Discuss

last person joined: 9 hours ago 

Ask a question. Give advice. Share resources. Looking for software or hardware recommendations? Want to know how others are using text messaging in their work? Trying to find examples of IT policies? The NTEN Discuss forum is a great resource for all of the above and more! It's the general discussion list for the NTEN community, and folks all over the US (and the world) are sharing their questions, answers, and news about nonprofit technology.

Anti-surveillance technology?

  • 1.  Anti-surveillance technology?

    Posted Oct 04, 2018 18:31
    Hi everyone.
    This might be an odd question, but I was wondering if anyone has run across the need to invest in any sort of anti-surveillance technology? This would be for situations where employees are perhaps engaged in sensitive work or discussions where it's important to ensure that there REALLY isn't anybody listening in on your conversations. I probably just got myself put on a homeland security watchlist by posting this question, but any good resources/references would be appreciated!

    Thanks!

    ------------------------------
    Rob Foley
    IT Director - The Scholarship Foundation of St. Louis
    ------------------------------


  • 2.  RE: Anti-surveillance technology?

    Posted Oct 05, 2018 06:34
    Rob,

    If you haven't already looked, I'd suggest you start with the Electronic Frontier Foundation's Surveillance Self-Defense resources.

    Surveillance Self-Defense

    I'd specifically recommend starting with a threat modeling exercise with your concerned personnel to try to learn more about what risks people are worried about and how severe the consequences would be if those risks materialized. This will help you determine an appropriate level of effort (which you'll see below, might be significant).

    If the threat modeling exercise reveals significant concerns around sensitive conversations - I recommend applying highly disciplined operational security (opsec) to the sensitive conversations in question. There's a LOT more detail I would want to learn about your organizations' concerns before giving advice I would stand by, but here are some ideas to get you started.

    In Person Conversations:
    1. If you're concerned about office and/or home environments being bugged, you can hire a professional to do a sweep or even attempt it yourself. From my research on this in the past ( I haven't dug in for over a year), I've come to the conclusion that if the adversary is sufficiently sophisticated (state actor or otherwise well-resourced) neither you nor a professional you can hire you are likely to find anything. You can learn more about this from this pretty good Wired article from late 2017.
    2.  The most likely attack vectors for snooping are your own electronic devices. Believe it or not, there's been a demonstrated capability to use laser printers to capture audio (if you want to go down a rabbit hole - Google "Funtenna"). Assume any electronic device (phone, computer, printer, wireless access point, TV...any "smart" anything) might be able to capture audio (or even video).
    3. So, what do you do? Get physically away from all electronic devices and predicable locations for sensitive in-person conversations. Go for a walk in the woods or in a busy city and leave all your electronics behind. If the electronics have to be there, power them off and put them in a Faraday bag, but to the best of your ability get away from all the electronic devices in your normal environment (this again includes anything "smart" like a Fitbit, Apple Watch, etc.). 

    Remote conversations (not in person):
    This is pretty straightforward from my perspective. If you have to use devices (phones or computers) to communicate, limit sensitive conversations to this set of practices. Keep in mind that all the in-person concerns from above still apply here, so limit your exposure to only the electronic device you're using for the sensitive conversation.

    1. Only use Signal
    2. Only use Signal on approved devices. My recommendation is to use only fully patched iOS devices. You could persuade me to include fully patched Google Pixel phones. You couldn't persuade me to include any other type of device if the stakes are high (personal safety and/or existential levels of organizational risk).

    I hope that's helpful, Rob. If you wish to have a conversation to talk more about it, let me know. Or just talk into your nearest laser printer and I'll get back to you. ;-)

    -JP









    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------



  • 3.  RE: Anti-surveillance technology?

    Posted Oct 05, 2018 11:07
    Hi Joshua. This is extremely helpful. Really.
    Thank you very much for taking the time to reply.

    ------------------------------
    Rob Foley
    IT Director - The Scholarship Foundation of St. Louis
    ------------------------------



  • 4.  RE: Anti-surveillance technology?

    Posted Oct 07, 2018 22:33
    Phenomenal info, Josh. Thank you very much for sharing.

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------



  • 5.  RE: Anti-surveillance technology?

    Posted Oct 05, 2018 18:21
    Research dod approved phones there is a list available online. These phones allow you to disable speaker phone functions and some don't have them at all. Also ensure your system supports voice encryption most voip systems have this available.

    ------------------------------
    Anthony Caufield
    Organizer
    Tech4Good-LV
    North Las Vegas, NV
    ------------------------------



  • 6.  RE: Anti-surveillance technology?

    Posted Oct 06, 2018 17:05
    As context, I'm a co-founder of the Stop LAPD Spying Coalition and have done digital security work for almost 20 years. I'm also one of the folks who helps EFF with the companion to the Surveillance Self-Defense work, the Security Education Companion Credits | Security Education Companion --.

    There are two big things here:
    • Are the contents you are securing things you shouldn't be securing for statutory purposes? This is something government and finance are wrestling with. For example, if you're accused of engaging in non-501c3 activity and an email exists saying "let's use signal for that" then it could be construed you're acting outside of sector scope/activity...similarly with HR, Finance, and Program issues where an email trail is helpful.
    • Risk assessments/threat modeling is a waste of time if folks don't focus on the non-sexy threats, like an audit. It's important to avoid giving into paranoia that leads to investments of time and money to defend against threats that are possible but not plausible (e.g. worrying about federal law enforcement but not local law enforcement).

    That said, I'd also wonder what policies are in place to guide staff what channels or content are secured and which aren't. There's also a big piece with endpoint security. Whether it's a phone, tablet, laptop, desktop, that's one of the biggest vectors through which security programs fall apart.

    Security is largely about infrastructure and, if that infrastructure isn't there, security initiatives often stumble.

    Good luck.
    --ken
    ps: infrastructure includes budgeting for materials, services, staff time, & training

    ------------------------------
    Ken Montenegro
    Information Technology Director
    Asian Americans Advancing Justice Los Angeles
    Los Angeles, CA
    ------------------------------