One thing that makes the Tech Learning Collective different than other technical schools is our explicitly political approach. Our teachers have to be more than just competent technologists, they must also be politically engaged. Similarly, we prioritize enrollment for students who are committed to social justice and have demonstrated that commitment through concrete actions. This makes our classrooms sites of political praxis, sharpening our student’s ability to critically scrutinize the implications of modern technologies and the impact of tech companies from an ethical standpoint. Practically speaking, it also means that we introduce computer security topics far earlier in our programs than most other schools do.
These days, politics and computer security or online privacy are inseparable. From prime time reporting like the Russian intelligence agency intervention in the so-called election “hacking” scandals of 2016 or Cambridge Analytica’s ethically questionable data mining of Facebook, to an endless stream of reports showing targeted surveillance of activists by federal United States law enforcement agencies and corporations, most news outlets (finally!) routinely run stories about these issues. Moreover, marginalized groups simply face more risk than others. Given all this, and given the fact that the Tech Learning Collective was created specifically to empower the people who are not well-served by the tech mainstream, we feel an even stronger obligation to prepare our students for the hostile reality they will face while using their computer.
To meet this challenge, the Tech Learning Collective has adopted a security-first approach to technology education. This means that even our “beginner” workshops often contain some security content, and many of our public workshops either have security-forward materials or are entirely about online security and privacy topics. This approach is a sharp departure from most tech bootcamps in which security considerations are a footnote, an afterthought, or simply omitted because it’s not the subject of the class. And even when security is the subject at hand in a traditional classroom, that environment itself, with all its predetermined course objectives, becomes a barrier to a good cybersecurity education.
Integrating security content for novice students taking starter classes isn’t easy, because security vulnerabilities are often subtle bugs or design flaws that aren’t always immediately apparent to even highly experienced technologists. However, such flaws are also often illustrative of how a given technology works. By looking both at how something functions correctly and in what situations it fails or is vulnerable to manipulation, we give students a far more complete understanding of the underlying technology.
This means that we always teach cybersecurity topics from both an offensive and a defensive perspective. From picking locks to launching phishing attacks, we teach our students what attackers know along with how attackers think in order to better prepare our students to counter these threats. On the other side of the coin, we also offer deep dives into defensive tools that help students of all skill and experience levels protect their privacy online, such as workshops detailing how to make the most out of Tor and secure email.
For example, students are introduced to the Address Resolution Protocol early in our networking courses. This fundamental component of traditional TCP/IP networking associates a physical network interface controller (NIC) with a logical network address (IP address) and is a topic that is covered by every decent network engineering course. However, ARP is an unauthenticated protocol, so many sophisticated attacks start by manipulating a computer’s ARP cache with tools like Ettercap. Actually seeing an ARP cache poisoning attack in action and understanding how such a technique can trick a computer into communicating with a device it doesn’t intend to can be super helpful for internalizing exactly how ARP works. Plus, it clarifies the situations in which you might want to take extra precautions.
To help students judge which cyberattacks they should be concerned about in their day-to-day lives, and also simply to keep folks from getting too overwhelmed, we chose to adopt the Anarcho-Tech NYC Collective’s “Persona-based training matrix.” The persona-based training matrix is a teaching tool consisting of a three-by-three (3×3) grid. Each cell of the grid represents a level of risk that you might be facing. On our site, the persona matrix looks something like this:
As you might have noticed, many of our workshops now have descriptions that include a “persona matrix” in order to help you assess whether the topic of the workshop is relevant to your particular situation. In this model, risk levels are evaluated based on a coarse grouping of who you are and who you are defending yourself from. Each row of the grid represents a coarse grouping of defender profiles, with people at the least risk in the top or first row and people at the most risk in the bottom or last row. Meanwhile, each column represents a similarly coarse grouping of adversaries who pose a risk to you. The weakest or least-resourced attackers are represented by the first or left-most column, while the most powerful adversaries are represented by the last or right-most column.
In general, once you identify in which defender group (row) you belong and which level of adversarial power you are threatened by (column), you should concern yourself with the cell at which those concerns intersect as well as all the cells above and to the left of that one.
A given cyberattack or defensive technique, such as ARP cache poisoning, is loosely associated with one or more cells in the grid. If the attack technique lands in a cell that is relevant to your risk profile, we recommend you take some time to learn about it. Otherwise, don’t stress too much. You probably have enough on your plate!
With so many good and free tools available to you, along with a whole arsenal of cyberweapons available to attackers, this framework provides an easy way for you to gain some clarity and cut through the fear, uncertainty, and doubt generated by the frenetic news cycle and the latest Internet privacy listicle. To be sufficiently safe, most people only need to pick up a few basic, easy to learn, and easy to use privacy tools: a secure messaging application (like Signal), a password manager (like KeePass or LastPass), and a few of the built-in features of their existing computers, like the full-disk encryption software available for free on every modern laptop and smartphone.
Of course, the more you learn about cybersecurity and the more proficient you become with the tools available to you, the safer you can be. Moreover, since we take our politics and our mission seriously, some of the Tech Learning Collective’s workshop materials are designed for activists and advocacy groups that are at a higher risk of cyberattack than others. It’s important to us that these students also receive the training they need to stay safe.
As more cells in our persona matrix for a given workshop turn red, people in more varied situations will find the workshop materials relevant to them. For example, the persona matrix for our Gone Phishing workshop is all red:
This is because personally-targeted phishing campaigns (known as “spear phishing” in cybersecurity jargon) are often used by governments to hack into activist’s personal devices. However, phishing is also a technique frequently used by petty theives to rob people whose only missteps are having a bank account and not being wary of, or not being able to identify, fraudulent emails. Since the persona matrix for this workshop is all-red, it means that everyone, regardless of their risk level, can benefit from the material presented in this workshop. Put another way, it means that the workshop covers both introductory material and also touches on more sophisticated material.
We hope that this gives you a clearer idea of how we approach cybersecurity topics at the Tech Learning Collective. To learn more about our approach to computer security and how we use the Anarcho-Tech NYC Collective’s persona matrix, read “About our Persona-based Training Matrix,” or book our introductory workshop, “Digital Defenses for the People: Practical Digital Security,” for your group or at your venue.