Current Digital Security Resources

July 2017 Edition

Time flies. Original image: danielhedrick [CC BY-NC 2.0]

Digital technology doesn’t die — it just ages really, really fast. Even the richest digital security resources become quickly out-of-date, and while there are a remarkable number of toolkits and guides for learning digital self-defense, relatively few have information you can use right now. This “meta-guide” highlights current resources, and tips on keeping them timely and relevant.

The following guides and toolkits were included based on a few key requirements: relevance, practical advice, accessible language, clear organization, and of course, up-to-date information. My hope is that the resulting list is rich with knowledge that can be put to work both by experts and non-experts today. I’ve broken up this list into categories based on the intended audience, followed by articles on specific security tools and practices.

Guides for a general audience, or multiple groups

  • (Regularly updated) Surveillance Self-Defense, by the Electronic Frontier Foundation (@EFF). Surveillance Self-Defense is a thorough resource organized into multiple “playlists” of step-by-step guides for several different groups. Each playlist includes a list of modules with information relevant to each group.
  • (Last updated February 2017) A First Look at Digital Security, by Anqi Li & Kim Burton, Access Now (@accessnow). A short, beginner-friendly primer booklet on threat modeling, illustrated through personas for multiple security needs.
  • (Last updated November 2016) The Motherboard Guide to Not Getting Hacked, by Lorenzo Franceschi-Bicchierai (@lorenzoFB) & Joseph Cox (@josephfcox), Vice Motherboard (@motherboard). This introductory article covers the basics of threat modeling, updates, authentication practices, and a dozen general tips for protecting yourself from surveillance or a data breach.
  • (Regularly updated) Securing Your Digital Life Like a Normal Person, by Martin Shelton (@mshelton). A short, beginner-friendly primer covering privacy browser extensions, circumvention tools, disk and communication encryption, and tips for strengthening authentication.
  • (January 2017) 11 tips for Protecting Your Privacy and Digital Security in the Age of Trump, by Olivia Martin (@_olivemartini_). An introduction to digital security with brief descriptions and links to resources on threat modeling, strong authentication, secure communications, device encryption, browser security. The article also includes guidance on update hygiene, VPNs, and phishing.
  • (Regularly updated) A DIY Guide to Feminist Cybersecurity, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). This fairly exhaustive guide covers tools for blocking online tracking, circumvention and anonymity tools, defending against malware, strong authentication practices, privacy on social media, as well as device and communication encryption. Note: There’s a lot of great information for defending against untargeted mass surveillance (e.g., using a VPN) which is not directly related to the threat model outlined.

Resources for journalists

  • (Last updated November 2016) Source Guide to Defending Accounts Against Common Digital Attacks, by Martin Shelton (@mshelton), OpenNews Source (@source). A guide with summaries and links to several resources for defending online accounts from hijacking. The guide includes an overview of newsroom digital security, resources for strengthening authentication, as well as defending against phishing and malware.
  • (April 2014) Security for Journalists (Part 1), by Jonathan Stray (@jonathanstray), OpenNews Source (@source). A beginner-friendly introduction to threat modeling, strengthening authentication, identifying phishing attacks, as well as device encryption. While this resource came out in 2014, its lessons are still applicable today.
  • (July 2016) Digital Self Defense for Journalists: An Introduction, by Martin Shelton (@mshelton), OpenNews Source (@source). This introduction covers the basics of threat modeling, circumvention tools, authentication practices, communication and device encryption, anonymity tools, security-enhancing browser extensions, backups, identifying phishing attacks, and general tips.
  • (July 2016) Digital Security For Freelancers, by Rory Peck Trust (@rorypecktrust). An enormous number of articles written for freelance journalists covering the basics of circumvention tools, social network privacy, communication and device encryption, encrypting files, file metadata, authentication, avoiding malware, and more general advice.
  • (December 2016) Secure Journalism at Protests, by Martin Shelton (@mshelton) & Geoffrey King (@geoffwking). This short guide introduces the basics of risk assessment, communications encryption, the use of secondary devices, securing mobile devices, concerns with live streaming, and face blurring software, as well as physical threats to data and personal safety. The guide also addresses legal concerns and journalists’ rights when covering events, when to talk to a lawyer, and resources for finding pro bono representation.
  • (January 2017) Surveillance Self-Defense for Journalists, by The Intercept (@theintercept). A brief primer with basic, intermediate, and advanced steps for journalists. The guide links to external resources for Signal, privacy-enhancing browser plugins, tools for strengthening authentication, communication encryption and circumvention tools, as well as links to resources on isolating suspicious files with virtual machines and Qubes OS.
  • (January 2017) Journalists in Distress: Securing Your Digital Life, by Canadian Journalists for Free Expression (@canadaCJFE). The guide includes background information describing how data flows online and in mobile networks, as well as information on browser privacy and security, encrypted communications, social media privacy, internet cafe concerns, strong authentication, and information about technical threats from authorities. The guide also includes exhaustive external links for getting help from supportive organizations and external links to additional security resources.
  • (June 2017) Protecting Your Sources When Releasing Sensitive Documents, by Ted Han (@knowtheory) & Quinn Norton (@quinnnorton). The guide introduces common concerns with metadata, printer micro-dots, as well as information deliberately hidden in documents. The guide also walks through some “cleaning” techniques for removing unwanted file metadata and micro-dots.
  • (February 2017) Source Protection in 2017: A Starter Guide, by Quinn Norton (@quinnnorton). The guide introduces some practical security tools and practices for communicating with sources in a way that preserves their anonymity. This includes the basics of choosing appropriate messaging standards, including Jabber for encrypted chats, as well as secure, anonymity-preserving messengers, Ricochet and Cryptocat (when accessed through the Tor anonymity network). The guide also examines differences between end-to-end and server-side encryption in the context of source protection, and more fundamentally, the need to focus on the protection of sources as people with many needs.

