Sam Klein

1560 days ago
Unfiled. Edited by Sam Klein 1560 days ago
Sam K Welcome to the pattern hackpad
 
======
@Interviews
 
1398 days ago
Unfiled. Edited by Sam Klein 1398 days ago
Mailing list. How to notify people that they're on that list. Setting boundaries. Less upkeep than other methods.
 
Note your next of kin.
 
 
Have things in your life that people need to be aware of when cleaning out your shit? By which I mean your sex toys and anarchistic literature and wrz servers and Picard blow-up dolls?
 
Advance Directives
Are a thing to do. Seriously. This details who gets what, how to deal with your shit, what to do with your body, if you want to be frozen, resuscitated, zombified, etc.
 
Wills
Name your executors (and at least one backup).   Talk to them in advance - this is a lot of work. 
 
  • Digital + ephemeral things
Archives, disk drives, cloud drives
 
Mail accounts
 
Domains, websites
Provide for maintenance or transfer
 
Copyright
Unless you specify otherwise, copyright in all of your creations passes on to your next of kin.  Alternatives: declare a blanket license or specify who this passes to.
 
  • Financial things
Accounts 
Keep a list of your various accounts.  Banks, credit, Dogecoin.
 
Accountants
Death, then taxes.  Make sure you have an accountant who knows about your finances.  They will be needed to resolve tax and will issues around your estate.
 
Logistics
Plan ahead for the cost of death.  Put some funds aside; or account for these expenses in your will.  Funeral pyre, moving ark, other clean-up. 
 
 
1398 days ago
Unfiled. Edited by Willow Brugh 1398 days ago
Willow B Recovery from being Compromised
 
We have this friend who recently had his stuff physically messed with after meeting with someone at CCC. Sam brought up the idea of what sorts of precautions can be made when you enter social groups which put you at risk, what to expect, and what to do after things are broken into. People who are this-shaped might be:
* Lawyers who provide services to at-risk communities
* Journalists who don't want to be scooped or killed.
* Hackers getting into the political side of things.
 
People who might have something to say on the matter:
* Friends who get detained all the time at airports
* Shipping your encrypted hard drive separately
* TOOOL on different threat models
 
I figured, based on your existing work, you might have some of the components to this, or be working on this already. Thoughts?
 
* rapid response - what to do when you've been owned.  whether and how to use or throw out owned gear.  who else in your network this might affect, how, and what to say to them.  how to evaluate immediate risk.
* medium-term response - things to worry about (safety, security, of you and your extended network), considerations in future decisions (general prevention, increased prevention), possible disaster modes.
 
First of all, let me tell you that we are barely scratching the surface with these notes and ideally this is something that should be taken offline or, to give it proper justice, be considered with a more in-depth discussion.
 
> I see two things to address
> * rapid response - what to do when you've been owned. whether and how to use or throw out owned gear. who else in your network this might affect, how, and what to say to them. how to evaluate immediate risk.
 
re: owned (by software or hardware means, we can discuss methodologies separately) gear. Personally, a compromised device becomes a very vulnerable channel. With appropriate prevention tools (eg truecrypt) some of the risks can be mitigated, but there's a whole lineup of them that need to be applied.
 
In the worst case scenario, everybody whose contact details are on the device is at risk. Add to these all the contacts the "victim" has on social networks, chatrooms, etc. Their contact details might not be directly on the disks, but if the machine is owned, we have to assume that all the passwords are toast, including those to online spaces. Contacting all these people for malicious purposes, and guessing someone's passwords, can be done in a few hours max. Bear in mind that I don't differentiate between "sensitive" and non-sensitive contacts; they should be treated in the same way.
 
Best way to contact them? Phone first of all, more trustworthy than emails or social networks. Communication from third parties (kind of web-of-trust) can also be useful and encouraged. As far as you’re concerned, any digital communication can be considered fake.
 
Risk assessment: this is something that first of all must be done in the prevention phase. I usually ask people to prepare a sort of matrix that more or less goes like this:
 
- What do I want to keep secret?
- Who are your adversaries and what do they want to know?
- What can they do to find out?
- What is the risk if they succeed?
 
This is very basic and I amend/expand it according to the people I work with, but it should also be something dynamic because over time the variables can change. I know this might not answer directly your "immediate risk evaluation" question, but true rapid response is also the result of deep preparatory work.
 
