I don't think I have to explain anything, it says it all up there. OK, Michael, you're free.

Hi everyone, I'm Michael. I work for the international human rights organization Access, and I'm going to be talking about threats to civil society, but also responses to those threats. And I'm actually going to try to focus a little bit more on the response. In the past we've done this talk at OHM in 2013, for instance, and it was very much on threats, which are always exciting and always changing. But it's become more interesting, for me anyway, to look at ways of building a response to those threats: groups and organizations working together to have infrastructure to be able to respond to these threats better. So I'm going to be talking about these threats briefly, the rapid response to those threats, and then some of the things that we're looking forward to in 2015.

So I probably don't need to go too deep into the threats that are being faced by civil society today. Civil society is always going to be at a disadvantage when compared to corporations or governments in protecting themselves from attack, and some of that is just based on capacity. Some of that is because they're focused elsewhere: they're non-technical civil society organizations or groups, maybe they're activists, social, political or otherwise, and they are not interested, or at least initially not interested, in digital security, but rather in their activism or their work. What we see more and more, and we have been seeing this more in the news as well, is that groups such as journalists, especially investigative journalists, independent media websites, all varieties of activists in all sorts of contexts, lawyers and others are getting targeted. And what's also interesting is that the groups and organizations and foundations that fund and support these groups are also a potential vector for attack, but also potentially a strong ally in providing this additional capacity for these groups.

So the perspective that I'm going to be speaking from (wow, that's washed out) is through our helpline, as we call it, which is three offices around the world that focus on providing this rapid response support, as well as digital security advice, to civil society groups. The oldest one is based in Tunis. It's been around since around February of 2013. It's got, most importantly, one shift lead and two incident handlers. Then we opened an office in San Jose with a shift lead and an incident handler, and most recently in Manila with a shift lead and an incident handler. In addition to those core staff members who are available, we also have various support folks such as technologists, developers and a trainer.

So why? Part of it, or a lot of it, is time zones. What we want to be able to provide is somebody who doesn't have to stay up the whole night, in a very unsustainable way, to provide digital security support to a group or an organization, regardless of what time zone they're in. So by being in these different time zones, we're able to pass jobs from one office to the other during kind of regular hours, and hopefully that makes it more sustainable for us as a support organization. In addition, it allows us to have language coverage in these different regions, as well as regional expertise and relationships with regional organizations, and all of that.

So what type of cases have we seen on our helpline? In 2013 we had around 12.6 cases per month on average; in 2014 we're now averaging 37 cases. So what that basically means is we have more than one new case per day. And to be clear, these are external, non-Tor abuse cases. We also run a number of exit nodes and we handle the abuse of those as well. So cases are increasing. Our capacity is also increasing. And most importantly, what I think speaks to the increasing caseload is that our internal workflows and processes are improving. So, you know, because we've dealt with problem X before, we can now have a template for that, and maybe we've created a walkthrough, or we found the appropriate resources that are online that are effective for that. And so we're looking forward to further solidifying those workflows and then also making sure that those are audited with other organizations that do similar things, so that we're doing the best practice that we can.

Looking at these cases another way, also kind of splitting it arbitrarily between the two years, we've done cases in more than 60 countries. The countries vary pretty wildly. It's not as interesting data as you would think in terms of the rankings, because there was such a higher number of cases in 2014. You know, you could still have a greater number of Malaysia cases in 2014 than you had in 2013, but it doesn't make it to the top ten, that type of thing. So there are a couple of different contexts that maybe are shared between these different countries that we definitely saw. Presidential elections are definitely a ripe time for the targeting of independent media sites or activists, and protests and civil unrest for sure. One of the interesting things is the prominence of the United States. In the US there are many international organizations that are based there that do work elsewhere in the world. And so a lot of that work is actually helping these organizations, such as advocacy organizations or others, do that work in a safe and effective way that's not putting their local partners at risk. And so that also speaks to kind of the lack of depth in how we've started categorizing things. Still, we haven't differentiated those cases within the actual target countries. In 2014 you have hacking groups, the targeting of LGBTI communities, as well as independent media and journalists.

I'm going to take a brief look at Vietnam, just because it's the number one country that we worked in for this year, and it represents a lot of issues that are faced in a lot of places, and it gets them all. So what's interesting about Vietnam is you actually do have access to Facebook and you do have access to popular platforms that are censored in Iran or China or other places. But what that means is then you have pro-government hacking groups and other folks taking advantage of those platforms to try to target folks. So we get a lot of account recovery or compromised accounts. You get a lot of abuse of the abuse mechanisms on these platforms. The classic example of that is the real name policy. This is something that's especially prevalent with Facebook, and for a time it was a significant threat, because if enough people reported your profile, then Facebook would ask you for an identity card or information, and this would likely be an individual that's working under a pseudonym. And they would be thinking that they're authenticating themselves to Facebook, when in fact they might be authenticating themselves to their entire network, which means they provide their information to Facebook, then Facebook publishes that new updated information to their profile, basically outing them. So that's obviously something that you want to prevent.

