Online Privacy & Computer Security Basics (September 2017)

Page 1: Online Privacy & Computer Security Basics (September 2017)

Oh Shit! What Now?

The Oh Shit! What now? Collective plans study groups, discussions, and workshops aimed at equipping folks with radical skills to share with others.

For more information, visit our website: http://ohshitwhatnow.org/

Page 2: Online Privacy & Computer Security Basics (September 2017)

📷: Computer Board with Key

Flickr / Blue Coat Photos, CC SA license

Page 3: Online Privacy & Computer Security Basics (September 2017)

Take Back Your Online Privacy

Basic online security tips for activists and everyday humans

Page 4: Online Privacy & Computer Security Basics (September 2017)

Why Security Matters

● The internet is not free -- you are the product

● Marginalized people are targets online

● You have a right to privacy

● You have a right to be online safely

● If everyone is secure, spies must work harder

Page 5: Online Privacy & Computer Security Basics (September 2017)

Threat Modeling

When conducting an assessment, there are five main questions you should ask yourself:

1. What do you want to protect?

2. Who do you want to protect it from?

3. How likely is it that you will need to protect it?

4. How bad are the consequences if you fail?

5. How much trouble are you willing to go through in order to try to prevent those?

See "Surveillance Self Defense" (ssd.eff.org) for more

Page 6: Online Privacy & Computer Security Basics (September 2017)

Current Events: Equifax Hack

● Largest breach of private financial data in history

● 143M consumers affected

● Check your credit, check if you're affected

● Don't use Equifax

● Freeze your credit (small fee)

● Class-action lawsuits being formed

● Chatbot can't really make a lawsuit happen for you

Page 7: Online Privacy & Computer Security Basics (September 2017)

📷: Sound financial advice.

Eddie Murphy is always thinking!

Page 8: Online Privacy & Computer Security Basics (September 2017)

Current Events: Facial Recognition

● Facial recognition coming standard in phones

● Don't use a face lock!

● Bleeding edge tech can ID masked protesters

● Facial recognition arms race coming?

● Future anti-surveillance fashion & makeup

Page 9: Online Privacy & Computer Security Basics (September 2017)

Current Events: Beware Google Apps

● Journalist Alexa O'Brien is losing her YouTube???

● YouTube videos posted in defense of Chelsea Manning contain "terrorist" content

● Linked Google Docs being deleted also

● Interconnected apps & the cloud a liability for activists

● Backup if you use Google

Page 10: Online Privacy & Computer Security Basics (September 2017)

What is 'Doxing' (one x dammit)

“Doxing is the act of publishing someone’s personal information, of which there would be a reasonable expectation of privacy and dubious value to the conversation, in an environment that implies or encourages intimidation or threat.”

-Crash Override Definition

See www.crashoverridenetwork.com

Page 11: Online Privacy & Computer Security Basics (September 2017)

Basic Concepts

● Create layers around your identity. Create false identities.

● Think about what you share.

● Think about where and how you share it.

● Take precautions in advance to prevent future doxing.

● When in doubt, don't share it in the first place.

Page 12: Online Privacy & Computer Security Basics (September 2017)

That's not honey, Pooh!

It's a pot full of carnivorous frogs named Pepe.

Page 13: Online Privacy & Computer Security Basics (September 2017)

Watch Out For Honeypots 🍯

● Intentional honeypots: Fake antifa / activist pages designed to collect information / build networks.

● Unintentional Honeypots: Petitions, Crowdfunding Sites (Give Anonymously)

Page 14: Online Privacy & Computer Security Basics (September 2017)

Facebook Fun Times

● Lock your friends list so only mutual friends are visible.

● Delete / lock down personal information (email, phone number, address, etc.)

● Think about who you tag and when

● Beware of Facebook groups that help map out networks

● On Events: Keep your guest list private, delete after the event

● Separate accounts: Business/family & activism

Page 15: Online Privacy & Computer Security Basics (September 2017)

Other Concerns / Tips

● Watch out for geotagging in photos

● Protect your address & phone number

● Use PO Box, Google Voice

● Hide WhoIs information

● White Pages / Public Info Sites

Page 16: Online Privacy & Computer Security Basics (September 2017)

Encryption: Lock It Down

● Encrypt your devices!

