Current Digital Security Resources

July 2018 Edition

Time flies. Original image: danielhedrick [CC BY-NC 2.0]

Last updated July 11, 2018.

Digital technology doesn’t die — it just ages really, really fast. Even the richest digital security resources become quickly out-of-date, and while there are a remarkable number of toolkits and guides for learning digital self-defense, relatively few have information you can use right now. This “meta-guide” highlights current resources, and tips on keeping them timely and relevant.

The following guides and toolkits were included based on a few key requirements: relevance, practical advice, accessible language, clear organization, and of course, up-to-date information. My hope is that the resulting list is rich with knowledge that can be put to work both by experts and non-experts today. I’ve broken up this list into categories based on the intended audience, followed by articles on specific security tools and practices.

Guides for a general audience, or multiple groups

  • (Regularly updated) Surveillance Self-Defense, by the Electronic Frontier Foundation (@EFF). Surveillance Self-Defense is a thorough resource organized into multiple “playlists” of step-by-step guides for several different groups. Each playlist includes a list of modules with information relevant to each group.
  • (Last updated April 2018) A First Look at Digital Security, by Floriana Pagano & Anqi Li (@AngelDAlucard), Access Now (@accessnow). A short, beginner-friendly primer booklet on threat modeling, illustrated through personas for multiple security needs. The printable booklet also provides space to help readers create their own personas to map out their unique threat model.
  • (Last updated November 2017) The Motherboard Guide to Not Getting Hacked, by Vice Motherboard (@motherboard). This introductory article covers the basics of threat modeling, updates, authentication practices, and a dozens of “dos” and “don’ts” for protecting yourself from a data breach. The guide also walks through mobile security, as well as simple tools and techniques for countering passive surveillance.
  • (Regularly updated) Securing Your Digital Life Like a Normal Person, by Martin Shelton (@mshelton). A short, beginner-friendly primer covering privacy browser extensions, circumvention tools, disk and communication encryption, and tips for strengthening authentication.
  • (January 2017) 11 tips for Protecting Your Privacy and Digital Security in the Age of Trump, by Olivia Martin (@_olivemartini_). An introduction to digital security with brief descriptions and links to resources on threat modeling, strong authentication, secure communications, device encryption, browser security. The article also includes guidance on update hygiene, VPNs, and phishing.
  • (Regularly updated) A DIY Guide to Feminist Cybersecurity, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). This fairly exhaustive guide covers tools for blocking online tracking, circumvention and anonymity tools, defending against malware, strong authentication practices, privacy on social media, as well as device and communication encryption. Note: There’s a lot of great information for defending against untargeted mass surveillance (e.g., using a VPN) which is not directly related to the threat model outlined.
    Related reading: (April 2017) DIY Online Security Guide for Every Woman, by Chayn (@chaynhq).
  • (December 2017) The Wired Guide to Digital Security, by Wired (@wired). A resource with branching guides for three different types of users: the civilian, public figure, and “spy.” Each category comes with suggested reading, including authentication tools and practices, anti-doxxing techniques, techniques for avoiding phishing, device security, and counter-surveillance tools. The “spy” category includes guidance for those with advanced surveillance threats (e.g., sniffing out bugs).
  • (December 2017) Security Planner, by the Citizen Lab (@citizenlab). This interactive guide is designed to help readers quickly identify the security tips most relevant to them by walking through questions about where you handle private information (e.g., which devices and services?), specific security concerns, as well as information about your unique circumstances. In turn, it provides a detailed list of security recommendations with step-by-step articles on how to learn more.

