How to make an Impeachment Slackbot

If you’re using Slack to organize, here’s a fun and easy way to make Slackbot deliver random articles of impeachment for Donald J. Trump. Depending on your team’s Slack setup, you might need administrative permissions to do this, but by default anyone can make a Slackbot response.

Step One:

Click the dropdown next to your team name, and find the option to “Customize Slack.”

customize slack

Step Two:

Click the “Slackbot” tab and then select “Add New Response”

slackbot tab

add new response - slack

Step Three:

Choose a keyword and enter in the first field. NOTE: You probably don’t want to use something used frequently, because Slackbot can get annoying. We chose “impeachmf”!

add new slackbot response

Step Four:

In the second field, paste this text. Or choose your own. Line breaks will serve to separate the Slackbot responses.

Trump has repeatedly put his own interests above those of the country.
Trump has used the presidency to promote his businesses.
Trump has accepted financial gifts from foreign countries.
Trump has lied to the American people about his relationship with a hostile foreign government.
Trump has tolerated cabinet officials who use their position to enrich themselves.
Trump has called for the prosecution of his political enemies and the protection of his allies.
Trump has tried to shake the public’s confidence in one democratic institution after another, including the press, federal law enforcement and the federal judiciary.
Trump has continued to own and promote the Trump Organization.
Saudi Arabia has showered the Trump Organization with business, and Trump has stood by the Saudis despite their brutal war in Yemen and their assassination of a prominent critic.
A Chinese government-owned company reportedly gave a $500 million loan to a Trump-backed project in Indonesia; two days later, Trump announced that he was lifting sanctions on another well-connected Chinese company.
Trump lied to the American people during the 2016 campaign about business negotiations between his company and Vladimir Putin’s government.
The president of the United States lied to the country about his commercial relationship with a hostile foreign government.
Trump directed a criminal plan to evade campaign finance laws.
Trump rejected, with no factual basis, the findings of multiple intelligence agencies about Russia’s role in the 2016 campaign.
Obstruction of justice is certainly grounds for the removal of a president. It was the subject of the first Nixon article of impeachment passed by the House Judiciary Committee.
Trump has called for Comey, Hillary Clinton and other political opponents of his to be jailed.
Trump has described journalists as “the enemy of the people” — an insult usually leveled by autocrats.
Trump has rejected basic factual findings from the C.I.A., the Congressional Budget Office, research scientists and others.
No other president since Nixon has engaged in behavior remotely like Trump’s. To accept it without sanction is ultimately to endorse it.
We already have overwhelming evidence that the president has committed impeachable offenses, including, just to name a few: obstructing justice; violating the emoluments clause; abusing the pardon power; directing or seeking to direct law enforcement to prosecute political adversaries for improper purposes; advocating illegal violence and undermining equal protection of the laws; ordering the cruel and unconstitutional imprisonment of children and their families at the southern border; and conspiring to illegally influence the 2016 election through a series of hush money payments.
Members of Congress have a sworn duty to preserve our Constitution. Leaving a lawless president in office for political points would be abandoning that duty.
“The damage inflicted by President Trump’s naïveté, egotism, false equivalence, and sympathy for autocrats is difficult to calculate” —Sen. John McCain
Trump pledged to ban entry to the United States on the basis of religion, and did his best to follow through.

Save your response, and then test it out in Slack!

impeachbot

Sources for our Slackbot responses, and recommended reading & listening:

 

 

 

One simple Twitter trick to help our vision-impaired friends

People with vision impairment sometimes use screen-reading software to help them navigate the web.  The software dictates audio based upon what’s on the screen. This works best when the information is text-based, and when it’s organized well. Unfortunately, not all webpages fit this description.

Images, especially, are hard to parse with a screen reader. It’s long been considered a best practice to add additional “meta” information to images so that they can be read by screen readers (and also by search engines, but that’s another story). Unfortunately, the meta information requires manual input, and most people posting images online either don’t do it, or do it poorly. We are guilty of this, and will strive to do better.

Twitter has a feature that makes adding image descriptions easier. By default, though, this feature is disabled—which is a real shame. Since discovering this feature, we have used it on most of our tweets that contain images. (Further down we’ll explain why we’re not 100% consistent.)

