Digital Security Trainer (Voluntary Role Call)?


#1

Hey everyone,

So a couple of folks in this space who are digital security trainers have been thinking for awhile about ways to build the community cooperation aspects out a bit more (with boards like this, www.opentech.events calendar etc). Something that came up a few times was that sometimes people find it hard to find trainers with specific locations, skills, experience, language, methodology, background etc etc.

So a possible solution suggested was creating a trainer roll call, where we could (publicly) list our experience and would make it easier to be contacted. For example, sometimes at Security First we get asked to run a training in XYZ language in XYZ country but we don't know off the top of our heads who might be a good starting point to contact; to ask advice; partner with; sub-contract etc.

These past few days and weeks has also seen more and more people approaching a number of us because of recent political events. Many of them are looking at this topic for the first time, so struggling to know who to go to. Hopefully we can make this a beneficial tool for lots of folks in this community.

Before anyone jumps on me about the security aspects of this, I would propose that we assume and want this information to be public (otherwise how could people reach us)? Thus I guess it might rule out some of the best (local) trainers. Though if it works further down the line maybe we can think of something better? Also, I feel like there might be scope to expand this to other parts of the community like devs, designers etc.

I'm thinking maybe we can start with something very quick and basic like:

-What is your name?
-What's your background?
-What training do you do?
-What (geographic and/or sector) parts of the world do you feel comfortable training in?
-How do I learn more? How can a non-technical person contact you if they wish?

Feel free not to answer, add/remove/edit topics or tell me that this is a stupid idea (I'm sure plenty will!). If it takes off, maybe we can make it an updated pad or spreadsheet.

I'll go first:

-What is your name?
Rory Byrne

-What's your background?
I help run an organisation called Security First and we build a mobile app called Umbrella. I've worked on digital and physical training for various human rights, donor, humanitarian and media organisations for over ten years. More info here: https://secfirst.org/team.html

-What training do you do?
Really depends on need of the organisation and resources. Digital security tends to be about 50%/60% of a training as we also do a lot of physical security training. We try to adhere to community standards like "Level-Up" as much as possible. I would say probably a difference is that we tend to do a lot of operational security stuff like dealing with physical surveillance, insider threats, meetings, protests and arrests etc. We usually try and run mixed levels of training, with short trainings to try and get as many people an organisation up to a basic level and then longer trainings for those at most risk.

-What (geographic and/or sector) parts of the world do you feel comfortable training in?
Most of our work has been concentrated over Europe, Middle East, Africa and the US. Though from time to time we do stuff in Latin America and Asia.

-How do I learn more? How can a non-technical person contact you if they wish?
https://secfirst.org/contact.html


#2

A post was split to a new topic: Assume Tinfoil is all public, folks!


#3

Rory,

Given the recent changes in government (i.e., the more-or-less covert security/surveillance regime will now be public and promoted instead of hidden and denied), it's an excellent idea to have training sessions in as many venues as possible. It can be sort of a "digital resistance".

I'm wondering if these will be free meetings, how they will be advertised to recruit attendees, how they will be tailored to the specific audience (e.g., crypto ingenues vs. relative sophisticates) and so on. If it's simply another commercial enterprise, I don't expect an enthusiastic turn-out from the general public. Maybe it's not intended to be that way. Perhaps you can expand your original post in case I've misinterpreted it.

Keith


#4

Sure,

Basically i've had a number of conversations in various parts of the activist / digisec / internet freedom community in the past few weeks that revolve around the issue that there is basically not enough people to do the work that needs to be done. This applies across everything from trainers to tool developers. We keep hitting a supply issue which means it's the same faces and people to do what looks like what will be an ever increasing amount of work.

It's also actually quite hard to for organisations not already connected to our community to do things like find a trainer to run a crypto-party, training, SAFETAG audit etc - especially outside of the main places like SF, NY, London, Berlin. The idea I was floating was to see was there support for creating a kind of public roll call that NGO's (looking at these issues for the first time) could use for at least getting the ball rolling about who they should speak to. Of course there is an understandable security aspect of that, especially for those who don't have the freedom to operate in a more public way.

...anyway, it was just a thought about one possible method to solve the problem but my sense is that it probably won't work, so back to the drawing board!


#5

Rory,

This is a very frustrating problem because (in my experience) most people simply don't care about the issue. Even when I've bludgeoned friends, relatives, etc. to use Signal (for example), I'm given some imbecile platitude in reply to the effect that, "I've got nothing to hide". Well, I don't either, but that's hardly the point: some other entity (not you) decides what's worth monitoring, when to monitor it and how to use the results. Take, for instance, proprietary, for-profit, "predictive policing" algorithms are already trolling social media web sites and presenting skewed "threat profiles" to police. Those are viewed by them before interactions and who can guess how they may prejudice behavior and influence the outcome? Widespread use of license plate readers? Metadata monitoring? Web tracking? I'm guessing most people know about these in some fashion, but they don't seem to mind nor to care about hypothetical bad outcomes.

I don't have a great deal of confidence that any sort of proactive, useful and generally seamless method for addressing this problem will appear. Unfortunately, the Obama administration received a sharp scimitar in the form of the security/surveillance/carceral state from its predecessor and - as others have noted - honed it to a razor edge. It will be handed off to the present administration, for better or for worse.


#6

-What is your name?
Seamus Tuohy

-What's your background?
Principal technology and information security consultant for Prudent Innovation. Previously a Senior Technologist and Technical Risk Advisor for Internews. Co-architect of the SAFETAG digital security risk assessment framework for civil-society organizations, developer of CoPilot (a censorship simulating hotspot for digi-sec trainers), and have provided security guidance, training, and direct support to at-risk & targeted populations globally.

-What training do you do?
Historically, I have focused on concrete digital security practices/fundamentals and digital security awareness. Recently, I have been shifting away from public focused work towards more organizational & program level training for those working with at-risk or targeted populations. This has included some intensives on "applied risk assessment fundamentals" for civil society orgs, and "how to assess risk assessments" for donors.

-What (geographic and/or sector) parts of the world do you feel comfortable training in?
I've worked all over. My trainees do best when they are English speakers. I can slow down enough for a second language audience, but translators still hate me. As a somewhat bubbly man I find that people from FSU states often doubt my credibility, and therefore don't get as much as they could, if they are dropped in a short training with me without any context.

-How do I learn more? How can a non-technical person contact you if they wish?
http://prudentinnovation.org/#contact