Resources for journalists

  • (Last updated November 2016) Source Guide to Defending Accounts Against Common Digital Attacks, by Martin Shelton (@mshelton), OpenNews Source (@source). A guide with summaries and links to several resources for defending online accounts from hijacking. The guide includes an overview of newsroom digital security, resources for strengthening authentication, as well as defending against phishing and malware.
  • (April 2014) Security for Journalists (Part 1), by Jonathan Stray (@jonathanstray), OpenNews Source (@source). A beginner-friendly introduction to threat modeling, strengthening authentication, identifying phishing attacks, as well as device encryption. While this resource came out in 2014, its lessons are still applicable today.
  • (July 2016) Digital Self Defense for Journalists: An Introduction, by Martin Shelton (@mshelton), OpenNews Source (@source). This introduction covers the basics of threat modeling, circumvention tools, authentication practices, communication and device encryption, anonymity tools, security-enhancing browser extensions, backups, identifying phishing attacks, and general tips.
  • (June 2018) Digital Security For Freelancers, by Rory Peck Trust (@rorypecktrust). An enormous number of articles written for freelance journalists covering the basics of circumvention tools, social network privacy, communication and device encryption, encrypting files, file metadata, authentication, avoiding malware, and more general advice.
  • (December 2016) Secure Journalism at Protests, by Martin Shelton (@mshelton) & Geoffrey King (@geoffwking). This short guide introduces the basics of risk assessment, communications encryption, the use of secondary devices, securing mobile devices, concerns with live streaming, and face blurring software, as well as physical threats to data and personal safety. The guide also addresses legal concerns and journalists’ rights when covering events, when to talk to a lawyer, and resources for finding pro bono representation.
  • (January 2017) Surveillance Self-Defense for Journalists, by The Intercept (@theintercept). A brief primer with basic, intermediate, and advanced steps for journalists. The guide links to external resources for Signal, privacy-enhancing browser plugins, tools for strengthening authentication, communication encryption and circumvention tools, as well as links to resources on isolating suspicious files with virtual machines and Qubes OS.
  • (January 2017) Journalists in Distress: Securing Your Digital Life, by Canadian Journalists for Free Expression (@canadaCJFE). The guide includes background information describing how data flows online and in mobile networks, as well as information on browser privacy and security, encrypted communications, social media privacy, internet cafe concerns, strong authentication, and information about technical threats from authorities. The guide also includes exhaustive external links for getting help from supportive organizations and external links to additional security resources. One thing that distinguishes this guide: It is available in English, Arabic, and French.
  • (June 2017) Protecting Your Sources When Releasing Sensitive Documents, by Ted Han (@knowtheory) & Quinn Norton (@quinnnorton). The guide introduces common concerns with metadata, printer micro-dots, as well as information deliberately hidden in documents. The guide also walks through some “cleaning” techniques for removing unwanted file metadata and micro-dots.
  • (February 2017) Source Protection in 2017: A Starter Guide, by Quinn Norton (@quinnnorton). The guide introduces some practical security tools and practices for communicating with sources in a way that preserves their anonymity. This includes the basics of choosing appropriate messaging standards, including Jabber for encrypted chats, as well as secure, anonymity-preserving messengers, Ricochet and Cryptocat (when accessed through the Tor anonymity network). The guide also examines differences between end-to-end and server-side encryption in the context of source protection, and more fundamentally, the need to focus on the protection of sources as people with many needs.
  • (Regularly updated). Speaking Securely with Sources, by Martin Shelton (@mshelton), OpenNews Source (@source). A guide with summaries and links to several resources on the legal and technical aspects of secure conversations with sources. The guide includes an overview of digital security basics for journalists, as well as resources on security tradeoffs among several encryption and anonymity tools. It also includes resources on setting up confidential tip pages, legal considerations for whistleblowers, setting up Signal and WhatsApp safely, as well security considerations for potential tipsters.
  • (April 2018) Online Harassment Field Manual, by PEN America (@penamerican). This large-scale resource places the security concerns of journalists, their employers, and allies in the broader context of online harassment and safety. It illustrates these concepts through real-world stories and quotes from writers and reporters. The guide examines practical security tools and techniques to prepare for and respond to coordinated harassment. But it also examines approaches for psychological care when experiencing harassment, such as how to coordinate a support community, confronting harassers, and resources for obtaining additional emotional or mental health support. Additionally, it offers suggestions on documenting and reporting harassment.

