Data security in crisis situations

Shout out to Baron Oldenburg and Eleanor Saitta for feedback on this post!

Information is flying around fast and loose as you try to help people in need. Anyone who has capacity to help has been added to a spreadsheet tracking needs. If you’re in the thick of it, this piece isn’t for you yet. But even in those moments, be careful about who you share sensitive data with – there are big ramifications later if you get it wrong.

But when you can slow down a little to think about the longer-term ramifications of the data you've collected, come back and investigate this. While getting people the immediate help they need as quickly as possible is more important than keeping their data safe, the long-term impact of a data leak could put people already in harm’s way further into harm’s way. Example: collecting immigration status when determining which shelters will work for which folk could open you up to a subpoena or backdoor that leaks the data.

So far, I don’t know of any data breaches from community-led crisis response, but it’s frankly a second disaster waiting to happen. People offer admin access to EVERYONE involved in order to feel equitable. People are then scared to remove admin access to things because they don’t want to upset anyone. This leaves a very large attack surface for something to go wrong, even beyond the flaws of the tool itself. So limit how many administrators you have, and have a regular cadence to check in on who has access, as an admin or otherwise. Set up an impersonal rubric to remove access (“hasn’t accessed this data in x days” or “we’ll only have 3 admins, and we talk monthly about who is best in those roles” are two examples).
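As an added example (not from the post), here is how the two rubrics above can be run as an impersonal monthly check over a tool's sharing export; the CSV, its column names, the 30-day window and the cap of 3 admins are assumptions:

```python
# Added example (not from the original post): a periodic access review for a
# shared crisis-response spreadsheet, implementing the two impersonal rubrics
# the post suggests. The sharing export below is constructed; the column names,
# the 30-day window and the cap of 3 admins are assumptions.
import csv
import io
from datetime import date, timedelta

STALE_DAYS = 30   # rubric 1: "hasn't accessed this data in x days" (x = 30 assumed)
MAX_ADMINS = 3    # rubric 2: "we'll only have 3 admins"

# Constructed sharing export, in the shape many tools let you download.
SAMPLE_SHARING_EXPORT = """email,role,last_access
ana@example.org,admin,2024-03-01
ben@example.org,admin,2024-01-05
cho@example.org,admin,2024-03-02
dee@example.org,admin,2024-03-03
eli@example.org,editor,2023-12-20
fay@example.org,viewer,2024-02-28
gus@example.org,admin,2024-02-10
"""


def parse_sharing_export(text):
    """Turn the CSV export into a list of dicts with a real date for last_access."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": row["email"].strip(),
            "role": row["role"].strip().lower(),
            "last_access": date.fromisoformat(row["last_access"].strip()),
        })
    return rows


def review_access(rows, today_iso, stale_days=STALE_DAYS, max_admins=MAX_ADMINS):
    """Apply both rubrics and return a report for the monthly access check-in.

    remove_stale:    anyone (admin or not) idle for more than stale_days
    admins_keep:     the most recently active admins, up to max_admins
    admins_over_cap: active admins beyond the cap, to discuss and demote
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    stale = [r for r in rows if r["last_access"] < cutoff]
    active = [r for r in rows if r["last_access"] >= cutoff]
    # Rank active admins by recency so the cap is applied impersonally.
    admins = sorted((r for r in active if r["role"] == "admin"),
                    key=lambda r: r["last_access"], reverse=True)
    return {
        "remove_stale": sorted(r["email"] for r in stale),
        "admins_keep": [r["email"] for r in admins[:max_admins]],
        "admins_over_cap": [r["email"] for r in admins[max_admins:]],
        "next_review": (today + timedelta(days=stale_days)).isoformat(),
    }


if __name__ == "__main__":
    report = review_access(parse_sharing_export(SAMPLE_SHARING_EXPORT), "2024-03-05")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report is meant to feed the monthly conversation, not to remove anyone automatically; the point is that the list of names comes from the rubric rather than from whoever feels awkward asking.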

To limit the impact of a data breach, collecting ONLY necessary data is the best way to design. You don’t need to be collecting demographic data unless you’re running an equitability study later. Example: address and risk level shouldn’t be cross referenced unless absolutely vital. 

Do not use one shared login for vital or administrative accounts. Most tools worth their salt will allow you to have multiple accounts log in for the same view, so set people up with individual accounts so the account access can be managed. Any person with a shared login will be able to change it for everyone else. 

Retrofitting later is a pain, but is worth the pain. If you’re in a place where you can migrate to a new tool for a longer-term vision, I’d recommend mapping out tool options against group considerations. I do a grid with rows for technical options, and columns for things I care about. Things like longevity of data, alignment of the org with your group’s politics, who the data is visible to, if the data can be sold to external parties, relationship with law enforcement, etc. I then indicate how aligned with my goals each option is, and discuss the resulting grid with the rest of the tech team. Here’s an example grid for picking which messaging platform to use with each other:

If you’re able to turn on multifactor authentication (MFA), that’s another point where you can limit who the admins are. Doing this can slow some things down and be at odds with people being able to take the day off, but it’s another vector along which security can be tightened up as things slow down in the response. 

As an individual thing, Google Advanced Protection is worth turning on if you’re using Google tools. If you’ve got a workspace domain that’s being used in the response, all the admins should have it on, even if you’re just using people’s personal ad hoc accounts for most of the response work. We’re generally in favor of keeping data in Workspace even for many sensitive NGOs in complex situations because it keeps it off of individual devices and out of chats/email where it’s hard or impossible to purge, update, or track access. This of course presumes you have good connectivity, but so do most of these tools.

If you do have to have shared accounts for some things, using a password safe that gives you shared vaults can let folks log in without having direct access to the password if they’re willing to install the plugin — mostly for third party logistics or data feeds or whatever, not for the primary collaboration tools.

What else should folks be doing?

When Things Go Wrong: Response and Recovery

Originally posted on the Truss blog

When building systems with threats in mind, it’s not enough to just plan, not enough to just raise the cost to a bad thing happening — we still have to have an idea of what we’ll do when the bad thing happens despite our best efforts.

Truss modernizes government and scales industry through digital infrastructure. Information which is sensitive to individuals and to the welfare of the organization flows through the pipes we set up. Whether hospital records, the move locations of a military family, or financial data, Truss takes the best care possible in setting up infrastructure which mitigates the likelihood of a breach. We also have a plan for such a breach, in case it happens anyway.

At RightsCon, I moderated the panel The Rules of Cyberwarfare: Connecting a Tradition of Just War, Attribution, and Modern Cyberoffensives with Tarah Wheeler, Tom Cross, and Ari Schwartz. The question was this: if “cyber”* is a fifth arena of war (the existing domains being land, air, water, and space) what is a just response to a cyberattack which follows the international expectation of deescalating?

The panel and audience knew that we don’t agree with the responses which are happening now — the assumption of “hack back” against other state adversaries, the use of CFAA against people who might otherwise entertain the thought of being a patriotic hacker. The Computer Fraud and Abuse Act (CFAA) is what makes breaking those terms of service that are too long and dense to read fully a federal crime. That’s right, logging into your partner’s bank account after their death in order to pay the house’s electrical bill is a federal crime, and it’s the same law that’s used in most of the “hacker” cases you read about in the news. It’s also the number one reason the infosec professionals I know and love refuse to work with the government. The ACDC bill which allows “hacking back” is an exception to CFAA, which means you can attack a computer that’s attacking you. Except of course it’s not that clear-cut.

Which brings in the questions that many folk in the audience had. What about attribution (the ability to know who is taking the action)? This is hard in digital space because it’s easy to attack something from behind someone else’s IP address. What about asymmetry (an imbalance between those in conflict with one another)? Is it ok if one country attacks the other in cyberspace when the other country is just beginning to get online? These are hard problems, but we can’t wait until they are solved to have conversations about responses. If you’re having a hard time moving on without those hard problems being “solved enough” first, you’re not alone – the audience also had a deeply difficult time with it.

But what would be acceptable? If there was a breach of military moving data, do you think it would be responded to differently than the malicious changing of medical records? Do you think who the adversary is would matter? Does the immediate or the potential future impact on those involved matter more? Where is the line between war and espionage? We ended the panel with a comparison to disaster response, so attendees would have a framing to continue the discussion.

Disaster response also focuses on preparedness (stockpiling water for the next Bay Area earthquake), response (digging our neighbors out of the rubble), and mitigation (enforcing building codes which make collapse in an earthquake less likely). We are terrible at recovery. When it’s time to rebuild, the money, attention, and volunteers have dried up. Huge swathes of Far Rockaway (2012) and New Orleans (2005) are still a wreck from hurricanes.

The same is true for online attacks — whether doxxing (the nonconsensual revealing of personal information) or DDoSing (a distributed denial of service attack is when many computers all pester your computer for a response, not allowing it to say anything). We spend so much attention on battening down the password hatches and doing incident response that most don’t think about what being whole again after an attack that might happen anyway looks like. And so much of infosec and government work is about trying to prevent the Bad Thing from ever happening. Plan A is to make a perfect system. But we must own up to Plan A rarely being the plan that works out. Don’t your contracts also have release clauses in them? Planning for worst case isn’t inviting calamity, it’s being pragmatic.

One of our engineers recently said, “I would rather throw away some work than have to be under a too-tight deadline later.” This was said as Plan A seemed less and less likely due to bureaucracy and too many moving parts. But Plans B and C were being procrastinated on by our government protective cover. Why? I see the cost of exploring options in government as high, with extremely limited resources to work with. This means all sorts of fragility and resources wasted putting out fires when Plan A didn’t work exactly as planned. A balance of ownership, accountability, and flexibility would have helped alleviate this difficult situation. Additionally, setting aside resources for recovering from inevitable failure helps the entire system be more robust.

While Truss doesn’t specialize in the actual recovery (there are firms and insurance providers who do focus on response and recovery plans), we know it’s a necessary part of a complete plan, and you should, too. Good luck out there today, and remember to keep in mind what you’ll do if it doesn’t all work out.

* Note that I have a deep visceral reaction to the word “cyber,” but it’s the word that has been thoroughly adopted in this discipline and so it has been used here for the sake of readability. The confusing image for this post is the inoculation to having to use the word.

Adventures with the TSA

In the last month, I’ve had two interesting experiences with the TSA. Both times, the airline ended up saving the day. I’m writing this not as a “LOOK HOW BAD THIS HAS BECOME!” as I have friends in targeted demographics as well as friends on lists who consistently get detained, and they already write far more eloquently and intimately about that side of things than I could wish to. This is more a “look at what this is like, for someone who is socially aware but also not in a tracking system” (that I know of).

What’s in a Name?

The back issue on my end is this: I like my first name, but it’s not my social name – that’s “Willow,” my middle name. I have no desire to change my names, especially not to simply make the job the state has taken on easier. This means, when I travel internationally, my full name is listed with the airline from my passport, which also means my frequent flier programs have FIRST MIDDLE LAST. Which means when I book an intra-continental flight, my FIRST LAST shows up, while MIDDLE LAST are on all of my locally-relevant IDs (driver’s license, credit cards, academic IDs, etc). I have usually just brought an ID which indicates my first initial, and everything’s dandy.

This hasn’t been an issue until the last two months, when it has suddenly become enough of a red flag to merit extensive measures being taken to confirm I’m not a dangerous person. Which means going through all of my stuff and a thorough pat down. Which is often used as a threat, not as a heads up. As someone who has consistently opted out of scanners which can store and transmit images of your body (and therefore into pat-downs) for the past 5 years of heavy travel, I’m pretty acquainted with the less aggressive version of this process. I asked to see the policy stating that they had a right to touch me, based on my name. TSA informed me that no one is allowed to see their policies, and to please wait on a supervisor.

[Image: A gold sticker replicates a TSA agent's badge and reads "TSA Team Boston, Junior Officer" with the Department of Homeland Security emblem and eagles all over the place.]

I waited. And waited. My flight began to board. I was still on the other side of security. Finally, I went to the airline desk and told them what was going on, and they changed the name on the ticket to match the ID I had on hand. I made my flight. I’m not sure if the airline did a legal thing, so I’m not naming them, but holy shit am I grateful.

Victory point: the TSA staff felt so badly about their process and supervisor being so shitty that they gave me a junior TSA agent sticker. To which Jenbot responded “You’re just two more pasties away from the world’s funniest private screening.”

Nonconsensual Pat Downs!

Last night had significantly less humor. I, for once, went for the full-body scan thing. My emotional fortitude to opt out of every process is slowly being worn down, which just pisses me off even more. I hate rolling over and showing my belly, but I also hate being touched by strangers who think I’m a fucking villain 3+ times a month. The scan showed an “anomaly in my pants” (lulz), and the female-identified TSA agent started patting me down before any verbal acknowledgement or even eye contact was made. I stopped her, saying I hadn’t consented to a pat down, at which point she indicated the anomaly and stated a pat-down needed to happen. I said I understood, but I hadn’t yet consented. She asked if there was going to be a problem, I said “with you touching me without my consent? Yes.” She then deployed the mantra of “going through all of my stuff and a thorough pat down,” but this time with about 3 additional TSA agents, a manager, and 2 federal officers around me, with them holding onto my stuff.

I balked. I’d rather spend another night where I was than deal with this (I was in a lovely place with lovely people). They tried to take my ID to scan it for a report I wouldn’t see. I instead put on my boots, got my bags (they didn’t resist my taking my things, but they also didn’t make it clear in any way it was possible), and walked towards the airline counter to sort things out. As I was walking away, one of the federal officers told me in a surprisingly friendly tone that if I attempted to make it through a different security line that night, I would be arrested and criminal charges pressed against me.

The airline informed me that I could use the ticket’s cost towards a future flight, but that they couldn’t book me on another flight the next day free of charge. That was between me and the TSA. I went back to the security line and talked with state officers, the TSA manager, and their manager about my general work, large-scale conflict resolution, sexual assault survivors, trans friends, and the TSA’s lack of empathy and effectiveness. I should have left the last part out, but I was pissed off. They allowed me to go through the process that night, if I were willing to go through the pat-down and stuff-going-through. And fuck it, my going home was more important in that moment than my civil liberties. And yes, I’m also well aware that basically no other demographic would have been able to have this privilege (because while it was personally deeply uncomfortable and not ok, it was still a systemic privilege to be able to have a re-do).

A friend who happened to be in the airport at the same time (small world is small) had seen some of this happening, and waited past security for me to be sure everything was all right. I’m deeply thankful for this act of kindness and manifestation of social fabric. Also that the TSA manager enacted the pat-down, as a personalized moment of “I know I’m a part of a fucked up system.” I made it through security at the core of the airport just as my flight was meant to be taking off in a peripheral gate, but I jogged to my gate anyway. And the goddamn airline held an entire flight for 15 minutes just so I could still get out that night. So much gratitude.

Internal Consistency is How the Terrorists Win, Apparently

It’s worth noting here that I fly a fair amount. I also tend to detect patterns and systems fairly well. I dread the inevitable next agent-splaining of how TSA policies work, which are always attempts to be kind and to let me in on “how things work,” but are never remotely consistent. Fuck you. The haphazard nature of enforcement has little to do with “let’s keep ’em guessing!” and far more to do with “what equipment is working today and what rules we’ve been chop-busted about most recently.”

Which Just Adds To…

The cycle we’re caught up in right now does little to nothing to “catch the terrorists” (which is also just slapping a band-aid on a gaping wound of systemic problems) and a whole lot in further ostracizing and demeaning historically marginalized demographics.

I have no idea what to do with this – the work I can’t not do (for passion, for frustration, for specialization) merits traveling a fair amount. The people I love are a distributed lot. But I also can’t handle instances like this happening too much more before… something has to change. Me, or it.

Here’s something I used to do a lot more, and which now I’ve been worn down out of doing, so I can still have emotional capacity for other things I care about. And that also pisses me off.

Is it secret, is it safe?

Being in Berlin reminded me that I haven’t been around the hackers I know and love since my last round of gadget acquirement. A lot of conversations have been happening recently around the usability of crypto-aware tools (including an event in DC on Jan 11th that GWOB is doing with OpenITP – you should go!). What we fail to talk about is how easy many of the existing tools out there are to use, and what they are. Here are some things we did:

Encrypt all the things!

Why this matters: when interacting with law enforcement, you can plead the 5th around your password, but the hardware itself can be seized, albeit sometimes for a short time. During this, they can take an image of your disk, i.e., scan and copy anything on it. By encrypting your device, all they will see is adsfliu9p8aerkadfov8c79234hfgia etc instead of “ohai.”
FileVault

  • A Mac. It’s not as hard as you think. With a solid state drive, it takes about 45 minutes. Let it run tonight while you head to bed. For a Mac, plug it in, launch System Preferences > Security and Privacy > FileVault > Encrypt.
  • An Android. Also not difficult. Settings > Security > Encrypt Device. Again, you’ll need to leave it plugged in and have a bit of patience with it.

Password Management

Why this is important: it helps you avoid password reuse by letting you remember only one strong password and store non-human-memorable passwords for everything else.
On Mac, I went for 1Password. It costs some money, but it’s hella easy to use, and I can share an encrypted file via Dropbox between my multiple devices so I can still access accounts. While I’m plugging in these accounts to 1Password, I’m slowly changing all my less-secure passwords for randomized ones.

Communications

[Image: drawn for Morgan Mayhem’s Center for Civic Media talk on Coercion Resistant Design]

Why this is important: While we’ve achieved HTTPS in most places, within and between larger “clouds” data is not actually sent encrypted. In order for you to maintain your privacy, it’s important for anything you send to be encrypted. All of these are usable in the exact same way from a user standpoint as the things they replace. They just also encrypt the traffic. Try them out.

I already use Adium for Off The Record (OTR) and Thunderbird for Pretty Good Privacy (PGP) on my Mac. I’d use Jitsi but it crashes anytime I’ve tried. Waiting until it works. That said, I also want the messages I send on my phone to be encrypted.

  • ChatSecure : chat on phone
  • TextSecure : already installed, but worth mentioning
  • Threema : also encrypts images etc! Let me know if you’re on it, definitely needs critical mass in order to be usable. I’m K69NNHXE
  • Orweb : Tor browser on phone
  • Orbot : Tor node on phone

Self-Hosting

Why this is important: you control your data. Or at least someone you can go punch in the face does. I am also incredibly hungry at this point of writing this post and thus this section lacks detail.
  • Uberspace : I like this group out of Berlin. They’re pretty great.
  • Ownweb : All the functionality of calendar, contact storage, etc. Works beautifully on Uberspace.

edit: Make that OwnCloud. Thanks, Natanji! Also, hosting on your own of course requires the mental and technical capacity to maintain those servers.

Is it safe?

When is the last time you ran a backup? Why not right now?

<3 to all the fine folk who helped out with this : Tomate, Herr Flupke, Morgan.