TA3M Seattle For July 2018: Cancelled – see you in August!

For a variety of reasons, we’re going to skip July and hopefully be back in August with the same agenda. See you then!

We are going to take a month off and plan to reconvene in August. Enjoy
some of that great Seattle summer weather that is sure to start any day

In August, our agenda should:
* Michelle on Galv.world
* Possibly a few more shorter talks
* Discussion on topics, including:
* Ham radio license prep
* Personal Risk Profile / Modeling
* Privacy in the home
* Privacy software options and tradeoffs
* Smart Meters
* Working with other groups, eg: Wikimedia, DC206, Neg9, SeaGL/GSLUG,

A few other announcements:

* OSCon 20 year anniversary is coming up in Portland, July 18 – next week!
The OSI will be hosting a day of community-led lightning talks, open
source related activities, and an after party on Wednesday (July 18th).
Entrance is free, courtesy of OSCON, but registration for the Expo Plus
pass is required using the promo code EXPOFREE.


* SeaGL CFP ends: July 29th, 2018 – Midnight PDT. You can get help with
your talk submission or vague idea via IRC and the organizers are THE
BEST. #seagl on freenode.

* FSF Day Against DRM Tuesday Dept 18:


* Register to vote! Then vote. Help your friends / family to vote!
Elections are coming RIGHT up.



TA3M Seattle for June 2018: Community, Communications, Assholes and Infiltrators

Networking and food 6:30-7:00. Presentation starts at 7:00. Community
discussion after presentation.

Food is pizza, pizza and 2 kinds of vegetarian salad, about 1/3 of the
pizzas are also vegetarian. Lesson learned from last month.



Community, Communications, Assholes and Infiltrators
By Lisha Sterling

Over the past three years, Geeks Without Bounds (GWOB) has been working
on a number of community Internet projects — from “Canoe Net” in the
Ecuadoran jungle to WiFi at Standing Rock. Along the way, we’ve learned
that communications technology is both a boon for low resource
communities and a potential weakness that allows powerful enemies of the
community to track and destroy the very things the community stands for.
Mobile networks are vulnerable to cell site simulators (aka IMSI
Catchers, aka Stingrays). An Internet connection opens you up to all
manner of possible attack. Social media gives the government and
corporations information that can be used against you. And yet, without
these communications tools low resource communities have little if any
chance to compete, engage in global discussions, or improve their local
situation. Learn about how we are working to help communities from India
to “Indian Country” connect to the Internet and each other, and how we
are helping them stay safe(r) once they connect.

Lisha Sterling is the executive director of Geeks Without Bounds, a
nonprofit organization that supports open source technology in low
resource situations. She writes about cybersecurity for activists at
nonviolent-conflict.org. She is the board member in charge of
information security for Frontline Wellness United (a nonprofit
organization providing free medical, dental and mental health services
to activists and whistleblowers) and also serves on the board of Gods
and Radicals (a nonprofit cooperative Pagan Anti-Capitalist publisher),
where she has recently been writing about lessons learned while
coordinating the technology team at the Water Protector camps in
Standing Rock, ND in 2016-2017.



We’ll have dedicated time for community Q&A with the speaker and meet &
greet after the talk. We’ve had a lot of this at past meetings – let’s
keep it going!



This month, for the first time, we’ll be hosted at the South Lake Union
branch of WeWork. Thanks to Meetup.com and Michelle for arranging it!

WeWork – South Lake Union
500 Yale Avenue North
Seattle WA 98109

Note: Try to get there on time. Building doors lock after hours. A TA3M
organizer will be waiting for stragglers until about 7:10, After that,
look for a yellow-sticky on door for a number to call to get someone to
get you in.