To enable Twitter image descriptions, follow these steps (full instructions are here):

  1. Click on your profile icon and select Settings and privacy from the dropdown (or press the “g” key quickly, followed by the “s” key).
  2. Click Accessibility from the list of settings.
  3. Find the Compose image descriptions checkbox.
  4. Check the box to turn the setting on or off.
  5. Click Save changes.

Once you enable the feature, you’ll have an additional option to add a description to any image you post. Take the time to do this, and don’t be lazy about it. When writing your description of the image, imagine you are describing it to someone over the phone. If you’re posting a screen-shot of text (like someone’s Facebook post, or another tweet), post that same text into the image description. Otherwise, people with vision impairment have no idea what you are posting.

This feature is not foolproof, but it’s a start. Since we enabled it, we’ve noticed a few things that can prevent you from making your images fully accessible:

  • It takes more time. If you’re in a hurry, you can be tempted to bypass the image description or to be lazy about it. Resist that temptation!
  • The mobile app applies the same description to multiple images. On iOS at least, if you post multiple images in the same tweet, you get only one description field that applies to all images in the tweet. Until Twitter changes this, you’ll have to write a description that can be applied to all images in your tweet. (Or tweet the images separately, or use Twitter from a desktop browser.)
  • Third-party apps don’t include image descriptions. If you’re using something like Tweetdeck or Hootsuite to schedule tweets, there is no place to add image descriptions. This is unfortunate. We don’t schedule many tweets in advance, but when we need to, image-tweets will be missing descriptions.

Accessibility on the web is always evolving, and mistakes will always happen. Adding image descriptions is a simple way to start being a better ally to our friends in the disability community, but it’s only a start. We would love to hear how we can do better in the comments.

Example of Twitter description field

Example of a Twitter image description

Effective Facebook Use for Indivisible Groups

This informative guide to the ins and outs of Facebook was put together by an Indivisible working group last year: How to Use Facebook Effectively.

94% of Indivisible groups were using Facebook as of April 2017 and that makes sense—68% of Americans adults are on Facebook and 58% use it daily. Facebook is an effective way for activist groups to do outreach and share events (see: The Women’s March), but major problems develop for groups that try to use it as their only communications tool—and those challenges grow as groups grow.

This document gives you the information and guidance you need to make Facebook work for your group, including what functions are better handled on other platforms.

Good organization and communication are so critical to our efforts. If you’re an admin or an active user of an Indivisible Facebook group or page – or if you’re not even sure what the difference is between a “group” and a “page” – then take some time to read this short guide.

And pass it on!

Introducing IT: Indivisible Technology

Introducing a new effort: Indivisible Technology Austin, the IT group that can help you #resist.

If you hate the Trumpist agenda but love technology, we’d love to have your help. We’ll have regular working meetings for whoever can join – the first will be on Thursday, Oct. 5. We also plan to have a Challenge Team in the upcoming ATX Political Hackathon. There’s lots to do, and the more help we have, the more we can achieve. Sign up today!

We’ll be posting the occasional technology-related items here on the blog, and the first one, on the critical topic of information security, is below. You may have seen similar posts in this space before, and you’ll probably see more in the future – this stuff is important!

This is from a resource page provided by the national-level Indivisible site:

DIGITAL SECURITY CHECKLIST

  1. Identify a trusted security expert or advisor for your group if possible.
  2. Take an inventory of your main communications systems and assess what your top information security priorities and risks might be.
  3. Keep all your systems up to date; install legitimate security patches.
  4. Review the privacy settings on your social media accounts.
  5. Use strong passwords on all your important accounts.
  6. Enable 2-Factor Authentication whenever possible.
  7. No security system is perfect; assume anything you write or send online may become public.

Read all the details here about each of these points, share this information widely, and take steps today to keep your online activity safe. If you have questions or need help, let us know.

Five Easy Ways to Increase Your Digital Safety & Security TODAY

In a previous blog post, I created a list of a dozen or so things anyone could do to increase their online/digital security.

It’s time to revisit this topic, but this time with a bit more focus. A dozen security tasks seems like a lot, doesn’t it? Well, don’t worry, you can massively increase your own digital security/safety by doing just a few things, so I figured I would just concentrate on five items.

