
Good afternoon folks. Welcome to BSides Las Vegas Proving Grounds. This talk's title is Community Defense in Depth: Teaching Digital Security and Privacy Practices for the Public Good, and it will be given by Melanie Gonzalez. Before we begin, just a quick announcement. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Dropzone AI. It's their support, along with other sponsors, donors, and volunteers, that makes this event possible. And then just one quick reminder: this is being recorded, so for the benefit of those watching later and those in the room, please remember to put your cell phones on silent. With that, I'll
pass it over to Melanie. >> Okay. Hi, everybody. Can you hear that? Okay. Hi everybody. Welcome to my talk, Community Defense in Depth: Teaching Digital Security and Privacy Practices for the Public Good. My name is Melanie Gonzalez, and I'm super excited to be here to speak to y'all at BSides Las Vegas. A little bit about me: for the past eight years I've been a journalist, and for the past three years I've been learning cybersecurity as well as teaching digital safety and security practices to the wider public. >> Oh, well, because with the... Okay. [laughter] Okay. >> Thank you. Okay. Thank you. So, I'll
move on. So, I want to tell you guys a story originally reported by 404 Media. It's about a woman in Texas who went out of state to get an abortion. Her family, concerned for her safety, decided to contact their local sheriff's department for a wellness check. The sheriff's department located the woman. No arrests were made; it was just a simple wellness check. But it did bring into question who has access to our data, especially since they found the woman using this device by Flock Safety. It's an automatic license plate reader. Not only does it read the license plate number, the car, and the make and model of the vehicle, but also where you can commonly see the vehicle.
And this data is available nationwide. Flock Safety's device covers 49 states. So in 2022, the US Supreme Court overturned Roe v. Wade. In countries where I had covered abortion and reproductive justice, such as Argentina, it seemed like they were moving forwards, while here in the United States we were moving backwards. During this time, the governor of California, Gavin Newsom, said that California would be a sanctuary state for abortion. But through my reporting, I found that this wasn't true, because at least 40% of counties within California lack access to an abortion provider, and that has significant impacts on people living in rural areas. And so as I began learning cyber
security, I learned more about how everybody wants our data: data brokers, law enforcement, people trying to hurt the more marginalized of us in society. And so I wondered how the community can benefit from threat modeling. That's what I will talk to you about today. So threat modeling is harm reduction. Not every tool is 100% secure, but we can make it harder for the people who want our data. By securing our devices, we also secure the people we connect with using those devices. And Black and brown communities are disproportionately affected by surveillance and policing. OWASP defines threat modeling as the process of improving security by
identifying threats and countermeasures to mitigate them. And we can identify targets from the attacker's point of view. I use STRIDE, but there are other threat models out there, such as PASTA and OWASP. I recommend everybody do their research and see what works for you. STRIDE is what works for me. I do also want to say that a person's race, age, economic factors, and disability also affect their threat model. So I will introduce two personas based on real-life situations and people that I've threat modeled. Here we have Cat, the journalist. Cat is 28 years old, a Latina, lives in the United States, but travels internationally for work. She's a
runner, guitar player, and chess player. The situation that we're threat modeling for her is she's returning to the US after a reporting trip abroad, and we need to protect her data as she deals with customs officials. She has beginner tech and digital safety experience, and with regards to digital safety, the best advice her newsroom could give her was "don't read the comments," because newsrooms usually do not have the funds to pay for this type of training, and freelancers have even fewer resources. Cat works mostly in English but does on-the-ground reporting in Spanish and Portuguese. The assets we're trying to protect are her laptop, her phone, and her camera. And nowadays, journalists don't work
across platforms. It's not just one doing the writing and one doing the shooting; it's being able to be a jack of all trades, kind of. In Cat's situation, it's important that the US border is not just the border between the US and Canada or the US and Mexico; it extends everywhere the United States ends. So that also includes the coastlines, and within the 100-mile border zone, customs and border officials do have the authority to stop and question people without a warrant, but the Fourth Amendment still applies, which is your right to refuse the search of your
device. And San Francisco, Los Angeles, New York, Miami, some of our favorite major cities, are all within this 100-mile border zone. So, let's get into STRIDE for Cat. Somebody who disapproves of her reporting, such as a nation-state actor, could get access to her login. Because of Cat's work, with an investigation she is bringing these facts and issues to light, and that can anger some people, because in a way she's pointing the finger at somebody, right, by writing about and covering this stuff. So, they may want to access her documents and the social media that she may use to make that initial contact with sources. And the mitigation: I like to call this
