#PDF17: Notes on digital security needs of orgs and individuals

Q: How do we even get into the same room in the first place? These events are expensive. Fellowships can help but you need a professionalized affiliation to get the funding you need. How do you even connect in the first place? If you know you need help?

A: Those that are able to attend events like this should make our resources open source so others can solve problems. People will generally seek solutions to their own problems. Some people donate their time to help train up organizations and make documentation easy to understand and to run with. Need to have a digital safety baseline before helping with security. If you create documentation, make it open and share it.

A: People need to create “cultural products” around digital security. Comic books, music, etc. are desperately needed. Easiest way to get people on board. Also tone and language we use to describe digital security. Is it cool and futuristic? Full of fear? Shame?

Q: I’m nonchalant about my digital security needs. How do you start thinking about what’s important? Where do you start? How do you prioritize what matters?

A: Experience is often learned by fire. That has informed baseline best practices, then collaborating with others builds it up. Coming at it when most people connected to [me] are under attack, it can feel overwhelming and scary, like your life is being taken away from you. Like all of your debit cards and everything are taken away. Prophylactic measures come out of that experience.

Q: What are the first things on the checklist?

A: Don’t use the same password for everything!

A: Go to a data broker website and see how much of your data is out there.

A: Add two-factor auth to every account you use. It’s trivial to get into someone’s email without it. Much harder with it. Every step you take increases the skillset necessary to get your info.

A: If you’re a target at all, use an iPhone or a Chromebook. If you need to open attachments, iPhone or Chromebook are best bet. Average hacker can’t attack a Chromebook, everything is digitally signed by Google. When traveling, go with an empty Chromebook, log in when you get there, then wipe when you come home. iPhone is encrypted by default and harder to run stuff that’s not digitally signed for it. Easier to exploit an Android phone for these reasons.

A: Try to understand why you do certain things, like when you give information to a grocery store. Why am I entering this information? You have to change your online behavior. Difficult to differentiate online and offline behavior. Take small steps, one step every day.

A: If not iPhone, iPod touch. Cheaper but just as secure.

A: Having a community space to talk about this stuff is important. If I want to start teaching people about these issues, where do I start? Try to think the way the person you’re working with thinks. Who are the people that are important to protect around you?

Q: How do people feel about existing resources that people typically point to? Resources that proclaim to be “out of the box”? Also thinking about to what degree to invest in resources and whether it’s worth bringing in people themselves.

A: Existing resources are completely useless now, political change or something else makes them out of date. Some have been translated into many languages, but not up to date. For one post, the authors pledged to maintain it to keep it accurate. If you have choice between bringing someone in or pointing to doc, bring someone in! For example Access Now’s Helpline is a great free resource.

A: Understand the basic things that everyone should do. But if you have a targeted group of people that are dealing with a specific adversary, understand how you can minimize damage.

A: Many people in trainings have said they don’t need another guide. People should be funding small groups that are context specific. Some docs like EFF’s guide are being maintained. It’s all CC licensed. Take it! Docs need to be really specific, and try to have it be from a specific community.

Q: What else do you connect digital security trainings to? How do you contextualize it?

A: How do you not also get the crap kicked out of you? People being harassed online is a huge part of it, such a direct correlation to mental health, anxiety, depression, etc.

A: CPJ has a rapid response team that does physical, emotional, operational security. An integrated approach is being seen as the way to do this. For example, need training to manage emotional response of being hacked.

A: Also, how to match the right people to the right people. Right now it’s like two blind people trying to find each other. What is needed in this field is the networking and matchmaking. Need funding or other collaborations to help with this. A lot of people in the room might be able to help with this.

Q: Am I increasing risk by connecting AI to something like the blockchain?

A: [WHOA] You can either hide the things and keep them out of public view, or have one thing and put it everywhere. Where’s the data coming from? Is it dangerous (most data is)? If so, try to scrub.