Digital Security Training Resources for Security Trainers, Spring 2017 Edition

Authors:
Rachel Weidinger (twitter.com/rachelannyes)
Cooper Quintin (twitter.com/cooperq)
Martin Shelton (twitter.com/mshelton)
matt mitchell (twitter.com/geminiimatt)

Inspired by: A session and discussion at Aspiration Tech Dev Summit 2016
Document written in: English
Currently translated to: English
First Published: November 18, 2016
Last Updated: April 10, 2017
Expiration Date/Best By: June 2017
License: Digital Security training resources for security trainers, Winter 2016 Edition by Rachel Weidinger, Cooper Quintin, Martin Shelton, and matt mitchell is licensed under a Creative Commons Attribution 4.0 International License. This license lets others distribute, remix, tweak, and build upon our work, even commercially, as long as they credit us for the original creation. This is the most accommodating Creative Commons license offered.

Getting questions about how to increase security? Us too. Right now we can use a lot more security trainers to meet the demand. This post is the first in a series to get you on the path to helping out. The contents are a roundup of security training resources, pulled together to help trainers. These links are current as of April 2017. The links and resources were chosen because of their authors’ balanced approach and use of plain language over technical jargon.

This post is an answer to the questions: “Where can I get up-to-date security training links? What tools should I use and why?” We hope to address other topics, including ‘things to think about when you are giving a digital security training,’ and go deeper into specifics like operational security in future posts.

The goal of this post is narrow: to provide resources to trainers focused on basic security hygiene, the digital equivalent of doing healthcare by teaching “hand washing.”

We do not believe that security trainings will fix the political problems in the U.S. and elsewhere, and much advice in these guides depends on the good will of the U.S. government (e.g., legal access to strong encryption). However, we believe that operational security advice and digital security tools are still useful for protecting vulnerable communities from some real dangers they now face.

It is organized into three sections:

  • Toolkits that are up to date today
  • How to keep up to date as a trainer
  • Toolkits that are out of date but still worth reviewing

Have an update to suggest? We’re interested. Send it to one (or all!) of us on Twitter. We aim to update resources on a quarterly basis, with the next expected update in Summer 2017.

Toolkits that are up to date today

Since we last updated this guide the number of resources available has grown by leaps and bounds. The authors are excited to see so many people taking the time to publish new digital security guides. Unfortunately the reasons that so many new resources are necessary—the increased use of hacking by law enforcement and governments for the purposes of spying on their citizens and a global trend toward authoritarianism—are less exciting. As with all new resources we urge you to exercise caution and critical thinking when reading and recommending them since the quality of information may vary greatly. Here are some tips on reading skeptically.

There are a lot of resources available online but sadly for many reasons they often fall out of date. Like expired medicine, this can be very dangerous. Below is a list of up to date resources/toolkits that we reviewed for clarity and content.

How To Lead A Digital Security Workshop, Motherboard: February, 2017
Pro tip: We wrote this! Learning about this digital safety stuff is one thing. Teaching it to others is quite another. This article has some really great useful tips for how to convey and share knowledge in an effective way. Knowledge is power!

Tactical Tech’s Training Curriculum is a newer resource for security trainers, with an easy way to create customized curriculum PDFs. You plan your class, pick which modules of learning you want and which workshops you would like your participants to go through, then click PRINT PDF (remember each PDF needs to be printed). As of November 2016 this was just published.
Pro tip: This webpage has two scrollbars; use the inner one to scroll down. Click on workshops in the left column, then ‘view the full session’ for any workshop card in the main column, and scroll to the bottom of that card to find links to update yourself. Click on the ‘session breakdown’ tab for examples of how to teach this topic.

Electronic Frontier Foundation (EFF) has a robust series of resources available on Surveillance Self Defense, so many that it can be tricky to navigate. Start by looking at the ‘playlists’ for different types of needs.
Pro tip: These pages have a “Last updated” stamp on the bottom. It is really important that you take the date into account, especially for timely things like discussion of hardware, software, and apps. Ideas on approaches and methods have a longer shelf-life. Some pages are from 2016, others from 2014. Here are a few of the most popular pages: “Security starter pack,” “Activist or protester?” “LGBTQ youth,” “Journalist on the move?” A great trainer will understand the information in these and how to apply it to different at-risk groups.

