Digital Security

for Parliamentarians

Pranesh Prakash

Policy Director

(also Technologist)

Centre for Internet & Society

 

Bangalore, India

 

 

CC-BY-SA 4.0

no proprietary software or standards were used in the making of this slideshow.

Parliamentarians

Ensure that your laptop, phone, desktop, router, etc., are all free of viruses, trojans, and dangerous malware.

 

Ensure that your communications between yourselves, and with your constituents are secure and that hackers can't listen in.

 

Ensure that your banking transactions are safe.

 

Ensure that your passwords are not stolen.

Digital Security

"Threat Model"

i.e., why asking "Is Gmail/Facebook/Viber secure?" is not a sensible question.

 

What are you protecting?

Whom are you protecting yourself against?

What capabilities does the adversary have?

What do you hope to achieve?

(e.g., preventing the snooping or simply to make it tougher?)
(e.g., confidentiality of communications, or anonymity?)

To what lengths are you willing to go?

Trade-offs: Convenience vs. Privacy/Security

Security comes at a cost

(usually at the cost of convenience)

Solution?

<important>Good Security Hygiene</important>

 

{Traffic, End-to-End} Encryption

 

Free/Open Source Software

 

Open Standards

 

Decentralized Solutions

 

Federated Networks

Solution?

Learn about common pitfalls.

 

Think about your security practices.

 

Develop good security hygiene.

 

Realize that security technologies are tools and not solutions.

Threats

Operating System

 

How many of you use Microsoft Windows?

(What version of Windows?)

 

Mac OSX?

Threats

Operating System

Linux is used by fewer people, so almost no viruses and malware for Linux.

 

(Even my parents use Ubuntu Linux, and have fewer problems since they shifted.)

Threats

Operating System

If you use MS Windows: you must use

anti-malware / antivirus software

 

Microsoft Security Essentials (Vista + Win 7)

Windows Defender (Win 8+)

 

 

Threats

Text

Threats

Text

Threats

Installing  Software

 

 

Threats

E-mail Attachments

 

 

Threats

Phishing

 

Threats

Phishing

 

General Hygiene

  • Set a lock-screen with a passcode!
  • Use Free and Open Source Software
    • Linux (even my parents can use Ubuntu)
      • When need be, use TAILS /
        QubesOS / Whonix
    • Android (but binary blobs)
    • FOSS on Mac/Windows
  • Physically secure your devices
  • Use full-disk encryption

Passphrase Hygiene

 

Use a password manager (LastPass / KeePass)

Long master password / passphrase using phrases in Hindi/Tamil/etc. / XKpasswd.net / Diceware

Don't reuse passwords!

Test password strength using telepathwords & zxcvbn

Use two-factor authentication wherever available

 

Good sources for info on passwords: Ars Technica, AgileBits blog. 

E-mail Hygiene

 

  • Never open an attachment that you weren't expecting.
  • Make sure all your attachments are scanned by a malware scanner (especially if you use Windows).  Use the web interface for VirusTotal, if need be.
  • Howsoever authentic looking, never reply to an e-mail asking you for personal information like your password, account details, etc.
  • Never click a link in an e-mail that scares you into thinking you need to change your password, etc.  The bulk of these are phishing attempts.
  • ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.

Transport Security

On an Open WiFi, e.g.

 

  • Encrypted Proxy Service ("VPN") (weak anonymity, security till VPN, so hides content from ISP but is not end-to-end)
    • Bitmask (Linux, Android, w/ Win, OSX coming soon)

 

Transport Security

On an Open WiFi, e.g.

 

 

Browser Hygiene

Use either Chromium or Firefox

 

Essential Extensions/Add-ons

uBlock Origin (FF & Chromium & Safari)

HTTPS Everywhere (FF & Chromium & FF for Android)

Password Manager (inbuilt, or add-on)

uMatrix (FF & Chromium, not for beginners)

NoScript (FF-only, I use it w/ default "allow")

Certificate Patrol (FF, v. useful but can be annoying)

 

"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.

Commonly Used + Insecure

Communication Protocols / Apps

  1. Mobile + Landline Calls (v. weak)
     
  2. SMS (v. weak)
     
  3. Email (from v. weak to not strong)
     
  4. Whatsapp + Viber + Line + Wechat + Skype + Twitter + FB + Google Chat (from okay to not v. strong)

 

There is no magic bullet!

SMS

No way to really secure.  (Metadata always leaks.)

Instead use data or use coded language.

 

Alternative:

SMSSecure (SMS, Android-only - Metadata still leaks)

 

If you have data, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.

 

For average needs: Use WhatsApp / Viber

Phone Calls

No way to secure.  (Metadata always leaks to telco.)

(Weak encryption. SS7 attacks!)

 

 

Alternative:

1. WhatsApp (multi-platform, call quality is great)

or

2. WebRTC

or

3. SIP app + SIP provider (cross-platform, federated, p2p)

Skype (video/voice/desktop)

WebRTC

1. Talky.io (https://talky.io) (recommended)

2. Jitsi Meet (https://meet.jit.si)

3. Firefox Hello (built into newest Firefox)

 

SIP

Windows / Mac / Linux: Jitsi

 

Video livestreaming

Web: Rhinobird.tv (https://rhinobird.tv)

 

WebRTC

Talky just works.

 

  

E-mail + Attachments

Use something other than e-mail (recommended)

Peerio (very easy to use)
For press orgs: GlobaLeaks / SecureDrop

 

Else: E-mail Provider + E-mail Client + OpenPGP

 

Provider: Riseup.net

(Snowden used this, but downside: painting-target-on-your-back)

 

Client: Thunderbird + Enigmail / Claws + Claws GPG plugin

 

OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)

IM/Chat + Files

WhatsApp (since Dec. 2015 supports file transfer)

or:

Crypto.cat (using Chromium / Firefox / iOS)

Peerio (using Chromium / Android / iOS / Windows / OSX)

 

Better: XMPP Provider + XMPP App + OMEMO

Provider: Jabber.at / Yax.im /

(or service I maintain: Chats.im)

App: Conversations (Android), ChatSecure (iOS), Gajim (Windows, Linux), Monal (Mac OS X)

Contact Details

Get in touch with me using:

XMPP: pranesh(at)prakash.im + pranesh(at)cis-india.org

E-mail: pranesh(at)prakash.im + pranesh(at)cis-india.org

IRC: the.solipsist/freenode + sol/oftc

SIP: pranesh@ostel.co

Mumble: sol:chats.im

 

For help, join this XMPP chatroom:

crypto@chat.cis-india.org

Digital Security for Parliamentarians

By Pranesh Prakash

Digital Security for Parliamentarians

  • 1,893