> * medium-term response - things to worry about (safety, security, of you and your extended network), considerations in future decisions (general prevention, increased prevention), possible disaster modes.
 
I realise now that my last point on the matrix can, and should, address all these questions. As I said, the variables are different according to each org, individual, region, etc. So there's not an answer that can be valid for everybody, and it is something that has to be compiled on a case-by-case basis.
 
Absolutely. I'm interested in the part that we can do completely publicly, online. The parts that require secure channels seem less valuable to publishing guides that everyone can find and use. Is there a public space where you'd be comfortable continuing this discussion? Somewhere that TacTech already shared discussions about these things?
 
 
Comments:
Do you think most people are capable of filling out the matrix you describe?  I would guess few naturally think about network effects, and introspection is difficult.  It's not enough to think only about 'your' exposure, once you start thinking about the risks and exposures of your network.
 
I also wonder if "case by case" is a red herring here.  At one level it is trivially true: everyone's different.  At another, a good guide should list and organize the major clusters of risks, adversaries, vulnerabilities, exploits, and traces. That way a reader can think about the ones that apply to them.  
 
Many key things a target may not know, but a researcher in the field would.  What is easy and hard; whether and how to classify an attacker; forensic options for learning from an attack; how to reassess the estimated security of other facets of life; how to reassess overall risk; what to do first when cleaning up [passwords, TFA, informing your network -- pointing *them* to a guide on "what to do when your friend's been hacked"]
 
 
> > ideally this is something that should be taken offline or, to give it proper justice, be considered with a more in-depth discussion.
> Absolutely. I'm interested in the part that we can do completely publicly, online. The parts that require secure channels seem less valuable to publishing guides that everyone can find and use. Is there a public space where you'd be comfortable continuing this discussion? Somewhere that TacTech already shared discussions about these things?
 
Besides our toolkits, Tactical Tech does not have a public space where we discuss these things. However, we often engage directly in discussions like the one we are having now, or during events, meetings, etc. If you have suggestions about a public space for this, please send them over and we'll see what could be the best way to contribute.
 
> Comments:
> Do you think most people are capable of filling out the matrix you describe? I would guess few naturally think about network effects, and introspection is difficult. It's not enough to think only about 'your' exposure, once you start thinking about the risks and exposures of your network.
 
Absolutely; in fact that matrix is just the base for something that can actually become more complex but still usable. The format I sent you can be valid mainly for NGOs that need to improve their internal understanding of digital security (bearing in mind that there's a very fine line between logistical and digital security). But in many cases, building up on that matrix is a great exercise which ended up covering all the elements, including the exposure of all their networks.
 
> I also wonder if "case by case" is a red herring here. At one level it is trivially true: everyone's different. At another, a good guide should list and organize the major clusters of risks, adversaries, vulnerabilities, exploits, and traces. That way a reader can think about the ones that apply to them. 
 
Totally agree. Tactical Tech, in general, works mainly on prevention, but our expertise was also built, unfortunately, on terrible episodes that organisations and activists had to face. So, yes, I'm fully aware of the issues above and I'd also like to see some kind of guide that highlights that. I'm not aware of anything so comprehensive at the moment, as I always stumble on bits and pieces on the Net, but I'll ask our list of editors and see if they know something. Having said that, if there's a plan to build a guide like that, I'm happy to contribute.
 
> Many key things a target may not know, but a researcher in the field would. What is easy and hard; whether and how to classify an attacker; forensic options for learning from an attack; how to reassess the estimated security of other facets of life; how to reassess overall risk; what to do first when cleaning up [passwords, TFA, informing your network -- pointing *them* to a guide on "what to do when your friend's been hacked"]
 
Yup, as you said, it'd be nice to have an umbrella guide for these rapid response scenarios (some of these are mentioned in our Security in a Box already). Willow, have you heard of anything similar, so complete, in your network?
 
> Yes, but phone is hard to scale. I'm not sure how web-of-trust should be triggered for a whole web, would like to read more about it. I don't really think in terms of individual breaches: when a group is compromised, you really want everyone in the group to reaffirm their [control of their] identity, and patched security, to the satisfaction of everyone else. 
 
Agreed, I am of the idea that each individual is a network of networks and all of them must be alerted about possible risks. In general, I'd say that:
1) The "victim" must be able to find a way to confirm their identity (hence the phone or web of trust, etc.; we can discuss various methodologies)
2) The information must be propagated in the quickest way possible, especially if the person exposed is a key member of a network.
 
