date: 2023-04-20T00:00:00
tags: Security, Politics

Building a Meme in Under a Month

People have parroted the phrase 'depends on the threat model' so often, so quickly, and so vacuously, that I find my toes curling at the sound of it. But a run-in with the mods on Reddit's /r/privacy brought up some noteworthy gaffes, which I think give me a non-vacuous example of where the threat model really matters.

It started with /r/NewIran, where hopeful and irate Iranians, sick of the Unitary Theocratic Islamic Republic (i.e. 'government') and their Supreme Leader (his actual title), talk about dissent and share memes. Someone posted a message: "do not share details with people on the subreddit, as Neẓām ['the government'/ 'the system'] may pretend to be a supporter in order to find out who you are" (and we know what happens then).

"It might be good to share a general cyber-security guide", I suggested in the comments.

"You should definitely do that", replied the OP.

Iran's a million miles away, and I don't know much about the culture. But if a pro-privacy FOSS-enthusiast can't answer the call to keyboard-war, then what is the point in all those laptop stickers?

So I got to work, with a deep-seated feeling of dread, knowing that the wrong information, or even mixed messages, might land someone in bother.

The Plan

  • I wanted to make a guide for non-techie users. A couple of memes, or basic infographics, showing simple steps to cover the absolute basics in cybersecurity.
  • It should be stripped down, and focus on the most pressing requirements of the Iranian protests.
  • The guide was not to instruct, but to inform, so that people could take basic cyber security into account.

The Epistemological Limits of Research

Articles about Iran focus on big stories, women's rights, and the evils of their government. They don't talk much about encryption.

However, some facts were still available:

  1. Briar (the secure chat app) was designed almost for this exact purpose.
  2. Signal received such heavy limitations that people started running proxies.
    • Standard users (whom the guide was to be for) do not like fiddling with proxies.
  3. Finding facts in the swamp of loud Americans having opinions about what this says about their politics isn't fun.
  4. Iranians could access the internet over their phones pretty much all the time, but house internet received serious restrictions or simply went down entirely (different ISPs, presumably).

Nonsense on Reddit

I posted a request for information on /r/privacy, which was promptly deleted. The mod left a single reply saying "already covered in the sidebar: 'Digital Security Tips for Protestors'".

You might want to stop here and check out the link. Otherwise, here's a run-down of the headers:

  1. Enable full-disk encryption on your device
  2. Remove fingerprint unlock
  3. Take photos and videos without unlocking your device
  4. Install Signal
  5. Read our Surveillance Self Defense (SSD) guide for street-level protests
  6. Use a prepaid, disposable phone
  7. Back up your data
  8. Consider biking or walking to the protest
  9. Enable airplane mode
  10. Organizers: Consider alternatives to Facebook and Twitter

Every point in this list - a full 10/10 - has at least one serious problem when viewed as a resource for an Iranian protest. I've put a small list at the end under 'Problems with Privacy at Protests'.

I made my own little protest on /r/privacy, but the mod doubled down, and refused to see this guide as anything but universal. Apparently /r/privacy have a list of 'privacy facts', which they're content to parrot without further thought.

The Guide

All the back-and-forth, random research, asking a graphic designer to compose the images, dealing with right-to-left and UTF-8 issues, font problems, re-translating mistakes, finding another translator after the first disappeared (I hope they're okay), double-checking statements with various folks from /r/NewIran, took weeks.

Seems implausible for a couple of little images, but there it is. Weeks.

Considerations for the Guide

Some young Iranians successfully used Tumblr to communicate online. They took to fandom spaces and spoke in veiled English. Picture young women in a Powerpuff Girls forum, speaking about plans to move against 'Mojo-Jojo'.

The Tor browser seemed good, except for the obvious trail it might leave. Luckily, they'd thought of that - it has a 'bridged' mode, where it looks like something non-Tor. Initially I made a guide which involved changing the language, but it turned out later that a Persian version exists, so I just changed the link, and remade the screenshots.

The guide should not advertise itself as 'HOW TO EVADE POLICE AND BRING DOWN THE EVIL GOVERNMENT'. That sort of message could get people in trouble. Instead, it would simply say 'how to stay safe online', and use plausibly-generic cyber-security advice.

Pretty much every website uses SSL certificates nowadays, so DNS spoofing wouldn't be easy... except with standard users, who would presumably accept any self-signed certificates if they saw enough pop-ups. Iran also once had a country-wide hack, which redirected their traffic, and allowed total inspection of would-be encrypted traffic. And of course, on an individual level, spoofing certificates seemed a real challenge for a government which had historically reacted to internet-type problems by just shutting it down. Ultimately, DNS and certs seemed too much to think about, so I put it aside, except for the most basic simplifications.

The final guide didn't have quite the translation I was looking for, and the bridge connection mode ended up with the English version, with Persian notes (I don't recall why). Mistakes were made, but some Iranians gave it a final run, then I put it out on /r/NewIran for people to do as they please. I have no idea what, if anything, happened with the images after that.

