Teaching communications security to lawyers
This article is meant mostly to run through how we ran a cryptoparty-style training in realistic computer security and communications security for attorneys this weekend, and to encourage others to do the same.
Attorneys have a duty of confidentiality to their clients, and by the nature of their work they are often recipients of very sensitive information. At the same time, computer security is not their primary job, nor, for the vast majority, should it be. We went into this training with a few guiding principles:
- Do no harm. If someone is using a reasonably secure tool, and is happy with it, we were not going to recommend that they switch to something else without good reason.
- Attorneys understand risk management. If we spoke to them in terms of identifying and mitigating risk, we would do better than speaking about threat management or other terms that are common in infosec land.
- Practical, actionable advice. Do not make the perfect the enemy of the good. If someone showed up and left having made only one small change, it was a win. We offered options ranging from “this is better than what you’re probably doing but not too complicated” to “this is a pain in the neck for your workflow but might be good to know about for very sensitive information,” especially for complicated tasks like secure file exchange.
What we taught
Before the event, we spent a while digging through bookmarks to find resources and asking folks who had done cryptoparties or similar training for recommendations and resources. These ended up mostly going into our “Learning more” handout linked below; there are some good guides to attorney information security awareness, so we didn’t have to start from scratch.
- Computer Security Tools & Concepts for Lawyers by Kendra Albert
- Operational Security for Lawyers by Ansel Halliburton
I also did an informal survey of attorneys I knew, wherein I bugged them about how they exchanged sensitive files with clients. (If you’re an attorney friend who was on the receiving end of that, thank you for indulging me, answering all my questions, and talking through all the considerations!)
- Learning More
- Secure File Exchange
- Password Managers and Two Factor Authentication
- Secure Messaging
- Email and Web Security
The handouts we assembled were designed to give attendees a place to go for more information on a topic. They were designed originally with the idea that if an attendee didn’t make it to a table topic at the event, they could grab the handout and read up. As it turned out, they seemed to mostly be used by attendees while talking with a trainer about that specific topic, as a guide to discussion and a place to take notes.
Secure file exchange is a complicated topic and involves a lot of tradeoffs. First, it should be something that the attorney and the client discuss and agree on a level of protection for. This will vary; not every document needs to be highly secured, but some cases will call for more protections. This is also an area where we worried about making things so complicated that they would be less secure in practice.
What we presented, as seen in our handout, was a range of options from “password protect a PDF” which is not super secure but better than sending plaintext documents around, all the way to OnionShare, which requires the use of Tor.
We generally recommended VeraCrypt as a good solution for strong security, but as with a lot of these tools, VeraCrypt has some usability issues for non-nerds. This is an area where lack of good UX is an issue, because anything more complicated than saving a PDF with a password requires many steps through poorly designed dialog boxes. I’m a nerd who is very comfortable with complicated software and the command line, and I still was a little worried the first few times I made a VeraCrypt container with their how-to guide open next to me. If I could ask the tech community for one thing to help lawyers, it would be to please help fix the usability issues in this area.
Whichever software you use, do make sure to select a good password. Ansel Halliburton writes in Lawyerist that a Word document protected with a dictionary word can be cracked in seconds. Using long, randomly generated passwords greatly increases the protection and time to crack.
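To make the “seconds versus a very long time” comparison concrete, here is a small added script (not from the original handouts) that estimates the keyspace of a dictionary-word password against a randomly generated diceware passphrase or random-character password, and generates a passphrase with the OS random source. The word list, the 7776-word diceware size, and the one-billion-guesses-per-second rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed word list, only so the generator runs offline.
# A real diceware list has 7776 words; that size is used in the estimates.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "heron"]
DICEWARE_SIZE = 7776

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password made of `length` symbols drawn
    uniformly from an alphabet of `alphabet_size` choices."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second

def generate_passphrase(words: list, n_words: int) -> str:
    """Pick n_words uniformly with the OS CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Entropy (rounded bits) and exhaustive-search seconds for three policies.
    The guess rate is an assumed figure for an offline attack on a document."""
    policies = {
        "one dictionary word (100k-word list)": (100_000, 1),
        "6 diceware words": (DICEWARE_SIZE, 6),
        "20 random printable ASCII characters": (95, 20),
    }
    result = {}
    for name, (alphabet, length) in policies.items():
        bits = keyspace_bits(alphabet, length)
        result[name] = (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
    return result

if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:40s} {bits:6.1f} bits  {secs / 31_557_600:.3g} years")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

A single dictionary word falls in well under a second at the assumed rate, while six diceware words need on the order of millions of years, which is the gap the Lawyerist piece is pointing at.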
Secure Messaging & Email
Our advice here was to use an encrypted messaging app for highly sensitive information instead of email, but again this will vary based on the comfort level of the attorney and their client needs. In addition to the links on our secure messaging handout, here are guides to this topic which are worth reading:
And for some reading on secure email practices, check out Security In a Box’s guide.
The format of the event was pretty low key: we rented the upstairs of a bar which had lots of tables available, told folks to turn up with their laptops and phones, and brought a bunch of the handouts for people to take home. The event opened with a short welcome, a discussion about what we wanted to do (raise awareness and introduce tools, with a strong emphasis on see-do-teach), and then we went around the room for introductions. Since the group wasn’t too big, this was a nice way to gauge everyone’s interest in various topics and to break the ice. Trainers mentioned what they were primarily there to teach (none of us really stuck only to our “assigned” topic) and where they would be. Then we sent trainers to various tables & told attendees to jump on in.
You may have other methods that work, but I found it most helpful to ask the attendee sitting at my station what problems they most wanted to solve. Answers to this varied, from learning how to back up a Gmail account, to setting up 2-factor authentication on Facebook, to talking about being aware of phishing risks in email.
Most of what was actually passed on at the event was driven by questions from the attendees and what the “trainers” felt comfortable teaching. As we had such a small group, training was very hands-on and one-on-one. This might not work so well with a large number of attendees but a smaller number of trainers.
Regardless of how you end up running your training day, remember to have fun and work with your attendees to secure their systems!
Tips on planning & running a communications security training event
- Find a space: you’ll want somewhere with wifi access. Access to some electrical outlets so that people can charge their devices if the batteries run down during all the downloading can be helpful. We had a large posterboard welcoming people & put the wifi information on that.
- Bring name tags & pens. We had everyone who wanted to put on a name tag & it seemed to help people when they approached tables.
- If you bring food, try to stick with computer-friendly snacks. Our snacks were M&M packets, pretzels, and Goldfish crackers. Avoiding greasy or crumbly foods is probably a good idea.
- Bring pencils or pens for people to take notes with.
We’ll be repeating this event in D.C. in July 2017 with ACLU-DC, so please come if this is a topic that interests you!