Week 17 - mobile devices

#1

Forgive the markdown. I’ve been tasked with creating “documentation” at work so I’m trying to learn stuff. I’ve linked to these slides previously and I think mentioned they are greatly indebted to LFP’s online privacy basics class, and to Amber Adams, a Nashville hacker, who I first invited to do the workshops.

“We” refers to myself and Megan Adovasio-Jones, a librarian in the teen department at NPL. Megan is also my partner and we’ve done privacy workshops for the last few years. Megan got tired of hearing teenage boys ask teenage girls for their Facebook passwords. Megan has an activist posture professionally and helped/helps facilitate Civil Rights and a Civil Society, and the Great Stories Club at NPL. We also do panels at fan cons a lot and anytime we do anything “professional” we always have to have a how-much-cosplay-can-we-get-away-with discussion. We debated who would apply for LFI. As I had started the workshops previously, I applied to LFI but I would not be here without Megan.

0 Likes

#2

This is such ambitious work, nice job. How long was this workshop in the end? How many people attended/what kinds of questions did you get? You have such a huge focus on FOSS, which is so awesome and also so different from most privacy classes, which tend to focus on the basics. So I’m curious about how info about these tools, which had to be totally new for the majority of people, was received.

I hope Megan will apply for LFI next time.

0 Likes

#3

Here is my assignment. I didn’t make it pretty yet, but the info I’d include as a basic introduction for a program is there. I’d like to add a few more sources for additional information.

0 Likes

#4

content looks good. I suggest including some suggested apps at the end too!

0 Likes

#5

@librarianbryan, that’s some awesome stuff! Thanks for sharing!!

Here are my slides. I kind of started it as a building block that I can come back to and expand when teaching this stuff.

3 Likes

#6

Four hours total–two in the morning and two in the afternoon. This is staff training for regional libraries. Here in TN, public libraries are broken into regional library districts, the directors of which are tasked with providing professional development / staff training to all the libraries in their district. There were around twenty librarians. We were asked if we could do an all-day workshop. “Sure.” We’ll be doing this again in February for a different library region and thanks to LFI it will be a lot better!

Around twenty librarians. The questions were the same type of questions we ask in here. How do you know which VPN to trust? Why use a Faraday pouch when you can just turn your phone off? About the FOSS stuff, people seem to get it unless they are totally lost. At the beginning, we talk about FOSS to establish a baseline. Conceptually, they understand it but I don’t know how many people, if any, are changing their behavior. I definitely try to never be the FOSS troll @Sarah_in_Oregon described during the NYC meetup.

0 Likes

#7

I don’t normally do slides all the time in my classes, but I do use them a lot as a tool for myself to try to break things down into small chunks. Anywho - my slides on how I’d teach a short session on mobile device privacy. I included cell site simulators in the deck, because I haven’t figured out how else they would casually work their way into my other kinds of instruction work.

0 Likes

#8

looks great Josh! this kind of breakdown of different messaging apps and their use cases is asked for a lot!

also @mtkinney I love the question in your threat modeling exercise “are your security concerns the same as theirs?” great framing that I don’t often see. also I like how every one of these slides is interactive!

0 Likes

#9

I know we’re winding down, but I was just listening to an episode of Reply All this morning that talked about SIM swapping, which I hadn’t heard of before (although now I wonder if it was in one of our readings or lectures and I totally missed it). It’s where a hacker gets your phone carrier to switch your phone number over to a different SIM card. Your phone immediately can’t connect to cell towers, and if you have 2 factor authentication set up with your phone, they can use it to reset passwords and access your accounts.

My main thoughts after listening to this:

  1. I’m buying a Yubikey
  2. There’s a substantial amount of blackhat hacking that relies more on being an amoral turd than on actual technical prowess
  3. I found this exchange particularly interesting:

PJ: Like the basic problem with this whole system is we treat a phone number–the thing we give every single person–like it’s a really good password.
ALEX: Kind of.
PJ: The tech companies are like, “Your password has to have seven upper and lowercase things and be completely unique and blah blah blah, but if you forget it, we’ll just use your phone number.”
ALEX: Right.
PJ: So your phone number is like your social security number now.
ALEX: Right. And we should be protecting it, not giving it out.

0 Likes

#10

> talked about SIM swapping, which I hadn’t heard of before (although now I wonder if it was in one of our readings or lectures and I totally missed it)

I’ve actually never heard it called SIM swapping, but I think we only touched on the concept briefly when we talked about 2FA. If we did talk about it I would have mentioned that for some threat models, SMS 2FA is not optimal because they might become victim to this kind of attack. You mention Yubikeys as an alternative, and you can also use a secure 2FA app like Authy or Authenticator that doesn’t send plain text SMS.

> PJ: Like the basic problem with this whole system is we treat a phone number–the thing we give every single person–like it’s a really good password.
> ALEX: Kind of.
> PJ: The tech companies are like, “Your password has to have seven upper and lowercase things and be completely unique and blah blah blah, but if you forget it, we’ll just use your phone number.”
> ALEX: Right.
> PJ: So your phone number is like your social security number now.
> ALEX: Right. And we should be protecting it, not giving it out.

It’s definitely true that we should be more cautious about giving out our phone numbers, but I can’t say that I’ve ever encountered this specific situation where a company uses my phone number to authenticate me over my password with no other information required. Is this something that other people have encountered?

0 Likes

#11

My family listens to this podcast and have all added Yubikeys to their Christmas lists. This podcast does a good job of taking complex (or they seem complex to me) topics and talking about them in ways that are immediately relatable. SIM swapping is terrifying to me. Also, deleted Snapchat long before this course, but the episode was like a pat on the back for me haha

2 Likes
