Current Digital Security Resources

April 2017 Edition

Time flies. Original image: danielhedrick [CC BY-NC 2.0]

Digital technology doesn’t die — it just ages really, really fast. Even the richest digital security resources become quickly out-of-date, and while there are a remarkable number of toolkits and guides for learning digital self-defense, relatively few have information you can use right now. This “meta-guide” highlights current resources, and tips on keeping them timely and relevant.

The following guides and toolkits were included based on a few key requirements: relevance, practical advice, accessible language, clear organization, and of course, up-to-date information. My hope is that the resulting list is rich with knowledge that can be put to work both by experts and non-experts today. I’ve broken up this list into categories based on the intended audience, followed by articles on specific security tools and practices.

Guides for a general audience, or multiple groups

  • (Regularly updated) Surveillance Self-Defense, by the Electronic Frontier Foundation (@EFF). Surveillance Self-Defense is a thorough resource organized into multiple “playlists” of step-by-step guides for several different groups. Each playlist includes a list of modules with information relevant to each group.
  • (Last updated February 2017) A First Look at Digital Security, by Anqi Li & Kim Burton, Access Now (@accessnow). A short, beginner-friendly primer booklet on threat modeling, illustrated through personas for multiple security needs.
  • (Last updated November 2016) The Motherboard Guide to Not Getting Hacked, by Lorenzo Franceschi-Bicchierai (@lorenzoFB) & Joseph Cox (@josephfcox), Vice Motherboard (@motherboard). This introductory article covers the basics of threat modeling, updates, authentication practices, and a dozen general tips for protecting yourself from surveillance or a data breach.
  • (Regularly updated) Securing Your Digital Life Like a Normal Person, by Martin Shelton (@mshelton). A short, beginner-friendly primer covering privacy browser extensions, circumvention tools, disk and communication encryption, and tips for strengthening authentication.
  • (January 2017) 11 tips for Protecting Your Privacy and Digital Security in the Age of Trump, by Olivia Martin (@_olivemartini_). An introduction to digital security with brief descriptions and links to resources on threat modeling, strong authentication, secure communications, device encryption, and browser security. The article also includes guidance on update hygiene, VPNs, and phishing.
  • (Regularly updated) A DIY Guide to Feminist Cybersecurity, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). This fairly exhaustive guide covers tools for blocking online tracking, circumvention and anonymity tools, defending against malware, strong authentication practices, privacy on social media, as well as device and communication encryption. Note: There’s a lot of great information for defending against untargeted mass surveillance (e.g., using a VPN) which is not directly related to the threat model outlined.

Resources for journalists

  • (Last updated November 2016) Source Guide to Defending Accounts Against Common Digital Attacks, by Martin Shelton (@mshelton), OpenNews Source (@source). A guide with summaries and links to several resources for defending online accounts from hijacking. The guide includes an overview of newsroom digital security, resources for strengthening authentication, as well as defending against phishing and malware.
  • (April 2014) Security for Journalists (Part 1), by Jonathan Stray (@jonathanstray), OpenNews Source (@source). A beginner-friendly introduction to threat modeling, strengthening authentication, identifying phishing attacks, as well as device encryption. While this resource came out in 2014, its lessons are still applicable today.
  • (July 2016) Digital Self Defense for Journalists: An Introduction, by Martin Shelton (@mshelton), OpenNews Source (@source). This introduction covers the basics of threat modeling, circumvention tools, authentication practices, communication and device encryption, anonymity tools, security-enhancing browser extensions, backups, identifying phishing attacks, and general tips.
  • (July 2016) Digital Security For Freelancers, by Rory Peck Trust (@rorypecktrust). An enormous number of articles written for freelance journalists covering the basics of circumvention tools, social network privacy, communication and device encryption, encrypting files, file metadata, authentication, avoiding malware, and more general advice.
  • (December 2016) Secure Journalism at Protests, by Martin Shelton (@mshelton) & Geoffrey King (@geoffwking). This short guide introduces the basics of risk assessment, communications encryption, the use of secondary devices, securing mobile devices, concerns with live streaming, and face blurring software, as well as physical threats to data and personal safety. The guide also addresses legal concerns and journalists’ rights when covering events, when to talk to a lawyer, and resources for finding pro bono representation.
  • (January 2017) Surveillance Self-Defense for Journalists, by The Intercept (@theintercept). A brief primer with basic, intermediate, and advanced steps for journalists. The guide links to external resources for Signal, privacy-enhancing browser plugins, tools for strengthening authentication, communication encryption and circumvention tools, as well as links to resources on isolating suspicious files with virtual machines and Qubes OS.
  • (January 2017) Journalists in Distress: Securing Your Digital Life, by Canadian Journalists for Free Expression (@canadaCJFE). The guide includes background information describing how data flows online and in mobile networks, as well as information on browser privacy and security, encrypted communications, social media privacy, internet cafe concerns, strong authentication, and information about technical threats from authorities. The guide also includes exhaustive external links for getting help from supportive organizations and external links to additional security resources.

Resources for harassment and abuse

Resources for activists and protesters

Resources for security trainers

Resources for lawyers

  • (January 2017) Operational Security for Lawyers, by Ansel Halliburton (@anseljh), Lawyerist (@lawyerist). There aren’t many resources available for lawyers, but this is a good one. The guide covers the basics of threat modeling, strong authentication practices, secure messaging with Signal, anonymous filesharing, and describes many issues with basic email security. The guide also describes the role of other basic practices (e.g., patching) for security hygiene.

