Current Digital Security Resources
May 2017 Edition
Digital technology doesn’t die — it just ages really, really fast. Even the richest digital security resources become quickly out-of-date, and while there are a remarkable number of toolkits and guides for learning digital self-defense, relatively few have information you can use right now. This “meta-guide” highlights current resources, and tips on keeping them timely and relevant.
The following guides and toolkits were included based on a few key requirements: relevance, practical advice, accessible language, clear organization, and of course, up-to-date information. My hope is that the resulting list is rich with knowledge that can be put to work both by experts and non-experts today. I’ve broken up this list into categories based on the intended audience, followed by articles on specific security tools and practices.
Guides for a general audience, or multiple groups
- (Regularly updated) Surveillance Self-Defense, by the Electronic Frontier Foundation (@EFF). Surveillance Self-Defense is a thorough resource organized into multiple “playlists” of step-by-step guides for several different groups. Each playlist includes a list of modules with information relevant to each group.
- (Last updated February 2017) A First Look at Digital Security, by Anqi Li & Kim Burton, Access Now (@accessnow). A short, beginner-friendly primer booklet on threat modeling, illustrated through personas for multiple security needs.
- (Last updated November 2016) The Motherboard Guide to Not Getting Hacked, by Lorenzo Franceschi-Bicchierai (@lorenzoFB) & Joseph Cox (@josephfcox), Vice Motherboard (@motherboard). This introductory article covers the basics of threat modeling, updates, authentication practices, and a dozen general tips for protecting yourself from surveillance or a data breach.
- (Regularly updated) Securing Your Digital Life Like a Normal Person, by Martin Shelton (@mshelton). A short, beginner-friendly primer covering privacy browser extensions, circumvention tools, disk and communication encryption, and tips for strengthening authentication.
- (January 2017) 11 tips for Protecting Your Privacy and Digital Security in the Age of Trump, by Olivia Martin (@_olivemartini_). An introduction to digital security with brief descriptions and links to resources on threat modeling, strong authentication, secure communications, device encryption, browser security. The article also includes guidance on update hygiene, VPNs, and phishing.
- (Regularly updated) A DIY Guide to Feminist Cybersecurity, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). This fairly exhaustive guide covers tools for blocking online tracking, circumvention and anonymity tools, defending against malware, strong authentication practices, privacy on social media, as well as device and communication encryption. Note: There’s a lot of great information for defending against untargeted mass surveillance (e.g., using a VPN) which is not directly related to the threat model outlined.
Resources for journalists
- (Last updated November 2016) Source Guide to Defending Accounts Against Common Digital Attacks by Martin Shelton (@mshelton), OpenNews Source (@source). A guide with summaries and links to several resources for defending online accounts from hijacking. The guide includes an overview of newsroom digital security, resources for strengthening authentication, as well as defending against phishing and malware.
- (April 2014) Security for Journalists (Part 1), by Jonathan Stray (@jonathanstray), OpenNews Source (@source). A beginner-friendly introduction to threat modeling, strengthening authentication, identifying phishing attacks, as well as device encryption. While this resource came out in 2014, its lessons are still applicable today.
- (July 2016) Digital Self Defense for Journalists: An Introduction, by Martin Shelton (@mshelton), OpenNews Source (@source). This introduction covers the basics of threat modeling, circumvention tools, authentication practices, communication and device encryption, anonymity tools, security-enhancing browser extensions, backups, identifying phishing attacks, and general tips.
- (July 2016) Digital Security For Freelancers, by Rory Peck Trust (@rorypecktrust). An enormous number of articles written for freelance journalists covering the basics of circumvention tools, social network privacy, communication and device encryption, encrypting files, file metadata, authentication, avoiding malware, and more general advice.
- (December 2016) Secure Journalism at Protests, by Martin Shelton (@mshelton) & Geoffrey King (@geoffwking). This short guide introduces the basics of risk assessment, communications encryption, the use of secondary devices, securing mobile devices, concerns with live streaming, and face blurring software, as well as physical threats to data and personal safety. The guide also addresses legal concerns and journalists’ rights when covering events, when to talk to a lawyer, and resources for finding pro bono representation.
- (January 2017) Surveillance Self-Defense for Journalists, by The Intercept (@theintercept). A brief primer with basic, intermediate, and advanced steps for journalists. The guide links to external resources for Signal, privacy-enhancing browser plugins, tools for strengthening authentication, communication encryption and circumvention tools, as well as links to resources on isolating suspicious files with virtual machines and Qubes OS.
