Cryptoparty for CUNY students

~ Jon Pickens

 

Please go to:

http://bit.ly/cuny-crypto

Your Perspective

https://goo.gl/76Bjd4

Importance of security/privacy

• Herd Immunity
• Secure today, pwned tomorrow (data breach)
  • https://haveibeenpwned.com/

 

 

• Threats students (and peers) may face?
  • Cyber harassment (doxxing)
  • Potential employers (googleable)
  • law enforcement (&ICE

Example: ICE

https://raidsmap.immdefense.org/

 

• Students can be undocumented
• Students may have undocumented family
• Your peers may be undocumented

Online collaboration and ...ICE?

ICE builds profiles by surveilling social media

ICE has active contracts with major tech companies to aid in surveillance

http://fortune.com/2018/10/23/tech-companies-surveillance-ice-immigrants/

https://www.eff.org/deeplinks/2018/06/hart-homeland-securitys-massive-new-database-will-include-face-recognition-dna-and

Just one example, other police surveillance included in HART

Holistic Approach

holistic-security.tacticaltech.org/

Holistic Approach

• Balance, not purity
• Improving, not finishing

Threat Modeling

1. What do I want to protect?
2. Who am I protecting it from?
3. How likely is this threat?
4. What are the consequences if I fail?
5. How much trouble am I willing to go through to prevent the consequences?
6. Implement change && return to (1)

Actor Mapping

• Improves understanding of threats
• Reveals new threats/allies
• Helps prioritize threats

Threat Modeling CUNY

A Simple Actor Map            

Student

IT Dept

CUNY

NYS Gov

Fed Gov

City Tech

Federal

• 4th amendment
  • No unwarranted search
• 14th amendment
  • Penumbra- right by implication
  • due process --> Marital privacy (same sex marriage 2015)
• Privacy Act 1974
  • Restricts federal surveillance to foreign entities
  • Restricts federal disclosure of records
• Patriot Act 2001
  • Lowers barriers to surveillance
• Freedom of Information Act (FOIA) 1967

New York State

• Freedom of Information law (FOIL)
  • Agencies responsible for responsible discolure of databases
• Personal Privacy Protection Law
  • Only collect necessary info
  • Must disclose to law enforcement, and inform user (unless it "impedes" investigation)
• Internet Security and Privacy Act
  • State agency cannot collect/share info without user consent (includes implied consent)

• CUNY Computer User Policy
  • Computers are for CUNY duties and (limited) socializing
  • IT may monitor individual e-mails, websites, other communications as part of
    • routine security monitoring
    • to diagnose tech issue
    • When failure to do so may harm individuals or make CUNY vulnerable to liability
    • Reasonable belief of a law being violated
    • Unusual account activity

Security Policies & Procedures

Instructors & Peers

Instructors

• Responsible for student records (FERPA, federal)
  • Non-disclosure form
• May assign work outside of CUNY infrastructure  (e.g. googledocs)

 

When should(n't) we use an .edu email?

 

Reflection

https://goo.gl/76Bjd4

Workshops

• Better Passwords
• Intro to Mobile Security

Mobile Security

How do we communicate?

 

How does tech communicate?

 

Carrier/ISP

Internet/cell infastructure

Applications

Operating system

Phone Hardware

You

Friend

You

Server

Hardware

What can my phone do?

• Feature & Smart Phones:
  • Dial pad, touch screen, camera, mic, GPS,battery, bluetooth, cellular data,Call/SMS, antenna
• Smart Phones:
  • Accelerator, biometric scanner, NPC, Wifi

Software

• iPhone v. Android
  • Determine what apps can do?
• App questions:
  • What permissions does it ask for? required?
  • What info does it ask for?
  • Who owns the app? (FOSS?)
  • How does the mobile browser site compare?

Browser v. Facebook

• Pros of the FB app
  • Convenience
  • Notifications
  • Offline access
• Pros of the FB website via browser
  • FB has less access to your device
  • Fewer updates
  • More control of data

Providers and Infastructure

• Infrastructure
  • Who has access?
  • Their policies/legal requirements?
  • What can they see?
• Providers
  • What laws apply? Net Neutrality
  • What is their business model?

Easiest steps

• Phone settings
  • Lock screen/ phone encryption
  • Turn off what you don't use
• Browser
  • Firefox
  • Brave
  • Tor (Android)
• Communication
  • Signal
  • Riot
• Social media
  • Browser or FOSS app (F-Droid)

Setting up a phone