Here are the five that top my list:

  1. Create and use strong passwords for all online accounts and identities. Stop using your birthday, anniversary, dog’s name, and favorite teacher’s last name in your passwords. And stop reusing the same password (or slight variations on the same theme) on all your online accounts (Facebook, online banks, commerce, etc). Instead, use a password manager like 1Password or LastPass – these apps can create and store random, impossible-to-guess passwords. If you want to login somewhere, just have the software feed the username and password to the site, and you’re in. My goal is to never know another password – except for the one that opens up my password manager. That one I keep memorized!
  2. Enable two-factor authentication (2FA) or two-step verification (2SV) everywhere. When you log in to your bank or other important online accounts, you can opt to receive an alphanumeric code via text message. This simple expedient increases your security a lot – think about it: even if hackers do guess or steal your password, they won’t be able to get in without that second code. Getting a text confirmation is an example of 2SV, which is not the same as 2FA. 2FA is when you use your thumbprint, or a code from a secure token in your physical possession as the “second factor” in your login attempt (the “first factor” is your password). Either way, 2SV and 2FA makes it much harder for unauthorized people to get into your most important accounts.
  3. Protect all devices with passcodes, PINs, and passwords. Make sure that all smartphones, laptops, and other computing devices are protected by strong passwords, passcodes, and long PINs (at least 6 digits – and if your devices support alphanumeric PINs then by all means do that too!). That way, if your devices are lost, stolen, or subpoenaed, they won’t automatically be wide open to a stranger’s prying eyes/fingers.
  4. Keep your software and systems up to date. Hollywood movies would have us believe that hackers break into computers using really sophisticated software packages that bypass encryption and defeat firewalls. Not really. The majority of breaches occur because the bad guys detect a completely out-of-date version of an OS or software running on your phone or laptop. The out-of-date version has a well-known security problem, which they use to get into the system – and from there they start to take over that machine or device and then move on to other systems. Keeping your systems updated and patched can be a giant pain, but it’s an essential part of security hygiene.
  5. Be cautious about what you publish on social media. We’ve all gotten pretty used to sharing a lot about our lives: favorite books and movies, photos of family and friends, news about vacations and promotions, photos of social gatherings at favorite haunts. Unfortunately, every post of Facebook, Twitter, Instagram and other services helps to paint a portrait of your interests, routines, and social circle. Any and all of that can be used against you by someone who wants to gain your trust, or exploit your absence (think about all the homes broken into because people post vacation photos while they’re on vacation!). If you can’t lock your accounts or make them private, just be very aware that everything you post on social media is something you are telling the entire world.

Increase Security Awareness: Honeypots

We live in interesting, complex times – and a lot of it is due to the internet. Its power and reach is immense. We use it to organize, to get our message out, and to build movements.

But there are plenty of bad actors out there who want to use the internet’s power against us. In pop culture, you always see the bad guys using really complex code to break into computer systems and databases. In reality, hackers and other bad guys use more straightforward attempts at trickery:

  • They’ll send phishing emails to trick you into changing your password on a site that looks exactly like your bank or email provider.
  • They’ll set up honeypots (i.e., decoys) to trick you into signing up for services that appear legitimate but are actually anything but.
  • There’s lots more besides – like seeding popular websites with malware (this is called a watering hole attack – think all the animals on the savannah going to a watering hole, not knowing a predator lurks nearby). If you visit popular porn sites, for example, beware! You’re likely getting hit with malware. So update your antivirus protection. And if you need information on this, tune in later.

Let’s take the second case here – honeypots. Far-right groups are now setting up websites and online petitions to trick antifa groups (that’s anti-fascist brigades, BTW) into divulging their personal information. This is part of a deliberate campaign being waged to help identify and unmask these people – mostly because antifa has been extremely effective at countering far-right activities.

 

At first glance, these fake online petitions and sites look totally legitimate, down to the URL, which might be something like antifascism.org cited above. Everything about the design, web copy, and stated goals is meant to trick antifa members. Once a member of antifa logs in and signs the petition (often by providing their name and email address) they’ve now set themselves up for doxxing by the groups running the petition.