Resources for harassment and abuse

Resources for activists and protesters

Resources for security trainers

  • (April 2017) Security Training Resources for Security Trainers, Spring 2017 Edition, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton), matt mitchell (@geminiimatt). A “meta-guide” for finding information on the current state of U.S. digital security training. This is the second release in the quarterly guide (update from Winter 2016).
  • (February 2017) How to Lead a Digital Security Workshop, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton) and matt mitchell (@geminiimatt), via Motherboard. How to get started on digital security training for first-timers. The short guide encourages new and would-be security trainers with some considerations for effective training. These considerations include how to think about practical security advice, planning and logistics, building knowledge, focusing on teaching narrowly-scoped mastery, as well as self-presentation and audience engagement in security trainings.
  • (Regularly updated) Training Curriculum, by Tactical Tech (@info_activism). Tactical Tech’s training curriculum is a new resource for planning lessons in digital security. You can select lesson modules, workshop information, and print out corresponding PDF handouts.
  • (Last updated July 2016) SAFETAG: A Security Auditing Framework and Evaluation Template for Advocacy Groups, by Internews (@internews). A thorough security auditing framework that adapts traditional risk assessment and penetration testing for small non-profit human rights organizations. The guide walks through how auditors can examine how information moves through the organization. This information flow is dependent on the likely involved actors, as well as organizational threats, assets, capacity, activities, vulnerabilities, and barriers to adoption for security practices.
  • (Last updated July 2016) Resources for the Global Digital Safety Training Community, by LevelUp with help from many contributors. An enormous trove of resources on building curricula around digital security and instruction tips.

Resources for lawyers

  • (January 2017) Operational Security for Lawyers, by Ansel Halliburton (@anseljh), Lawyerist (@lawyerist). There aren’t many resources available for lawyers, but this is a good one. The guide covers the basics of threat modeling, strong authentication practices, secure messaging with Signal, anonymous filesharing, and describes many issues with basic email security. The guide also describes the role of other basic practices (e.g., patching) for security hygiene.

Resources for dangerous situations

  • (March 2017) DIY Cybersecurity for Domestic Violence, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including when partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses.
  • (March 2017) Digital Privacy at the U.S. Border, by Sophia Cope (@scopesetic), Amul Kalia (@amullionaire), Seth Schoen, and Adam Schwartz (@Adam_D_Schwartz), Electronic Frontier Foundation (@eff). In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation Part released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range tools you can use to protect yourself, and their constraints.

Guides to specific tools and practices

While many of the above resources are broad overviews or contain many step-by-step guides, other recent resources are narrowly focused on specific tools and practices.

Signal for encrypted messaging and voice calls

  • (Regularly updated) Signal for Beginners, by Martin Shelton (@mshelton). A primer on using Signal for first-timers. The guide covers how to set up the app, the basics of messaging, using the desktop app, making messages disappear, verification methods, as well as potential security weak points.
  • (May 2017) How to Keep Your Chats Truly Private with Signal, by Micah Lee (@micahflee) via The Intercept, A thorough, step-by-step guide on using Signal as securely as possible. The guide includes a short video overview, and information on securing your mobile device, hiding lock screen messages, deleting old messages, exchanging video and photos, group chat, voice and video, adding contacts, verification, and using the desktop app.
  • (November 2015) Signals, Intelligence, by the grugq (@thegrugq). A useful resource for understanding how Signal’s encryption works and the various forms of metadata it exposes in routine use.