In addition, Vietnam is interesting because there's a lot of infrastructure, or potential infrastructure, attacks on the website side. Websites of independent media and civil society groups get targeted. And so there's a lot of need regarding updating and hardening. And there are a lot of existing organizations that we can connect groups with, such as Deflect, CloudFlare's Project Galileo or Google's Project Shield, that will provide free protection to civil society. And then, of course, there's a host of other secure communications and anonymity concerns there.

More generally, in the countries and communities that we've worked in, there's obviously a wide spectrum of need, but maybe some of the ones that are most interesting or most familiar to you are secure email. GPG-encrypted email is still very tough for a lot of folks, and so Mailpile is also obviously something that we're anticipating greatly, but we can't put all of our faith in one tool. Secure file sharing and collaboration: there isn't really one cross-platform solution for that, unfortunately, but there are some very interesting ones, like BitTorrent Sync, for instance. Friend, for example, on mobile is very interesting, but it's not FOSS. Website security: there's a lot of targeting of websites because there are a lot of poor practices out there, and people have a lot of difficulty, if you're a non-technical organization, in keeping those websites up to date, let alone hardened or secure. And so one of the big needs for a lot of organizations is what's termed secure hosting, so basically a hosting provider that will proactively make sure that things are up to date and protect against threats that are coming out. And unfortunately that costs a fair bit of money, and so it's out of reach for a lot of these civil society organizations. And then I already talked about the real name policy a little bit.

So what are some of the ways that organizations are trying to support this work and improve this work? One piece of this is improving the workflows that we have for responding to these attacks. A number of organizations, such as the Digital Defenders Partnership, CIRCL, EFF, Internews and others, as well as ourselves, put together a thing called the Digital First Aid Kit, which is basically the first step towards trying to audit these workflows and how we respond to these situations. But it's not just for the existing community, in order to build some type of general foundation of response, let's say, to targeted malware or whatnot. It's also to make it easier to build additional rapid response groups and communities around the world, because what's most helpful is not one organization doing this, but a number of organizations at international and regional and local and community levels doing this work.

In terms of improving these processes as well, there's been the recent listing of the civil society CERT, to try to improve this coordination within the civil society community. And you can check it out. It's not accredited yet as a CERT. We're also hoping to go through this same process. And a lot of this is to help audit our workflows and help make sure that all the things that we do are best practice and are easily shareable publicly, so that other groups can also build these types of infrastructure and support mechanisms for civil society.

Hello. And so this is kind of zoomed in a bit. But one of the interesting aspects of the helpline work that we do and the response that we have is that actually only 50 percent, or 51 percent, of our cases are reactive, in the sense that someone is urgently contacting us and they need X, Y or Z done. About half of our cases are instead people pinging us, most likely organizations or individuals that we already have a relationship with from working with them in the past, that are asking for proactive help to secure communications in some variety, or implement or try out some tool, or have a training on a particular practice. And so what this does is actually put rapid response organizations in a difficult position, because they're nominally focused on this reactive type of support, but in building these relationships with these different organizations or groups, you become involved in this more long-term capacity building. And so some of the ways of helping that is by bridging the gap between the rapid responders and the training community. The training community are the folks that do this type of capacity building for organizations and individuals. But as of now, there isn't a great interaction between the two communities.

And so, for instance, a lot of the materials that are created for training are targeting end users rather than targeting folks training other people. So a rapid responder doesn't necessarily have a lot of materials from which they can learn how to best communicate secure communications issues to a given community. But that's getting filled, at least at some level. There's the Level Up project, which is currently being managed by Internews, and there's also the SAFETAG project, also currently being managed by Internews, that are very exciting. Level Up is focused on trainers and SAFETAG on auditors of the security of organizations. So these are ways of filling in these gaps between rapid response and the training of end users, and trying to fill in: what about the organizational level? What about getting more trainers that can work in that spectrum?

On the other side, trainers often fall into an issue where they're funded to go to a certain place and do a training for a week, or five days, or three days, with a number of different organizations on a set number of topics, and that's all that they're funded to do. And maybe they're not even an organization, but a number of consultants. And so one way of helping support that initial interaction with digital security tools and practices is to have these rapid responder groups supporting the trainers when they're going to these places, and coming out of those trainings, so that those organizations can continue to engage on those topics. If they have issues with their, you know, Thunderbird and Enigmail installation or something like that, they'll have folks that have the capacity to respond in a meaningful manner, and all that type of stuff. So those are kind of my pitches for ways of tying those two threads together.

