Digital Security Training Resources for Security Trainers, Fall 2019 Edition

Cooper Quintin
Published in CryptoFriends
16 min read · Apr 11, 2017

Authors:
Rachel Weidinger (twitter.com/rachelannyes)
Cooper Quintin (twitter.com/cooperq)
Martin Shelton (twitter.com/mshelton)
matt mitchell (twitter.com/geminiimatt)

Inspired by: A session and discussion at Aspiration Tech Dev Summit 2016
First Published: November 18, 2016
Last Updated: October 17, 2019
Expiration Date/Best By: April 2020
License: Digital Security training resources for security trainers, Fall 2019 Edition by Rachel Weidinger, Cooper Quintin, Martin Shelton, and matt mitchell is licensed under a Creative Commons Attribution 4.0 International License. This license lets others distribute, remix, tweak, and build upon our work, even commercially, as long as they credit us for the original creation. This is the most accommodating Creative Commons license offered.

Getting questions about how to step up security? Us too. We’ve been saying this for a while, but it’s still true: right now we can use a lot more security trainers to meet the demand. We’re also experiencing more moments where people are called on to be ‘accidental security trainers’ filling in as best they can in a moment of need. These resources are meant to serve as a resource hub.

This post is one in a series to get you on the path to helping out. The contents are a roundup of security training resources, pulled together to help trainers. These links are current as of October 2019. The links and resources were chosen because of their authors’ balanced approaches and use of plain language over technical jargon.

If you’re new to this, you might also be interested in our post How to Lead a Digital Security Workshop, republished on Motherboard. The how-to post walks you through considerations for how the heck to run a workshop. This here post will help you stay up on the ever-changing security game. Together, you’ll have enough to start facilitating workshops.

This post is an answer to the questions: “Where can I get up-to-date security training links? What tools should I use and why?” Because this info goes out of date, we update this post as often as we can manage. This one has an expiration date of April 2020, as a guideline for how quickly this information can become un-fresh.

The goal of this post is narrow: to provide resources to trainers focused on basic security hygiene, the digital equivalent of doing healthcare by teaching “hand washing.”

We do not believe that security trainings will fix the political problems in the U.S. and elsewhere, and much of the advice in these guides depends on the good will of the U.S. government (e.g., legal access to strong encryption). However, we believe that operational security advice and digital security tools are still useful for protecting vulnerable communities from some real dangers they now face.

We’ve organized this guide into three sections:

  • Toolkits that are up to date today
  • How to keep up to date as a trainer
  • Toolkits that are out of date but still worth reviewing

Have an update to suggest? We’re interested. Send it to one (or all!) of us on Twitter. We aim to update resources on a quarterly basis, with the next expected update in Spring 2020.

Toolkits that are up to date today

Since we first wrote this guide in 2016, the number of resources available has grown. The authors are excited to see so many people taking the time to publish new digital security guides. Unfortunately, the reasons these resources are necessary—the growth of hacking by law enforcement and governments, spying on their citizens, and a global trend toward authoritarianism—are less exciting. As with all new resources, we urge you to exercise caution and critical thinking when reading and recommending them, because the quality of information varies. Here are some tips on reading skeptically.

There are a lot of resources available online, but sadly, for many reasons, they fall out of date. Like expired medicine, this can be very dangerous. Below is a list of up-to-date resources/toolkits that we reviewed for clarity and content.

Security Education Companion, by the Electronic Frontier Foundation: regularly updated.
This is a huge compendium of teaching materials and resources for security trainers. The SEC is designed to encourage and support people who want to become security and privacy resources within their own communities. It is also useful for experienced security trainers, providing useful curriculum and teaching tools. EFF has really built out the section about being an educator, including Am I the Right Person?, Cultural Sensitivity, and training challenges like When Different Threat Models Are in the Same Room. The resource also incorporates input and iterative feedback from the loose-knit community of digital security trainers. Pro tip: Under the teaching materials section, it includes printable handouts formatted as easy-to-edit Powerpoint/LibreOffice slides, so you can quickly remix your materials for your community.

