“Three may keep a secret if two are dead.”
~ Benjamin Franklin
A voluntary communications web, within the community, would be preferable to a single point of failure system. Even an old-style telephone switchboard, with independent power, would enable some independent comms between 2 or more families. A wireless network might also be established, using open-source VPN technology, mesh-nets and the emerging WISPr standard.
INFOSEC is about giving your information the same level of protection from intrusion, attack, or theft that you would give your property through physical security (PHYSEC). If you think of INFOSEC in similar terms to securing your home, you are seeing the right picture. Of course, INFOSEC and PHYSEC can differ widely in the specific actions or measures taken to protect your information and your property.
Different kinds of communities would have varying needs of INFOSEC and IT management, but here are some useful questions:
- Are you a knowledge/technology based co-op community?
- How large is your community? – if it is small, communication might be primarily a personal responsibility, with the addition of community-only comms, possibly CB.
- If you’re mainly a knowledge/technology community, with incubators, small start-ups, and remote workers, then you will likely want to implement a highly secure gateway, DMZ, and intranet. If your community is more primitivist or off-the-grid, then this kind of internet access would be a personal decision.
From the anarchist community perspective, any shared resource would have shared security responsibilities – but what does this mean? Does this imply that each community should have a CIO or web-master? Someone who manages the technology? Would this be, most likely, an internal service within the community, in which the local expert works with other communities to implement highly secure communications pathways, and gets paid for this? It is our contention that this will be an emergent, open-source service. Community standards and protocols will be adopted.
When planning for information security and communications, consider the following:
- Low Tech vs High Tech: not all information security is about high tech; sometimes it can involve low-tech methods, including a mail system (like USPS) that members of the resilient ways community might implement on a network-association basis.
- How do you share INFOSEC responsibilities?: there might not be an easy way to distribute responsibility for infosec across the community, because of the required specialized knowledge.
- Are there emerging, open-source standards and technologies that can support your endeavor?: with technologies like MESH-NET (the linking together of WiFi routers), the emerging WISPr standard, and TOR networks, there is reason to be hopeful that our resilient communities could operate using technologies outside the scope or control of central state authorities.
- Do you recruit, for your communities, anarchists with skill/background specifically in this area?: per the concept of a resilient community, it might be useful, especially for tech co-ops, to look, specifically, for anarchists with the skills to manage and support a local network, and to coordinate other forms of communication.
- Cost: the amount of networking/security you have is also a function of resources and time. It is best to plan, with some thought, so you do not “over buy” or “under buy”, and to recognize that if this is managed as a shared resource (meaning shared ownership), it is not “once and done”. IT/INFOSEC, and the infrastructure to support it, is a long-haul, continuous-improvement subject.
- Re-cycling and the LINUX way: one way to manage costs in the context of IT and INFOSEC is to seek open-source solutions. These solutions have the additional benefit, in many cases, of helping to recycle old computers and equipment – often, the difference between a “broken” PC/Server and one that is not is whether it currently runs some variant of the LINUX OS. Again – we are not implying that Microsoft, and other companies, engineer obsolescence into equipment via the operating system, but it is strange how many “broken” computers come back to life once you install LINUX.
- Teaching classes on encryption, managing our email server, and adopting PGP-based email strategies: with little effort, even the least “techie” computer user can be taught to use encryption tools, like PGP. In the case of the LINUX world, gpg, the OpenPGP encryption tool, is freely available – and there are various UI-wrapped versions of this tool for those who are intimidated by the command line or shell.
- Using off-shore locations for computer operations you don’t want the government to meddle with: this is a strategy that many tech companies, who operate on the fringe of what the government allows, use. They research nations, their security agreements with the USA, and find spots where a server can be deployed with a degree of protection from U.S. government intrusion or attack.
At the Resilient Ways Foundation, we recommend that INFOSEC/IT planning receive as much respect as planning for the physical security of your community.