Pluralistic: 05 Mar 2022

doctorow · 5 March 2022 15:37

Originally published at: Pluralistic: 05 Mar 2022 – Pluralistic: Daily links from Cory Doctorow

Today's links

How to be safer while using Telegram in Russia and Ukraine: A guide from EFF's Eva Galperin.
Hey look at this: Delights to delectate.
This day in history: 2007, 2012
Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading

EFF's mobile security banner, featuring black silhouettes of people walking back and forth with white icons of mobile phones in their pockets. The phones are joined by white lines.

How to be safer while using Telegram in Russia and Ukraine (permalink)

Those of us with roots in Ukraine and Russia have a somewhat different picture of events as they unfold. In addition to viral videos, OSINT, pundits, and even sensible commentary, we're also part of heartbreaking conversations with our families.

My own roots are in Russia, Ukraine, Poland, Belarus and Romania. The messages I've received from my cousins aren't for public consumption, but suffice to say they've been haunting and frightening.

I'm hardly unique. The post-Soviet diaspora sent people from the region all over the world. My EFF colleague Eva Galperin is one such person. As someone with roots in the conflict zone who is also EFF's Director of Cybersecurity with a long history of fighting for the digital rights of vulnerable people, there's no one I pay more attention to when it comes to personal security and digital technology in this conflict.

Eva has just published EFF's guide to "Telegram Harm Reduction for Users in Russia and Ukraine." It's extremely timely, given the central role that Telegram channels have played in both the domestic discussions in Ukraine and Russia, and the international picture of events as they unfold:

https://www.eff.org/deeplinks/2022/03/telegram-harm-reduction-users-russia-and-ukraine

As with any security discussion, this one begins with understanding what a user might want to be secure from, and what they want to be secure to do. Telegram has some strengths in the regional context, but also some significant weaknesses.

If you're a Ukrainian in Ukraine, your first priority is often physical security. You might decide to trade off perfect secrecy – including from Telegram itself – for access to news and communications with the people you care about.

But some Ukrainians are in more sensitive contexts and need to know that their telecoms are secure from insider threats (hypothetical untrustworthy Telegram employees), government warrants, or Telegram itself.

If that's your worry, Telegram has some significant problems, some of which you can address by overriding its defaults, and others that can only be addressed by using a more secure alternative like Signal or Whatsapp.

What are those problems? Telegram channels and groups (including private groups) aren't encrypted "end to end," which means Telegram itself has access to messages in those groups. Telegram might be compelled to reveal those messages (though they have an admirable history of standing up to Russian orders to do so). What's more, there's no way to set group/channel messages to auto-delete after a fixed interval, which means the data will linger on Telegram's servers and on group participants' devices, which might be seized or hacked.

Telegram's private, one-to-one chats are not encrypted by default. To turn this on, users must select "secret chat" in the app when they start a conversation (you should do this). Even with encryption on, Telegram can see "metadata" about the chat: who is talking to whom and when. That may seem low-risk, but figuring out the contents of chats from metadata is easier than you think:

https://www.eff.org/deeplinks/2013/06/why-metadata-matters

Another important risk to Ukrainians is account takeover attacks. This is especially salient if you're running a high-profile group/channel or participating in a private group with sensitive information.

Securing a Telegram account involves many of the same steps we should all use for all our accounts:

Use strong passwords that are different for every service, and use a password manager to track all those passwords:

https://ssd.eff.org/en/module/animated-overview-using-password-managers-stay-safe-online

Use two-factor authentication to protect your account, and make sure you have a different strong password for the email address used for that 2FA:

https://ssd.eff.org/en/module/how-enable-two-factor-authentication

If you are concerned about having your phone seized by hostile parties who might coerce you into unlocking it, you should set your private chat messages to "self-destruct" (auto-erase) within a short timeframe. Again, this is not available for Telegram channels or group chats, be they private or public.

Russians using Telegram need to consider that communications breaches could lead to arrest, violence or state intimidation. Russians practicing independent journalism and/or opposing the war (especially in public demonstrations) face significant risk. These people need to guard against device seizures, account takeovers, and other hack attacks.

Because Russians in Russia are further from the immediate physical peril of the conflict, they may have the time and resources to secure their communications, especially group communications. The best way to do that is to switch to apps with more group security than Telegram, like Signal/Whatsapp or Threema/Wire, which don't require a phone number to sign up and don't link your account to your phone number.

https://www.eff.org/deeplinks/2022/03/telegram-harm-reduction-users-russia-and-ukraine#otherapps

Russians who are worried about device seizures can use disappearing messages (which are available for group comms on some of these other apps) to mitigate this risk.

Eva notes that due to sanctions and Russian state censorship, it can be hard for Russians to install some of these apps. Russians who must use Telegram, or choose to do so, can refer to the advice for the Ukrainian context.

Remember that security compromises can come from your counterparties. Your device might be secure, but if the people you communicate with are compromised, the messages you send to them might also be exposed. Or, as Eva puts it: "Security is a team sport and it only works when we look out for one another."

(Image: EFF, CC BY 3.0)

Hey look at this (permalink)

Socialist Modernism in Germany (book, 800 copy run): https://urbanicagroup.ro/ushop/publications/album/socialist-modernism-book-socialist-modernism-in-germany-including-postage-in-european-union/ (h/t Bacu)
10 Lessons from Seeing Samuel Delany this Week https://robinsonmusicwriter.com/2019/04/06/10-lessons-from-seeing-samuel-delany-this-week/ (h/t samueldelany.tumblr.com)

This day in history (permalink)

#15yrsago Cheap Laffs: the history of the gag https://memex.craphound.com/2007/03/05/cheap-laffs-the-history-of-the-gag/

#10yrsago UK police/spies colluded with giant construction firms to build illegal blacklist database of whistleblowers, trade-unionists https://www.theguardian.com/technology/2012/mar/03/police-blacklist-link-construction-workers

Colophon (permalink)

Currently writing:

Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Friday's progress: 508 words (69712 words total).
Vigilant, Little Brother short story about remote invigilation. Friday's progress: 286 words (4032 words total)
A Little Brother short story about DIY insulin PLANNING
Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION
Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE
A post-GND utopian novel, "The Lost Cause." FINISHED
A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: The Internet Heist (Part II) https://craphound.com/news/2022/02/13/the-internet-heist-part-ii/
Upcoming appearances:

Competition & Regulation in Disrupted Times (Charles River Associates/Brussels), Mar 31
https://www.cra-brusselsconference.com/
Emerging Technologies For the Enterprise, Apr 19-20
https://2022.phillyemergingtech.com

Recent appearances:

The Policy Implications of Web3 (Stanford Cyber Policy Center)
https://www.youtube.com/watch?v=Fir5ujS-Dkg
Big Tech & Surveillance Capitalism (Shaun Attwood):
https://www.youtube.com/watch?v=cqzeMlvENPs
Bringing Back Luddites (Oh No Ross and Carrie)
https://ohnopodcast.com/investigations/2022/2/14/ross-meets-cory-doctorow-bringing-back-luddites-edition

Latest book:

"Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The Washington Post called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
"How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)
"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
"Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.