What is doxxing? It’s the repugnant practice of publishing someone’s information on the internet with the stated goal of harassing them. In the past, doxxing victims have had vital information published: names, home/work addresses, phone numbers, and social security numbers.

In this particular case, the far-right / neo-nazi groups want to doxx antifa to make them personally vulnerable and less effective in their actions.

Okay, so what’s the remedy here?

  1. As always, be aware. Use caution and think twice before committing to any online activity. There’s no need to be so paranoid you don’t log into the internet at all, just be aware of what you’re doing and what’s happening around you.
  2. Specifically, use caution when divulging your contact information anywhere on the internet. Do you know the people setting up the service or petition? If not, do you really want to divulge your personal information?
  3. Consider the creation of a secondary identity to fill in these kinds of forms. Never use your work email/identity, and think twice before using your primary personal one.
  4. Consider the use of Tor browser – it anonymizes your traffic and makes it much harder to identify sites you visit and the activities you engage in on the internet.
  5. Coincidentally, we’ve just published an article on the many Meetups that have recently cropped up claiming to be Indivisible. Just so you know, the Central Texas meetups have not been organized by us – so use caution.

#Resist Meetups and Other Groups

Update: We heard from Meetup.com: they set up all of these groups. Part of their statement:

“#Resist is an extension of the Meetup platform designed to help members
easily find and host Meetup events with a civic engagement focus.”

We weren’t alone in our concerns that 1,000 groups springing up overnight was a Honeypot attempt by people wishing to undermine the Indivisible movement. If you are thinking of organizing from the top down, please be 100% transparent about it. We will assess Meetup’s new toolset. 

Update #2: Here is a link to the Meetup to Resist site.


Today we noticed nearly 1,000 groups pop up on Meetup.com that look a *lot* like Indivisible. The Austin and Central Texas-area Meetup groups are not affiliated with Indivisible Austin or our local district groups.

We know that many groups are excited about using the Indivisible Guide to plan their actions, which is amazing. In the Austin area, our groups are working closely with the guide’s authors, and with the national group.

This movement is mostly decentralized and leaderless, so anyone can start a group if they wish. Still, we encourage you to exercise caution when signing up for a new group. Check this website for information about our affiliations and partnerships (we link to the known district-based groups from the district webpages). It also helps if you know a group’s organizers personally. Ask for a meeting or phone call!

We’ll update this post as we learn more.

How to Customize Signal to Be More Like Slack (and vice-versa)

We posted recently about our concerns with using Slack for team communications.

Here’s the thing: A lot of us love Slack. It is life-changing software that makes team collaboration roughly 1.3 gazillion times easier. And if you’re a geek, the API integrations are heavenly. Slack is great…for work or to organize a neighborhood barbecue.

Slack (and nearly every other piece of cloud-based software) is not so great if you have any concerns about the privacy of your users or the security of your information. Which, as we head in into authoritarian rule, is a concern.

There are more secure Slack alternatives, like Semaphor, which we are exploring. But for now we’re using Signal, which is free and easy to use.

But… Signal is not Slack. It’s much simpler, more like a group-text app, with none of Slack’s bells and whistles or API integrations. So…

To make Signal be more Slack-y, here are some steps you can take:

  1. Disable notifications. Signal is exactly like SMS text messaging, which, if you’ve ever been part of a family group text around the holidays, you know can be annoying. The minute more than six people are in a Signal group, your phone’s buzzing will get out of hand.
  2. Keep groups small. Think of them like Slack channels. Not everyone needs to be in every channel. Also, unlike on Slack, Signal has no group moderation. In other words, you can’t boot people from a group. Another reason to keep groups small and manageable.
  3. Don’t be afraid to create new groups. Just like on Slack, where there’s a Fear of Creating Channels (FoCC), you don’t need to shoehorn conversations into existing groups just because the group was set up that way. Create a new group, even if you’re only going to use it for a day or two. There is no limit to the number of groups you can create.
  4. Use 1-1 communication whenever possible. Not everyone needs to know everything. Just like Slack, Signal is great for private, one-to-one conversations. And don’t forget to set messages to disappear!

Now, because you are probably going to use Slack despite what we recommend, here are some steps to make Slack more Signal-y. 