Briar

I was never sure about Briar, but I felt there wasn't much use in reminding people they could use WhatsApp - surely they already know! Briar also has the ability to communicate over Bluetooth and local Wi-Fi. Two people in the vicinity of a cafe where they have both had a coffee and connected once could communicate. That's not amazing, but it's not nothing, and the communication wouldn't advertise itself outside of that network. It could also keep this anonymity going through an entire chatroom, where different people have different responses and replies, or could host blogs to pass from phone to phone, simply via Bluetooth. A simple blog post about where there's danger, or how to circumvent danger, could be invaluable if it could spread through a city-wide movement.

Briar uses Tor, which threatens to tell authorities that you're using Tor if you don't take extra precautions, but every report I'd heard suggested that home-internet providers cooperated with Neẓām while mobile phone providers did not. One last tipping point for it was the generally unknown icon - authorities might be less likely to inspect that app if they couldn't immediately see it was a chat-app. This was a shaky judgement call, but in the end I went for it, recommending Briar.

The Final Guide

I don't think I have a copy of the absolute final translation. This was before I reflexively wrapped every project and text note in a git log. So some changes were probably made since this material, but the translation would look something like this:


Safety while Walking

  • Your phone tells people where you are.

  • Put your phone on airplane mode, or turn it off if you can.

  • If your phone is on airplane mode, you can still use public Wi-Fi.

    Briar - chat app

  • To talk with people safely, download Briar from the Google Play Store, and ask your friends to install it.

  • Briar will work with just WiFi or Bluetooth - no internet required.

[ QR Code Shows link to Briar on Google Play Store ]

Safety at Home 1

Computer Safety at Home

  • Bad people online can see what you are talking about, and know who you are from your previous posts.

  • If you need to post on Reddit or Facebook, make a new account.

    What Your ISP Sees

  • The people controlling your internet may not see what you write, but they can see which sites you visit, and know what you are doing from which articles you read, and which sites you go to, and when.


Safety at Home 2

Tor Browser

When you use Tor browser, people cannot see which sites you visit, but they will know that you are using Tor! To remain more safe, install Tor, and then connect to a 'bridge', so nobody knows that you are using Tor.

Safety at Home 3

[ installation instructions ]


Problems with Privacy at Protests

This guide to protests looks fine for the USA, and many points work for most European countries, but it absolutely does not work as a general guide.

If you want to point out any other nonsense in the list, do get in touch.

  1. Enable full-disk encryption on your device

Protestors who use full-disk encryption will simply be told to unlock their phone. This should be obvious, in addition to being confirmed by Iranians online, and also it's really bloody obvious.

Why are you using full disk encryption anyway? It says right here in the settings, you have full disk encryption. What are you trying to hide?

Step this way...

So at this point, the 'full disk encryption' advice might have gotten someone dragged into a dark room for police to break their body.

  2. Remove fingerprint unlock

Why bother? The article says 'the authorities can compel you to unlock with biometrics, but not a password'. But of course, this means 'the American police, assuming they obey the rules'.

  3. Take photos and videos without unlocking your device

Why? And why take photographs at all? To document police abuse, and later instigate a prosecution on the Iranian police?

This only lets the police identify your fellow protestors if they grab your phone, and lets them identify you as a protestor if they inspect your phone later, once you've left the protest.

  4. Install Signal

How about Facebook, instead? /r/privacy objected to this on the basis that 'the government is watching Facebook', but Neẓām is not watching Facebook. Better yet, how about putting WhatsApp on the homepage of your phone, and burying Tumblr with a bunch of other apps, for system settings, Maths, and YouTube?

Or how about swapping app icons, so the music app leads to WhatsApp?

Signal is blocked, and bypassing the block with a bridge doesn't mean anything unless everyone else uses Signal, which they won't. So we're back to the problem of a single super-private person with a Gopher page served over Tor. Sure - it's private, but it's not 'private communication' unless you're communicating with someone.

  5. Read our Surveillance Self Defense (SSD) guide for street-level protests

Is this guide available in Persian?

  6. Use a prepaid, disposable phone

Can people in Iran buy pre-paid phones, without ID? Can they even buy SIM cards without identification?

I read online, asked a few, and got mixed messages. I really don't know, and until someone knows, this is possibly useless and potentially dangerous advice.

Besides, how will a crowd of people get the money for a new phone every night for a month? Assuming they all have the funds for a phone-a-day, do local shops have the stock to supply burner phones to a crowd of thousands, night after night?

As usual, Americans think about how to keep themselves safe in the moment, not about how wider society functions.

  7. Back up your data

Why? Because you might lose your cat photos and memes when the police confiscate your phone at the local rally? This really has no bearing on taking on a government.

  8. Consider biking or walking to the protest

...because otherwise police cameras can pick up your car's licence plate. You know - the car all Iranians go everywhere in, due to lack of public transport in America.

  9. Enable airplane mode

The article mentions this will cut communication, so it may not be a good idea. That's true enough - it may be an awful idea. Perhaps information from friends and colleagues has more value.

But this isn't information, or a tactic. The message simply says to turn off aeroplane mode and provides a couple of caveats after.

Of course, if the plan had included Briar, then aeroplane mode wouldn't cut the phone's ability to communicate through Bluetooth.

  10. Organizers: Consider alternatives to Facebook and Twitter

...or Mark Zuckerberg will have them deported for being foreign.