Lessons on netfreedom+best practices in cyber security



  1. 1. Lessons on Internet Freedom and Best Practices in Cyber Security. Strategies & Tools for Nonviolent Conflict, Washington, DC, Dec 6-7, 2010
  2. 2. Internet Freedom @ FH <ul><ul><li>Freedom on the Net (FOTN) </li></ul></ul><ul><ul><ul><li>2009 (15), 2011 (37) </li></ul></ul></ul><ul><ul><li>Technology Support </li></ul></ul><ul><ul><ul><li>Support, Training, Research </li></ul></ul></ul><ul><ul><li>Advocacy / Policy </li></ul></ul><ul><ul><ul><li>Internet Governance (IGF) </li></ul></ul></ul><ul><ul><ul><ul><li>Freedom of Expression </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Engaging NGO Networks </li></ul></ul></ul></ul><ul><ul><li>Strategic Partnerships </li></ul></ul>
  3. 3. What is Net Freedom? <ul><li>What techniques are used to control and censor online content? </li></ul><ul><li>What are the main threats to internet and digital media freedom? </li></ul><ul><li>What are the positive trends and uses of these technologies? </li></ul>
  4. 4. How Do We Measure Net Freedom? <ul><li>Obstacles to Access </li></ul><ul><li>Limits on Content </li></ul><ul><li>Violations of User Rights </li></ul>
  5. 6. What We Found:
  6. 7. More Net Freedom than Press Freedom <ul><li>Every country except the UK scored better on FOTN than Freedom of the Press </li></ul><ul><li>Differences most noticeable in partially free countries. </li></ul>
  7. 8. Growing Civic Activism <ul><li>Bloggers and other internet users are using digital media in creative ways to mobilize: </li></ul><ul><ul><li>Facebook activists in Colombia, Egypt, Iran </li></ul></ul><ul><ul><li>Use of Twitter for political change in Moldova </li></ul></ul><ul><ul><li>Text messages report election violence in Kenya </li></ul></ul><ul><ul><li>“Sneakernets” in Cuba </li></ul></ul>
  8. 9. But Also…Growing Threats <ul><li>Conditions deteriorated in many countries over the review period. </li></ul><ul><li>11 of the 15 countries censored some political content. </li></ul><ul><li>Six of the 15 countries sentenced a blogger or online journalist to prison. </li></ul><ul><li>Five introduced new internet-restricting legislation. </li></ul>
  9. 10. Legal Repercussions and Violence <ul><li>Legal repercussions: </li></ul><ul><ul><li>Use of general media legislation against online activities as well as development of internet-specific legislation </li></ul></ul><ul><ul><li>“Libel Tourism” a danger in the UK </li></ul></ul><ul><li>Extra-legal harassment and violence: </li></ul><ul><ul><li>Detentions, intimidation, torture </li></ul></ul><ul><ul><li>Technical violence: hacking, DDoS attacks, cyber espionage </li></ul></ul><ul><li>Surveillance and infringements on privacy in a wide range of environments </li></ul>
  10. 11. Restricting Access <ul><li>Seven of the 15 countries studied had blocked ‘Web 2.0’ applications such as: </li></ul><ul><ul><li>Facebook </li></ul></ul><ul><ul><li>YouTube </li></ul></ul><ul><ul><li>Twitter </li></ul></ul><ul><ul><li>Flickr </li></ul></ul><ul><li>Iran restricts broadband and mobile SMS </li></ul><ul><li>“Just in Time” blocking (elections, key events) </li></ul><ul><li>Software Licenses: Copyright violations? </li></ul><ul><li>Flag for removal: Social Media </li></ul>
  11. 12. Censorship <ul><li>Some censorship in every country studied, though not always political/social content. </li></ul><ul><li>Wide range of techniques for removing content: </li></ul><ul><ul><li>Technical filtering </li></ul></ul><ul><ul><li>Manual removal because of government directives, judicial orders, intimidation </li></ul></ul><ul><li>China’s apparatus is the most sophisticated, multi-layered, and includes censored SMS. </li></ul><ul><li>Significant lack of transparency in censorship procedures, including in some democracies. </li></ul>
  12. 13. What Censorship Looks Like <ul><li>We compared the results from three searches using Google, a top search engine in the U.S., with results from Baidu, the top search engine in China. </li></ul><ul><li>The search terms were: </li></ul><ul><li>Freedom House </li></ul><ul><li>Falun Dafa </li></ul><ul><li>Tiananmen Square </li></ul>
  13. 14. Freedom House
  14. 15. Falun Dafa
  15. 16. Tiananmen Square
  16. 17. Going the Distance for Access <ul><li>Residents in the Xinjiang province of China faced crippling restrictions of email, SMS, and the Internet after the government clamped down on civil unrest in the area. </li></ul><ul><li>Business owners and residents of Xinjiang were forced to travel 24 hours by car and hundreds of miles by train and airplane to reach the nearest internet café. </li></ul> Would you travel over 600 miles just to check your email?