  1. Admins can set their teams to require two-factor authentication (2FA) for everyone on the team. This is the very first step you need to do when setting up your team. If you are logging into Slack without 2FA, do not participate on that Slack team and notify your admin immediately. This is very basic, Security 101 — but it’s a step toward making Slack more Signal-y.
  2. Set messages to disappear. This feature is configurable at the channel and individual level, and its important that you do this right now. Choose whatever time period makes sense (a day? a week?) for your needs. This is not 100% secure (your messages will still be stored in the cloud somewhere, and presumably available via hacking or subpoena), but at least if someone swipes your phone they can’t search your entire message history.

We’re still exploring these issues and would love your feedback. What security concerns do you have in Trump’s America? What precautions are you taking? Let us know in the comments, or… on Signal.

Why Slack Isn’t Such a Good Idea

Disclaimer: I can’t tell you what to do. I am not dictating a policy here, nor do I have the means to enforce one. This is a discussion of basic security concepts as they apply to Indivisible teams & data and how Slack measures up. It also includes some mitigations to take if you do decide to use Slack.

Anything I say below can be applied to any/all communication technologies and methods: social media, email, signal, slack, face-to-face communication. Please keep our member & leadership data safe in the Era of Trump.

There’s been a lot of talk about using Slack as a communication tool to help keep all of our fast-growing Indivisible teams coordinated and moving forward. Although it has a very shiny interface and is fun and easy to use, it leaves a lot to be desired when it comes to security. In fact, lots of companies are leaping into the space to provide secure chat.

GROAN. YES! I can hear you groaning. “Oh, its the security guy, he’s always the party pooper.” Well guess what, I’m here to give you a few tidbits on security.

Focus on Security Essentials

Let’s think about what is most important to our cause:

  • Our member and leadership data. As in, anything that can personally identify them. Think to yourself, what happens if data about your members or leaders (names, emails, phone numbers, addresses) gets leaked or is hacked?Those people get PERSONALLY affected, is what happens. Think about that for a second. How effective will your teams be if they’re all doxxed? Or if just your leaders are doxxed? Or if people get fired because their Trump-loving boss figures out what they’re doing? Or if someone in a bright Red county loses all their business customers overnight because of a data breach? When you think about risk in this way, things come into sharp focus.
  • Our plans. Think how our adversary could mess with us if they knew what we were about to do. What if you’re planning to show up to a congressperson’s office and do all that planning in an open forum, and then the Congressperson decides to avoid you? And it’s because you talked about your plans on an open channel and all your efforts come to naught.
  • Our ability to coordinate and control effectively. Think about people with bad agendas inserting themselves into conversations. Impersonating users because they stole their passwords and assumed their identities or stolen their devices. Issuing commands to go one place across town when we were supposed be some other place. Or cancelling an event when in fact we were supposed to be there. In an era where Russians have likely hacked our elections, do you think any of this is far fetched? ARE YOU THINKING LIKE A SECURITY PERSON YET?

If you can secure these three aspects of our information security, you can go a long way toward keeping our members and initiatives safe across all of our Indivisible chapters.

The above should form the foundation of how you evaluate security on any platform: texting, email, Signal, Slack, whatever. If you can keep the three aspects of our operations secure, you know you’re on the right track.

So, think this through:

  1. You want your most sensitive data (member information, leadership data, plans) in your most guarded and secret places. That would be Signal for example.
  2. You want action messages and final plans to be on public spaces: blogs, social media, emails, mass texts.
  3. At all times you want to make sure that the person(s) you’re communicating with are actually, for real, the person(s) you intend to communicate with. And not someone who is impersonating them because they stole a password or cloned their phone number.

How Does Slack Rank Security-Wise?

Now that we have some basics down, let’s talk about Slack. It’s so SHINY and PRETTY. But you should know by now that pretty things aren’t necessarily good for you. Let’s see how it stacks up to our three criteria above.

