Technical Discussions Related to Security

I didn’t find a thread for discussing technical aspects of IT and related infrastructure related to security, so here one is.

We recently had an action in WA where the police knew what we were planning and told our Police Liaison so when they first made contact. We were not particularly secretive about our intentions, so there is nothing to show that the police did not simply gain this information through good old detective work and putting two and two together, but it does prompt us to review our security processes. So here is an interesting article about the technical possibility of phones being used for spying. Bear in mind that this sort of recording breaks every privacy agreement I’ve ever read, so I don’t believe phone companies are doing it across the board on a regular basis. This article just explains what is technically possible, especially with a warrant. :wink:

A device with bad modem isolation cannot prevent the modem from accessing and controlling key parts of the hardware. For instance the main CPU’s RAM, its storage, the GPS, the camera, user I/O and the microphone. This situation is terrible for privacy/security as it provides plenty of opportunities to efficiently spy on the user, that could be triggered remotely over the mobile telephony network. That mobile telephony network is accessible to the mobile telephony operator, but also to attackers setting up fake base stations for that purpose.
Good modem isolation
On the other hand, when the modem is well-isolated from the rest of the device, it is limited to communicating directly with the SoC and can only access the device’s microphone when allowed by the SoC. It is then strictly limited to accessing what it really needs, which considerably reduces its opportunities to spy on the user. While it doesn’t solve any of the freedom issues, having an isolated modem is a big step forward for privacy/security. However, it is nearly impossible to be entirely sure that the modem is actually isolated, as any documentation about the device cannot be trusted, due to the lack of effective hardware freedom. On the other hand, it is possible to know that the modem is not isolated, when there is proof that it can access hardware that could be used to spy on the user.

There’s a page on the French base on security and organising actions. I repost it here for consideration, filtered through Google Translate.

Protecting ourselves and others: securing our actions

To ensure as far as possible that our actions can be carried out, we invite you all to follow some precautionary rules when preparing them.

:spy: Learn how to protect your digital freedom: read these operational security posts.

:one: Protect yourself before action

:small_blue_diamond: Never give the place, date and time of the actions to people other than the coordination team.

:small_blue_diamond: Use a code name for the location / target of your action so that you can talk about it out loud without disclosing it.

:small_blue_diamond: Switch off and isolate your phone at the start of each meeting / discussion concerning an action, whether physical or on a campfire.

:small_blue_diamond: Where possible, favor physical meetings in a private location over virtual meetings.

:small_blue_diamond: Make maximum use of a computer for online campfire meetings, not your phone.

:small_blue_diamond: Do not talk about stocks, their logistics, etc. on an unencrypted telephone line.

:small_blue_diamond: Use a VPN as well as Tor for everything related to preparing for the action.

:two: Protect yourself in action

:small_orange_diamond: Avoid taking your personal phone on an action; instead, prefer an old phone with a prepaid card.

:small_orange_diamond: Switch off your phone once the action has started and do not switch it on (including at the police station).

:small_orange_diamond: Before an action, remove all applications relating to XR and the phone numbers of other members, and delete all conversations with them.

:small_orange_diamond: Disable USB debugging on your phone and encrypt it on startup (see Phone security 1).

:three: The essential digital security rear base

For the safety and well-being of the rebels, the manual of action teaches us how to organize a rear base. One of its aspects concerns digital security.

:warning: Before the action

Each coordo designates a “security” referent, who is responsible for contacting the administrators and moderators of the Base to indicate the action to come. The information given may be approximate, initially, for the purposes of discretion. This is to help prepare the suspension of Base and Mattermost accounts in the event of arrests.

:arrow_right: To do this, send an @moderators message on the Base to establish contact. The exchange of information will be done confidentially.

:arrow_right: Anticipate as much as possible: leave it to the Moderation team to organize themselves so that a member is available on the day of your action.

:arrow_right: Plan to provide a list of rebels in action.

  • Do not send it via the Base. Also avoid Mattermost. Agree with your contact to send it by protonmail or by Signal.
  • Specify if some rebels do not have exactly the same nicknames on the Base and on Mattermost; if so, give both.
  • Send the list to your contact:
    • sorted by groups, if your action requires several rebel teams. Please give each of these groups a simple and clear identifier. For example a letter, a number, a color.
    • In alphabetical order.
    • Online, with the @: @pseudo, @pseudo, @pseudo, @pseudo, @pseudo, @pseudo, etc.

:warning: In the event of police custody

The referent must very quickly warn their contact in the Administration or Moderation team of any police custody, so that they can take the necessary measures.

Once again, the safety of all rebels is at stake!

To contact us, in order of preference (and knowing that it is better to be warned several times than none):

I’m curious what the @Nat-WG-IT think of this advice and process? Could we set up a similar process for Australia?

This process aligns with the expectation that I’ve recently been advocating too: that affinity groups need to organize their own support team for any action, including Regen, Police Liaison, Media and Outreach, Security and Comms, etc.

In regard to device lockdown measures, I believe we have a process starting to form here, but it’s not formalized and is much lighter than the one @ManicMax shared above. I think we could certainly learn from and adapt the above to Australia.

The main thing I’d want to change to begin with is that in the French version there appears to be an expectation that sometimes people are breaking the law while attempting NOT to get arrested. This might be appropriate in France, but here in Australia, carrying out civil disobedience, by definition, requires you to be arrested. Rebels even own up to and take responsibility for wheat pasting and chalk spraying.

If you attempt NOT to be arrested you create the situation where the police need to investigate and track you down, which places everyone involved in XR at risk of being watched more closely by police.

I think it’s very important that we maintain our difference from criminals. Criminals don’t want to get caught; we in XR only break the law with the intention of getting caught and accepting the consequences of our actions. Of course we will also argue that our actions are justified given the emergency of Climate Change, and this contributes to the cause and highlights the point we are making.

Recent Canberra actions seemed to have mixed awareness and compliance with these guidelines. Some folk had ensured all their devices were left behind and secured before heading to actions.
There were panicked messages about removing people from Signal groups, as their phones had been confiscated by the authorities. I sent some messages through Signal groups to suggest securing devices ahead of actions, or at least passing them to affinity contacts ahead of the heat of the moment.

Process-wise, I think it would help if people did more medium- and long-term communication through Mattermost, which they can delete and re-install on their devices without interrupting the flow and history.

Save Signal for lighter-weight, more immediate, small-group messaging, so not much is lost if you need to delete the app or be removed from groups.

The WA scenario, where the confiscations happened unexpectedly at people’s houses, is obviously more problematic. It kind of implies some people maybe need to stick with web access to MM instead of an installed client or app.

Shame we have to be so ridiculously cautious about legitimate, non-violent direct action targeted specifically at Government [the XR demands and mandate], mostly because of the anti-lockdown, anti-vaxxer and extreme right groups that the authorities are obviously and rightly much more worried about.