Digital Security training resources for security trainers, Winter 2017 Edition

Authors:
Rachel Weidinger ( https://twitter.com/rachelannyes )
Cooper Quintin ( https://twitter.com/cooperq )
Martin Shelton ( https://twitter.com/mshelton )
matt mitchell ( https://twitter.com/geminiimatt )

Inspired by: a session & discussion at Aspiration Tech Dev Summit 2016
Document written in: English; translated to: English
First Published: November 18, 2016
Last Updated: January 9, 2017
Expiration Date/Best By: March 2017
License: Digital Security training resources for security trainers, Winter 2016 Edition by Rachel Weidinger, Cooper Quintin, Martin Shelton, matt mitchell is licensed under a Creative Commons Attribution 4.0 International License. This license lets others distribute, remix, tweak, and build upon our work, even commercially, as long as they credit us for the original creation. This is the most accommodating of the Creative Commons licenses offered.

Getting questions about how to increase security? Us too. Right now we could use a lot more security trainers to meet the demand. This post is the first in a series to get you on the path to helping out. The contents are a roundup of security training resources, pulled together to help trainers. These links are current as of mid-November 2016. The links & resources were chosen because of their authors’ balanced approach and use of plain speak over technical jargon.

This post is an answer to the questions: “Where can I get up-to-date security training links? What tools should I use and why?” We hope to address other topics, including ‘things to think about when you are giving a digital security training,’ and go deeper into specifics like opsec in future posts.

The goal of this post is narrow: to provide resources to trainers focused on basic security hygiene, the digital equivalent of doing healthcare by teaching hand washing.

We do not believe that security trainings will fix all of the problems that we face with the political changes in the US & elsewhere. And most of the advice in these guides is built on continued goodwill by the U.S. Government, like allowing strong encryption. However, we believe that operational security advice and computer security tools are still useful in protecting vulnerable communities from some of the dangers that they currently face.

It is organized into three sections:

  • Toolkits that are up to date today
  • How to keep up to date, as a trainer
  • Toolkits that are out of date but still worth reviewing

Have an update to suggest? We’re interested. Send it to one (or all!) of us on twitter. It is our goal to update resources on a quarterly basis, with the next expected update in Spring 2017.

*Toolkits that are up to date today*

There are a lot of resources available online but sadly for many reasons they often fall out of date. Like expired medicine, this can be very dangerous. Below is a list of up to date resources/toolkits that we reviewed for clarity and content.

Tactical Tech’s Training Curriculum (https://twitter.com/info_activism) is a just-released resource for security trainers, with an easy way to create customized curriculum PDFs. You plan your class, pick which modules of learning you want and which workshops you would like your participants to go through, then click PRINT PDF (remember each PDF needs to be printed). As of November 2016 this was just published. protip: This webpage has two scrollbars; use the inner one to scroll down. Click on workshops in the left column, then ‘view the full session’ for any workshop card in the main column, and scroll to the bottom of that card to find links to update yourself. Click on the ‘session breakdown’ tab for examples of how to teach this topic.

Electronic Frontier Foundation (EFF) has a robust series of resources available on Surveillance Self Defense, so many that it can be tricky to navigate. Start by looking at the ‘playlists’ for different types of needs. protip: These pages have a “Last updated:” stamp on the bottom. It is really important that you take that into account, especially for timely things like discussion of hardware, software, & apps. Ideas on approaches and methods have a longer shelf-life. Some pages are from 2016, others from 2014. Here are a few of the most popular pages: Security Starter Pack, Activist or protester?, LGBTQ Youth, Journalist on the move? A great trainer will understand the information in these & how to apply them to different at-risk groups.

Online articles of note. There have been a number of recent pieces on security training:

Don’t panic! Download “A First Look at Digital Security”, Anqi Li & Kim Burton : November 17, 2016 
protip: The authors have a lightweight approach to threat modeling and use of beautifully drawn cartoons to get the point across. They share threat models that others can adopt or apply to their own.

Getting Started With Digital Security, Dia Kayyali : November 16, 2016
protip: There are many “getting started” type guides but this one is from an activists’ point of view and goes over an example of a “threat model” an activist faces. The author offers culturally relevant and specific guidance. The article is great for anyone working with people who document or record abuse. It has a link to the WITNESS library of materials which are translated into 15 languages. Also it has a nice list of training information.

Surveillance Self-Defense Against the Trump Administration, Micah Lee : November 12, 2016
protip: In this post Micah begins with basic recommendations like encrypting your phone, then lays out a very secure workflow for highly technical movement-building organizations & groups. This includes a Tor hidden service (potentially with stealth auth). It is highly technical.

Security Tips Every Signal User Should Know, Micah Lee : July 2, 2016
protip: You may have heard “use signal, use tor” but this article explains a recommended “safest” use of Signal. We couldn’t agree more. It was written before the disappearing messages feature came out, so we recommend you turn that on for all messages so they last at longest a week. Also verification & safety numbers have changed since this article was written. It still is a must read for any Signal user. We look forward to an updated version of this article from Micah Lee.