Resources for harassment and abuse

  • (November 2017) So What the Hell Is Doxxing?, by Decca Muldowney (@deccamuldowney), ProPublica (@propublica). The article briefly examines the tactics of doxxing, as well its ethics and effectiveness. It offers tips defending against these attacks, including the use of two-factor authentication, strengthening passwords and social media privacy settings, removing email addresses from the sites you use, and scrubbing publicly available information from data brokers and “people search” sites.
  • (October 2017) The Big Ass Data Broker Opt-Out List, by Yael Grauer (@yaelwrites). A list of methods for removing your data from data broker services, whose core business is selling access to personal data. Because the removal methods vary, the list conveniently categorizes each of the conditions for removing your data, using emoji!
  • (Last updated April 2016) Zen and the Art of Making Tech Work for You, by Tactical Tech (@info_activism). An exhaustive community-built resource on digital security especially for women and trans activists. Covers doxxing, managing online identities, compartmentalization practices, safe online and offline spaces, as well as collaboration tools.
  • (Regularly updated) Crash Override Network Resource Center, by Crash Override (@CrashOverrideNW). A gateway to several security guides on account authentication, preventing doxxing, and what to do if it happens to you.
  • (Last updated May 2016) Speak Up & Stay Safe(r): A Guide to Protecting Yourself From Online Harassment, by Feminist Frequency (@femfreq). A thorough guide describing tactics for combating doxxing, privacy on social media and gaming platforms, compartmentalization practices, strengthening authentication security, personal website security, physical mail privacy, and related advice.
  • (Regularly updated) Privacy Guide for Activists with Haters, by Kathy Levinson. A brief resource covering standard anti-doxxing and authentication tactics, as well as responding to emergencies when targeted for harassment by large groups.
  • (Regularly updated) Online Harassment Resources, by Heartmob (@theheartmob). Guides with information on countering doxxing, strengthening social media privacy and account authentication, legal support, as well as organizational support and self-care resources.
  • (October 2016) Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment, by Alice Marwick (@alicetiara), Lindsay Blackwell (@linguangst), & Katherine Lo (@lawlkat), Data & Society (@datasociety). Covers how university faculty, advisors, and researchers should respond to online harassment when conducting sensitive work. The document also provides several tips for emotional support, defending against doxxing, authentication practices, privacy in social media accounts, and defending against phishing.

Resources for activists and protesters

Resources for security trainers

  • (Regularly updated) Security Education Companion, by the Electronic Frontier Foundation (@EFF). A large-scale resource for learning about inclusive education for a variety of digital security tools and practices. The resource — geared toward beginning trainers — provides background on how to consider the needs of your audience before getting started. It includes lesson modules on threat modeling, authentication practices, social media privacy, end-to-end encrypted mobile apps, phishing and malware, as well as privacy-enhancing browser extensions. The guide also includes a number of teaching resources, including animated GIFs and editable, printable handouts for security trainings.
  • (November 2017) Security Training Resources for Security Trainers, Spring 2017 Edition, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton), matt mitchell (@geminiimatt). A “meta-guide” for finding information on the current state of U.S. digital security training (update from Winter 2016).
  • (February 2017) How to Lead a Digital Security Workshop, by Rachel Weidinger (@rachelannyes), Cooper Quintin (@cooperq), Martin Shelton (@mshelton) and matt mitchell (@geminiimatt), via Motherboard. How to get started on digital security training for first-timers. The short guide encourages new and would-be security trainers with some considerations for effective training. These considerations include how to think about practical security advice, planning and logistics, building knowledge, focusing on teaching narrowly-scoped mastery, as well as self-presentation and audience engagement in security trainings.
  • (Regularly updated) Training Curriculum, by Tactical Tech (@info_activism). Tactical Tech’s training curriculum is a new resource for planning lessons in digital security. You can select lesson modules, workshop information, and print out corresponding PDF handouts.
  • (Regularly updated) SAFETAG: A Security Auditing Framework and Evaluation Template for Advocacy Groups, by Internews (@internews) with help from many community contributors. A thorough security auditing framework that adapts traditional risk assessment and penetration testing for small non-profit human rights organizations. The guide walks through how auditors can examine how information moves through the organization. This information flow is dependent on the likely involved actors, as well as organizational threats, assets, capacity, activities, vulnerabilities, and barriers to adoption for security practices.
  • (Last updated July 2016) Resources for the Global Digital Safety Training Community, by LevelUp with help from many contributors. An enormous trove of resources on building curricula around digital security and instruction tips.
  • (Regularly updated) The Field Guide to Security Training in the Newsroom, by OpenNews (@opennews) and BuzzFeed Open Lab (@openlab), with help from many open source contributors. This resource supports beginner and “accidental” newsroom security advocates. It walks through how to think and communicate strategically about newsroom security, as well as suggested lesson plans for security trainings. Rather than reproduce existing guides, it also organizes dozens of external resources on getting up security software for newsrooms.

