Do a "Practical digital security" workshop using our shiny new Persona-based commsec training matrix

[fabacab]

Collaborators from AnarchoTechNYC and the Better Angels collective have put together a pretty great "Persona-based commsec training matrix" (see #6), now it's time to actually use it!

Last weekend, the Better Angels Collective used this matrix as part of a "Practical digital security" workshop that got some good feedback, and they even helpfully included a "How to facilitate…" section.

Let's try this approach either at AnarchoTechNYC itself and/or some other venues, such as:

• Verso books?
• A tech collective-organized event at The Base?
• Somewhere else?

All we need are:

• [x] A projector
• [x] Wi-Fi
• [x] whiteboard + eraser + markers
• [x] Physical space (a host?)
• [x] A confirmed time
• [x] Maybe some "outreach" or "publicizing" but probably not much, word of mouth should be cool enough

[fabacab]

Assigning @emhoracek who I know has some venue connections; LMK if you can follow up on this? If not, re-assign it back to me and/or to someone else to pick up. Thanks!

[emhoracek]

I just asked the other folks at Position if they're cool hosting (can't imagine why not, but I like to check in), if so then I'll set up at time at Verso. Should have a yes or no by tomorrow evening.

[emhoracek]

Verified that Position can host a workshop at Verso! Pretty slim picking for dates in December, though, only Mon 19, Wed 21 or Thurs 22 in the evening (> 7pm). In January, it's less busy, but that seems like a long time to wait.

After we choose a date, I'll double-check for double-booking with everyone who shares the space, and then we'll be set for the space!

[fabacab]

@emhoracek:

Verified that Position can host a workshop at Verso!

Great!

Pretty slim picking for dates in December, though, only Mon 19, Wed 21 or Thurs 22 in the evening (> 7pm).

I can make a number of those options work. Are you asking me/us to choose one of these dates?

[emhoracek]

Yes! I already filtered for days that I can be there to host.

[fabacab]

I prefer Wednesday the 21st, say 7:30pm? This date is nice because it's a week in between bi-weekly Tech Collective meetings at the Base. I can commit to facilitating this event at that time and place.

Would that work?

If so, it looks like you've already checked wi-fi and a projector in the issue's task list, above, so I'm assuming Verso has those on offer for events. Yay!

Once we confirm this date and time all that's left is to let folks know we'll be doing that. How should we go about that?

[emhoracek]

Okay, Verso loft is now booked for 12/21 at 7:30pm.

Verso does have wifi and a projector for events! Position also has whiteboards we'd be happy to lend. :D

I'm not sure how to let people know about it? Just word-of-mouth? That may be enough for a good workshop size.

[fabacab]

Oh yeah, a whiteboard is needed for this format, too.

Word of mouth seems fine to me. :) I'm pretty swamped at the moment but will ping a few folks I know privately.

[emhoracek]

I'm going to make a flyer so I can send it to WAM (women action media) NYC.

[emhoracek]

What do you think?

[fabacab]

@emhoracek I think you're a superhero.

[emhoracek]

Thanks :D

Are you still up for facilitating? I heard your ankle is messed up. :( In terms of accessibility, the building does have elevators and you don't have to use stairs to get to an elevator, but there's a long hallway from them to the actual loft office. Also, Jay St is partly cobblestone, which I imagine would suck to use crutches on.

[fabacab]

AFAIK I'm the only person who's facilitated the kind of thing I hope this workshop will be (i.e., the kind of thing described here, because bluntly I think almost all digital security trainings I have ever been to have been complete shit and almost totally useless at best for the majority of beginners who attend them); so I was still planning on doing so. But I definitely am having misgivings because I don't actually think my facilitating this specific workshop will make or break La Revolución or anything haughty like that. So in other words, it was still on my calendar as a commitment that I'd fulfill, but I'm feeling pretty ¯\_(ツ)_/¯ about it.

[emhoracek]

You're probably right about this particular workshop not being immediately crucial to smashing the state and it's certainly not worth you endangering your health!

The thing I want to get out of this would be for me to learn how to facilitate these workshops in the way you describe. So then I can go on to "Train the trainers" and all that. If you can't make it, I'll stumble through it on my own or with the assistance of any volunteers I can rustle up. I don't have your security knowledge, but I've worked with tech beginners before and I know where to look for resources, and that seems more key to this particular workshop's success (correct me if I'm wrong!!).

[fabacab]

I've worked with tech beginners before and I know where to look for resources, and that seems more key to this particular workshop's success (correct me if I'm wrong!!).

Not at all, you're exactly on target. I'd go so far as to say that security experts generally make shitty educators because they have "expert blind spot" and don't appreciate how overloading less-experienced people with too much information is a barrier to entry. But I'll rant about that another time.

The Persona-based commsec training matrix is designed to make sure that the above overload doesn't happen. Note, for instance, that GPG/PGP is all the way at the bottom-right of the table, because it's only practically useful if you're a targeted activist being hunted by The State. Even Tor is waay down there in the middle of the matrix, not at the top-left box. This is intentional and it goes against the refrain of "Use Signal. Use Tor. Get a VPN" that we often hear bandied about by "crypto people." Instead, there are things like "Check for your legal name in one of the data vendors linked from Privacy International's Data Brokers list" or "Check the Settings screen on your smartphone's camera!" and "Did you know Instagram published the locations of your photos?"

These are things that most "how to be secure on the Internet" guides totally overlook, because almost all of those guides assume your adversary is the NSA, which is totally ridiculous for most people, including most self-described "activists," most of the time.

And the matrix is designed to make that point without having to say that explicitly. Similarly, the in-person workshop is designed to teach super-important and often "advanced" security best practices without ever needing to learn terms like "threat model" or "SIGINT" or "data in motion" or any of this totally absurd jargon that isn't relevant or interesting or necessary for most people to gain much if any knowledge about.

Most people already know what "threat modeling" is, they just don't say to themselves "My threat model is…." Instead, they just say, "I'm worried about my ex figuring out where I work now." <-- THAT'S A THREAT MODEL. No need to talk to this person in the infantalizing, patronizing way most security "experts" do by saying shit like "Well if you've never done it before, you should do a risk assessment and come up with a threat model." Like FOH they're at a security training because they've already done a risk assessment, they just didn't use those words with themselves when they did it, ya know?

So that's why "hokey" exercises like asking people to spend five minutes finding a feature or setting on their own devices that they don't fully understand or didn't see before is so useful. Almost everyone—including the "experts" in the room—tend to find at least one or two preference items that they didn't know was there before. I consistently find new shit that Google or whoever slips into their apps without telling us, and I've been focusing on security stuff for years.

TL;DR: Most experts aren't helpful people. They're just containers of super specialized knowledge. You don't have to be an expert to facilitate this, you just have to have enough understanding of the lay of the land in a realistic way (which is what the linked persona matrix hopes to offer trainers) to know what information to exclude from the discussion given a specific participant's actual concerns.

Not sure if that helps and again, I'm totally up for facilitating like I said I would. I'm actually doing very little else this week specifically so I can use my energy to get to Verso and back on Wednesday night. But if something does stop me from being there I have no doubt you'll do just fine, or maybe even just great.

[emhoracek]

Okay, awesome! I'll plan for you to attend, but also study up with the facilitation guide and security matrix. If you want to come early, I'm ordering dinner too. 🍛 🍕 🍝

[fabacab]

If you want to come early, I'm ordering dinner too.

This is the most reliable way to get me somewhere on time.

[fabacab]

@emhoracek I found a ride to Verso day-of, so I'll be there in time for 🍕 ! :)

[jeromio]

I can't make it, but Barack is planning to attend.