Resources for dangerous situations

  • (March 2017) DIY Cybersecurity for Domestic Violence, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses.
  • (March 2017) Digital Privacy at the U.S. Border, by Sophia Cope (@scopesetic), Amul Kalia (@amullionaire), Seth Schoen, and Adam Schwartz (@Adam_D_Schwartz), Electronic Frontier Foundation (@eff). In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range of tools you can use to protect yourself, and their constraints.

Guides to specific tools and practices

While many of the above resources are broad overviews or contain many step-by-step guides, other recent resources are narrowly focused on specific tools and practices.

Signal for encrypted messaging and voice calls

  • (Regularly updated) Signal for Beginners, by Martin Shelton (@mshelton). A primer on using Signal for first-timers. The guide covers how to set up the app, the basics of messaging, using the desktop app, making messages disappear, verification methods, as well as potential security weak points.
  • (July 2016) Security Tips Every Signal User Should Know, by Micah Lee (@micahflee) via The Intercept. Covers tips for securing your device, setting screen locks, verification methods, as well as archiving and deleting messages. Note: This guide is current with some exceptions (e.g., Signal has transitioned to “safety numbers” instead of fingerprints for verification; separate voice verification has been phased out.)
  • (November 2015) Signals, Intelligence, by the grugq (@thegrugq). A useful resource for understanding how Signal’s encryption works and the various forms of metadata it exposes in routine use.

WhatsApp for encrypted mobile messaging, voice, and video calls

  • (February 2017) Upgrading WhatsApp Security, by Martin Shelton (@mshelton). A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).

Pretty Good Privacy (PGP) email encryption

  • (June 2016) PGP Guide for Thunderbird + Enigmail for Windows, Mac, and Linux by Tactical Tech (@info_activism) and Front Line Defenders (@FrontLineHRD). A step-by-step resource for setting up PGP email encryption using GPG alongside the Thunderbird email client with the Enigmail plugin.
  • (Regularly updated) PGP Guide by matt mitchell (@geminiimatt). A step-by-step resource for setting up PGP encryption using the GPG binary. This approach guides new users to understand how the encryption works, and how to use GPG anywhere — not just email (e.g., Twitter DMs, Facebook).

Password managers

Anti-phishing

  • (Last updated December 2016) Anti-phishing and Email Hygiene, by Harlo Holmes (@harlo), Freedom of the Press Foundation. This guide covers threat modeling, authentication practices, as well as common phishing tactics and how to avoid them.

Two-factor authentication

  • (Regularly updated) Two Factor Auth, by Josh Davis (@HopefulJosh) and dozens of contributors. Two Factor Auth is a list of popular websites, and information on whether they support two-factor authentication. It offers links with instructions for setting up two-factor authentication on each web service.

Virtual Private Networks

Laptop encryption

  • (Last updated May 2015) Encrypting your laptop like you mean it, by Micah Lee (@micahflee). A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.

Slightly less up to date, but worth reviewing

It’s an older guide, but it checks out.

Guides for a general audience, or multiple groups

  • (Last updated September 2016) The Digital First Aid Kit, a collaboration between several digital rights organizations and individual security specialists. Note: Only minor changes are needed here (e.g., TextSecure + Redphone are now just Signal for Android).

Resources for journalists

Resources for activists and human rights defenders

Resources for security trainers

  • (March 2014) SaferJourno: Digital Security Resources for Media Trainers, by Internews (@internews).
  • (August 2013) Security Training Curricula, by eQualit.ie (@eQualitie). This guide provides general tips and resources (e.g., a pre-training questionnaire) for leading digital security trainings. Focusing on Windows, it also offers resources for teaching about password security, how the internet works, SSL, secure communications, disk encryption, secure deletion, as well as anonymity and circumvention tools. Available in English and Russian.

Keeping it real, current

There are many excellent guides available today, and even security professionals can have a tough time keeping up. Many of the guides are clearly one-time articles, but for some, it’s unclear whether they intend to stay updated. When I could not find information about when each guide was updated, I reached out to many of the groups who developed these resources.

We can do better. If we don’t want new learners to be misled about the relevance of the information, we should try to be transparent about the timeliness of our security resources.

When developing security resources, we should aim to…

  • Be clear about when the guide has been updated (e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated), and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub.
  • Be transparent if the information is expected to get out of date. There are many ways to do that (e.g., matt mitchell uses “best by” dates).
  • Be clear about the level of commitment to updating the information. In some cases, it’s fairly clear that the document will not be updated (e.g., in large news publications), but often our commitment to keeping guides updated is not clear to the unfamiliar reader.

What do you think?

It’s likely there are other great resources to add. Did I forget something? Have an update to suggest? Reach out on Twitter at @mshelton or one of several encrypted channels. You can also look at this document’s history or suggest edits here. I intend to update it regularly.


This document was inspired by conversations on Tinfoil.press, where we’ve gathered dozens of security resources. I also want to highlight the security training resource guide by Rachel Weidinger, Cooper Quintin, and matt mitchell that first appeared in late 2016, calling out the need for up-to-date information for security practitioners in these unusual times. Thanks for all the hard work from everyone who teaches, demonstrates, builds software, or publishes to defend safe access to information. ❤

Last updated April 12 2017.