The creation of a Resistance cell is an even more responsible undertaking than a direct action alone. You are always “at work”, and the security requirements are even higher.
- Follow the security policy “paranoid ZeroTrust” in communication within the cell especially carefully. Otherwise, in case of accidental detention or information leakage from one, everyone else will be taken.
- No group chats in Telegram. Use Session, Element.
- No one from the cell should keep anything suspicious. No flyers, printed instructions, fuel supplies or explosives. Instructions to remember by heart or keep in an encrypted cloud, “tangible assets” to hide in secret caches.
- No one from the cell should shine with political topics. Otherwise, you will end up on the list of “on whom you can hang a capercaillie.” People with fines for defamation, picketing or something like that, with searches come just like that, because “on a pencil”.
- If you know each other in “peaceful life”, be twice as careful. If someone pierces alone, they will go to friends – to look for accomplices.
- For “surfing the internet”, searching for information, communicating with sympathizers and other resistance movements, use Tails.
- Have a plan on how to quickly destroy mobile devices with partisan chats, flash drives with Tails. To quickly erase information from the device, use special applications. If everything is really bad and they saw the door for you at 6:00 in the morning, you can weld the flash drive and the phone in the microwave, or smash it with a hammer, against the wall, break it with your hands, drown the fragments in the toilet.
- Lead an ordinary apolitical life, portray the layman. Do not chat or even hint about your activities to friends, acquaintances, relatives. Vanity is the enemy of the partisan, a mortal sin.
- No shares to “prove” something. A well-prepared action with serious damage will say everything for you without words.
- Don’t be fooled by “cash-for-share” offers Please contact us for support in the development of the cell and the expansion of activities. We’re here for just that. Send me an email in the channel description.
Zero Trust
The topic of digital security is replete with numerous terms. Some are well-known: VPN, router, phishing. Others are less common. Have you heard the phrase Zero Trust? Teplitz explains what it is and how useful Zero Trust can be in terms of security.
Trust by default
In English, there is the concept of implicit trust – trust, which is implied by default. It is easy to observe in relationships between people.
So the patient trusts his doctor, and the taxi passenger trusts the driver. We believe that a chef in a restaurant is skillful, experienced and responsible, which means we won’t have to spend the rest of the week holding the toilet handle. We believe that the elevator will not fall down the shaft if we press the button for the first floor. Of course, elevators sometimes break down, but we believe that specialists (whose professions, let alone names, we do not know) monitor the serviceability of all mechanisms.
Of course, there are other, sad examples of trust by default. People all over the world believe in terrible propaganda TV shows, because “they won’t lie on TV.” It happens that the suspect leaves his fate in the hands of an unscrupulous lawyer by appointment, who plays on the same team with the prosecutor and the judge.
We can say that we live in a world of presumption of trust. It extends to information technology. By running an anti-virus program, we expect that the program will not add a couple of fresh viruses to our computer.
At the same time, we often act on the principle of “trust, but verify.” If you have a toothache, you are unlikely to run with this problem to the first first-aid post you come across. Rather, you ask friends and acquaintances for contacts of a good dentist.
Collins Dictionary reinforces the emphasis: implicit trust is unconditional trust. The phrase is often used with this meaning in conversations and publications. “Buying an apartment is not easy, and the money is big. Do you trust your realtor?” – “Fully. He’s from a reputable company, I’ve worked with him before.”
Inside the protected perimeter
Imagine a secure structure (network, project, device, service) that requires authentication to connect to. A simple example is the local area network of an organization. People who have successfully authenticated and logged into the network are considered “friends”. (Trust, but verify.) Network components, such as computers, are also trusted. If we are part of an organization’s network, then by default we trust the computers included in this network.
In this case, verification does not necessarily occur every time you connect to a secure system. A classic example: the user enters a password (and, if necessary, a second factor for authentication) only the first time. The system offers to mark the device as trusted. The user agrees, because it is convenient. In the following days, he will not have to enter the password and the second factor again.
However, our communications today are far from the image of a lonely small secure local area network. Remember how many different messengers you have on your smartphone. We use dozens and hundreds of accounts. We contact a lot of people. Due to the pandemic, the volume of online communication has skyrocketed. This growth was facilitated by remote connections, the transfer of work from local computers to cloud services and online events. Try counting the webinars and other online meetings you’ve attended over the past couple of years. Which of these was inside the protected perimeter? Probably not much.
Zero Trust Principle
Literally translated from English, Zero Trust is a model of zero trust. In fact, this means abandoning the idea of a protected perimeter. Nobody gets trust automatically. No one gets it for long after a single authentication. Everyone outside or inside the perimeter must be verified in order to access critical information.
Zero Trust, in particular, helps with insider risk. In the classical model, a person or device that is known and familiar gains trust without any extra effort. But people, devices, and threats change over time. Someone whom the whole team trusted for years is lured over by an adversary, and that person becomes a risk factor. A program that an organization has been using without a second thought suddenly receives an update from its developer that contains a critical vulnerability. Sometimes it happens. The update is installed automatically, and the result is a data leak.
In the Zero Trust model, checks are required. Are these the same people and devices? Do they have the correct access rights? Do they fit the changing context? And these checks are repeated every time a person or device wants to access a resource.
A simplified example of Zero Trust in real life is a secure room inside an office. Of course, all employees and visitors are monitored at the entrance to the building. But access to this room still requires individual authentication – a special card, a fingerprint, etc. Access rights must be confirmed each time a person wants to enter a room.

Advantages and disadvantages of Zero Trust
The main advantage of Zero Trust is the increased level of security compared to the traditional approach based on trust within a secure perimeter. Risks from insiders, threats associated with theft of logins and passwords are reduced. The Zero Trust model creates a culture of active and ongoing security monitoring.
Zero Trust has several features (although the list is not exhaustive):
- continuous monitoring of access to resources;
- principle of least rights by default;
- checking both users and devices;
- multi-factor authentication;
- microsegmentation (division of the entire structure, network into small zones with access control to each zone).
But does this require additional costs? Yes. For example, in a corporate environment, connecting a computer to an organization’s network may require additional software to be installed on the computer. The program will check how secure the device is. In particular, whether the operating system and major applications have been updated. It is important not only to verify the device, but also to make sure that it does not pose a threat. However, installing checkers on users’ devices can cause problems. On the one hand, these are technical compatibility issues. On the other hand, there is a psychological factor. Few people get excited about the fact that a corporate “watcher” is installed on their computer or smartphone (especially personal). The need to authenticate every now and then can also be annoying.
The implementation of the Zero Trust philosophy can be stalled by the fact that the organization uses traditional services that lack even two-factor authentication, let alone the rest. The more staff turnover, the more people work remotely, the more difficult it is to implement Zero Trust.
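The per-request checks described above (identity, device, access rights, context, zone) can be written as one default-deny decision function. This is an added sketch, not code from the original article; the zone names, roles, time limits and the `Request` fields are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy data; zone names, roles and limits are assumptions.
ZONE_ROLES = {"public-chat": {"member", "editor", "admin"},
              "site-admin": {"admin"},
              "donor-db": {"admin"}}
SENSITIVE_ZONES = {"site-admin", "donor-db"}
MAX_IDLE = timedelta(minutes=15)      # log out after inactivity
MAX_PATCH_AGE = timedelta(days=30)    # device must be recently updated

@dataclass
class Request:
    user: str
    role: str
    active_member: bool        # False once the person has left the team
    mfa_passed: bool
    device_known: bool
    device_last_patched: datetime
    last_activity: datetime
    zone: str

def evaluate(req: Request, now: datetime) -> tuple[bool, list[str]]:
    """Run every check on every request; return (allowed, reasons for denial)."""
    reasons = []
    if not req.active_member:
        reasons.append("account belongs to a former member")
    if now - req.last_activity > MAX_IDLE:
        reasons.append("session idle too long, re-authenticate")
    if not req.device_known:
        reasons.append("unknown device")
    elif now - req.device_last_patched > MAX_PATCH_AGE:
        reasons.append("device is missing updates")
    # Least privilege: a zone not listed grants nothing (default deny).
    if req.role not in ZONE_ROLES.get(req.zone, set()):
        reasons.append(f"role '{req.role}' has no access to zone '{req.zone}'")
    if req.zone in SENSITIVE_ZONES and not req.mfa_passed:
        reasons.append("second factor required for this zone")
    return (not reasons, reasons)

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)   # constructed sample requests
    base = dict(user="alice", role="admin", active_member=True, mfa_passed=True,
                device_known=True, device_last_patched=now - timedelta(days=3),
                last_activity=now - timedelta(minutes=2), zone="site-admin")
    for change in ({}, {"mfa_passed": False}, {"active_member": False},
                   {"role": "member"}, {"zone": "public-chat", "role": "member"}):
        print(change, evaluate(Request(**{**base, **change}), now))
```

Nothing is remembered between calls: a request that passed a minute ago is evaluated again in full, which is the difference from the "trusted device" convenience of the perimeter model.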
Perspectives of Zero Trust
The very concept of Zero Trust arose relatively recently. It was first proposed and substantiated in April 1994 by Stephen Marsh, now a professor at the University of Ontario, in his work. But it took time for digital security experts not only to appreciate the new approach, but to start implementing it. Talk of some kind of common standard for Zero Trust began only in 2018.
Cloudflare – a service that every self-respecting website administrator and security specialist knows – uses Zero Trust in its Cloud One networking product. The concept of zero trust is promoted by industry giants such as Microsoft and IBM. Dozens of technical solutions are already available on the market that can help companies implement Zero Trust.
Although IT industry experts show enthusiasm, it seems to us that it is more about the corporate environment. The concept of zero trust will take at least a few years to find its place in the hearts of NGO leaders. In addition to general difficulties, as well as a lack of funding and competent technical support, the introduction of Zero Trust in teams of civil activists will be hampered by the horizontal nature of the relationship. In the coming years, hope should be placed on the “digital champions” – the most computer-savvy members of activist teams. They can contribute to the gradual growth of a culture of respect for safety. Here are some practical tips for these people.
- Require mandatory verification for access to the most important resources. (And record this requirement in security policies.)
- Improve existing authentication mechanisms. For example, disable the “remember password” function and, conversely, enable the option to log out after a certain period of inactivity. Use two-factor authentication wherever you can (and don’t forget about backup codes).
- Refuse to issue maximum or “average” permissions by default. For example, if a person enters a corporate multi-channel chat for the first time, this does not mean that he should be automatically subscribed to all channels. It is better if there are only one or two such “automatic” channels, and access to other channels will be on request.
- Monitor access rights. Eliminate situations when a person leaves the team, but can still log into the site control panel (database, etc.). Do not allow access rights to be distributed by people who should not be doing it. For example, when sharing a Google Doc with a colleague, we recommend unchecking the first checkbox, which allows the colleague to share the document with someone else in turn.
These measures will be useful for security in and of themselves. In addition, they will pave the way for the gradual implementation of the Zero Trust concept in the future.