How To Lead A Digital Security Workshop, by Motherboard: February, 2017.
Learning about this digital safety stuff is one thing. Teaching it to others is another. This article includes useful tips on how to convey and share knowledge in an effective way. Knowledge is power! Pro tip: We wrote this!

Electronic Frontier Foundation has a robust series of resources available on Surveillance Self Defense with updated navigation to get to what you need faster. Start with looking at the ‘playlists’ for different types of needs.
Pro tip: These pages have a “Last reviewed” stamp on the top. It is really important that you take the date into account, especially for timely things like discussion of hardware, software, and apps. Ideas on approaches and methods have a longer shelf-life. Some pages are from 2019, others 2014. Here are a few of the most popular pages: “Security starter pack,” “Activist or protester?” “LGBTQ youth,” “Journalist on the move?” A great trainer will understand the information in these and how to apply them to different at-risk groups.

Security Planner from Citizen Lab: Last updated June 26, 2019. The Citizen Lab has created this interactive guide to help readers identify personalized security tips by walking through their devices, services, and security concerns. It provides a detailed list of security recommendations with step-by-step articles on how to learn more, based on their circumstances.

Videos of note

There have been a number of instructive videos on security:

What is Threat Modeling? Motherboard: November, 2017.
Fantastic, short, video explanation of what threat modeling is and why you should do it. Great for a training introduction! Pro tip: There are a ton of good videos on this site called “Motherboard Shorties.” Take a look for more gems!

“How to Protect Your Data Using Just Apps,” Futurism: February 2018.
Short videos with Matt talking about some basic protections for smartphones.

“How to Protect Your Browser History,” Futurism

“How to Protect Your Online Identity,” Futurism

“Cybersecurity for the People: How to Protect Your Privacy at a Protest,” The Intercept, by Micah Lee w/ matt mitchell

“Hacker Redefined: Organizational Security,” Mozilla: Open Web Fellowship

Articles of note

There have been a number of instructive pieces on security:

Two Passwords are Always Better Than One, Jessy Irwin: November, 2017.
Many security professionals and trainers have rightly pointed out the flaws in SMS based two-factor authentication, or 2FA, for short. In this article the author makes a strong case as to why security trainers should help people understand the importance of 2FA and how speaking poorly about SMS based 2FA might only serve to confuse the people we are trying to help.

Comic: How to Protect Yourself Against Spearphishing, Joyce Rice and Micah Lee: November 19, 2017. When you receive an email suggesting you log into a specific website, most of the time you may not pay close attention to the link. But a phishing website is designed to look like a legitimate, trusted website, while it belongs to an attacker who wants to trick you into sharing your credentials. If you log into their phony website, they will use your very real credentials to log into the legitimate website, masquerading as you. Spearphishing is an even more specific type of attack, targeting a specific individual by finding more information about them before sending a targeted email or message. This beautifully illustrated explainer shares both an example and how to protect yourself against phishing generally.

The Best VPN Service for 2019: Reviews by Wirecutter, Yael Grauer: August 19, 2019. Writing for tech and consumer goods review site Wirecutter, Yael applies their rigorous, practical selection method to VPNs. Expect this to get regular updates, as with most of their tech product reviews. What’s a VPN, you ask? Yael writes, “Using a VPN can stop your computer or mobile device from revealing your IP address to websites, services, and the rest of the Internet when you connect.”

So What The Hell is Doxxing?, Decca Muldowney: November 4, 2017.
This article looks into what “dropping documents” is and how it affects people. It looks into some of the methods used by doxxers & how to protect your information from them. Pro tip: The article includes links to opt-out forms to remove or hide information on data broker sites.

Privacy Recipe: creating an online persona. Sometimes it is nearly impossible to use a service without providing some information or signing up. The best solution to that is, of course, creating a new person who can sign up for you, keeping your identity and data safe. This guide explains how. Pro tip: Great if you need a virtual phone number or are learning the more advanced opsec.

Simple Opt-Out. This is exactly as advertised: a simple website that lists some services with terms you might not have known about and a simple way to opt out of that agreement. Many people never really read the “terms of usage” and many services allow opt out later. Pro tip: Some services let you opt out of the most privacy violating terms and still use the service with little to no change. It’s never too late to OPT OUT.