My 2c. And I'll let you know if I get any pointers to any existing "rapid response guide".
 
1424 days ago
Unfiled. Edited by Sam Klein 1424 days ago
Sam K Tx thoughts
 
TED
 
Tx : 6k events.  Community: ?
  • Handle cranks. (Powell)  
  • Handle variations in regional quality (contextual)
  • Fulfill local needs/innov.  
  • NEXT: Innovation-capture chain - help realize, rebroadcast, connect across communities
 
 
[ Licensing ]
  • Simple for 100 people.  $2500 for a small event, 2-3 sessions, streaming.
  • Start with 10 speakers. prep 2 wks out, help. promise great video/photos, option for feature on T.com
  • ID a niche (honor that community) shout-outs to global support: translators, transcriptors
  • For larger events, can cover costs in event cost? Try TEDActive, Global, &c.
  • Other options for small gatherings - salons, bars & camps  (see the 12 variants)
 
[ Teams ]
  • 15 in NY: roles?
  • 1000 worldwide (annual organizers)
 
[ Infra ]
  • ted.com - 2007 launch for "ted talks"
  • tedx.com - 2009. site unused, redirects
  • translation - OTP, coord with Amara (and more? other talks for in-kind?).  covers all vids? 
  • fellows - 40/y across 2
  • no equiv for x.  for instance for x-pollination, or sharing videography
  • no equiv recognition for great local work and support of local events (Tx champs?)
 
[ Training ]
  • Quality of production
  • bootstrap: facilitate crossover, online review & crit.  build community of practice who can visit new spaces
 
  • Quality of speakers
  • bootstrap: online training, timing.  compare with TV & awards-MC process, cross-cert
[ Fixes ]
  • Use *.tedx.com -- poll all of the sites.  which are active?  what chains do they use? pick the best sites, invite their creators/hosts to help design a shared platform, or shared skins on a collective host.  build that tech community, working together on an open platform to showcase speakers, photos, videos; and accept nominations and registration.
 
  • Mandate video sharing, promote transcribing.  Make that the point.  
 
  • Create a community of practice.
  • share a curated space for organizing vids, transcripts, slidedecks, translations around a topic
  • provide speaker services to help speakers find other venues
  • provide event services to help orgs get started: TED-friendly vendors and venues and videogs in every city.
 
  • Honor great community work
  • curation. reuse (in series, lists, classes), transcription
  • support and email response
  • champions, fellowship ladder
 
1440 days ago
Unfiled. Edited by Willow Brugh , Sam Klein 1440 days ago
  • They didn't show up to call. New fail attempt: get Lindsay and Lisha to define what they want to do with GWOB for the next quarter.
Willow B
  • And they did that. No failings today, I guess
Sam K
  • Now get them to publicly commit to that :-) 
 
1440 days ago
Unfiled. Edited by Sam Klein 1440 days ago
SJ: Berkman, Wikipedian, OLPC.
Sam K 1NNi6RmrFttBjgjnBQjBNuf6KnDUHya1HF
Amy: Berkman fellow.  Twitter mining
Kay: Berkman, OKFN. Public Domain & open data hacker
Willow Brugh: Berkman affiliate.  Globe-trotter.
Sara Watson: Berkman fellow.  writing about big data issues.
Anders Brownworth: started Cambridge BTC meetup. Does R+D at Bandwidth.com. Implemented a thing in node.js for BTC
Ryan Selkis - prior Venture Cap, banking. Good-Benefits (GoodBits), FDIC(?) for crypto. Allows consumers to remove the volatility from bitcoins. Hedgeplay, not insurance.
 
  • Getting paid by employers
 
 
1441 days ago
Unfiled. Edited by Sam Klein , Willow Brugh 1441 days ago
First week of Jan Daily Draftsort
 
Willow
  • Clean the house, print chore sheet 
  • Finish draft for Meredith
  • Wrap up rec for my own grad school
Willow B
  • Ethan's in
  • Ask Deb
  • Deb's in
  • Prep for Codesign kit work tomorrow with Bex
  • Start on drawings
  • Outline work time for upcoming quarter on recipe book
  • Followup on FIT with Galit and Desi
  • Draw Eva's talk from 30c3
  • Server stuff!
 
  • review Mon salon.
  • Mail JZ, salon orgs, meetup orgs. Local B-founders.
 