the "eat your green beans" of cybersecurity, because a lot of people do not want to hear about strong, unique passwords. But Cat should make sure that every tool or app she uses while reporting has its own unique password. Tampering. So getting back to the threat actors that do not want these issues to come to light or made public: they may want to delete her interviews, delete any data she's collected, delete any public records requests that she's filed. And once that happens, this could derail Cat's credibility. For example, her editor or her supervising producer may decide to pull a story because
there are not enough facts. And so what Cat can do is upload files to a secure data storage before travel, such as CryptPad. With CryptPad, a person doesn't need to upload any personal information to be able to upload documents. Proton Drive is also an option, but CryptPad is end-to-end encrypted. And of course, Cat should always create backups of her interviews and notes and power off her devices before approaching customs officials while at an airport or other border crossing. Repudiation: I am going to cover repudiation in the next persona, so I'm going to skip that for now. So, information disclosure. Once
you approach customs to do the whole thing you need to do at the border, they may decide to look through your device, take a quick scroll through your screen and see what you have, what they can just view on screen. Or they can plug it into a device that extracts all the data on your device. So that includes photos, messages, any other documents, and once that's in their possession, they can hold on to it forever. They can also share that data with other agencies, and if they want to look through that data again, because it's already in their possession, they do not need a warrant.
And so for the mitigation, Cat could decide if some data needs to be created. I always like to say the easiest data to protect is the data you don't create. But that may be difficult in Cat's situation, since she is a reporter. So she could opt to use, again, CryptPad, as we talked about, but also message with her sources using Signal, or meet in person. And when it comes to dealing with border officials, if Cat is a US citizen, she can assert the right to not have the device searched without a warrant. Though at border crossings, CBP has been known to detain people for a couple of hours, and if she is not
a citizen, it is possible that she gets deported back to her home country. Some more mitigations are to switch to privacy-focused browsers such as Brave and DuckDuckGo, or Tor for highly sensitive browsing. And this is another tool. It's by a tech journalist called Yael Grauer. It's called the Big Ass Data Broker Opt-Out List. And it's really interesting because it puts your data back into your hands, especially if a service like DeleteMe isn't available to you because of economic factors. But it's cool. So, denial of service. When it comes to Cat again, she's bringing these issues to light, practicing her First Amendment
right to report. There are people that are going to do what they can to try to silence her and not allow her to let these issues come to light. And women reporters especially are targeted by harassment and threats. In cases of physical violence against a journalist, they often started out as online harassment, threats, and doxing. And so what Cat can do is save and document the threats in the event that she decides to file a police report. What also happens is that these threat actors will also go after friends and family. So Cat should also let the people closest to her know what's going on so
that they can also take care of themselves. So, elevation of privilege. Once the threat actor has Cat's information, they're able to log in. They potentially can do a lot of damage. If they have access to her messages, they can find the contact info of a source that Cat is interviewing and speaking with who needs to remain anonymous. So they could potentially dox that source, and that could put them in danger. They can also learn more about the movements of Cat's colleagues, of other reporters that she works with, be it in her newsroom or people she's in contact
with. And so, Cat can practice the principle of least privilege. Not everyone needs the same amount of information, and not every tool or app she uses in her reporting needs to contain the same data. And so with Cat we see more travel-focused advice, but, you know, even if you are a reporter, you can kind of take what you can from this threat model if you're traveling. With the next persona, we're going to see a little bit more on the ground. So, here's Ricardo. He's 20. He's an LGBTQ+ activist, but not out to his job. And he lives in the United States, in the dorms.
He's an anime lover and a late-night food truck foodie. The situation that we are threat modeling for him today is he needs to secure his data while distributing mutual aid at a protest, so snacks, water, first aid kits. But we also need to let him know that these security practices are things he should incorporate into his everyday life, not just an event like a protest. And his tech usage: he's social media savvy but less informed on his operational security. And he needs to have a public profile so that people can know where to donate or where they can go to receive his aid. And one thing about his safety practices
is he's a huge selfie taker. He's pretty careless about his privacy, and he usually posts pictures with the location highly visible to the audience. The assets that we're protecting for him today are his Venmo and banking information as well as his cell phone. So, spoofing. When it comes to dealing with law enforcement on the ground, they can compel a person to unlock their phone if they have facial recognition enabled on that device. And Ricardo is also susceptible to social engineering attacks such as phishing, which a threat actor may want to use to gain access to his money.