Chatting in Secret While We’re All Being Watched, Micah Lee : July 14, 2015
protip: This entire article can be summed up by this one sentence from it: “it’s possible to communicate online in a way that’s private, secret and anonymous.” Micah Lee then uses a series of easy-to-follow examples based on Romeo & Juliet to show how. Empowering and well thought out.

Encrypting your Laptop Like You Mean It, Micah Lee : April 27, 2015
protip: The cornerstone of digital safety is hardware encryption/full disk encryption of the devices we use the most, our laptops & phones. Here Micah walks through the options starting with what is already there.

Securing Your Digital Life Like a Normal Person, Martin Shelton : December 14, 2015
protip: The article answers the question, “What can I, Normal Person, do to improve my security?” Covering how to be safer when browsing the web, how to encrypt all things, how to secure logins into social media & web sites, & more.

Surveillance Self Defense for Journalists, The Intercept : January 18, 2017
protip: Adversarial journalism outfit The Intercept has arguably the best infosec/opsec skills of any newsroom. They know that journalists don’t have time to read a long post. This is a fast read that asks reporters to categorize digital safety knowledge (beginner, intermediate, advanced) and gives a prescriptive list of things to do for each level.

@geminiimatt PGP guide to sending & receiving encrypted email from Mac, Windows, & Chromebook without using an email client. Great for gmail.com users, & for passing encrypted messages through Twitter DM or Facebook secure chat!

EFF’s PGP guide using Thunderbird for Windows, Mac, and Linux.

EFF’s guide to using Signal on Android, and on iOS.

Twitter threads of note. Sometimes infosec Twitter has some real gems to share, unfortunately locked behind the walls of Twitter and buried by the latest trending info. We made an effort to avoid anything too opinionated; it is, however, the essence of Twitter, & there may be various ideas expressed as the threads grow. protip: Approach with an open and analytical mind.
Below are two great threads about an important topic, VPNs (virtual private networks):

Nima Fatemi tweet on using: VPNs versus using Tor
Swift On Security tweet about how hard it is to find independent info on VPN providers

*How to keep up to date, as a trainer*

Security is a constantly shifting target. What is useful today will one day be dangerous. Part of setting secure habits is keeping up to date. Here is how we do it:

You can ask questions of the Access Now Digital Security Helpline.

Just send an encrypted email message (that includes your PGP key if it’s not on a key server, so they can write you back).

Follow @geminiimatt’s THE LIST on Twitter for ongoing infosec (information security) community news and updates.

You may have to sift through many differing opinions, large and fragile egos, and historic rivalries. But if you let the noise wash over you, you will eventually find some loose consensus and some gems of wisdom within. Consider it a launching point for further research, discussion, & information.

Read Bruce Schneier’s Blog.

We linked tons of it above, and recommend continuing to read Micah Lee’s work at The Intercept.

Read EFF’s blog.

There are occasionally great pieces written on digital privacy, like this article from Consumer Reports in September of 2016, with many leading minds in digital security lending pro tips. Not everything in the article belongs in a digital security training, but the tips are definitely worth knowing. http://www.consumerreports.org/privacy/66-ways-to-protect-your-privacy-right-now/

Go to security conferences! There are security conferences all over the US and the world that are great resources for staying up to date on the latest info and meeting other hackers and security trainers. Here are some of our favorites: BSIDES, DEFCON, HOPE, CCC, Toor Camp, Dev Summit (where this guide was born), ENIGMA, and finally USENIX CONFS.

Listen to podcasts! There are so many great podcasts on security, but here are a few short and impactful ones for when you want to learn more & keep up to date.

Daily Stormcasts by SANS Internet Stormcasts, 5–10 minutes duration, daily release

The Cyberwire, 60 minutes, daily release

Risky Business, 60 minutes, weekly release

Crypto Gram Security Podcasts, 20 minutes, monthly release

Security Now with Steve Gibson, 2 hours 30 minutes, weekly

The CyberSecurity Podcast by CSM Passcode & New America, 30 minutes, monthly

Down the Security Rabbit Hole, 1 hour, weekly

*Toolkits that are out of date but still worth reviewing*

The nature of security advice is that it changes as we learn new things and new techniques are discovered. Unfortunately this means that many guides end up going out of date if they are not constantly maintained. If you find a guide that is out of date consider contacting the author and asking them to update the guide or take it down. Here are some guides which are out of date but might still be worth updating or reviewing.

Tactical Tech’s Security in a Box is in 15 languages, is four years old, and is no longer frequently maintained. Be careful about recommending anything out of this without looking into it with great care.

A roundup of resources from Level Up, from June 2016.

Frontline Defenders

Thanks for adding to your security training skills.

YOUR AUTHORS: