Skip Navigation

PSA: be careful with the orgs you join

https:// twitter.com /abolishnato/status/1762158199304528019

this is frankly really scary. if you're in a socialist org, please make sure that they're not so lax with security like this. also, why the actual fuck are they using google products. we are fucking doomed here in the west man. To be clear I think this is probably more on the local chapter of your org than the national org, but even then I really think national orgs need to be giving out a lot more training about this kind of thing, and quite frankly booting out the leadership of local chapters if they're lax like this.

tweet text here

PSL security culture: I left almost a year ago, their members locally know I don’t like them, but I’m still in some shared folder where I can see sensitive event and recruiting information

I highly recommend to the people joining orgs to take serious steps and ask questions around security. What if this got into the wrong hands? Out of courtesy I’m censoring the names. I have plenty more screenshots of events in case they try to refute this but I recommend they just hold this L quietly

*4 images showing proof

25
25 comments
  • I think they need us terminally online selfhoster Linux tankies to help them in this regard

    68
  • The local socialist org where I live collaborates on Google docs. It's cringe.

    39
    • We wrote our party program with it from start to finish lol. I've given up on trying to talk about security.

      21
  • I don't know. You can waste a lot of effort on convincing people of the need for security, establishing significant security, not weirding people out in the process, and actually sticking to it, only to find out that it's not as good as you think/it's yet another program with some sketchy back door built in. Or you do everything right and there's a fed in your group in person, a tactic they've used for at least a century. Or there isn't, but a serious adversary can piece together who's in the group and when you're meeting based on public posts and phone data.

    This isn't saying orgs should take zero steps on information security, more that you're never going to be able to hide a domestic political group from the U.S. government. Expect leaks and wreckers from the start and you can set up ways to minimize their harm.

    29
    • copying a comment i made further down:

      I understand that people use the google stuff because of how easy it is. Obviously the most sensitive stuff should be kept person to person and not put on the computer, but even with less sensitive information i think we should be doing better than potentially offering up all that info to the feds for essentially free, make them commit resources to infiltrate our groups, not just work with google real quick to get access to whatever they need. Even if our solutions are somewhat clunky, we should 100% be willing to put the time/resources into training people to be tech literate enough to use them. My point here is that we shouldn't be making it as easy as possible for feds to infiltrate, make them expend more resources by trying to turn informants or even having to insert actual agents

      13
  • What would be an alternative to Google's spreadsheets? Best thing I can think of is a Nextcloud deployment. I would just prefer to host this kind of shit in a private git repository somewhere but of course that would understandably not fly with 99% of the people.

    24
    • There are free NextCloud providers. CryptPad also seems promising and can also be self-hosted. I can't think of any good reason to use Google Drive/Sheets/... aside from a short adjustment period when switching to an E2EE equivalent

      22
    • Someone that works for whatever org you work with owns a domain. Make it run by the org. You can make nextcloud have logins for your known members to see sensitive data.

      18
    • im not exactly sure either. In this case, I dont even know why you need a spread sheet for this case exactly (in one of the screenshots it looks like they just had who was responsible for what during an event?). I understand that is 100% why people use them, the ease of use, but we need to come up with better solutions imo. Obviously the most sensitive stuff should be kept person to person and not put on the computer, but even with less sensitive information i think we should be doing better than potentially offering up all that info to the feds for essentially free, make them commit resources to infiltrate our groups, not just work with google real quick to get access to whatever they need. Even if our solutions are somewhat clunky, we should 100% be willing to put the time/resources into training people to be tech literate enough to use them

      16
  • Definitely, I was in PCUSA for a few months and they acted like feds. I’m almost worried what my info could be done with by them.

    24
  • The security concern is understandable and we should take necessary measures and keep important things between trusted people in real life, but we need to be honest with ourselves that we are under surveillance at all times anyways.

    We've expressed more than communist sympathies online and in real life. We are high on the watch list (that literally everyone is on anyways).

    Organizing definitely has pig and fed supervision and even infiltration. You should assume there is someone untrustworthy around you at all times.