You too can hop in with Anonymous Tapir and Anonymous Sloth.

Big Ass Data Broker Opt-Out List: Yael Grauer, October 16, 2019. A list of approaches for removing data from data brokers — companies that sell bulk access to consumers’ personal data. The removal methods vary widely, so the list categorizes each of the approaches for removing data from each respective data broker portal.

How to Use Signal Without Giving Out Your Phone Number, Micah Lee: September, 2017.
One of the downsides of Signal is that you have to give out your phone number to anyone you want to talk to, which may not be ideal if you are working with strangers, people you don’t trust, or if you are using your phone number for two-factor authentication. This guide will show you how to use Signal with an alternate phone number, allowing you to preserve the privacy of your real phone number. Pro tip: While reading up, consider checking out two other resources on the same topic here and here.

DIY Feminist Cybersecurity, Noah Kelley: 2017.
This is a useful guide because if you skip all the way down to the lilac colored “Find the right tools for your security needs” section, there are three flavors of security levels: “Casual,” “Friends and family,” and “Advanced.” Each is a good roundup for different risk levels/threat models. It’s also available in Spanish.

Surveillance Self Defense for Journalists, The Intercept: January, 2017.
As an adversarial journalism outfit, The Intercept has arguably the best infosec/opsec skills of any U.S. newsroom. They know that journalists don’t have time to read a long post. This is a fast read that asks reporters to categorize digital safety knowledge (beginner, intermediate, advanced) and gives a prescriptive list of things to do for each level.

Journalists in Distress: Securing Your Digital Life, Canadian Journalists for Freedom of Expression: January 2017.
This page provides a matrix to give basic education on a variety of topics facing reporters. Also available in Arabic and Français.

Security Basics, Olivia Martin: January, 2017. Digital security can be overwhelming; often people have one simple question: “Where do I begin?” In this post Olivia walks through 11 important things anyone can do right now. It’s a great read for beginners and pros too.

A First Look at Digital Security, by Floriana & Sage Cheng: Updated March 2019.
The authors have a lightweight approach to threat modeling and use of beautifully drawn cartoons to get the point across. They share threat models that others can adopt or apply to their own.

Getting Started With Digital Security, Dia Kayyali: November 16, 2016.
Pro tip: There are many “getting started” type guides but this one is from the point of view of an activist. It goes over an example of a threat model an activist faces, offering specific and culturally relevant guidance. The article is great for anyone working with people who document or record abuse. It’s also a nice segue into the WITNESS library of related materials, which are translated into 15 languages.

Surveillance Self-Defense Against the Trump Administration, Micah Lee: November, 2016.
In this post Micah begins with basic recommendations like encrypting your phone, then lays out a very secure workflow for highly technical movement-building organizations and groups. This includes a Tor hidden service (potentially with stealth auth). It is highly technical.

Cybersecurity for the People: How to Keep Your Chats Truly Private with Signal, Micah Lee, May 2017.
In this post, Micah Lee demonstrates how to set up and use Signal for private messaging, video, and voice chat. To maximize Signal’s security, he also describes how to lock down your mobile device, how to verify the security of your conversations, and how to use the desktop app. Pro tip: For related articles on this topic, see this article from the Freedom of the Press Foundation, and the Electronic Frontier Foundation (iOS, Android).

Encrypting Your Laptop Like You Mean It, Micah Lee: April, 2015.
Pro tip: The cornerstone of digital safety is hardware encryption/full disk encryption of the devices we use the most, our laptops and phones. Here Micah walks through the options starting with what is already there.

Securing Your Digital Life Like a Normal Person, Martin Shelton: Regularly updated.
The article answers the question, “What can I, Normal Person, do to improve my security?” Covering how to be safer when browsing the web, how to encrypt all the things, how to secure web logins, and more.

How to keep up to date, as a trainer

Security is a constantly shifting target. What is useful today will one day be dangerous. Part of setting secure habits is keeping up to date. Here is how we do it:

You can ask questions to the Access Now Digital Security Helpline. Just send an encrypted email message! (That should include your PGP key if it’s not on a key server so they can write you back.)