Resources for lawyers

  • (March 2017) Computer Security Tools & Concepts for Lawyers, by Kendra Albert (@KendraSerra). With an eye to lawful process and a realistic security concerns for legal professionals and their clients, this resource introduces the basics of threat modeling, social engineering, and encryption. It also provides several recommendations on how to better address technical security concerns, such as using password managers and two-factor authentication, as well as secure communications, device and file encryption, data minimization practices, and more.
  • (January 2017) Operational Security for Lawyers, by Ansel Halliburton (@anseljh), Lawyerist (@lawyerist). The guide covers the basics of threat modeling, strong authentication practices, secure messaging with Signal, anonymous filesharing, and describes many issues with basic email security. The guide also describes the role of other basic practices (e.g., patching) for security hygiene.

Resources for dangerous situations

  • (March 2017) DIY Cybersecurity for Domestic Violence, by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including when partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses.
  • (March 2017) Digital Privacy at the U.S. Border, by Sophia Cope (@scopesetic), Amul Kalia (@amullionaire), Seth Schoen, and Adam Schwartz (@Adam_D_Schwartz), Electronic Frontier Foundation (@eff). In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation Part released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range tools you can use to protect yourself, and their constraints.

Guides to specific tools and practices

While many of the above resources are broad overviews or contain many step-by-step guides, other recent resources are narrowly focused on specific tools and practices.

Signal for encrypted messaging, voice, and video calls

  • (Regularly updated) Signal for Beginners, by Martin Shelton (@mshelton). A primer on using Signal for first-timers. The guide covers how to set up the app, the basics of messaging, using the desktop app, making messages disappear, verification methods, as well as potential security weak points.
  • (May 2017) How to Keep Your Chats Truly Private with Signal, by Micah Lee (@micahflee) via The Intercept, A thorough, step-by-step guide on using Signal as securely as possible. The guide includes a short video overview, and information on securing your mobile device, hiding lock screen messages, deleting old messages, exchanging video and photos, group chat, voice and video, adding contacts, verification, and using the desktop app.
  • (November 2015) Signals, Intelligence, by the grugq (@thegrugq). A useful resource for understanding how Signal’s encryption works and the various forms of metadata it exposes in routine use.
  • (August 2017) How to Use Signal Without Giving Out Your Phone Number: A Gendered Security Issue, by Jillian York (@jilliancyork). This article examines why Signal’s convention of using phone numbers as identifiers is a security issue, and provides a workaround: using a second SIM to register your app. The article describes how to use a second SIM, as well as practical concerns for keeping the phone number active.
  • (September 2017) Using Signal Without Giving Your Phone Number, by Martin Shelton (@mshelton). A step-by-step guide on using Google Voice and Twilio to set up a second number for registering Signal.
  • (September 2017) How to use Signal Without Giving Out Your Phone Number, by Micah Lee (@micahflee). This guide examines the security challenges introduced by Signal’s convention of using phone numbers as identifiers, and how to set up a second Signal number using a secondary user profile on Android, as well as one or more Signal desktop users in Google Chrome. It also briefly touches on how to get started with more advanced options, such as using Android over virtual machines and Signal command line tools.

WhatsApp for encrypted messaging, voice, and video calls

  • (February 2017) Upgrading WhatsApp Security, by Martin Shelton (@mshelton). A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).

Wire for encrypted messaging, voice, and video calls

  • (January 2018) Wire for Beginners, by Martin Shelton (@mshelton). A primer on installing and using Wire. The guide walks through setting up the app, the basics of messaging, how to set up the desktop app, making messages disappear, lock screen security, verification methods, and how to shore up potential security holes.

Pretty Good Privacy (PGP) email encryption

  • (June 2016) PGP Guide for Thunderbird + Enigmail for Windows, Mac, and Linux by Tactical Tech (@info_activism) and Front Line Defenders (@FrontLineHRD). A step-by-step resource for setting up PGP email encryption using GPG alongside the Thunderbird email client with the Enigmail plugin.
  • (Regularly updated) PGP Guide, by matt mitchell (@geminiimatt). A step-by-step resource for setting up PGP encryption using the GPG binary. This approach guides new users to understand how the encryption works, and how to use GPG anywhere — not just email (e.g., Twitter DMs, Facebook).