TA3M Seattle June: Community, Communications, Assholes and Infiltrators

Monday, Jun 18, 2018, 6:30 PM

WeWork (Main Reception Lounge)
500 Yale Ave N Seattle, WA

7 Members Attending

Networking and food 6:30-7:00. Presentation starts at 7:00. Community  discussion after presentation.  Food is pizza, pizza and 2 kinds of vegetarian salad, about 1/3 of the  pizzas are also vegetarian. Lesson learned from last month.  =====  PRESENTATION:  Community, Communications, Assholes and Infiltrators  By Lisha Sterling  Over the past three…

Check out this Meetup →


TA3M Seattle for May 2018: Newsroom Security in the US and Abroad

WHAT: TA3M Seattle (Tech Activism, 3rd Mondays) May meeting
WHEN: May 21st, 6:30-9:00pm (3rd Mondays)
WHERE: UW Communications Building (CMU) Room 104

Networking [and food] 6:30-7:00. Presentation starts at 7:00.

There should be food provided, probably not pizza, maybe Thai, and
probably not via the CloudFlare funding this month. 🙂



Newsroom Security in the US and Abroad
by Norman Shamas

In the past decade media organizations and newsrooms have become high
value targets for digital attacks. Whether it is governments purchasing
spyware to illegally surveil reporters in the diaspora, like the
government of Ethiopia has been caught doing twice, or information
campaigns to discredit news sources, newsrooms have become targets of
government ‘cyber warfare’.

Norman will lead a conversation on some of the current threats and state
of security in newsrooms in the US and around the globe (primary focus
on South Africa) followed by a conversation on a new training guide for
US-based newsrooms(1[]), which Norman helped write.

This week’s TA3M will be interactive and an open discussion. If you are
interested in walking through any of the modules, feel free to reach out
to Norman and let them know 🙂

Norman Shamas is an activist and educator whose work focuses on
human-centered information and digital security and privacy.

[1] https://the-field-guide-to-security-training-in-the-newsroom.readthedocs.io/en/latest/



This month we’ll be hosted at the UW Communications Building, home to UW
Department of Communication. Thanks, Salt and Mako, for hosting us!

UW CMU 104
University of Washington (UW)
Communications Building (CMU)
Room 104
2023 King Lane Northeast
Seattle, WA 98195

Note we’re not at UW CompSci bldg or at SURF Incubator this month!


As seen at LinuxFestNorthWest, here will be some new TA3M Seattle (and
Seattle Privacy and Emerald Onion) stickers and ‘postcards’, thanks to
#6 for the artwork help.


TA3M Seattle for April 2018: Firmware Security and SPC, Emerald Onion Updates

April  16 @ 6:30 pm – 9:00 pm

SURF Incubator
999 3rd Ave Suite 700
Seattle, 98104 United States

6:30 – 7 Casual chat, Cryptoparty / PGP key exchange / Signal
Verification, Intro slide(s)

We’ll have pizza! **


7-7:30 Emerald Onion Update

Emerald Onion has been online for 10 months now! They will provide an update of current work, and future ideals. More info at https://emeraldonion.org/

7:30 – 8:00 Seattle Privacy Coalition General Meeting
8:00-9:00 – Firmware Malware Self-Defense

Paul English and Lee Fisher, PreOS Security

For attackers, platform firmware is the new software.

Activists, journalists, lawyers – regardless of your threat model, the first steps are to secure the operating system, passwords / phrases, use 2 factor authentication and disk encryption.

Firmware security is an advanced topic, but well worth understanding, particularly with data on portable devices and the risk of the Evil Maid Attack.

Most systems include hundreds of firmwares – UEFI or BIOS, PCIe expansion ROMs, USB controller drivers, s torage controller host and disk/SSD drivers. Firmware-level hosted malware, bare-metal or virtualized, is nearly invisible to normal security detection tools, has full control of your system, and can often continue running even when the system is “powered off”. Security Firms (eg, “Hacking Team” sell UEFI 0days to the highest bidder), and government agencies include firmware-level malware (eg, Wikileak’ed Vault7 CIA EFI malware). Defenders need to catch-up, and learn to defend their systems against firmware-level malware. In this presentation, we’ll cover the NIST SP (147,147b,155,193) secure firmware guidance, for citizens, rather than vendors/enterprises. We’ll discuss the problem of firmware-level malware, and cover some open source tools (FlashROM, CHIPSEC, etc.) to help detect malware on your system. We’llbe discussing a new open source tool we’ve just released to help make it easier for you to do this check.