  1. The encryption used on Slack is controlled by Slack. Which means no end-to-end encryption like on Signal. Which means that Slack admins can, according to their privacy rules and their own technical stack, look at your conversations. Even if they aren’t willing to do it, they can be subpoenaed to do so. So this means we can’t keep member/leadership data safe on Slack. Nor can we keep our plans safe on it.
  2. All conversations are kept on their servers. You don’t own those conversations. Slack has the data. In a centralized place. Where hackers can get into it. Which has happened. So, once again, our data is not safe on the platform.
  3. CAN I JUST ALL-CAPS REMIND YOU ALL THIS STUFF ON SLACK CAN BE SUBPOENAED? Okay, let’s see, let me give you an example. Hulk Hogan’s trial against Gawker, paid for by Peter Thiel, WHO IS ON TRUMP’S SIDE. Part of this involved Slack chat messages. Is it safe? Is it secure? NO GANDALF IT IS NOT.

Given all three things above, I’m personally never going to use Slack. There’s no end-to-end encryption, I don’t own the data (which hangs around forever and can be looked at by their admins) and it can all be subpoenaed.

I’m out.

You’re Totally Going to Use Slack, Aren’t You?

Here’s where the real world intrudes. As much as the security guy shouts from the rooftops about something, most people will do their own thing.

It’s okay, security people are used to being ignored until something horrible happens. At which point they can say, “I told you so!” while drinking numerous beers and catching up on favorite episodes of Firefly.

I can’t stop you from using Slack. I also can’t stop you from standing up in the middle of Main Street with a megaphone and telling anyone who cares to listen what our most secret plans are.

So you’re going to use Slack. Great! Here are some things to think about if you so choose to do this thing I’m begging you not to:

  1. Remember that Slack is an open channel. NEVER fully identify a member or leader on there. First names only. NEVER divulge emails or phone numbers. NEVER EVER EVER.
  2. Only use Slack to divulge last-minute coordination efforts, never for planning and discussion. Use Signal and face-to-face meetings for planning. Use Slack, social media,  and email to alert the necessary teams of final decisions.
  3. Turn on 2-factor authentication in Slack (this option was made available because they they were hacked, but okay they took a right step).
  4. Force everyone on your team to use 2-factor authentication. This way you’ll have some assurance you’re talking to the right person. Or at least, a real person. Try googling “how to not get catfished” if you want an entertaining evening.

Okay, that’s it. Go forth and do your thing. Remember to keep yourselves and other members of Indivisible safe!

Using Signal to Communicate Securely

You want to contribute to defeating the Trump agenda, but you don’t know where to start. At the same time, you’re a bit nervous about doing anything in public because, well, let’s face it, Trump seems hell-bent on establishing himself as an autocrat. And we all know how autocrats respond to dissent!

So how does one securely communicate with others who wish to dissent? Certainly not by using social media, email, or texting.

The media are replete with stories about folks who thought they were having private discussions on Twitter, Facebook or other platforms that were in fact, totally public–usually because of a silly user error. Likewise, there are plenty of stories out there about folks whose private communications were subpoenaed or hacked. And we all know what happened to Hillary Clinton’s campaign once the hackers penetrated their emails.

So if you can’t use Twitter or Facebook to organize, and if regular phone calls, emails, and texting are similarly insecure, what tool can you use to securely communicate?

Use Signal!

We suggest you use Signal, a free iOS and Android application made by Whisper Systems. With it, you can securely text, group chat, share videos and documents, and call others via the platform.

Everything is done via end-to-end encryption so Whisper Systems has no visibility into what you’re doing — even if they’re subpoenaed, they have no information to give out. Even the amount of metadata they collect (who participated, when they participated, etc) is severely curtailed.

And by curtailed we mean, they know when you sign up for Signal, and the last time you used it, and that’s about it. For more information, check out this story.

Getting Started

Here’s how to get started:

  1. Download the Signal app onto your phone. (On iOS, you’ll find it in the App Store. Android users can find it on Google Play.)
  2. Once the app is on your phone, sign up by registering your mobile phone number.
  3. They’ll send you a six-digit confirmation code via SMS.
  4. Enter that confirmation code into the app and you’re signed up!
  5. The final step is giving Signal access to your contacts – you’ll need that in order to identify other Signal users.

The first time you open Signal and start a chat or call, you’ll see all the folks from your Contacts who have downloaded Signal. If you don’t have their registered Signal phone number, you won’t see them.

A great tip is to ask folks if they’re on Signal – once they download and register, you can start talking securely.

Here’s a great article on how to use Signal. It’s a great write up by the good folks at EFF.