WhatsApp for encrypted mobile messaging, voice, and video calls

  • (February 2017) Upgrading WhatsApp Security, by Martin Shelton (@mshelton). A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).

Pretty Good Privacy (PGP) email encryption

  • (June 2016) PGP Guide for Thunderbird + Enigmail for Windows, Mac, and Linux by Tactical Tech (@info_activism) and Front Line Defenders (@FrontLineHRD). A step-by-step resource for setting up PGP email encryption using GPG alongside the Thunderbird email client with the Enigmail plugin.
  • (Regularly updated) PGP Guide, by matt mitchell (@geminiimatt). A step-by-step resource for setting up PGP encryption using the GPG binary. This approach guides new users to understand how the encryption works, and how to use GPG anywhere — not just email (e.g., Twitter DMs, Facebook).

Password managers

Anti-phishing

  • (Last updated December 2016) Anti-phishing and Email Hygiene, by Harlo Holmes (@harlo), Freedom of the Press Foundation. This guide covers threat modeling, authentication practices, as well as common phishing tactics and how to avoid them.

Two-factor authentication

  • (Regularly updated) Two Factor Auth, by Josh Davis (@HopefulJosh) and dozens of contributors. Two Factor Auth is a list of popular websites, and information on whether they support two-factor authentication. It offers links with instructions for setting up two-factor authentication on each web service.
  • (May 2017) Two-Factor Authentication for Newsrooms, by Martin Shelton (@mshelton). This guide examines how to use two-factor authentication by breaking it down into multiple methods, and walking through how to set it up, using Gmail as one example. It also describes some considerations for its use in a team setting.
  • (July 2017) Why you need a security key for Gmail, by Pinboard (@Pinboard). Complete with screenshots, this step-by-step guide demonstrates how to set up two-factor authentication with a security key (using a Yubikey) for your Google account.

Virtual Private Networks

Laptop encryption

  • (Last updated May 2015) Encrypting your laptop like you mean it, by Micah Lee (@micahflee). A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.

Slightly less up to date, but worth reviewing

It’s an older guide, but it checks out.

Guides for a general audience, or multiple groups

  • (Last updated September 2016) The Digital First Aid Kit, a collaboration between several digital rights organizations and individual security specialists. Note: Only minor changes are needed here (e.g., TextSecure + Redphone are now just Signal for Android).

Resources for journalists

Resources for activists and human rights defenders

Resources for security trainers

  • (March 2014) SaferJourno: Digital Security Resources for Media Trainers, by Internews (@internews).
  • (August 2013) Security Training Curricula, by eQualit.ie (@eQualitie). This guide provides general tips and resources (e.g., a pre-training questionnaire) for leading digital security trainings. Focusing on Windows, it also offers resources for teaching about password security, how the internet works, SSL, secure communications, disk encryption, secure deletion, as well as anonymity and circumvention tools. Available in English and Russian.

Resources for specific tools and practices

  • (July 2016) Security Tips Every Signal User Should Know, by Micah Lee (@micahflee) via The Intercept. Covers tips for securing your device, setting screen locks, verification methods, as well as archiving and deleting messages. Note: This guide is fairly current, with some exceptions (e.g., Signal has transitioned to “safety numbers” instead of fingerprints for verification; separate voice verification has been phased out.)

Keeping it real, current

There are many excellent guides available today, and even security professionals can have a tough time keeping up. Many of the guides are clearly one-time articles, but for some, it’s unclear whether they intend to stay updated. When I could not find information about when each guide was updated, I reached out to many of the groups who developed these resources.

We can do better. If we don’t want new learners to be misled about the relevance of the information, we should try to be transparent about the timeliness of our security resources.

When developing security resources, we should aim to…

  • Be clear about when the guide has been updated (e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated), and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub.
  • Be transparent if the information is expected to get out of date. There are many ways to do that. (e.g., matt mitchell uses “best by” dates.)
  • Be clear about the level of commitment to updating the information. In some cases, it’s fairly clear that the document will not be updated (e.g., in large news publications), but often our commitment to keeping guides updated is not clear to the unfamiliar reader.

What do you think?

It’s likely there are other great resources to add. Did I forget something? Have an update to suggest that meets all of the same requirements as I outlined above? Reach out on Twitter at @mshelton or one of several encrypted channels.

Thanks for all the hard work from everyone who teaches, demonstrates, builds software, or publishes to defend safe access to information. ❤

Last updated July 22, 2017.