Paul is CEO and Lee is CTO of PreOS Security, a local firmware security startup focused on helping enterprises defend their systems firmware. Lee co-founded TA3M Seattle, Paul is one of TA3M Seattle’s main organizers. PreOS Security has been funding TA3M’s pizza up until recent Cloudflare transition


…and also thanks to TA3M organizers, we’ve also got a meetup.com thingie.
Join us on Meetup.com!

TA3M Seattle

Seattle, WA
29 Members

TA3M Seattle is a tech-activist organization dedicated to empowering all people to protect themselves and their data through privacy awareness training, local outreach, self-p…

Next Meetup

Firmware Security. Seattle Privacy Coalition Mtg, Emerald On…

Monday, Apr 16, 2018, 6:30 PM
11 Attending

Check out this Meetup Group →

(note: RSVPing via meetup.com will assist with food and space planning. If you’d rather not use
meetup.com, a more private / secure channel RSVP would be welcome)


Pizza sponsored by Cloudflare.


Be prepared that there will be an opt-out group photo, taken from the back of the room to fulfill the sponsorship requirements.

Securing my data for international travel II: Aftermath

By Regus Patoff, Anonymous Person

[For Part I, see https://seattleprivacy.org/securing-my-data-for-international-travel/.]

So, I returned alive from my trip and I have much to report. First, I’ll disclose the countries I visited:

  • The United Kingdom.  Despite its legal history of fostering civil liberties, the present-day UK consistently favors perceived national security over free-speech protections. When I travel there, I worry about its key disclosure laws.
  • Russia. Authoritarian kleptocracy, long history of civil repression and, nowadays, rampant public/private corruption. I say all this with affection.
  • Mongolia, a sparsely populated country of 6 million people transitioning from Soviet satellite to non-aligned parliamentary democracy. It’s a strange mix of residual police state and aspiring rust-belt capitalism.
  • China. Economic superpower with global aspirations, and operator of the world’s most comprehensive system of censorship and domestic surveillance.

And let us not forget the United States. The problem with US border crossings is the supposed legality of detaining taciturn, rude, or otherwise suspicious citizens and seizing their electronic devices for study. Think 50 shades of gray coercion, and don’t think about the 4th Amendment.

Border Experiences

Despite all fears going into this, I had no data-related problems at any of the borders. The officials showed no interest in my devices beyond being startled by my over-stuffed electronic organizer bag. The varying protocols for laptops (do take them out, don’t take them out), metal items, shoes, etc., were no weirder or more inconsistent than in the US. Obviously, if I had provoked a secondary screening at any of checkpoints, my experience would have been different.

The single incident of interest was my travel companion’s apparently random interrogation (carried out discreetly in The Small Room) in a provincial Russian airport. The official, in plainclothes, young, smart, ironic, and courtly, with excellent English, was not a normal border goon. He asked the usual border questions (where are you going, what do you do for a living, etc.) along with a strange one: “Have you encountered any other people like me, who ask a lot of questions?”

The final border crossing, back into the US was unusually easy, especially considering the countries newly stamped on my passport. I think that my own attitude (unconcerned, curious) helped matters, and I had the attitude I did because I had prepared carefully. I had rigorously deleted all my data, per the protocol, as I was walking down the jetway. I had resolved not to be provocative or aggressive. Instead, I would be willing to answer questions about the destinations of my travel, even though it’s a verbal game when they ask, since they already know. My companion and I had also agreed that we would refuse to answer any questions about people we visited or traveled with. We found it very calming to have worked out our personal boundaries before crossing the national boundary. We knew what to do. Happily, we didn’t have to do anything.

Censorship, or, Unexpected Annoyances

My border-crossing protocol was to use Google Backups, factory-reset all my Android devices (I carried nothing else) before crossing borders, and then to restore them after entry. This worked fine in the UK and Russia, where I easily found fast and functional Internet connections to download my backups and reinstall my applications, though it was more time-consuming than when testing under more ideal conditions.

China was another matter. The Great Firewall effectively blocks the entire Google mega-system. Sometimes it doesn’t block things outright — it just throttles selected targets so severely that connections time out and fail. I could not access my backups, and I had no access to Google Play, so there was no easy way to restore my non-default apps. Since I carried a T-Mobile SIM card, I had (in theory) uncensored access to the Internet — the Chinese government avoids the bad PR of blocking visitors’ mobile connectivity. Yet with T-Mobile’s degraded (but free!) 2G roaming, it was effectively impossible to download apps over the cell network.

