The Digital Security Exchange Is Live

Last year I wrote about the Digital Security Exchange. The project is live:

The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats.

We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep their data and networks safe from exposure, exploitation, and attack. We are committed to working with community-based organizations, legal and journalistic organizations, civil rights advocates, local and national organizers, and public and high-profile figures who are working to advance social, racial, political, and economic justice in our communities and our world.

If you are either an organization that needs help or an expert who can provide help, visit their website.

Note: I am on their advisory committee.

Posted on April 11, 2018 at 6:33 AM • 16 Comments

Comments

Josh • April 11, 2018 9:59 AM

Hi there - this is Josh from Digital Security Exchange. While the DSX proper is focused on U.S. groups (and possibly Canada), we're working on an out-of-the-box platform that can be deployed with regional partners, so they can set up DSX-like instances in their regions.

Bauke Jan Douma • April 11, 2018 10:29 AM

@Josh

"(...) and public and high-profile figures who are working to advance social, racial, political, and economic justice in our communities and our world."

Would this apply to e.g. George Soros, him being a 'high-profile' figure often portraying himself as working toward some form of justice?

To which --TL;DR, so lemme try here-- what about funding? Will that be limited to the same category of individuals --ostensibly of high morals-- as well?

Hmm • April 11, 2018 1:07 PM

I get it, a security portal landing page that also detects colorblindness. Innovative.

"I think a Santa Fe pastel color scheme... but I want a screenload of blinding electric blue also. Do it."

"Just throw some polygons in a pile center screen, we'll build a city or something. IDK, it's fine."

Or is this part of the protocol, driving off all but the most determined security eyeballs? :p

Anyone who makes it past the landing page has been vetted to some degree.

(In all seriousness up-front links to a EULA or PPolicy might be a nice addition in these blinding times)

justina.colmena • April 11, 2018 8:37 PM

"DSX" ... "digital resilience"

That is military-speak.

"U.S. civil society"

In other words, civilian, i.e., non-military. It's all in Pentagon-ese, not plain English. As usual, the good stuff is classified, all of it is proprietary, they do not eat their own dog food, and we "civilians" remain unprotected from foreign nation-state and domestic organized criminal computer hacking.

aloo • April 11, 2018 10:37 PM


"The DSX endeavors to provide the highest level of protection for user data. We will only disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when subject to a subpoena or other judicial or administrative order."

Including, but limited to?

"administrative order" - I'm picking nits but there are a lot of administrations.

Peter Quince • April 12, 2018 7:40 AM

"We will only disclose personally identifiable information about you to third parties in limited circumstances..."

So let's back up a little bit. First, I spent twenty-six years working for Uncle Sam, and I can smell something going on here.

They want to have access to civil society groups and activists. They have a "platform" they want to "deploy", perhaps even overseas. They might disclose personally identifiable information about you, the activist. Wait a second: exactly what kind of activists are we talking about here? And what is "racial justice" supposed to mean? Are we talking about Richard Spencer?

Their language and their targeting of activists is suspicious to say the least. What about fairness? What activists are we talking about? Why not approach people like this: (1) We are going to protect your privacy no matter what (2) we are never going to collect on anyone, period (3) our goal is to protect U.S. civil society groups, no matter what their affiliation (4) we refuse to support any kind of illegal activity, especially anything designed to undermine the U.S. Constitution

(5) Since we care, we are going to cut to the chase and teach you how to encrypt offline and teach you how to use symmetric, asymmetric, and hybrid cryptographic products so that they actually work. We are going to show you the scary fact of how the internet is just a big collection platform that cannot be secured. We are going to talk about the TOR Network, TAILS, and setting up hidden partitions encrypted with a cascade of TWOFISH/AES256, etc. We are going to tell you how to use End-to-End encrypted email providers like Protonmail, along with their VPN, and how not to trust U.S. companies unless you absolutely must. We are going to show you how to make strong PGP keys.

Lastly, we are going to directly tell you not to let anyone have access to your network because they might be working for someone else.

Hacker Uno • April 12, 2018 9:23 AM

@Josh

I tried to register as a provider and upon submittal, received the message that you can't process my request at this time.

Tried a second time and received the same result.

Suggestions?

Josh Levy • April 12, 2018 10:10 AM

@Hacker Uno thanks for the report. We've gotten a number of submissions over the last couple of days so the form isn't *totally* broken but we'll look into this.

echo • April 12, 2018 2:28 PM

@Peter Quince

I drafted a comment acknowledging Soros and his philanthropy (and opposition to Brexit) and a number of troubling views I have heard from some clients who fit a profile but deleted this as I felt I was waffling and a few suspicions I had may have been overwrought. By chance I just read this article which goes on to describe a new kind of extremist, young, and tech savvy organisation in the UK. The likes of the EDL are largely punch drunk thugs and disaffected groups. GI is something else entirely and the kind of threat domain UK police and local government are spectacularly ill-equipped to deal with. This is changing but they can still be more reactive than active.

https://www.independent.co.uk/news/uk/home-news/generation-identity-racist-white-supremacists-conference-london-antifascist-network-a8301851.html

“While small, they are incredibly active, and the worrying thing is they are very professional, very organised and tech savvy, and their imagery is very professional. Their website is streets ahead of other far-right groups in Britain. And they’re young. “By using this slick marketing and presentable imagery, and distancing themselves from the more rough and tumble elements of the British far right, they’re attracting a younger more professional type of person. And all of this belies what is actually a very extreme ideology.”

The REAL George Soros • April 12, 2018 7:41 PM

Soros here,

You guys need hobbies. Hang gliding or something? I'm not even the richest manipulator in Europe.

Best, G

Anonymousss • April 13, 2018 2:17 AM

I am for this idea. I am suspicious of any implementation of any good idea like everyone.

Everyone needs this service, needs best practices. The needy will not seek it out.

That's the problem. Ugly landing pages will not find them.

Drone • April 14, 2018 7:24 AM

Be careful. This is how Certification and Standards SCAM organizations sometimes start (and many Labor Unions too)...

1. Start claiming to be a benevolent non-profit collective community organization in a particular trade, industry or field.

2. Once you reach a critical membership size, launch and monetize "Education" and "Certification" services which must be periodically and endlessly renewed. In parallel launch a service that brings together employers and (certified) job seekers. Certification now becomes a prerequisite to employment. Your customer base is now captive and perpetually under your control. Employers won't hire non-certified workers for fear of litigation.

3. Next add member "Services" such as health and auto insurance plans, and credit unions. Introduce membership "Benefits" for using these services that make it less costly and troublesome to maintain certification. [Note: For Professional organizations with salaried members, this is usually as far as it goes. For trade and industry organizations with hourly employees, the path to full-blown Unionization is wide open. See Step-4.]

4. Some of these scams get big enough to take over collective bargaining with industries and employers. It is at this point the corrupt U.S. Federal Labor Laws and the highly partisan National Labor Relations Board (NLRB) are brought in to leverage the once so-called benevolent non-profit collective community organization into a full-force Labor Union. Now members MUST join and be certified if they want to keep their jobs and their wages are garnished without their say-so and given to the Union who in-turn gives the money to a political party who will make laws and departments protect the Union while using the money to pay for party's re-election.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.