On the other side, you also have rapid responders and developers. A lot of trainers and rapid responders receive very interesting user feedback on these tools, because they're working in high-risk environments with targeted communities, and it's the type of information that a developer hopefully would find valuable. However, they don't really have the capacity or time to be going to a developer and trying to formulate their feedback in a bug report or multiple bug reports, et cetera. And so there's not a lot of capacity currently to connect that loop. One project that's an exception to that is OpenITP's Secure User Practices project, which is actually just one person, so obviously more capacity there would be awesome for the developer-to-trainer side. One of the things that we're looking forward to trying to do in 2015 is interact more with the developers of some of the secure communication tools that are relied on by these communities, and trying to, instead of the developers having to provide support for these communities, which, you know, is great of them when they're able to do it, also have rapid responders and trainers supporting them when they're interacting.

So, more generally, I hope I kind of spelled out, in a general overview, the rapid response community and, going into 2015, the continued standardization and auditing of the existing workflows that we have. And part of that is also trying to get it more publicly available, so that more groups, you know, at a lower level, can be built around this documentation and these workflows; continuing to focus on specific communities that are being targeted; improving these different interactions between rapid responders and training groups, as well as these loops with developers. So thank you.

Michael, here it is. Wow. We'll be taking questions. Please, as this thing is streamed, will you please walk up to the mics, number one, number two, number three and number four, and talk into the mic, so we get it on the stream. The young man at number three is the first, number one will be the second. OK.

Hello and thank you for the talk.
My question would be: are you yourself as an organization being targeted at times, and if so, are you careful about that? Do you have any operational security regarding that?

Sure, yeah, that's a really good question. So we certainly try to take a lot of precautions in the infrastructure that we build and the practices that we have. So, for instance, on the back end for ticketing we use Request Tracker, which can incorporate GPG, so that all the emails that it sends out to folks are encrypted. We have an encrypted Schleuder mailing list where we coordinate stuff. In order to access the Request Tracker, in the first instance you need to connect to a VPN where you're authenticated via a certificate. Then you go to a website that's not publicly available, that's only available through the VPN, where you're authenticated via a certificate, and then you authenticate with your account name and password. So I think that's three factors. So we definitely try to implement practices to protect this type of information and make sure that the trust that people put in us, you know, is well placed.

OK, thank you. Number one, please.

OK, so the question is about the part about the need for secure file sharing. So what about ownCloud? Because I use it at my organization. It's not a frontline situation, but I know the security audits are badly needed. But have you considered it? And did you find it unusable, because that was the prerequisite?

Sorry, what was the tool?

ownCloud.

I've not played around with the project. OK, I'll check it out. I mean, that's one of the great examples of what we need to do: have some type of, or more, capacity to be testing out new tools, and then once they reach a certain level where we want to be using them, have them be security audited by the community, and then finally incorporate them into the workflows. Cool. Thanks.

Thanks. OK, let's do it sequentially. Number two, please.

OK, Michael, thanks a lot for your nice talk. I mean, thanks a lot for all the work. Maybe I'm not so well informed about it, but I was wondering, how do you get your funding? And the other question was, I mean, most of the CERTs around, they are private sector CERTs or governmental CERTs. I was wondering, do you find it easy to work with them? Are there obstacles that are at the top of your list that you would like to see removed?

Sure. So on the first ask, we actually have a web page on our website, accessnow.org. We have a funding page, I think it's /about/funding, and it has our funding policy as well as where we get all of our money from, like specifically for each project, for the helpline or for Access in general. It's like two thirds foundation and one third corporate, government and individual donation, but you can see it further broken down. But yeah, that policy ends up meaning in practice that we don't accept money from the US government, for instance, and some other entities. And that just comes out of our history. We originally were providing this type of digital security support to the Green Movement in Iran in 2009, 2010, and then we expanded. And so obviously in the Middle East, and in a lot of communities, getting US government funding is a non-starter. For the second one, for CERTs, I'm actually a terrible person to ask that question. Raphael, who's sitting in the front, would be much better at answering how it is interacting with private CERTs. I don't know if you want to...

OK, Michael, I think your computer is on 10 percent or something like that, at least that's what it says.

OK, so I work in the Luxembourg national CERT. So basically I'm also trying to help civil society to improve their security. So it's not really a problem. The most complex part is to deal with the others, to get the trust. It's also sort of the same problem you will have all the time in such situations. So it's not really more complicated with a CERT than with any other organization, as soon as you have to trust your phone.

Yeah, OK. Number three, please.