● iOS is encrypted if locked

● Android (version <7.0): Look in Settings > Security

● Android (version ≥7.0): Require password at startup

● Always lock / turn it off

● Use a long password (at least 8 characters)

● Don't give up access if you can help it

Page 17: Online Privacy & Computer Security Basics (September 2017)

Encryption: Lock It Down 2

● MacOS: Use FileVault (Google It)

● Windows: Look under System > About “Device Description”

● Linux: Enabled during installation

● Use a password

● Turn it off or lock it

● Keep computers up to date

● Don't give up access if you can help it

Page 18: Online Privacy & Computer Security Basics (September 2017)

📷: Meow meow purr.

Page 19: Online Privacy & Computer Security Basics (September 2017)

Use Signal & Other Secure Apps

● Signal is Snowden Recommended

● Hide Signal messages on your lock screen

● Verify that you’re talking to the right person

○ via phone

○ via text

● Archive and delete messages

● Be careful who you let into your closed systems.

Page 20: Online Privacy & Computer Security Basics (September 2017)

P@$$w0rd$ (Don't Use This)

● Use a password vault and secure passwords

● Use a passphrase when you must remember it

● Use 2 Factor Wherever You Can

● Save your 2FA Backup Codes

● Your recovery email must be secure

Page 21: Online Privacy & Computer Security Basics (September 2017)

Being More Secure & Private Online

● Use HTTPS Everywhere

● Don't Sign Into Your Browser (Or Be Aware Of What You Give Up)

● Beware of scams & phishing

● Use secure search like DuckDuckGo

● Tor Browser as needed

● Think about what you store in the cloud (& encrypt)

● Don't use public Wi-Fi (without VPN & encryption)

● Beware of untrusted USB devices & ports

Page 22: Online Privacy & Computer Security Basics (September 2017)

Secure Your Home Network

● Always change default password

● Do not use ISP supplied equipment as your router if you can help it

● Use ethernet (wired) connection whenever possible

● Use WPA2 wireless encryption, never use WPA1 or WEP

● Never, ever, leave your home wireless network unsecured!

● Setting up device whitelisting for wireless devices can solve some of the vulnerabilities with wireless encryption standards

● If your router supports it, set up a guest network

Page 23: Online Privacy & Computer Security Basics (September 2017)

On Using a VPN

● Free VPNs sell your shit

● Not total anonymity, just 1 more layer

● How you pay for VPN might matter

● What to look for:

○ Foreign jurisdiction

○ No tracking / logs

○ Anonymous payment?

○ Easy to use app?

○ Support all your devices?

Page 24: Online Privacy & Computer Security Basics (September 2017)

Some VPN Recommendations

● NordVPN (nordvpn.com), $5.75-$11.95/month

● BlackVPN (blackvpn.com), about $10/month

● Cryptostorm (cryptostorm.is), about $6/month, anonymous payment

● VPNArea (vpnarea.com), from $4.92/month

● Mullvad (mullvad.net), €5/month, could be forced to share data?

● VyprVPN (www.goldenfrog.com/vyprvpn), $5-$10/month, easy but less secure

Page 26: Online Privacy & Computer Security Basics (September 2017)

Basic Protest Tips

● Phones can be tracked even when off

● It only takes one loose link in the chain

● Turn off Bluetooth

● Use Burner phones

● Leave it at home, or turn it off before you arrive?

● Designated check-in time with friend

● Do not consent to search of phone

● Don't use fingerprint, pattern or face lock!

● You are not required to provide your password to a police officer

Page 27: Online Privacy & Computer Security Basics (September 2017)

Some final ideas

● Don't panic, don't give up

● Implement security a step at a time

● Go low tech when you can

● Rediscover old methods

● Use social misdirection

● Use multiple, disposable identities

Page 28: Online Privacy & Computer Security Basics (September 2017)

Oh Shit! What Now?

is Growing Resistance

Class schedule, resources, and calendar at http://ohshitwhatnow.org

Feedback, class ideas, or other suggestions?

[email protected]