So for mitigations when dealing with law enforcement on the street, it's important to enable the passcode, because it has a higher expectation of privacy. Law enforcement cannot compel a person to unlock their phone because they have a passcode on it, but they can with biometrics. And of course, strong passwords. For tampering, a threat actor may take control of Ricardo's social media, or they may decide to delete his posts that contain the information for people on where they can donate or where they can go to see where he's distributing, so they can, you know, get some food and water and what have
you. And they may want to do that because they disagree with what Ricardo's supporting. They may also decide to steal money from his Venmo transactions. And so what Ricardo can do is take sensitive information from the direct messages to an encrypted chat like Signal, as well as keep Venmo transactions private. So repudiation: how does Ricardo verify people to make sure that they are who they say they are? Not only is this important for vetting people who may want to collaborate with him on a project or do some more activism, but also when dealing with banking and money issues,
because who hasn't received scam calls from a bank, right? Or someone pretending to be the IRS. So, to verify the person behind the account, ask for a reference number, and then call back with that reference number. Just be like, "Hey, I need a reference number," and call the bank back with the reference number to verify if that was actually them calling. And also remember, the IRS and your bank are not going to ask for your personal information such as your Social Security number. And when it comes to vetting people in real life, you can ask, "Do we have
friends in common who can vouch for you?" And when it comes to social media, there are profiles that pop up in times of crisis or major current events such as elections to spread misinformation and fear. So, it's important to watch out for recently created profiles and profiles that don't have a lot of friends or followers, and if they're always posting especially inflammatory content. So, information disclosure. Threat actors can get a lot of information through social media, through photos, details such as menus, reflections; people can zoom in on eyeglass lenses and figure out a person's location that way, through those details as well as metadata. So, when it comes to street-level
surveillance, this device right here, it's a camera that takes a 360-degree view of what's around it, and it reaches 25 ft tall. It's often seen in downtown areas as well as warehouses and construction sites. Another thing to look out for are cell-site simulators, which trick your cell phone into thinking it's an actual cell tower, and that's how law enforcement can get data that way. And here's the MQ-9 Reaper, Predator B. It's a reconnaissance aircraft. It's responsible for air strikes in Afghanistan and Yemen, but most recently it was seen surveilling the crowd at the 2025 protests in downtown Los Angeles against
the ICE raids. It takes pretty detailed shots of what's happening on the ground, and it was also seen at the 2020 George Floyd protests in Minneapolis, Minnesota. And so, mitigations: turn off location on your device, but also, if Ricardo's going to a protest, it's better he just leave his phone at home. Be aware of surroundings, be aware of what's in the pictures that you're taking. Sometimes, you know, do people really need to see your vacation photos, or can you wait till after you come back home to post them and share them on social media? And Ricardo can also switch to privacy-focused browsers such as DuckDuckGo and Brave, and the Electronic
Frontier Foundation also has Privacy Badger, which is an ad blocker, and Tor for highly sensitive browsing. And for denial of service, people who are against the cause that Ricardo is fighting for will also want to take him offline and prevent him from doing his work through harassment and doxing. In this situation, community is key. Ricardo could appoint a friend to manage the fundraising and the Venmo page while he takes a break from doing that, so people can still get the services and the mutual aid that they need. And he can also appoint another friend who can manage his social media by blocking and reporting the harassment. And
Ricardo may want to consider going private for a while and taking a break. And elevation of privilege. Again, the attacker may access his banking info after logging into Venmo. The mitigation for that is strong, unique passwords for banking apps and multifactor authentication. So with Ricardo, we see more on the ground. Our previous persona, Cat, could decide to use some of this when she's on the ground reporting. So now, what's one thing you can do today to improve your privacy and security? And if you already know how to threat model, maybe you could help out a friend or a neighbor with their own threat modeling. Think about who
could benefit from threat modeling in your own community. And with that, big thanks to BSides Las Vegas, and especially huge thanks to Lydia Giuliano for coaching me for my first BSides talk. [applause]
>> So, questions, comments? >> Okay. Oh, yes.
Honestly, that's the first time I'm hearing that, so thank you for bringing up the question. >> So, go ahead. >> Okay. So he mentioned that there is a new addition to STRIDE called Striped. >> Striped. >> And he was asking if I had considered that or heard of that, and that's the first time I'm hearing about it. So thank you. Now I have something new to research. [laughter]
>> All right, cool. Thank you. [applause]