Yeah, I was yesterday in room number one, Crypto Tales from the Trenches, where the journalists talked a little bit about the whole issue about using crypto tools for communication. And they seem to be running into a lot of the same issues that you guys are encountering when you do the work with the people out on the front. Are you connected to each other in a way? Because I like the approach that you're closing the link to the developers, and I think it would be very smart that you all sort of joined forces now in the time to come, because it seems to be a rather big issue coming up for many people.

Yeah, I fully support that and I definitely want that to happen. It's just a little bit slow. But it definitely is happening.

Yeah, OK, there's somebody at number one, please. And was that a sign or... Yeah, OK.

Talking into the microphone, it's not working. It's working OK now. Thank you. Well, first of all, thank you for a great talk. I think it's a tremendous help for many people. And I would like to ask a question about the United States on rank two or something. You said it was mainly because they are working abroad. But do you also have, you know, questions about being targeted by Western governments? And do you deal with that as well?

Yeah, that's a great question. And certainly, so, communities that are targeted by the US: there's journalists, as I mentioned, more generally; lawyers dealing with topics that the US government doesn't enjoy; activists. I think it's not dissimilar from the types of communities that would be targeted in the UK or similar.

OK, there's two more questions here. And this is Germany, we're trying to keep the timetables, so we'll take a maximum of three. Go ahead.

Fabio, from GlobaLeaks. I want to ask you if it does happen, for the kind of job that you're doing, especially on the preemptive activities that relate to the training and the training activity, to work with, let's say, project-based initiatives. What I mean, with GlobaLeaks, but probably also other software: you end up supporting a group, typically in a vulnerable society, where it's not your main job to do the digital security training, but you end up often working with people that require the digital security skills. And OK, we end up doing the training when it's needed, but it's not our job. And what you say about the post-training critical points is exactly what we experience in several projects. So my meaning is: does it happen that, when there are projects that involve civil society that need to be planned, there is already a set of partners you can get engaged for the training and support for everything that's related to digital security? That's a core component of a project, but maybe whoever is leading it doesn't have specifically that kind of preparation, and especially that kind of organized stuff to do training, and training especially.

Yeah. So if I get what your question is, we would be more than happy to support an organization such as yours when you're doing those types of activities. If you want to coordinate beforehand, that's even better. I don't know if any organization has a full map of what they want to be doing for the next five years. So we're more than happy to provide that support as issues come up. So, you know, if it's initially localization and support on secure communications to talk about GlobaLeaks or the like, we're happy to do it as it comes up, but happy to talk more later, if I understand your question.

OK, thank you. Last question. Hang on, folks, when you're leaving, please, can you keep it quiet for the last two minutes? Go ahead.

Do you have a model for letting people volunteer to provide incident handling support, sort of like the SANS Storm Center, where folks can be on call to provide detailed triage, investigation, that sort of thing?

That's a good question. So if you're volunteering for a project like a secure communications tool or anonymity tool or some other project, we're more than happy to interact with you with that project, for instance if you end up getting some type of emergency response that you don't have the capacity for. We don't currently accept volunteers for this type of work, just because it's usually rather sensitive, and it would require us to implement more, I guess, user control in the back end to be able to incorporate that, at this stage at least.

Did you want me to ask something before? I've seen you, but thank you for your question.

I just checked your website and I would be curious to know if you have been to South Korea concerning the ITU Plenipotentiary session. You had this campaign, and I would very much appreciate it if you could tell us more about whether it was successful. Did you achieve something during this meeting?

Sure. So in addition to the technical work that we do, we also have policy and advocacy teams, so the ITU Internet governance stuff is more on the policy team. So I can't talk to that in particular, but I'd be more than happy to connect you with the policy folks that did go to South Korea and did work on that.

OK, really, last question.

How do you raise your profile and reach groups? How do they come across you? And of the proactive cases in which civil society actors sought out your help, what percentage of those had previously sought help or support?

So for the first one, it's through, I guess, word of mouth currently that folks hear about us and get connected, and there is a benefit because there's an implicit reference or referral in that. And so that helps us in the vetting process by, you know, already having one trusted partner know this organization or individual. But it is an internal discussion about how much more public we want to make it, or have a contact form on the website, or things like that. But that's kind of an ongoing discussion. For the preventative, that's a really good question. I would say the majority of preventative cases are probably folks that we've already interacted with, who might have initially heard about work that we've done from other folks, or we've done reactive, rapid response for them. But as you kind of see in some of the stats, we're still kind of working on analyzing our statistics. So, like, I didn't try to look at that, but I'd be happy to look at that more and be able to share it later.

OK, let's have a final hand for Michael. And thank you very much for that, John.