public square is deeply compromised. Of course, this surely is not a great surprise. READ MORE »

PRISM Shedding too much Light on Your Communications? Tips for More Digi-Sec!


If your Twitter client didn't explode with the news about PRISM, here are the highlights, courtesy of the Washington Post:

An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

Dropbox, the cloud storage and synchronization service, is described as “coming soon.” READ MORE »

Instant Messaging on Smartphones: WhatsApp's Lack of Security

WhatsApp Logo

WhatsApp has become a very popular (read: FREE) alternative to traditional text messaging. Over the past few years, many smartphone users have shifted from using BlackBerry Messenger and other instant messaging apps to WhatsApp. This is especially true for activists in much of the Middle East and Sub-Saharan Africa.

The growing popularity is understandable considering that this cross-platform instant messaging application for smartphones only costs $0.99 for iPhone users and nothing for other platforms. With more than 200 million active users monthly, WhatsApp CEO Jan Koum boasted that “We’re bigger than Twitter today,” at a conference in April. According to company statistics, WhatsApp users are quite active - sending 12 billion and receiving 8 billion messages per day.

With WhatsApp you can send free messages to friends, family, colleagues, etc. anywhere in the world. In addition to messaging, you can create groups and exchange an unlimited number of images, video and audio media messages. Sounds pretty great, right? READ MORE »

Someone recovered your deleted pictures? *OH SNAP!*

Snapchat Logo

Wish there wasn't evidence of those drunken college photos? Or pics of something that could be career-ending?

Enter Snapchat, an app available on iOS and Android that allows users to take a photo and send it to a friend, after which it is deleted after 10 seconds. (It's so easy, even Stephen Colbert can do it). Sounds pretty great, right?


Snapchat photos appear to live "beyond the grave" in the memory of smartphones (perhaps making the Ghost logo all the more appropriate).

Decipher Forensics recently investigated if Snapchat photos actually are deleted, or if the image and any associated metadata with such photos can be recovered. Report author  used two Android devices to send and receive Snapchat photos, and found that: READ MORE »

Bridge Into an Uncensored Internet

Tor (incognito)

Elections and other political events can be a time, in less transparent environments, when there is increased internet monitoring and censorship. With notable elections coming up in the next few months, particularly in countries with a history of internet monitoring and filtering, utilizing circumvention technologies ahead of these events becomes extremely important. Circumvention technologies enable you to route your internet connection through an IP address outside of your country, allowing you to view otherwise filtered content. One of the best circumvention technologies is Tor.

However, in countries such as Iran and China, known Tor IP addresses (or "relays") have been intermittently blocked in the past, making it unusable. Expanded use of capabilities such as Deep Packet Inspection has even made it possible for some regimes to determine if internet traffic is being routed through Tor. READ MORE »

Technology Tools for Activists Handbook

The best way to find out? Check out their handbook

Tech Tools for Activism (TTFA) has just released the latest version of its handbook, with information and instructions for tools any activist can use. The handbook is not filled with flashy, sexy programs, nor does it give you THE one comprehensive answer that takes care of all your security needs. What the handbook does well, however, is give you a simple explanation of why your security is at risk, and give you free programs that will help keep you safe. Both the easy-to-read layout and the educational explanations make this handbook a good primer for activists, their partners, and anyone who has a general interest in security while using communications technology.

Included in the manual are topics such as:

Make it Easy to "Do the Right Thing" with TAILS

A tails screenshot: using Open Office, IceWeasel, and Pidgin Messenger

Computer security is unpleasant. It's inconvenient. It's confusing. It makes your life harder, prevents you from accessing what you want when you need it, and requires being very thoughtful and careful at all times. All together, it's no wonder that so many people don't do what they should even when they know it's the right thing to do. You have to make choices to keep yourself safe and anonymous, and we all go with the easy default settings at times, or slip up occasionally.

What we really need is a system that makes people Do the Right Thing without taking any special, onerous action.

Enter TAILS: The Amnesiac Incognito Live System.

Let's break that one down. READ MORE »