Online articles of note. There have been a number of instructive pieces on security:

DIY Feminist Cybersecurity, Noah Kelley, @ciakraa: 2017
Pro tip: This is a useful guide because if you skip all the way down to the lilac colored “Find the right tools for your security needs” section, there are three flavors of security levels: “Casual,” “Friends and family,” and “Advanced.” Each is a good roundup for different risk levels/threat models. It’s also available in Spanish.

How To Run A Rogue Government Twitter Account With An Anonymous Email Address and A Burner Phone, The Intercept: February 20th, 2017
Pro tip: There are more and more alternative (alt-) government accounts on social networks like Twitter. The U.S. Government pressured Twitter to reveal the owner and details behind @ALT_uscis. Twitter sued, and the government has since backed off — for now. To ensure there is nothing to link a person to their account, follow this step-by-step guide.

Surveillance Self Defense for Journalists, The Intercept: January 18, 2017
Pro tip: As an adversarial journalism outfit, The Intercept has arguably the best infosec/opsec skills of any newsroom. They know that journalists don’t have time to read a long post. This is a fast read that asks reporters to categorize digital safety knowledge (beginner, intermediate, advanced) and gives a prescriptive list of things to do for each level.

Journalists in Distress: Securing Your Digital Life by Canadian Journalists for Freedom of Expression
Pro tip: This page provides a matrix to give basic education on a variety of topics facing reporters.

Security Basics by Olivia Martin: January, 2017
Pro tip: Digital security can be overwhelming. Often people have one simple question: “Where do I begin?” In this post Olivia walks through 11 important things anyone can do right now. It’s a great read for beginners and pros too.

Upgrading WhatsApp Security, Martin Shelton: Feb 6, 2017
Pro tip: This post walks you through, step by step, how to set up and use WhatsApp as securely as possible. For many people it’s easier to communicate securely using WhatsApp because that is where most of the people they chat with are. Also, because WhatsApp is the number one messenger in the world, it tends to go unnoticed when you are using it.

Don’t Panic! Download “A First Look at Digital Security”, Anqi Li & Kim Burton: Updated February, 2017
Pro tip: The authors have a lightweight approach to threat modeling and use of beautifully drawn cartoons to get the point across. They share threat models that others can adopt or apply to their own.

Getting Started With Digital Security, Dia Kayyali: November 16, 2016
Pro tip: There are many “getting started” type guides but this one is from an activists’ point of view and goes over an example of a “threat model” an activist faces. The author offers culturally relevant and specific guidance. The article is great for anyone working with people who document or record abuse. It has a link to the WITNESS library of materials which are translated into 15 languages. Also it has a nice list of training information.

Surveillance Self-Defense Against the Trump Administration, Micah Lee: November 12, 2016
Pro tip: In this post Micah begins with basic recommendations like encrypting your phone, then lays out a very secure workflow for highly technical movement building organizations and groups. This includes a Tor hidden service (potentially with stealth auth). It is highly technical.

Security Tips Every Signal User Should Know, Micah Lee: July 2, 2016
Pro tip: You may have heard “use signal, use tor” but this article explains a recommended “safest” use of Signal. We couldn’t agree more. It was written before the disappearing messages feature came out, so we recommend you turn that on for all messages so they last at longest a week. Verification and safety numbers have also changed since this article was written, but it is still a must-read for any Signal user. We look forward to an updated version of this article from Micah Lee.

Chatting in Secret While We’re All Being Watched, Micah Lee: July 14, 2015
Pro tip: This article can be summed up by one of its leading claims: “it’s possible to communicate online in a way that’s private, secret and anonymous.” Micah Lee then uses a series of easy to follow examples based on Romeo and Juliet to show how. Empowering and well thought out.