Look at Martin Shelton’s Current Digital Security Resources page, which includes dozens of security guides and related articles.

Follow @geminiimatt’s “THE LIST” on Twitter for ongoing infosec community news and updates.

You may have to sift through many differing opinions, large and fragile egos, and historic rivalries. But if you let the noise wash over you, you will eventually find some loose consensus and some gems of wisdom within. Consider it a launching point for further research, discussion, and information.

Read Bruce Schneier’s Blog.

We linked tons of it above, and recommend continuing to read Micah Lee’s work at The Intercept.

Read EFF’s blog.

Mainstream media occasionally writes broad roundups on digital privacy, like this article from Consumer Reports in September of 2016. Many leading minds in digital security lend pro tips, but overall it’s too broad and disorganized to be a practical training tool. These kinds of articles are definitely worth reading, mostly so you know how non-technical publications cover digital security.

Go to security conferences! There are security conferences all over the US and the world that are great resources for staying up to date on the latest info and meeting other hackers and security trainers. Here are some of our favorites: BSIDES, DEFCON, HOPE, CCC, Toor Camp, Dev Summit (where this guide was born), ENIGMA, and finally USENIX CONFS.

Podcasts are a great way to learn more about digital security every day.

Listen to podcasts! There are so many great podcasts on security but here are a few short and impactful ones for when you want to learn more and keep up to date.

Daily Stormcasts by SANS Internet Stormcasts, 5–10 minutes duration, daily release

Darknet Diaries, variable length, release ~2 weeks

Cyber: Motherboard, ~25 minutes, weekly

Crypto Gram Security Podcasts, 20 minutes, release monthly

The Cyberwire, 60 minutes, daily release

Risky Business, 60 minutes, weekly release

Security Now with Steve Gibson, 2 hours 30 minutes, weekly

Down the Security Rabbit Hole, 1 hour, weekly

Use free professional resources & watch webinars:

Bright Talk is an online portal for different types of professional resources. The cyber security area tends to have some pretty high quality presentations from commercial vendors and large organizations.

Cybrary is how it sounds — a “cyber” library. Get it? In all seriousness, Cybrary provides free educational resources for IT professionals, including security resources, typically in a video format.

Professor Messer offers step by step videos to help you pass many of the cybersecurity certification exams. Getting certified is great for a career but also the path of studying and testing helps cement knowledge.

Toolkits that are out of date but still worth reviewing

The nature of security advice is that it changes as we learn new things and new techniques are discovered. Unfortunately this means that many guides end up going out of date if they are not constantly maintained. If you find a guide that is out of date consider contacting the author and asking them to update the guide or take it down. Here are some guides which are out of date but might still be worth updating or reviewing.

Security In-A-Box is out of date but still a useful read.

Tactical Tech’s Security in a Box is in 15 languages, is six years old, and is no longer frequently maintained. Careful when recommending anything out of this without looking into it with great care.

Level UP guide is out of date now, but allows contributions to refresh its content.

A roundup of resources from LevelUp (GitHub: https://github.com/levelupcc/level-up) from June 2016 is no longer up to date; however, it is up to us to add updates and reach out to the project with contributions to keep it fresh.

Tactical Tech’s Training Curriculum is a newer resource for security trainers, with an easy way to create customized curriculum PDFs. You plan your class, you pick which modules of learning you want, which workshops you would like your participants to go through, then you click “print PDF” (remember: each pdf needs to be printed). This was published in November 2016.

Frontline Defenders

@geminiimatt PGP guide to sending and receiving encrypted email from Mac, Windows, and Chromebook without using an email client. Great for gmail.com users, and for passing encrypted messages through Twitter DM or Facebook secure chat! See also: EFF’s PGP guide using Thunderbird for Windows, Mac, and on Linux.

Hey, you just read another long post. Thank you for adding to your security training skills! You rock.

Your authors:

Cooper Quintin
CryptoFriends

Cooper is a security researcher and programmer at EFF. He has worked on projects such as Privacy Badger, Canary Watch, Ethersheet, and analysis of state sponsor