COMMUNICATE SAFELY: RiseUp's warrant canary & what to do

Pasted by a guest, Nov 25th, 2016

##############################################################################

/######//########///##/////######//#######/##///##////##////##////##/#####////
##////##////##/////####///##////##/##//////##///##///####///###///##/##///##//
##//////////##////##//##//##///////##//////##///##//##//##//####//##/##////##/
/######/////##///##////##/##//####/######//#######/##///##//##/##/##/##////##/
//////##////##///########/##////##/##//////##///##/########/##//####/##////##/
##////##////##///##////##/##////##/##//////##///##/##////##/##///###/##///##//
/######/////##///##////##//######//#######/##///##/##////##/##////##/#####////

##############################################################################
### STAGEHAND Issue #1 ## Title: Communicating Safely ## Date: 24 Nov 2016 ###
##############################################################################

RiseUp's warrant canary has gone missing. We believe they are fighting a court
battle to keep their users safe.

https://c4ss.org/content/47015

They have a lot of experience and they're good guys, but what if they lose?
Service providers on our side are great, but you need to take personal
responsibility for your own safety.

Here is a loose guide as to how to do that, which is state of the art as
of the day the RiseUp canary croaked – 24 November 2016.

We're not saying this twice: RiseUp is not the only group having trouble;
they're just the only group whose canary has been noted missing. *P00F*

########################
# Know Your Opposition #
########################

What hunts you?

The so-called "Alt Right"? GamerGate? "B-tards"?

Corporate security?

Local or state police?

Federal police or intel?

Everybody gets scared shitless and paranoid when things start happening. If
you are vocal about opinions, maybe the "Alt-Right" trolls want you. Attending,
or worse, organising protests? Local law enforcement is interested, as is the
targeted company. Dealing with people planning national protests or cracking
corporate web sites? That gets you federal attention.

################################################
# Stupid Stuff You Should Stop Doing Right Now #
################################################

Email in any form. Really, just stop putting anything more important than cute
pictures and dank memes in there.

Facebook is a place to broadcast to derps. Don’t do planning there; encourage
people to find other places for private discussions.

Twitter is about as bad as Facebook: use it to broadcast, don’t treat DMs as
though nobody else is reading them, and that site is really grabby about IP
addresses.

SMS texts are easily read and snooped upon. They show who sent them, who read
them, when it happened, and where each of you were. Your mobile phone is a
tool of the enemy; hold it like you would a cat you’re about to give a bath.
Or a porcupine.

########################
# What Actually Works? #
########################

There are reasons to consider all of the following:

01) IRC
02) XMPP / Jabber

03) Slack
04) MatterMost

05) Telegram
06) WhatsApp

07) Signal
08) Semaphor
09) Ricochet

########################################
# Why are they split into four groups? #
########################################

IRC & Jabber are old school: you can find clients for every desktop and mobile
OS, and they all support OTR, which is "Off The Record" encryption. If you’re
smart about networks you can use some of these services over Tor, concealing
your IP address.

Slack & MatterMost are groupware. If you’re organizing stuff these are handy,
and you can add OTR protection for person to person conversations there, but
the central server has plain text (readable, snoopable text) of any shared
room. You’ll find a lot of these in use, just be mindful that they’re a
slightly kinder, gentler sort of Facebook in terms of security.

Telegram and WhatsApp both claim to offer end to end encryption, which is what
OTR provides, but these are proprietary apps. Unless you can examine network
traffic in great detail, how do you personally know what they are doing? These
are both really popular, but we have concerns.

Signal is a chat app that requires a phone, Semaphor doesn’t force you to give
up identifying information, and Ricochet only runs on Tor. Best of all, these
are all Free Software or Open Source Software. That means they can be examined
and are more likely to do what you want them to do.

#######################
# Let’s go one by one #
#######################

IRC is the original chat network. Plain text service on port 6667, TLS
encrypted on 6697, there's generally no need to sign up, and many of them used
to work via Tor, but the world is full of neckbeards and they all got fat
feasting on Cheetos while hanging out on IRC. If you don’t know this
environment, just stay away, it’s dangerous. If you do use it, why aren’t you
already using Tor and OTR?

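The plaintext and TLS ports above are a good place to show what "TLS encrypted" and "over Tor" mean at the socket level. The following is an added example written for this edit, not code from the zine or from any IRC project; the host name irc.example.org and the local Tor SOCKS port 127.0.0.1:9050 are assumptions. It refuses the plaintext port, verifies the server certificate against the system CA store, and can tunnel the TCP connection through Tor using a hand-written SOCKS5 CONNECT so the server name is resolved inside Tor and the IRC server only ever sees an exit node.

```python
# Added example, not from the STAGEHAND zine: an IRC connection that refuses the
# plaintext port, verifies the server certificate on the TLS port, and can be
# routed through a local Tor SOCKS5 port so the IRC server never sees your IP.
# The host name and the Tor SOCKS address are assumptions/placeholders.
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # assumption: a local Tor daemon's default SOCKS port
IRC_PLAINTEXT_PORT = 6667         # plain text, from the zine
IRC_TLS_PORT = 6697               # TLS, from the zine


def build_tls_context() -> ssl.SSLContext:
    """TLS only hides the conversation if the certificate is actually checked.
    create_default_context() loads the system CA store and requires a valid
    certificate; the settings are pinned explicitly and TLS < 1.2 is refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928) using a domain name (ATYP 0x03), so the
    name is resolved inside Tor rather than by your local DNS resolver."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """Reply header is VER REP RSV ATYP; REP 0x00 means the circuit is up."""
    return len(reply) >= 4 and reply[0] == 0x05 and reply[1] == 0x00


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; collect exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SOCKS5 handshake")
        buf += chunk
    return buf


def _tor_tunnel(host: str, port: int, timeout: float) -> socket.socket:
    """Open a TCP connection to host:port through Tor's SOCKS5 port."""
    sock = socket.create_connection(TOR_SOCKS, timeout=timeout)
    sock.sendall(b"\x05\x01\x00")                 # version 5, one method: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("Tor refused the no-auth SOCKS5 method")
    sock.sendall(socks5_connect_request(host, port))
    head = _recv_exact(sock, 4)
    if not socks5_reply_ok(head):
        raise ConnectionError(f"Tor could not reach {host}:{port} (REP={head[1]:#x})")
    atyp = head[3]                                # drain BND.ADDR and BND.PORT
    if atyp == 0x01:
        _recv_exact(sock, 4 + 2)
    elif atyp == 0x03:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    elif atyp == 0x04:
        _recv_exact(sock, 16 + 2)
    return sock


def open_irc_socket(host: str, port: int = IRC_TLS_PORT, via_tor: bool = True,
                    timeout: float = 60.0) -> ssl.SSLSocket:
    """Return a certificate-verified TLS socket to an IRC server, via Tor by default."""
    if port == IRC_PLAINTEXT_PORT:
        raise ValueError("refusing plaintext IRC on 6667; use TLS on 6697")
    if via_tor:
        raw = _tor_tunnel(host, port, timeout)
    else:
        raw = socket.create_connection((host, port), timeout=timeout)
    return build_tls_context().wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Offline demonstration: the exact bytes Tor would receive for the CONNECT.
    print(socks5_connect_request("irc.example.org", IRC_TLS_PORT).hex(" "))
```

The certificate settings are the part most home-grown clients get wrong: a TLS socket whose certificate is never checked still hides traffic from a passive snoop, but anyone active in the path can present their own certificate and read everything. Sending the domain name in the SOCKS request (ATYP 0x03) matters for the same reason the zine cares about IP addresses: a client that resolves the host itself sends a DNS query out over the local network before Tor is ever involved.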
Jabber is a person to person service first, with chat rooms being the
secondary use, a bit like IRC turned upside down. The same thinking applies:
you usually don’t need to give a working email to get an account, TLS
encryption is the norm, and most of these still work with Tor exit nodes. Use
OTR everywhere and chat with confidence. If you’re new and you get an invite
it’s probably OK; it’s not like you’re going into the Star Wars cantina that is
IRC.

Slack is a corporate tool and MatterMost is its clone, but you can run your own
MM server, which is nice if you’re into that sort of thing. These are good work
group environments, but think carefully about how much of a trail there is and
what an enemy would do. Maybe you should use the gateway service and chat with
your favorite OTR-capable Jabber client rather than using the TLS-only
official client.

Lots of people are on Telegram, jihadi warriors and cryptocoin guys. Political
types are on WhatsApp. Both claim to be end-to-end. Nobody has seen a
situation where they are providing stuff you thought was private to The Man.
But they’re closed source, which means that experts can't easily examine them
and say what they do. The only reason to use these is if you find an existing
community of practice you want to join. If you’re tight with a group using
these, try to get them to move uptown.

Signal needs a phone to sign up (you can’t do it with just a scammed Google
Voice number), and the desktop client, a Chrome app, needs a med check. Still,
you can encrypt your voice calls. Get everybody moving this way if you can.
Semaphor is by the Spideroak cloud guys. You can register without really
giving up much. We don’t know any big groups using it, so we think it’s cool
because Spideroak, but we wish we had more time in grade using it. Ricochet is
Tor-only: you just download it, it creates a new random string name for you,
and then you have to find people. This is the best thing going, AS LONG AS
YOU’RE NOT MAILING YOUR RICOCHET ID AROUND IN PLAIN TEXT.

#######################
# Aspects to Consider #
#######################

Those are some opinions by people who use crypto and who might have done some
stuff they should not have. Here are the things we think about when examining
an app.

01) Do you have to give up an email to use the system?
02) Do you have to give up a cell phone number to use the system?
03) Is there a corporate middle man who can sell you out?
04) Is there end-to-end encryption?
05) Is the client Free/Open Source Software?
06) Is the server Free/Open Source Software?
07) Will the service work over Tor?

If you use email, that's fucked. You’re inside the machine. Email leaves a big
fat trail of who talks to whom, when they talked, and what IP addresses they
were using.

Cell phones are just as bad as email. Worse, they can give up your location
due to GPS and Wi-Fi reception, EVEN IF YOU TURN LOCATION SERVICES OFF. You
have to be willing to buy burners, do so in an anonymous fashion, use them at
a location you don’t normally frequent, and then throw them away when you are
done. That’s about $25 to $30 in cost every time you want to create something.
And if you use that piece of shit WhatsApp, it *insists* the associated phone
not only be still in service, it’s got to be reachable online. Fuck those guys
for any serious organising.

If you have a service like Slack, there is a place where a warrant can be
served, or a subpoena if you get into a civil mess. Same goes for MatterMost,
unless you are running a server of your own offshore. Groupware is nice, but
it’s a group hug for Big Brother.

Many of these things claim end to end encryption, but unless you can download
the client on your own, compile it, and test it, who knows? Signal, Semaphor
and Ricochet let you do that. There are others, but we don’t have time to check
them all, which is why we explain HOW we review tools instead of just making
blind recommendations. Bottom line: Free/Open Source Software and proven
end-to-end encryption are BFFs. Your two baes forever.

And finally, can you access the service via Tor? If you’re going outside the
lines, you’d better make sure you’re doing so from an undisclosed location.
That’s a whole other thing, how to internet without leaving a trail. There are
VPNs (most are shite) and proxies and Tor and I2P. You may have a high speed
service, even on your mobile, but if you want to be safe the things that
work feel like an analog modem did back in the nineties.


######################
# What is STAGEHAND? #
######################

If you spend any time in a black box theatre you’ll see stage hands. They’re
setting up the scenery before the show, making sure the lights and sound are
right, and very rarely you’ll see someone all in black pop up during a scene,
adjusting a prop for the actors.

That’s us, that’s what we do. We read white papers... and indictments. We
evaluate software and write a bit of our own. We build *stuff* for people. We
keep an eye on trends in activism, in privacy, in surveillance. When we detect
a need, sometimes we publish this zine.

This isn't our first kerfuffle, so we know it’s important to make clear what
we don’t do.

01) We are programmers, observers, researchers. There are no STAGEHAND ops
other than this zine.

02) At this time there is no STAGEHAND IRC channel, Twitter, nor any other
official outlet.

03) We occasionally add new members, when we can’t get what we need by
following and reading, but this takes eighteen to twenty-four months. If you
thought you would ask, that's how you know you aren't right for this. We’ll
call you.

04) When we publish STAGEHAND Issue #2, it will include six lines of text
that, when checksummed with MD5, will produce the following result. This is how
you will know Issue #2 is authentic, and we’ll include a less ghetto signing
method for future issues, too.

MD5(STAGEHAND.txt)= 170f72c233cf70ace661410636257996
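Item 04 promises a text whose MD5 matches the digest above. What that check looks like in practice, as an added example that is not part of the zine: the file name STAGEHAND-candidate.txt and the sample bytes are constructed, and the only real value is the digest from the line above. It also computes SHA-256 alongside MD5, which is what a later issue could publish instead.

```python
# Added example, not from the STAGEHAND zine: check a file you were handed as
# "Issue #2" against the MD5 published in Issue #1. The file name and the sample
# bytes below are constructed; the only real value is the published digest.
import hashlib
import hmac
from pathlib import Path

PUBLISHED_MD5 = "170f72c233cf70ace661410636257996"   # from STAGEHAND Issue #1


def digest_hex(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data; algorithm is any name hashlib knows (md5, sha256, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def matches(data: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Constant-time, case-insensitive comparison against a published digest."""
    return hmac.compare_digest(digest_hex(data, algorithm),
                               expected_hex.strip().lower())


def verify_issue_file(path: str, expected_hex: str = PUBLISHED_MD5) -> bool:
    """Read the candidate issue as raw bytes (no newline translation, no text
    decoding: one changed byte changes the digest) and compare."""
    return matches(Path(path).read_bytes(), expected_hex)


def checksum_report(path: str) -> dict:
    """Both digests side by side, so a later issue can publish SHA-256 too."""
    data = Path(path).read_bytes()
    return {
        "md5": digest_hex(data, "md5"),
        "sha256": digest_hex(data, "sha256"),
        "matches_issue1": matches(data, PUBLISHED_MD5),
    }


if __name__ == "__main__":
    sample = Path("STAGEHAND-candidate.txt")          # constructed sample file
    sample.write_bytes(b"not the real issue #2\n")    # constructed, will not match
    print(checksum_report(str(sample)))
```

Reading bytes rather than text matters because a line-ending change on the way through a pastebin or mail client alters the digest. A match shows the file is byte-for-byte the one the authors committed to in Issue #1; it does not authenticate the authors, because the digest arrived over the same unauthenticated channel as the text, and it says nothing about Issue #3 onward. MD5 collisions are cheap today, so whoever controls both texts can prepare two that share a digest, although an outsider producing a different text for a digest they did not choose remains impractical. That gap is why a real signing method, which the zine says is coming, is the better tool.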