    But this does not mean we stop organizing, or slow down, or cower. If we have this weird pursuit of perfect privacy, we will do absolutely nothing. Because it doesn't exist.

    At some point we need to break through this fear of "getting got" because of bad security and recognize that it doesn't take anything for the feds and pigs to do terrible things anyways. If you're actually organizing in real life, if you're actually active, you're eventually going to need to be clear on your goals. And that right there blows your "security".

    If we are too scared to put ourselves in ANY amount of danger just through supervision, how do you expect us to actually carry a revolution forward?

    I'd ask you all to consider the concept of revolutionary suicide, or at the very least, revolutionary sacrifice. It's true, engaging in this may lead us to prison or death. And no amount of security is going to prevent that from happening when the going gets going. Is that worth it to you? Do you have the drive to live a life free that is so strong you'd give up everything for it? I say this not as a finger pointing or "you're weak" thing, but a genuine question. I don't blame you if the answer is no.

    Once again, before I get crucified, I am not advocating against basic security measures to filter out feds and keep classified information in the hands of trusted people. I am pushing back at the overall theme I see specifically with online lefties that prioritizes security so heavily that we can't share our names or general locations with these established orgs as if the feds don't have this already. I'm pushing back against the overwhelming fear some people seem to have (justifiably) because we don't need that right now. We need resistance. And that is dangerous.

    19
    • physical location is most needed to be kept safe from right wing local stochastic terrorists rather than feds at least, you're right about that. The big thing here, that i more meant to focus on, is that they let some random person who left the party get access to sensitive information for months, that is extremely bad, just because I might be on a fed list somewhere, doesn't mean i want to be doxxed by a bitter former party member and face repercussions from anticommunist locals. I advocate for keeping the most sensitive information (like if your group is going to go sabotage something, etc.) off of computers and kept person to person anyways

      I’d ask you all to consider the concept of revolutionary suicide, or at the very least, revolutionary sacrifice. It’s true, engaging in this may lead us to prison or death. And no amount of security is going to prevent that from happening when the going gets going. Is that worth it to you? Do you have the drive to live a life free that is so strong you’d give up everything for it? I say this not as a finger pointing or “you’re weak” thing, but a genuine question. I don’t blame you if the answer is no.

      great thing we should all be considering, but one I'm not sure you can truly answer until the feds have got you in a jail cell threatening you with life if you dont betray your comrades to become their informant (as an example of extreme situation). I think I'm ok with it, but am I actually? we will see.

      5
      • First part makes definite sense. Completely unacceptable to have that kind of thing just laying around for anyone, especially considering the pettiness that is sometimes present within leftist organizing lol.

        Last part also good point. Yeah, I mean, shit we don't really know until we are there. But I think we can get more and more of an idea and closer to saying yes as we get more involved in this organizing. We are in danger for before the feds have us in the cell. But yet we continue. That to me signals something brave

        3
  • https://lemmygrad.ml/comment/3730331

    This is my comment made a bit earlier to encourage tech literate comrades to join their local org as they can help improve their IT infrastructure and opsec.

    https://twitter.com/hornetnezt/status/1762437507675779517

    I do agree with this person. I think this would have been handled better privately even though this info is helpful. In the pre-branch I am in, we do take opsec seriously and want to find alternatives to improve our security. I'm sure other local branches would be open to change if more IT comrades joined and made their voice heard.

    I believe PSL worked with tools that were most convenient and accessible to them at the time. Plus, while I hate big tech tools and prefer self-hosted solutions, the security of Google, Microsoft, and other mainstream products is nothing to scoff at (ignoring backdoors built in for the feds), though your privacy goes down the drain. PHP originally self-hosted their git repository and had to migrate to their mirror on GitHub after they were compromised.

    Time is of the essence to build class consciousness among the proletariat. We have been raising awareness of the genocide in Palestine, and I don't believe our organization is working in vain by running a campaign and accruing members and resources. Our current campaign isn't simply to win office. Of course there's extremely little chance we will win. The campaign is an invitation for workers to join a communist organization to fight for a better world, and the presidential election is definitely not a time to be quiet as more people are paying attention to politics now. Revolution is not going to happen overnight, and we are still in early stages of emerging in the US.