Even in China, there are workarounds, though first there was triage. Signal was the one thing needful, if only to keep in touch with my travel companions. Fortunately, Signal is open-source software, and it has a GitHub.com page, and, apparently, the Great Firewall tolerates GitHub. I was able to download a Signal APK and install it manually. The same approach worked for a few other apps, not always from the most reputable sources.

I learned from this experience that the Great Firewall can be breached by the technically adept, especially by privileged foreigners who suffer no reprisals for visiting inappropriate websites. All in all, China’s censorship regime is a highly effective means of domestic social control. Battling it was not a fun way to spend my vacation.

Buying Connectivity

I had expected T-Mobile’s roaming to meet all my data needs, but with the slow the connection in China, the spotty coverage in Russia, and the expense of data in Mongolia (do not even THINK about using data there), buying local SIM cards was a good idea. In China, the process was alarming. I had to be photographed, and my passport was tied to the SIM, and I had to complete a lengthy form. There was considerable confusion among the staff, but that may be the result of choosing an out-of-the-way cell-phone dealer. It took an hour and cost $20 for a couple of gigabytes of data. It was worth it, though, for the much faster load times, which made reading the news a lot more pleasant. I had to overcome my distaste for Bing, because apparently Microsoft has cut a deal with China’s censors and is freely available. It’s the only choice for most Westerners since China’s Baidu search engine is an entirely Chinese affair.

Though I didn’t use it on my brief visit, WeChat is the one indispensable app in China. Though it started as a social platform, everybody uses it now for wireless payments. This requires a bank card and some ingenuity, I am told.

During a lengthy airport delay in Russia, I bought another SIM card, this time 3 gigabytes for $6, no mugshot, just passport number, all in 5 minutes.

Camera Troubles

My biggest data headache involved my biggest chunk of data — 1000 digital photographs. I did not find a good solution for protecting and exfiltrating this much data. I suppose you could manually encrypt your photos and carry them out, but that doesn’t protect them from confiscation. Uploading is extremely time-consuming and subject to bandwidth availability. I also had the absurd problem of just off-loading the data from the camera using the crap software provided by the manufacturer (Pentax). Next time I will have adapters to allow direct offloading of the memory card to an Android device…where I can remain uncertain what to actually do with the files.

A Lesson About Apps

Restoring the devices after a border crossing took more time than expected, and in China, it was near impossible. Next time, I will keep a stash of useful Android APK installer files I can load without an Internet connection.

It’s not totally easy to find these files, but it’s a lot easier doing it beforehand in the West than from behind the Great Firewall. Nowadays, Google Play deletes an APK package after installation, so you can’t just grab your installed packages like you once could. If you download an APK manually from a website, it should end up in a Download directory in your device storage.

Let’s find some of the applications on my list:

On https://signal.org/android/apk/, Signal rather sensibly displays the following:

Do it anyway — you have special needs, and doing this makes you advanced.

  • K9 Mail

Loads of FLOSS Android apps are hosted on GitHub. You can expect to find APKs there. K-9 mail, at https://github.com/k9mail/k-9/releases, has various APKs for past, current, and future (pre-) releases.

KeePassDroid, the preferred Android implementation of the cross-platform desktop key-manager KeePass, keeps its reference APKs at https://code.google.com/archive/p/keepassdroid/downloads and I guess we have little choice but to trust Google, right?

Orbot is the Android version of Tor developed by the Guardian Project. With Tor, you can browse the Web anonymously. Within limits. Relatively slowly. And though I didn’t try this in China, you can even use Tor to pierce the Great Firewall, which is probably illegal there. You can download the latest Orbot APK directly from https://guardianproject.info/releases/orbot-latest.apk.

Avoid the numerous, random download sites with cute names like “APKsupermarket.com” [not a real site but I’m sure it will be now]. These may inject adware or spyware or outright haXX0я malware into the package and make you very sorry afterwards as you sit in a cell being enhancedly interrogated.