- (January 2017) Journalists in Distress: Securing Your Digital Life, by Canadian Journalists for Free Expression (@canadaCJFE). The guide includes background information describing how data flows online and in mobile networks, as well as information on browser privacy and security, encrypted communications, social media privacy, internet cafe concerns, strong authentication, and information about technical threats from authorities. The guide also includes exhaustive external links for getting help from supportive organizations and external links to additional security resources.
Resources for harassment and abuse
- (Last updated April 2016) Zen and the Art of Making Tech Work for You, by Tactical Tech (@info_activism). An exhaustive community-built resource on digital security especially for women and trans activists. Covers doxing, managing online identities, compartmentalization practices, safe online and offline spaces, as well as collaboration tools.
- (Regularly updated) Crash Override Network Resource Center, by Crash Override (@CrashOverrideNW). A gateway to several security guides on account authentication, preventing doxing, and what to do if it happens to you.
- (Last updated May 2016) Speak Up & Stay Safe(r): A Guide to Protecting Yourself From Online Harassment, by Feminist Frequency (@femfreq). A thorough guide describing tactics for combating doxing, privacy on social media and gaming platforms, compartmentalization practices, strengthening authentication security, personal website security, physical mail privacy, and related advice.
- (Regularly updated) Privacy Guide for Activists with Haters, by Kathy Levinson. A brief resource covering standard anti-doxing and authentication tactics, as well as responding to emergencies when targeted for harassment by large groups.
- (Regularly updated) Online Harassment Resources, by Heartmob (@theheartmob). Guides with information on countering doxing, strengthening social media privacy and account authentication, legal support, as well as organizational support and self-care resources.
- (October 2016) Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment, by Alice Marwick (@alicetiara), Lindsay Blackwell (@linguangst), & Katherine Lo (@lawlkat), Data & Society (@datasociety). Covers how university faculty, advisors, and researchers should respond to online harassment when conducting sensitive work. The document also provides several tips for emotional support, defending against doxing, authentication practices, privacy in social media accounts, and defending against phishing.
Resources for activists and protesters
- (November 2016) Getting Started with Digital Security: Tips and Resources for Activists by Dia Kayyali (@DiaKayyali). This guide thoughtfully covers the basics of threat modeling, and contains links to several resources for digital-self defense for activists and filmmakers.
- (Last updated November 2016) Digital Security Tips for Protesters by Bill Budington (@legind), EFF (@EFF). Several tips for securing your devices and communications, as well as avoiding digital and physical surveillance when attending protests.
- (November 2016) How journalists and activists can identify and counter physical surveillance, by Rory Byrne (@roryireland), Security First (@_SecurityFirst). Covers the tell-tale signs you’re being watched in public spaces, what to look out for, and various potential responses.
- (August 2016) A Guide To Online Security For Activists, by Jillian York (@jilliancyork), Electronic Intifada (@intifada). Inspired by the growth of digital threats to boycott, divestment, and sanctions movements, this guide covers the basics of defending websites from DDoS attacks, surveillance of mobile communications and social networks, as well as avoiding malware.
- (Regularly updated) Privacy Guide for Activists with Haters, by Kathy Levinson. Covers standard anti-doxing and authentication tactics, as well as responding to emergencies when targeted for harassment by large groups.
- (Regularly updated) A Library of Free Resources for Video Activists, Trainers and Their Allies, by WITNESS (@witnessorg). Dozens of detailed videos and illustrated guides covering the security of recording devices, as well as techniques for recording interviews, production, and archiving videos. WITNESS also offers practical advice on reporting on sensitive or hostile environments.
Resources for security trainers
- (April 2017) Security Training Resources for Security Trainers, Spring 2017 Edition, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton) and matt mitchell (@geminiimatt). A “meta-guide” for finding information on the current state of U.S. digital security training. This is the second release in the quarterly guide (update from Winter 2016).
- (February 2017) How to Lead a Digital Security Workshop, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton) and matt mitchell (@geminiimatt), via Motherboard. How to get started on digital security training for first-timers. The short guide encourages new and would-be security trainers with some considerations for effective training. These considerations include how to think about practical security advice, planning and logistics, building knowledge, focusing on teaching narrowly-scoped mastery, as well as self-presentation and audience engagement in security trainings.
- (Regularly updated) Training Curriculum, by Tactical Tech (@info_activism). Tactical Tech’s training curriculum is a new resource for planning lessons in digital security. You can select lesson modules, workshop information, and print out corresponding PDF handouts.
- (Last updated July 2016) SAFETAG: A Security Auditing Framework and Evaluation Template for Advocacy Groups, by Internews (@internews). A thorough security auditing framework that adapts traditional risk assessment and penetration testing for small non-profit human rights organizations. The guide walks through how auditors can examine how information moves through the organization. This information flow is dependent on the likely involved actors, as well as organizational threats, assets, capacity, activities, vulnerabilities, and barriers to adoption for security practices.
- (Last updated July 2016) Resources for the Global Digital Safety Training Community, by LevelUp with help from many contributors. An enormous trove of resources on building curricula around digital security and instruction tips.
Resources for lawyers
- (January 2017) Operational Security for Lawyers, by Ansel Halliburton (@anseljh), Lawyerist (@lawyerist). There aren’t many resources available for lawyers, but this is a good one. The guide covers the basics of threat modeling, strong authentication practices, secure messaging with Signal, anonymous filesharing, and describes many issues with basic email security. The guide also describes the role of other basic practices (e.g., patching) for security hygiene.
Resources for dangerous situations
- (March 2017) DIY Cybersecurity for Domestic Violence, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including when partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses.
- (March 2017) Digital Privacy at the U.S. Border, Sophia Cope (@scopesetic), Amul Kalia (@amullionaire), Seth Schoen, and Adam Schwartz (@Adam_D_Schwartz), Electronic Frontier Foundation (@eff). In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation Part released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range tools you can use to protect yourself, and their constraints.
Guides to specific tools and practices
While many of the above resources are broad overviews or contain many step-by-step guides, other recent resources are narrowly focused on specific tools and practices.
Signal for encrypted messaging and voice calls
- (Regularly updated) Signal for Beginners, by Martin Shelton (@mshelton). A primer on using Signal for first-timers. The guide covers how to set up the app, the basics of messaging, using the desktop app, making messages disappear, verification methods, as well as potential security weak points.
- (May 2017) How to Keep Your Chats Truly Private with Signal, by Micah Lee (@micahflee) via The Intercept, A thorough, step-by-step guide on using Signal as securely as possible. The guide includes a short video overview, and information on securing your mobile device, hiding lock screen messages, deleting old messages, exchanging video and photos, group chat, voice and video, adding contacts, verification, and using the desktop app.
- (November 2015) Signals, Intelligence, by the grugq (@thegrugq). A useful resource for understanding how Signal’s encryption works and the various forms of metadata it exposes in routine use.
WhatsApp for encrypted mobile messaging, voice, and video calls
- (February 2017) Upgrading WhatsApp Security, by Martin Shelton (@mshelton). A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).
Pretty Good Privacy (PGP) email encryption
- (June 2016) PGP Guide for Thunderbird + Enigmail for Windows, Mac, and Linux by Tactical Tech (@info_activism) and Front Line Defenders (@FrontLineHRD). A step-by-step resource for setting up PGP email encryption using GPG alongside the Thunderbird email client with the Enigmail plugin.
- (Regularly updated) PGP Guide, by matt mitchell (@geminiimatt). A step-by-step resource for setting up PGP encryption using the GPG binary. This approach guides new users to understand how the encryption works, and how to use GPG anywhere — not just email (e.g., Twitter DMs, Facebook).
- (Last updated November 2016) Password Managers for Beginners, by Martin Shelton (@mshelton). A beginner-friendly guide describing why password managers are useful, branching into three step-by-step guides for getting started with 1Password, LastPass, and KeePass.
- (Last updated December 2016) Anti-phishing and Email Hygiene, by Harlo Holmes (@harlo), Freedom of the Press Foundation. This guide covers threat modeling, authentication practices, as well as common phishing tactics and how to avoid them.
- (Regularly updated) Two Factor Auth, by Josh Davis (@HopefulJosh) and dozens of contributors. Two Factor Auth is a list of popular websites, and information on whether they support two-factor authentication. It offers links with instructions for setting up two-factor authentication on each web service.
- (May 2017) Two-Factor Authentication for Newsrooms, by Martin Shelton (@mshelton). This guide examines how to use two-factor authentication by breaking it down into multiple methods, and walking through how to set it up, using Gmail as one example. It also describes some considerations for its use in a team setting.
Virtual Private Networks
- (June 2016) The Impossible Task of Creating a “Best VPNs” List Today, by Yael Grauer (@yaelwrites). This article lays out the many, many issues with choosing a VPN, including logging, using preshared keys, and outdated encryption protocols.
- (March 27, 2017) The Motherboard Guide to VPNs, by Lorenzo Franceschi-Bicchierai (@lorenzoFB), Vice Motherboard (@motherboard). The basics of choosing a VPN, and a few practical recommendations for specific VPNs.
- (Last updated May 2015) Encrypting your laptop like you mean it, by Micah Lee (@micahflee). A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.
Slightly less up to date, but worth reviewing
It’s an older guide, but it checks out.
Guides for a general audience, or multiple groups
- (Last updated September 2016) The Digital First Aid Kit, a collaboration between several digital rights organizations and individual security specialists. Note: Only minor changes are needed here (e.g., TextSecure + Redphone are now just Signal for Android).
Resources for journalists
- (May 2016) Information Security for Journalists, by Silkie Carlo (@silkiecarlo) & Arjen Kamphuis (@ArjenKamphuis), the Center for Investigative Journalism (@cijournalism). This guide focuses on security concerns for investigative journalists, particularly those with sophisticated attackers. This guide examines threat modeling, hardware security, enhancing operating system security (e.g., with TAILS), disk and communications encryption (e.g., PGP and OTR), file data and metadata, browser privacy tools, circumvention software, and strong password practices. Note: Only minor changes are needed (e.g., Jitsi is now well developed as a standalone client, and a web service).
- (June 2014) Digital Security & Source Protection for Journalists, Susan E. McGregor (@susanemcg).
- (August 2014) Security for Journalists (Part 2), by Jonathan Stray (@jonathanstray), OpenNews Source (@source).
- (January 2015) Journalist Security Guide: Technology Security, by the Committee to Protect Journalists. Note: This resource is part of a larger guide covering physical, legal, and a wide range of other concerns for journalists.
Resources for activists and human rights defenders
- (Some is current, some needs an update) Security in-a-Box: Tools and Tactics for Digital Security, by Tactical Tech (@info_activism) and Front Line Defenders (@FrontLineHRD). Security in-a-box offers articles on understanding digital security threats and defenses broadly (“tactics”) as well as an enormous number of step-by-step guides for using dozens of digital security tools.
- (Date unclear) Digital Security First Aid Kit for Human Rights Defenders, by the Association for Progressive Communications (@APC_News). This resource uses a visual map to highlight a wide range of digital security concerns, and connected areas of interest.
Resources for security trainers
- (March 2014) SaferJourno: Digital Security Resources for Media Trainers, by Internews (@internews).
- (August 2013) Security Training Curricula, by eQualit.ie (@eQualitie). This guide provides general tips and resources (e.g., a pre-training questionnaire) for leading digital security trainings. Focusing on Windows, it also offers resources for teaching about password security, how the internet works, SSL, secure communications, disk encryption, secure deletion, as well as anonymity and circumvention tools. Available in English and Russian.
Resources for specific tools and practices
- (July 2016) Security Tips Every Signal User Should Know, by Micah Lee (@micahflee) via The Intercept. Covers tips for securing your device, setting screen locks, verification methods, as well as archiving and deleting messages. Note: This guide is fairly current, with some exceptions (e.g., Signal has transitioned to “safety numbers” instead of fingerprints for verification; separate voice verification has been phased out.)
Keeping it real, current
There are many excellent guides available today, and even security professionals can have a tough time keeping up. Many of the guides are clearly one-time articles, but for some, it’s unclear whether they intend to stay updated. When I could not find information about when each guide was updated, I reached out to many of the groups who developed these resources.
We can do better. If we don’t want new learners to be misled about the relevance of the information, we should try to be transparent about the timeliness of our security resources.
When developing security resources, we should aim to…
- Be clear about when the guide has been updated (e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated), and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub.
- Be transparent if the information is expected to get out of date. There are many ways to do that. (e.g., matt mitchell uses “best by” dates.)
- Be clear about the level of commitment to updating the information. In some cases, it’s fairly clear that the document will not be updated (e.g., in large news publications), but often our commitment to keeping guides updated is not clear to the unfamiliar reader.
What do you think?
It’s likely there are other great resources to add. Did I forget something? Have an update to suggest? Reach out on Twitter at @mshelton or one of several encrypted channels. You can also look at this document’s history or suggest edits here. I intend to update it regularly.
This document was inspired by conversations on Tinfoil.press, where we’ve gathered dozens of security resources. I also want to highlight the security training resource guide by Rachel Weidinger, Cooper Quintin, and matt mitchell that first appeared in late 2016, calling out the need for up-to-date information for security practitioners in these unusual times. Thanks for all the hard work from everyone who teaches, demonstrates, builds software, or publishes to defend safe access to information. ❤
Last updated May 17, 2017.