Password managers

Anti-phishing

Two-factor authentication

  • (Regularly updated) Two Factor Auth, by Josh Davis (@HopefulJosh) and dozens of contributors. Two Factor Auth is a list of popular websites, and information on whether they support two-factor authentication. It offers links with instructions for setting up two-factor authentication on each web service.
  • (May 2017) Two-Factor Authentication for Newsrooms, by Martin Shelton (@mshelton). This guide examines how to use two-factor authentication by breaking it down into multiple methods, and walking through how to set it up, using Gmail as one example. It also describes some considerations for its use in a team setting.
  • (July 2017) Why You Need a Security Key for Gmail, by Pinboard (@Pinboard). Complete with screenshots, this step-by-step guide demonstrates how to set up two-factor authentication with a security key (using a Yubikey) for your Google account.

Virtual Private Networks

Disk encryption

  • (Last updated May 2015) Encrypting Your Laptop Like You Mean It, by Micah Lee (@micahflee). A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.

Private browsing

  • (July 2018) What Does Private Browsing Mode Do?, by Martin Shelton (@mshelton). A short primer on what data private browsing mode protects, and doesn’t protect. The article begins with a general explanation of what other parties see when you connect to websites (e.g., your ISP, network administrator, and the website itself). It then examines what data is “forgotten” locally in private browsing mode, and highlights data that may not be forgotten by other entities.

Denial o f service mitigation

  • (Last updated October 2017) Keeping Your Site Alive, by the Electronic Frontier Foundation (@EFF) This guide examines how to defend against distributed denial of service (DDoS) attacks, which can render a server (e.g., a personal website) inaccessible by overloading it with more junk traffic than it can accept, preventing the delivery of legitimate traffic. The guide examines how a DDoS attack works, outlining multiple types of traffic used in attacks. It unpacks how to assess risk, and how to set up defenses with various web hosting options, DDoS protection services, backups, and site mirroring tools.

Slightly less up to date, but worth reviewing

It’s an older guide, but it checks out.

Guides for a general audience, or multiple groups

  • (Last updated September 2016) The Digital First Aid Kit, a collaboration between several digital rights organizations and individual security specialists. Note: Only minor changes are needed here (e.g., TextSecure + Redphone are now just Signal for Android).

Resources for journalists

Resources for activists and human rights defenders

Resources for security trainers

  • (March 2014) SaferJourno: Digital Security Resources for Media Trainers, by Internews (@internews).
  • (August 2013) Security Training Curricula, by eQualit.ie (@eQualitie). This guide provides general tips and resources (e.g., a pre-training questionnaire) for leading digital security trainings. Focusing on Windows, it also offers resources for teaching about password security, how the internet works, SSL, secure communications, disk encryption, secure deletion, as well as anonymity and circumvention tools. Available in English and Russian.

Resources for specific tools and practices

  • (July 2016) Security Tips Every Signal User Should Know, by Micah Lee (@micahflee) via The Intercept. Covers tips for securing your device, setting screen locks, verification methods, as well as archiving and deleting messages. Note: This guide is fairly current, with some exceptions (e.g., Signal has transitioned to “safety numbers” instead of fingerprints for verification; separate voice verification has been phased out.)

Keeping it real, current

There are many excellent guides available today, and even security professionals can have a tough time keeping up. Many of the guides are clearly one-time pieces. For others, it’s which intend to stay updated. When I could not find information about when each guide was updated, I reached out to many of the groups who developed these resources.

We want people new to security to have good information, and to be confident that they’re getting fresh information. This is why it’s so important to be transparent about the timeliness of our resources.

When developing security resources, we should aim to…

  • Be clear about when the guide has been updated (e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated), and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub.
  • Be transparent if the information is expected to get out of date. There are many ways to do that. (e.g., matt mitchell uses “best by” dates.)
  • Be clear about the level of commitment to updating the information. In some cases, it’s fairly clear that the document will not be updated (e.g., in large news publications), but often our commitment to keeping guides updated is not clear to the unfamiliar reader.

What do you think?

It’s likely there are other great resources to add. Did I forget something? Have an update to suggest that meets all of the same requirements outlined above? Reach out on Twitter at @mshelton or one of several encrypted channels.

Thanks for all the hard work from everyone who teaches, demonstrates, builds software, or publishes to defend safe access to information. ❤