    13
    • I do agree with this person. I think this would have been handled better privately even though this info is helpful. In the pre-branch I am in, we do take opsec seriously and want to find alternatives to improve our security. I’m sure other local branches would be open to change if more IT comrades joined and made their voice heard.

      I think you're a little too biased as a PSL member. quite frankly they had almost a year to notice this themselves, and speaks to an extreme problem with that local chapter that needs to be spoken about publicly. I'm not in PSL so I can't say what national does about this kind of thing but the leadership of that chapter needs to be reprimanded or even be forced to step down imo. Does national provide training for this kind of thing?

      2
      • Hey, I am just as critical in regards to security and socialist parties including my own, and I do want the party to improve on their opsec and prioritize open source, self-hosted, and encrypted/sandboxed/etc. tools, but blasting this onto twitter without the party's consent isn't very responsible. I don't know if you are the same user as the one on twitter, but I do apologize for the experience and this is something I believe the local chapter as well as the national party should improve upon. I joined the party with the goal to contribute my IT skills to make the party more secure.

        I'm still a bit new and still learning, and I am being careful about not sharing internal only information, but locally we do work on different trainings, and I may be helping organize one related to security. We need more IT comrades to help with the party in order to realize changes to our technical infrastructure, especially when we become larger and reach later stages of organizing and begin shining in the surveillance industrial complex's radar. Simply slandering the organization by posting internal information does not help, especially for this issue regarding a hole in their security.

        7
  • Holy fuck

    13
  • Maybe making physical spreadsheets would be better? Idk tho

    9
  • Our local PSL chapter used a private Nextcloud instance for most organizing efforts. For what it's worth, PSL national did start up an IT security protocol that chapters were supposed to be moving towards, with detailed guides for setting up various online infrastructure in a secure way. Out of all the socialist orgs I've been a member of, the PSL has ultimately been the one most interested in tightening digital security. DSA is Google Docs central (and Slack). SRA is Discord all the way down.

    7
  • You're blowing a small mistake up into something. As a PSL member (I've been in for a few months, I'm not brainwashed or anything, I just understand how things work on the inside):

    The PSL broadly does not engage in covert illegal actions, and the branches that may have tighter security. The stuff in the broadly accessible parts of the Google Drive is sometimes sensitive, but not secret. We're talking meeting notes and pics of events, not addresses and SSNs of members.

    The PSL expects members (with some exceptions, such as undocumented immigrants) to be public with their membership with their real name. There is no such thing as doxxing a PSL member (aside from posting addresses/SSNs/etc.) because our names and affiliations with the party eventually become a matter of public record anyways.

    Yes, they should have had tighter security. No, the leadership of the branch does not need to step down lmao. PSL branches are, like 90% of lefty orgs out there, 3-5 volunteers actually doing work and organizing stuff while the other 10-20 occasionally attend events and meetings.

    I've seen so many projects by other orgs fail due to overzealous security culture; jumping from telegram channel to signal group and constantly losing people every step of the way, no one using their real names and constantly changing their alias. Nothing actually gets done.

    I think the PSL strikes a good balance of security with ease of access. Most branches don't need the opsec of an insurgency cell. We're just organizing protests and hosting educational events. It doesn't really matter if some details get public.

    5
    • I’m not brainwashed or anything,

      brainwashing isnt real. but you are biased as a member, I'm glad this isn't a big deal for you. It is, for me.

      I’ve seen so many projects by other orgs fail due to overzealous security culture; jumping from telegram channel to signal group and constantly losing people every step of the way, no one using their real names and constantly changing their alias. Nothing actually gets done.

      good thing that's not what im advocating for then!

      PSL branches are, like 90% of lefty orgs out there, 3-5 volunteers actually doing work and organizing stuff while the other 10-20 occasionally attend events and meetings.

      eventually these branches are going to have to grow, i think this is a terrible argument against why leadership should step down, just stick with you think it's not a big deal, not that the branches are small.

      1
You've viewed 25 comments.