Category: opsec for activists

There’s a Serious Vulnerability in WPA-2, the Thing Everyone Uses.

WPA-2, the encryption standard that protects the transmissions of virtually all modern wifi devices and keeps random kids in your city from being able to siphon your naked photos or sensitive political communications off your network, has been revealed to have a major

The bad news: Basically everyone is vulnerable to some extent, and there is no fix available today for most devices.

The good news: There is currently no publicly available code to take advantage of this vulnerability, which requires a high level of skill to exploit. How vulnerable you are will realistically depend on your threat model (and what kind of device you have). Android devices are most vulnerable, Windows and iOS less so. Attackers will need to be in range of your wifi in order to perform the attack. And the extent to which the infosec world is correctly freaking out about this means that patching this vulnerability should be a priority. But we expect vulnerabilities to persist in some unpatched routers and IoT devices for years.

We write this blog with the expectation that readers need better-than-average security. So while some of these recommendations might be overkill for average users, we make them with the understanding you are here because you want to be more careful and secure when possible.

What you should do:

1) Actually, stick with WPA-2 for now, since we don’t have anything better, and check your wifi settings! Use WPA2-AES to reduce some of the impact of the attack. Decent Security has a good blog post on the details of how to set up your wireless network.

2) Use HTTPS (which provides a layer of encryption) whenever possible. The easiest way to do this is to use HTTPS Everywhere with Chrome / Firefox. The KRACK vulnerability will not remove the layer of security provided by HTTPS.

3) Watch for updates. Here’s a list of vendors who have already patched.

4) Contrary to what you may read, we don’t recommend using a VPN at this point, especially since many free ones engage in extremely disreputable activity with your data and will turn it over to governments who ask for it anyway.

5) Avoid connecting to public wifi until patches are issued. Find out what router you use at home or in your organization, and keep an eye out for

6) If it’s an option, consider using ethernet cables! They still exist and circumvent this issue.
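
An added example (not from the original post) for step 1: a small Python check that reads the text printed by `iw dev <interface> scan` on Linux and labels each network against the WPA2-AES recommendation. The sample scan text and network names are constructed, and the parser assumes the usual `iw` layout.

```python
# Constructed sample laid out like `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: home-aes
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
\tSSID: home-mixed
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:03(on wlan0)
\tSSID: cafe-open
"""

def parse_scan(text):
    """Map each SSID to the cipher sets in its RSN (WPA2) and WPA (WPA1) elements."""
    nets, cur, section = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("BSS "):            # a new access point starts here
            cur, section = {}, None
        elif cur is None:                      # ignore anything before the first BSS
            continue
        elif s.startswith("SSID:"):
            nets[s[5:].strip()] = cur
        elif s.startswith(("RSN:", "WPA:")):   # start of a security element
            section = s[:3]
            cur[section] = set()
        elif section and s.startswith(("* Group cipher:", "* Pairwise ciphers:")):
            cur[section].update(s.split(":", 1)[1].split())
    return nets

def classify(net):
    if "RSN" not in net and "WPA" not in net:
        return "no WPA/WPA2"                   # open or WEP: neither element advertised
    if "WPA" in net or "TKIP" in net.get("RSN", set()):
        return "TKIP or legacy WPA enabled"    # router setting should be WPA2-AES only
    return "WPA2-AES" if net["RSN"] == {"CCMP"} else "check manually"

def audit(text):
    return {ssid: classify(net) for ssid, net in parse_scan(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

A network labelled "TKIP or legacy WPA enabled" is one whose router settings still need changing to WPA2 with AES only.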

Further reading: (from least to most technical)

What Is The Krack WPA2 WiFi Hack And How Can You Protect Yourself?

Wired – The ‘Secure’ Wifi Standard Has a Huge, Dangerous Flaw

TechCrunch article on KRACK

Ars Technica – How the KRACK Attack Destroys Nearly All Wifi Security

“Regarding Krack Attacks”

Original blog post by researchers who discovered “KRACK”

Why the Las Vegas Shooting Was a Security Agency’s Nightmare

“The first reports about the horrific attack in Las Vegas on Sunday night will surely evolve into more detailed knowledge. But there are three lessons we might draw from the information already available. First, automatic rifles like the one the shooter apparently used have the potential to kill large numbers of people, particularly when aimed at a crowd in a confined space. Second, a shooter positioned in a high-rise building hundreds of meters away can render moot many of the security measures now used to protect crowds. And third, despite what gun advocates tend to say in response to shootings, it’s incredibly unlikely that any armed bystander could have made a difference, given the distance, elevation, and darkness that separated this shooter from his victims. These three facts made the Las Vegas shooting a nightmare scenario for police agencies, and for the rest of us too.”

Personally, we can only think of a few things that would help:

1. Metal detectors / baggage screening in major metropolitan hotels

2. Gun control legislation banning devices that modify semi-automatic weapons to full auto, closing the automatic weapons loopholes that still exist, instituting limits on magazine capacity, and cracking down on sellers that violate the law.

If you need to check on someone’s safety today in Las Vegas:

866-535-5654 is the number to call.

Security Tips Every Signal User Should Know

OK, one more post about Signal.

Dox the Sh*t Out of Yourself with These Nifty Tools.

We’ve talked about doxing before, and how you can defend yourself from trolls, creeps, and worse.

Here’s another arrow in your quiver: the fantastic OSINT Search Tool by Michael Bazzell. Just click the headline, and you’ll see a number of options in a toolbar on the left-hand side. Go crazy and see what you can find about yourself online. You might be surprised.

We like this tool because it automates a bunch of different search options to give you a fuller picture of what a determined non-state opponent could turn up about you.

Give it a try.

How to Use Signal Without Giving Out Your Phone Number

by Micah Lee.

Now you can find out if your friends have Signal…without telling Signal

Changes are coming to Signal. And good ones.

From their blog:

“Using this service, Signal clients will be able to efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service.”

It’s yet another move to cut the service provider out of the loop. For people who need secure and private communications, this is a good thing.

For a (very) technical explanation of how it works, click the headline.

Using AI to identify protestors hiding behind hats or scarves is entirely possible

It’s not very effective yet, but it’s getting there.

“Too many worry about what AI—as if some independent entity—will do to us. Too few people worry what *power* will do *with* AI.” – Zeynep Tufekci

How White Supremacists Prepared for Charlottesville

Here’s ProPublica with a short analysis of recently leaked white supremacist Discord chats. These originally came from Unicorn Riot in a serious reporting scoop.

Taken collectively, these provide insight into the mindset and tactics of major white supremacist groups in the months before Charlottesville. So what can we learn? (The points below are paraphrased from the article.)

1. They were prepared to do violence, no surprise there.

2. The rally involved an intense amount of planning. At least some participants were very tech-savvy. This fits with the levels of coordination, communication and logistics on display in Charlottesville.

3. Not only have they been closely tracking opponents using open-source intelligence and in-person surveillance, they even sent much of their compiled information to police.

(At minimum, this raises serious questions about the relationship between police and white supremacist groups in Virginia and helps explain why they stood back and allowed attacks and gunshots to go unanswered. Recent reporting also shows that they ignored requests from the UVA student body for safety information, rebuffed offers for additional police from other universities, and focused on antifa as a threat to the exclusion of alt-right and white supremacist groups. No doubt all this suited “Unite the Right” perfectly.

Given that information on activists gathered by police departments also makes its way into federal intelligence databases like DHS, it further raises the question: could leftists who haven’t committed a crime be surveilled by federal intelligence agencies due to information obtained indirectly from Nazis? It doesn’t seem out of the range of possibility at this point. – eds.)

4. Some members displayed a sophisticated knowledge of security culture and leftist tactics. So you should too. They went to some lengths to keep their plans from being uncovered, and did what they could to conduct surveillance on potential counter-protestors. High standards for digital and personal security are going to be important.

The full article is required reading for anyone who opposes fascism and white supremacy in the US. Now that Discord has shut down alt-right accounts, this is the closest we’re going to get to a definitive peek into the current tactics of white supremacists for a while.

Who is Ramzan Kadyrov?

The leader of Chechnya threatens journalists, human rights defenders, and politicians. Sometimes those he threatens turn up dead.

He is also behind the recent anti-gay purge in Chechnya, in which hundreds of people have been tortured, starved, and beaten. When they returned home, the Chechen government encouraged their families to kill them.

He is an enemy of human rights and a reminder of why security culture is so important for activists. In some countries, it prevents surveillance by isolated hate groups. In others, it could save your life when the State wants you dead.