Practical Security for the Prudent American
It’s a distressing time to work in politics. Harassment, hate campaigns, doxxing, and Russian hackers all played a role in the 2016 election, and since there have been few consequences for the perpetrators, the same people are doubling down on these crude tactics in 2018 and 2020.
Anyone who touches sensitive confidential documents, financial records, or voter data must take active measures to protect themselves, or they are a liability to the whole movement. Even if you’re “only” a volunteer working on a campaign for a few days, it’s a sure bet that you have access to lots of interesting documents and systems, including a bunch you didn’t know about. I have been that volunteer.
Unfortunately, bad and confusing advice is everywhere, because much of the security folklore from the IT industry is either pointless or dangerously incorrect today. Here I have tried to cut through the noise and show just five things that are truly necessary.
Here’s one of the most dangerous fallacies you have heard:
“If a government wants to hack you, there’s nothing you can do.”
I’ve heard this countless times over the last 20 years. It’s sort-of correct in a useless technical sense. The state of the art in protecting computers against strong attackers is indeed very bad, and governments do have sophisticated haXX0ring capabilities.
But when it comes to the mundane, workaday task of stealing a bunch of campaign and personal secrets, even the meanest ex-KGB lab can’t afford those sophisticated capabilities every time. There’s just too much hacking to do! There are direct, practical steps you can take to raise the cost of hacking your accounts which may put you out of reach. Here are the most important:
Use a password manager, such as 1Password, LastPass, or KeePass. If any of your passwords have been around for years, they have to be changed. Otherwise hackers will find them in the data dumps from sites cracked in years past, and reuse them with barely any effort at all. For the same reasons, it’s best never to use the same password on multiple sites, because then a hacker who steals the password from one site can log in to all of them. Remembering so many passwords is impossible for any human that’s not Rain Man, or possibly this guy, so the answer is a password manager.
Once you have a password manager, you’ll discover a chicken-and-egg problem, which is that you need an uber-secure password to protect all your other passwords. Diceware is a good way to create that one password to rule them all.
Get a Security Key. This is a physical, hardware device that you have to put in the computer to log in. You can carry it with your regular keys. It works on Google, Facebook, Twitter, GitHub, and Dropbox. You can use the same key for all your accounts; you won’t have to carry a bunch of them. (Although it is a good idea to get two, so you have a backup, and so you can do the Advanced Protection Program, which is next.)
Once you have Security Keys, enroll your Google accounts in the Advanced Protection Program. Google worked hard to design this level of security to prevent exactly the spear-phishing attacks that are being used against the DNC, the former HFA, current campaigns, activists, and others. And to this day, most of the people being targeted by these attacks think Advanced Protection is for somebody else.
Stop thinking this. The anti-phishing training you have sat through was a waste of time. You will not be able to beat the phishers with your cleverness. Neither will your SMS or Authenticator-app-based “two factor” logins, which are also trivially phished. Security Keys and Advanced Protection are for you. If you remember (or tweet) only one thing, make it this one.
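For readers who want to see why a typed code and a Security Key behave so differently, here is a small model of what the login server can check in each case. It is an added example, not code from this post or from any vendor. The two origins are constructed, HMAC stands in for the key's real public-key signature, and the signed data is simplified from what actual keys sign.

```python
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://accounts.example.com"        # constructed
LOOKALIKE_ORIGIN = "https://accounts-example.test"  # constructed

def code_payload(code, page_origin):
    # A typed one-time code carries no record of the page it was typed into.
    return code

def server_accepts_code(expected, payload):
    return hmac.compare_digest(expected, payload)

class SecurityKey:
    def __init__(self):
        # Assumption: HMAC stands in for the key's per-site ECDSA key pair.
        self.credential = secrets.token_bytes(32)

    def sign(self, challenge, page_origin):
        # The browser fills in the origin; the user cannot type or override it.
        client_data = json.dumps(
            {"challenge": challenge, "origin": page_origin}).encode()
        sig = hmac.new(self.credential, client_data, hashlib.sha256).digest()
        return client_data, sig

def server_accepts_assertion(credential, challenge, client_data, signature):
    expected = hmac.new(credential, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False  # signed data was altered after the key produced it
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def login_outcomes():
    """What the server decides for a login started on each page."""
    code = f"{secrets.randbelow(10**6):06d}"
    key, challenge = SecurityKey(), secrets.token_hex(16)
    results = {}
    for label, origin in (("real", REAL_ORIGIN), ("lookalike", LOOKALIKE_ORIGIN)):
        results[f"code_{label}"] = server_accepts_code(
            code, code_payload(code, origin))
        client_data, sig = key.sign(challenge, origin)
        results[f"key_{label}"] = server_accepts_assertion(
            key.credential, challenge, client_data, sig)
    return results

if __name__ == "__main__":
    print(login_outcomes())
```

The code is accepted no matter which page it was typed into, because the server never learns the page. The key's answer names the page, so the server can refuse it without relying on your judgment.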
Inside private GSuite domains, the equivalent to the Advanced Protection Program is “security key enforcement” and OAuth whitelisting. If you are a GSuite administrator, turn on these settings.
Get a Security Key or be this year’s Donna Brazile.
Use the Chrome browser and install the extensions “uBlock Origin” and “HTTPS Everywhere.” Chrome gives you the most protection against bad sites stealing your access to other sites or breaking your computer. uBlock Origin disables most ads and tracking tools. Ad networks are used for a whole lot of things, none of which are good for you. We can have a nice leisurely debate about how to redesign sustainable internet business models after we win. Today, you need to be cloaked from ad networks.
Use Signal for all your text messaging needs. Ordinary SMS messages are easy for a professional hacker to intercept (which is why SMS messages for 2-factor logins are a bad idea). Signal can also replace all your two-person phone calls and video chats, usually with better audio quality to boot. You can do this — Signal is nearly universal among people in progressive politics, journalists, and other forward-leaning techno-hipsters at this point.
These quick and easy-ish steps are the bare minimum for anyone in politics (or media, activism, government… and basically anything else) in 2018. Remember the wise words of our 43rd president, who’s done an amazing job and is getting recognized more and more: “Fool me once, shame on .. shame on you. Fool me … you can’t get fooled again.”
One last time, in the biggest font Medium has:
1. Use a password manager: LastPass, 1Password, or KeePass.
2. Use a Security Key.
3. Enroll in the Google Advanced Protection Program.
4. Use Chrome with uBlock Origin and HTTPS Everywhere.
5. Use Signal.
Postscript. There’s a ton more that we could say, and have said, about the threat model in play, the reasons for the above, and increasingly esoteric things you can do if you are specifically being targeted and need more tinfoil-hattery. This list is short and sharply worded because it’s online, where almost nobody will read past the first few hundred words. The New Data Project provides more in-depth training to allied organizations, including 1:1 setup sessions, for a nominal fee. Please send an email to firstname.lastname@example.org if you are interested.
Finally, observe that most valuable privacy tools are built by nonprofits. It has been ever thus, because surveillance is very profitable and fighting surveillance is very not. Please consider giving a few dollars to the Freedom of the Press Foundation (Signal) or Electronic Frontier Foundation (HTTPS Everywhere).
In the current climate, causes and campaigns too often lack the time, expertise, and flexibility to work beyond immediate deadlines. The New Data Project (NDP) is a new 501(c)(4) organization built to address this gap by testing new approaches, looking beyond the current cycle, and serving as an advanced technology research lab for progressives.