Encrypting Your Laptop Like You Mean It, Micah Lee: April 27, 2015
Pro tip: The cornerstone of digital safety is hardware encryption/full disk encryption of the devices we use the most, our laptops and phones. Here Micah walks through the options starting with what is already there.

Securing Your Digital Life Like a Normal Person, Martin Shelton: December 14, 2015
Pro tip: The article answers the question, “What can I, Normal Person, do to improve my security?” Covering how to be safer when browsing the web, how to encrypt all the things, how to secure web logins, and more.

@geminiimatt PGP guide to sending and receiving encrypted email from Mac, Windows, and Chromebook without using an email client. Great for gmail.com users, and for passing encrypted messages through Twitter DM or Facebook secure chat!

EFF’s PGP guide using Thunderbird for Windows, Mac, and on Linux.

EFF’s guide to using Signal on Android, and on iOS.

Twitter threads of note. Sometimes infosec Twitter has some real gems to share, unfortunately locked behind the walls of Twitter and buried by the latest trending info. We made an effort to avoid anything too opinionated; it is, however, the essence of Twitter, and there may be various ideas expressed as the threads grow.
Pro tip: Approach with an open and analytical mind.

Below are two great threads about an important topic, VPNs (virtual private networks):

Nima Fatemi tweet on using VPNs versus using Tor
Swift On Security tweet about how hard it is to find independent info on VPN providers

How to keep up to date, as a trainer

Security is a constantly shifting target. What is useful today will one day be dangerous. Part of setting secure habits is keeping up to date. Here is how we do it:

You can ask questions to the Access Now Digital Security Helpline.

Just send an encrypted email message! (That should include your PGP key if it’s not on a key server so they can write you back.)

Follow @geminiimatt’s “THE LIST” on Twitter for ongoing infosec community news and updates.

You may have to sift through many differing opinions, large and fragile egos, and historic rivalries. But if you let the noise wash over you, you will eventually find some loose consensus and some gems of wisdom within. Consider it a launching point for further research, discussion, and information.

Read Bruce Schneier’s Blog.

We linked tons of it above, and recommend continuing to read Micah Lee’s work at The Intercept.

Read EFF’s blog.

Mainstream media occasionally writes broad roundups on digital privacy, like this article from Consumer Reports in September of 2016. Many leading minds in digital security lend pro tips, but overall it’s too broad and disorganized to be a practical training tool. These kinds of articles are definitely worth reading, mostly so you know how non-technical publications cover digital security.

Go to security conferences! There are security conferences all over the US and the world that are great resources for staying up to date on the latest info and meeting other hackers and security trainers. Here are some of our favorites: BSIDES, DEFCON, HOPE, CCC, Toor Camp, Dev Summit (where this guide was born), ENIGMA, and finally USENIX CONFS.

Podcasts are a great way to learn more about digital security daily, weekly, or monthly.

Listen to podcasts! There are so many great podcasts on security but here are a few short and impactful ones for when you want to learn more and keep up to date.

Daily Stormcasts by SANS Internet Stormcasts, 5–10 minutes duration, daily release

Crypto Gram Security Podcasts, 20 minutes, release monthly

The Cyberwire, 60 minutes, daily release

Risky Business, 60 minutes, weekly release

Security Now with Steve Gibson, 2 hours 30 minutes, weekly

The CyberSecurity Podcast by CSM Passcode and New America, 30 minutes, monthly (now that CSM has moved away from Passcode the future of this podcast is unknown).

Down the Security Rabbit Hole, 1 hour, weekly

Toolkits that are out of date but still worth reviewing

The nature of security advice is that it changes as we learn new things and new techniques are discovered. Unfortunately this means that many guides end up going out of date if they are not constantly maintained. If you find a guide that is out of date consider contacting the author and asking them to update the guide or take it down. Here are some guides which are out of date but might still be worth updating or reviewing.

Tactical Tech’s Security in a Box is in 15 languages, is four years old, and is no longer frequently maintained. Be careful when recommending anything out of this without looking into it with great care.

A roundup of resources from Level Up, from June 2016.

Frontline Defenders

Hey, you just read a long post. Thanks for adding to your security training skills. You rock.