  17. 18. Censorship: New Threats <ul><li>Just in Time Blocking </li></ul><ul><ul><li>Key websites and/or services blocked ahead of significant events (protest, election, strike) </li></ul></ul><ul><ul><ul><li>Communications infrastructure turned off (Iran) </li></ul></ul></ul><ul><ul><ul><li>Servers seized </li></ul></ul></ul><ul><ul><ul><li>Targeted Censorship: Block key sites at critical time. </li></ul></ul></ul><ul><ul><ul><li>Distributed Denial of Service (DDoS) attack </li></ul></ul></ul><ul><ul><ul><li>Flag for removal: </li></ul></ul></ul><ul><ul><ul><ul><li>Use “abuse reporting” mechanisms to suspend accounts </li></ul></ul></ul></ul><ul><li>Software Licenses </li></ul><ul><ul><li>NGOs targeted for copyright violations </li></ul></ul><ul><li>Cripple Blackberry Security </li></ul>
  18. 19. Censorship: Just in time blocking
  19. 20. Censorship: Software Licenses
  20. 21. Censorship: Software Licenses - 2
  21. 22. Cripple Blackberry Security
  22. 23. Tech for Free Expression <ul><li>Training </li></ul><ul><ul><li>Surveillance (Mobile, Internet, etc.) </li></ul></ul><ul><ul><ul><li>Use easy-to-understand examples: postcard, unlocked car, etc. </li></ul></ul></ul><ul><ul><li>Information Security: </li></ul></ul><ul><ul><ul><li>Secure communications, Circumvention tools </li></ul></ul></ul><ul><ul><ul><li>Human Factors: Don’t underestimate what damage one person can do: </li></ul></ul></ul><ul><ul><ul><ul><li>Wikileaks (Private Manning & Dept of State) </li></ul></ul></ul></ul><ul><li>Materials Development </li></ul><ul><ul><li>AV strategy: Videos, Cartoons, New Media, etc. </li></ul></ul>
  23. 24. Materials Development
  24. 25.
