In 2017, my activist organization @fightfortheftr was targeted by the hacking-for-hire firm covered today in Reuters. Since Zbay (my new project) is partly inspired by this experience, I thought I'd share some thoughts here...
reuters.com/article/us-ind…
The Reuters report builds on extensive investigation by security experts @EFF and @citizenlab, see here eff.org/deeplinks/2017… and here citizenlab.ca/2020/06/dark-b… for background.
The attackers also targeted groups working to hold ExxonMobil accountable for funding disinformation on climate change. NYT covers that aspect of the story here nytimes.com/2020/06/09/nyr…
First, quick background on me and Zbay: I'm Holmes Wilson, the founder of Zbay, and previously co-founder & co-executive director of Fight for the Future, where I'm still on the board.

Zbay is a peer-to-peer messaging app & marketplace based on Zcash
@fightfortheftr was targeted alongside other allied organizations working on #netneutrality, just after our massive online protest to defend rules prohibiting ISPs from blocking & throttling specific services or protocols from an FCC chaired by a former telecom lobbyist.
(Incidentally, #netneutrality matters a *ton* for crypto and decentralization. Without net neutrality rules—or a strong threat of rules—near-monopoly ISPs could decide to block decentralized protocols the way they once blocked Bittorrent & Skype, out of self-interest or whimsy.)
So, my org was in the fight of its life against really tough odds (we ended up losing, though we kept the deterrent *threat* of rules alive) and my co-founder had been awake for nearly 48 hours and at 5am clicked on a spoofed LinkedIn message that looked like it was from me.
The link was to a convincing LinkedIn login page, but something seemed weird, so she tried an old password that she didn’t use anymore. The attackers tried it against a list of her accounts and soon got into a long-since-abandoned Gmail account.
As often happens in these situations, she realized it pretty much right away, texted our CTO, and the next morning we were all on high alert.
Which was good, because another colleague had just received a very convincing, seemingly urgent Facebook message from a family member. And everybody on our team was getting them.
For context, organizational doxxing can be a *devastatingly* effective way to attack an institution or political organization, instantly rendering them vulnerable to adversaries.
We knew this well, as seen from the other side. We’d used @Snowden’s revelations to build campaigns against the NSA for 2+ years. Great for us, but unpleasant for the NSA, I’ve gathered.
The 2016 US presidential race was fresh in everyone's memory, too. Security expert Bruce Schneier has a great overview of the organizational doxxing tactic and how well it works: schneier.com/blog/archives/…
It wasn't even that we were a particularly secretive organization. Unlike the NSA or even a presidential campaign, our work was mostly public. We even tried to send the most important parts of our strategic thinking to our 1M+ email list whenever we could.
The primary danger from organizational doxxing is that, no matter who you are, there is an inevitable amount of conversation, gossip, or straight up shit-talking that seems benign between friends but, once leaked, will let your adversaries (or allies) undermine you for years.
We already had an extremely strict internal policy against negative or snarky gossip (because it’s really dishearteningly common in many political and NGO cultures!) but in a team of ~10 people working full time under stress, some will slip by. This is a statistical certainty.
Another danger is that, even when you're speaking/working in good faith, leaked internal conversations among full-time activists can be complex enough that they become really ambiguous or obscure to outsiders, and can be made to look sinister.
For anyone who says they don’t have anything to hide: if you’re human, you have said things that can be made to look sinister or uncaring in some way, things that would horrify people you care about—or just make them *feel bad*.
Leaked comms, it turns out, are painful for everyone, which is why we all act to create bubbles of privacy in little ways all the time, even if it feels so automatic or natural that we don’t notice ourselves doing it.
There's also something so raw and voyeuristic about leaked emails that it can trick readers into a presumption that they’re peering into some deep dark skullduggery. (2016's "PizzaGate", where emails about lunch became a Rorschach test for paranoia/trauma, is an extreme example.)
So, given the size of the threat, we went into battle mode: we stopped everything, reached out to infosec experts, and raised funds to hire a security consultant, assess our weaknesses, shore up holes, and size up our attackers.
For the organization, the attack helped, in a way: in just a few weeks we improved our security posture immensely. The attack got us to go beyond Gsuite + 2fa and take the security steps that are inconvenient enough to hurt a little but are unequivocally worth it.
But while the attackers got nothing of value, the attack worked, albeit in a less catastrophic way than we feared: it forced us to divert resources from creative offense to paranoid defense at a key moment where the return on offense & creativity would have been unusually high.
It also affected us in possibly worse ways that were harder to measure.

We were at war, and someone we couldn't see had us in their sights.

Being the target of a funded attack of unknown scope is fucking stressful.
For me personally it was a little extra bad, because I was living with my family in Rio de Janeiro, Brazil, already listening to volleys of automatic gunfire at night. I was actually pretty safe, but my central nervous system didn’t quite agree.

(Thread continues...)
For anyone whose home city is saturated with physical violence, paranoia takes on other levels, and as the risk goes up, the individual, psychological weight of the attack on activists becomes even more damaging.
And it *pains* me to say the attack worked in this way, because whoever commissioned it could be reading this tweet right now, sharing it with their boss.

Any clarity I provide about the hidden efficacy of these dirty tricks increases their value, and likelihood.
I'm admitting the attack hurt us to:

a) urge anyone doing valuable political work to take preemptive steps to limit their exposure to these attacks

and...

b) underline the need for tools that protect *everyone* by default, because not every activist will protect themselves!
Oh, and an important detail:

Given our attacker's business model, and given the tiny number of opposition stakeholders, we can now be fairly certain that funding for the attack came—in a hard-to-trace trickle, no doubt—from one of a handful of household-name telecom companies.
To let that sink in: one or more household-name US or EU-based companies funded criminal activity to advance an unpopular policy outcome, i.e. these companies' ability to block and throttle the sites, services, and protocols we all use their networks for, every day.
Journalists, activists, and political campaigns can have tremendous leverage over every cause we can imagine caring about. It’s shocking how effective small teams can be sometimes!
So if the state of infosec is such that money can mount a devastating, untraceable attack that puts these changemakers in a quagmire (or worse!) we've handed over some of that power to the most unprincipled among us.
Effective agents of social change come with a wide variety of backgrounds, skills, and resources. It is neither realistic nor desirable to expect them all to become infosec experts!

We need tools that give everyone a tight grip on their security, out of the box, by default.
From my experience as an activist, I believe that:

- Free software apps
- using e2e encryption
- running on updated devices
- with encrypted storage
- connected over p2p networks
- that trust no central servers

...offer the best protection we can give journalists and activists.
So now I'm working on Zbay, to make such an app for anyone fighting for positive social change who needs this degree of protection. We have a *long* way to go to achieve this vision, but you can try out our beta here: zbay.app
If you’d like to learn more or help out, you can learn more about how to do that here github.com/ZbayApp/zbay

Or message me in Zbay (my username is `holmes`)