Digital Security
for Parliamentarians
Pranesh Prakash
Policy Director
(also Technologist)
Centre for Internet & Society
Bangalore, India
no proprietary software or standards were used in the making of this slideshow.
Parliamentarians
Ensure that your laptop, phone, desktop, router, etc., are all free of viruses, trojans, and dangerous malware.
Ensure that your communications between yourselves, and with your constituents are secure and that hackers can't listen in.
Ensure that your banking transactions are safe.
Ensure that your passwords are not stolen.
Digital Security
"Threat Model"
i.e., why asking "Is Gmail/Facebook/Viber secure?" is not a sensible question.
What are you protecting?
Whom are you protecting yourself against?
What capabilities does the adversary have?
What do you hope to achieve?
(e.g., preventing the snooping or simply to make it tougher?)
(e.g., confidentiality of communications, or anonymity?)
To what lengths are you willing to go?
Trade-offs: Convenience vs. Privacy/Security
Security comes at a cost
(usually at the cost of convenience)
Solution?
<important>Good Security Hygiene</important>
{Traffic, End-to-End} Encryption
Free/Open Source Software
Open Standards
Decentralized Solutions
Federated Networks
Solution?
Learn about common pitfalls.
Think about your security practices.
Develop good security hygiene.
Realize that security technologies are tools and not solutions.
Threats
Operating System
How many of you use Microsoft Windows?
(What version of Windows?)
Mac OSX?
Threats
Operating System
Linux is used by fewer people, so almost no viruses and malware for Linux.
(Even my parents use Ubuntu Linux, and have fewer problems since they shifted.)
Threats
Operating System
If you use MS Windows: you must use
anti-malware / antivirus software
Microsoft Security Essentials (Vista + Win 7)
Windows Defender (Win 8+)
Threats
Text
Threats
Text
Threats
Installing Software
Threats
E-mail Attachments
Threats
Phishing
Threats
Phishing
General Hygiene
- Set a lock-screen with a passcode!
- Use Free and Open Source Software
-
Linux (even my parents can use Ubuntu)
- When need be, use TAILS /
QubesOS / Whonix
- When need be, use TAILS /
- Android (but binary blobs)
- FOSS on Mac/Windows
-
Linux (even my parents can use Ubuntu)
- Physically secure your devices
- Use full-disk encryption
Passphrase Hygiene
Use a password manager (LastPass / KeePass)
Long master password / passphrase using phrases in Hindi/Tamil/etc. / XKpasswd.net / Diceware
Test password strength using telepathwords & zxcvbn
Use two-factor authentication wherever available
Good sources for info on passwords: Ars Technica, AgileBits blog.
E-mail Hygiene
- Never open an attachment that you weren't expecting.
- Make sure all your attachments are scanned by a malware scanner (especially if you use Windows). Use the web interface for VirusTotal, if need be.
- Howsoever authentic looking, never reply to an e-mail asking you for personal information like your password, account details, etc.
- Never click a link in an e-mail that scares you into thinking you need to change your password, etc. The bulk of these are phishing attempts.
- ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.
Transport Security
On an Open WiFi, e.g.
- Encrypted Proxy Service ("VPN") (weak anonymity, security till VPN, so hides content from ISP but is not end-to-end)
- Bitmask (Linux, Android, w/ Win, OSX coming soon)
- Anonymizing Networks (Tor / I2P) (strong anonymity, hides content from ISP, but security is not end-to-end)
- Tor Browser Bundle (Linux+OSX+Win) / Orbot+Orfox (Android)
- TAILS / Whonix / Qubes OS / Subgraph OS (alpha)
Transport Security
On an Open WiFi, e.g.
Browser Hygiene
Use either Chromium or Firefox
Essential Extensions/Add-ons
uBlock Origin (FF & Chromium & Safari)
HTTPS Everywhere (FF & Chromium & FF for Android)
Password Manager (inbuilt, or add-on)
uMatrix (FF & Chromium, not for beginners)
NoScript (FF-only, I use it w/ default "allow")
Certificate Patrol (FF, v. useful but can be annoying)
"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.
Commonly Used + Insecure
Communication Protocols / Apps
- Mobile + Landline Calls (v. weak)
- SMS (v. weak)
- Email (from v. weak to not strong)
- Whatsapp + Viber + Line + Wechat + Skype + Twitter + FB + Google Chat (from okay to not v. strong)
There is no magic bullet!
SMS
No way to really secure. (Metadata always leaks.)
Instead use data or use coded language.
Alternative:
SMSSecure (SMS, Android-only - Metadata still leaks)
If you have data, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.
For average needs: Use WhatsApp / Viber
Phone Calls
No way to secure. (Metadata always leaks to telco.)
(Weak encryption. SS7 attacks!)
Alternative:
1. WhatsApp (multi-platform, call quality is great)
or
2. WebRTC
or
3. SIP app + SIP provider (cross-platform, federated, p2p)
Skype (video/voice/desktop)
WebRTC
1. Talky.io (https://talky.io) (recommended)
2. Jitsi Meet (https://meet.jit.si)
3. Firefox Hello (built into newest Firefox)
SIP
Windows / Mac / Linux: Jitsi
Video livestreaming
Web: Rhinobird.tv (https://rhinobird.tv)
WebRTC
Talky just works.
E-mail + Attachments
Use something other than e-mail (recommended)
Peerio (very easy to use)
For press orgs: GlobaLeaks / SecureDrop
Else: E-mail Provider + E-mail Client + OpenPGP
Provider: Riseup.net
(Snowden used this, but downside: painting-target-on-your-back)
Client: Thunderbird + Enigmail / Claws + Claws GPG plugin
OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)
IM/Chat + Files
WhatsApp (since Dec. 2015 supports file transfer)
or:
Crypto.cat (using Chromium / Firefox / iOS)
Peerio (using Chromium / Android / iOS / Windows / OSX)
Better: XMPP Provider + XMPP App + OMEMO
Provider: Jabber.at / Yax.im /
(or service I maintain: Chats.im)
App: Conversations (Android), ChatSecure (iOS), Gajim (Windows, Linux), Monal (Mac OS X)
Contact Details
Get in touch with me using:
XMPP: pranesh(at)prakash.im + pranesh(at)cis-india.org
E-mail: pranesh(at)prakash.im + pranesh(at)cis-india.org
IRC: the.solipsist/freenode + sol/oftc
SIP: pranesh@ostel.co
Mumble: sol:chats.im
For help, join this XMPP chatroom:
crypto@chat.cis-india.org
Digital Security for Parliamentarians
By Pranesh Prakash
Digital Security for Parliamentarians
- 1,893