  25. 26. Discussion (I) <ul><li>Review of existing communication methods </li></ul><ul><ul><li>What is used for communications? </li></ul></ul><ul><ul><li>Issues to discuss: </li></ul></ul><ul><ul><ul><li>Corresponding with partners, field monitors, donors, etc. </li></ul></ul></ul><ul><ul><ul><ul><li>What type of information is being transmitted? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>What are the risks & vulnerabilities? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>High Risk Environments </li></ul></ul></ul></ul><ul><li>Understanding the vulnerabilities </li></ul><ul><ul><li>Need to explain in simple-to-use language </li></ul></ul><ul><ul><li>Sending messages via insecure networks </li></ul></ul><ul><ul><ul><li>Post office example (postcards) </li></ul></ul></ul><ul><ul><ul><li>Internet </li></ul></ul></ul><ul><ul><ul><li>Mobile Networks (location tracking, remote access of phone, etc.) </li></ul></ul></ul>
  26. 27. Discussion (II) <ul><ul><li>Privacy should be maximized </li></ul></ul><ul><ul><ul><li>Don’t leak key information (credentials: usernames & passwords) </li></ul></ul></ul><ul><ul><ul><li>HTTPS Everywhere </li></ul></ul></ul><ul><ul><ul><ul><li>Importance of Persistent HTTPS & minimizing history/logs </li></ul></ul></ul></ul><ul><ul><ul><li>Facebook </li></ul></ul></ul><ul><ul><ul><ul><li>Privacy Settings </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Real Names Policy: There are ways to protect yourself </li></ul></ul></ul></ul><ul><ul><li>Secure Email </li></ul></ul><ul><ul><ul><li>Which webmail service is most/least secure? </li></ul></ul></ul><ul><ul><ul><li>Gmail (Review of Settings - Best Practices) </li></ul></ul></ul><ul><ul><ul><ul><li>Standard Gmail </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Google Apps (two factor authentication) </li></ul></ul></ul></ul><ul><ul><ul><li>Hushmail </li></ul></ul></ul><ul><ul><ul><li>Vaultletsoft (Install / Account creation / Features / Best Practices) </li></ul></ul></ul>
  27. 28. Discussion (III) <ul><ul><li>Blackberry </li></ul></ul><ul><ul><ul><li>Devices are all the same </li></ul></ul></ul><ul><ul><ul><li>There are vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Security varies: Business & Consumer configuration </li></ul></ul></ul><ul><ul><li>Chat </li></ul></ul><ul><ul><ul><li>Skype: Vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Alternatives: Open Standards Based (Jabber, Guardian Project) </li></ul></ul></ul><ul><ul><li>Website </li></ul></ul><ul><ul><ul><li>Not just about servers: Domain name registration, bandwidth, etc. </li></ul></ul></ul><ul><ul><ul><li>Hosting: Pick a jurisdiction that provides protection (US, Amazon EC2..) </li></ul></ul></ul><ul><ul><li>Anti-censorship / Anonymity </li></ul></ul><ul><ul><ul><li>Psiphon (Proxy), Hotspot Shield (VPN), Tor (Anonymity) </li></ul></ul></ul>
  28. 29. Discussion (III) <ul><ul><li>Data Security </li></ul></ul><ul><ul><ul><li>VPN – Secure Tunnel </li></ul></ul></ul><ul><ul><ul><ul><li>What to do when you don’t trust the network </li></ul></ul></ul></ul><ul><ul><ul><li>Encryption (TrueCrypt) </li></ul></ul></ul><ul><ul><ul><ul><li>Plausible Deniability </li></ul></ul></ul></ul><ul><ul><ul><li>Secure Documentation: Martus </li></ul></ul></ul><ul><ul><ul><ul><li>Remote backup </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Securely collaborate </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Encrypted Data </li></ul></ul></ul></ul><ul><ul><li>Deleting Data </li></ul></ul><ul><ul><ul><li>What happens when one deletes data? </li></ul></ul></ul><ul><ul><ul><li>Do you need to delete, or prevent self-incrimination? </li></ul></ul></ul><ul><ul><li>Wiping Tools </li></ul></ul><ul><ul><ul><li>Darik's Boot and Nuke ("DBAN") </li></ul></ul></ul>
  29. 30. Resources <ul><ul><li>Super Peif : Awareness raising </li></ul></ul><ul><ul><ul><li>http:// </li></ul></ul></ul><ul><ul><li>Secure NGO in a Box </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Guardian Project </li></ul></ul><ul><ul><ul><li> / </li></ul></ul></ul><ul><ul><li>Hotspot Shield </li></ul></ul><ul><ul><ul><li>http://hotspotshield.com/ </li></ul></ul></ul><ul><ul><li>Martus </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>TrueCrypt </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Darik’s Boot and Nuke (DBAN) </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Vaultletsoft </li></ul></ul><ul><ul><ul><li>http://www.vaultletsoft.com </li></ul></ul></ul>
  30. 31. Freedom House is an independent watchdog organization that supports the expansion of freedom around the world. Freedom House supports democratic change, monitors freedom, and advocates for democracy and human rights. For more information contact: Robert Guerra – [email_address], Project Director, Internet Freedom, Freedom House. Support the right of every individual to be free. Donate now.