Trying to help a Russian dissident with computer security
January 2, 2017 2:37 PM

I do volunteer work with Russian dissidents. I would like to help one of my dissident friends with his computer security. Let's call my friend Victor. I would like MetaFilter's feedback about my plan for Victor. Also, I would like a recommendation for a pouch that he can put his mobile phone into that will protect him from snooping.

Victor is an important dissident and I'm sure that he is being subjected to the highest level of surveillance. He lives in Britain. I have not yet talked to him about this issue, as I want to become informed first so I can go to him with a specific plan. But the impression I get is that he doesn't really know anything about security and may not have taken even basic measures.

I'm sure he knows that his phone calls and online activity are monitored, but I think he may not know that his laptop and mobile phone may be used to spy on him even when they are turned off. I know he should learn about encryption, but I think the first order of business is to make sure that he's not being spied on even during what he thinks are private conversations.

To that end, I was planning to suggest the following:

1) He should put a piece of tape over the camera on the laptop.
2) He should take his laptop to a computer repair place and ask them to unhook the microphone. If he needs a microphone for Skype, he should buy a separate one that he uses just for that and keeps unplugged the rest of the time.
3) If he has a desktop, then if he has a microphone for that he needs to keep it unplugged unless he is actually using it. And he should put a piece of tape on the camera, if there is one.
4) He should get a pouch to put his mobile phone in that acts as a Faraday cage to block snooping.

Is there anything else we should be worrying about, in terms of his face-to-face conversations being spied on? Do we have to worry about the landline?

I'm researching the pouches that are marketed to protect privacy on mobile phones, and I don't have much confidence in what I'm seeing. Can anyone recommend something?

Also, I'm wondering if there's any place he can go to get a professional to help him with these things. Is there a nonprofit organization that could refer someone?
posted by anonymous to Computers & Internet (12 answers total)

This post was deleted for the following reason: Some issues here; please contact us -- taz

 
He could download Signal and use it for texting and phone calls; it has end-to-end encryption and the only data Signal stores on its database is when you download the program and the last time you used it (timestamp only).
posted by julie_of_the_jungle at 2:57 PM on January 2, 2017


If your bad actors have physical access to more or less anything, it's game over. So physical security is a very relevant consideration here, but that's outside of the remit of the question. Some more general IT security points:

- The wireless router is a soft, high-value target. Keep the firmware up to date, flash it regularly, and use a strong password. Even better, don't use wireless and rely on cabled connections.

- Beware of any/all 'smart' Internet of Things gadgets, they're a security nightmare. General rule: the dumber the tech, the less it can hurt you. That applies for phones too.

- It's possible to hide malware in USB firmware. So treat USB devices like needles. They get plugged in one device and only that device.

- If any hardware arrives in the mail, it does not get plugged in. Buy peripherals from bricks-and-mortar shops. If someone (say) sends him a USB stick which they claim contains super-important incriminating information, treat that thing with extreme caution.

- I know it's boring, but promptly apply all security patches to all software and hardware.

- If he can manage without Adobe Flash on his computer, he should do so. It's a perennial attack vector.

- Social engineering attacks may seem stupid but can snare even highly sophisticated victims if done well. If he's the target of a well-resourced intelligence agency, he needs to keep his wits about him any time he's sharing information.
posted by Urtylug at 3:15 PM on January 2, 2017 [3 favorites]


Oh, and any device that's using a default password (particularly the wireless router), change it now.

It's really silly, but sometimes a Google search for "$THINGMODEL default password" is all that's required to complete an attack.
posted by Urtylug at 3:23 PM on January 2, 2017 [1 favorite]


He probably shouldn't use Skype, full stop.
posted by pompomtom at 3:40 PM on January 2, 2017 [1 favorite]


In terms of nonprofits to refer him to, Security Without Borders recently launched to help out with things like this.

From their page: "Security Without Borders is an open collective of hackers and cyber security professionals who volunteer with assisting journalists, human rights defenders, and non-profit organizations with cyber security issues."
posted by escapepod at 3:58 PM on January 2, 2017 [1 favorite]


This was just released today: A DIY Guide to Feminist Cybersecurity

Made for its stated purpose, but the tips are universal. It's comprehensive but takes time to explain things to those who might be less tech savvy.

Good luck to your dissident friend.
posted by bluecore at 4:06 PM on January 2, 2017 [1 favorite]


This transparency report outlines what UK telcos have to do to remain within the law to operate in the U.K. Tl;dr they are mandated to share communication metadata with U.K. Government agencies, but not necessarily content of communication. So end to end encryption might help protect your friend against some people/orgs, but not all.
posted by mgrrl at 4:16 PM on January 2, 2017


The EFF has a Surveillance Self Defense resource page that may be of use.
posted by nalyd at 5:43 PM on January 2, 2017


Cory Doctorow will know the score in the UK, even though he's recently moved to the States. He may have some EFF contacts for Victor. He may even be on Blue, not sure...? Memail me if you want contact details.
posted by mollymillions at 6:32 PM on January 2, 2017


He needs a clean laptop with camera and microphone hardware physically disabled that boots Tails from DVD. No hard drives or writable storage! Get a new burner mobile phone every two weeks. I read Snowden made people put theirs in the freezer while they talked face to face. If this dude lacks basic knowledge about online security, he needs professional guidance. An amateur helping him out might just give him a false sense of security. If he really is a high level Russian target, they already own him.
posted by LoveHam at 7:02 PM on January 2, 2017 [3 favorites]


+1 to what LoveHam said -- if the Russian government is genuinely treating him as a top priority target and putting all their resources into tracking his activity, and he doesn't know much about computers and has done nothing to protect himself, he should assume everything is fully compromised. All his physical devices, all his online accounts, email, Facebook, text message history, every password he's ever used, every word he's ever typed on his laptop, he should assume Russia has full access to all of it. If he wants to be safe, he would need to get new hardware and accounts and start over with professional help. 2fa for everything (using mobile app not SMS), burner phone, never plug any device into anything unless he fully controls what's at both ends of the wire, never access his devices or accounts in Russia or any country that co-operates with Russia, etc.
posted by phoenixy at 9:52 PM on January 2, 2017 [1 favorite]


The phone pouch will do precisely zip. If his phone is capable of receiving calls, it's periodically talking to a tower and therefore capable of being tracked. Therefore, no pouch can possibly prevent tracking while leaving the phone in a usable state; and if you're going to carry around a phone that's not in a usable state, removing the battery kills tracking far more effectively than any pouch could.
posted by flabdablet at 10:34 PM on January 2, 2017

