Digital Security Training Resources for Security Trainers, Winter 2017 Edition

Authors:
Rachel Weidinger
(twitter.com/rachelannyes)
Cooper Quintin (twitter.com/cooperq)
Martin Shelton (twitter.com/mshelton)
matt mitchell (twitter.com/geminiimatt)

Inspired by: A session and discussion at Aspiration Tech Dev Summit 2016
Document written in: English
Currently translated to: English
First Published: November 18, 2016
Last Updated:
November 18, 2017
Expiration Date/Best By:
February 2018
License: Digital Security training resources for security trainers, Winter 2017 Edition by Rachel Weidinger, Cooper Quintin, Martin Shelton, and matt mitchell is licensed under a Creative Commons Attribution 4.0 International License. This license lets others distribute, remix, tweak, and build upon our work, even commercially, as long as they credit us for the original creation. This is the most accommodating Creative Commons license offered.

Getting questions about how to increase security? Us too. Right now we can use a lot more security trainers to meet the demand. This post is the first in a series to get you on the path to helping out. The contents are a roundup of security training resources, pulled together to help trainers. These links are current as of November 2017. The links and resources were chosen because of their author’s balanced approach and use of plain language over technical jargon.

This post is an answer to the questions: “Where can I get up-to date security training links? What tools should I use and why?” We hope to address other topics including ‘things to think about when you are giving a digital security training,’ and go deeper into specifics like operational security in future posts.

The goal of this post is narrow: to provide resources to trainers focused on basic security hygiene, the digital equivalent of doing healthcare by teaching “hand washing.”

We do not believe that security trainings will fix the political problems in the U.S. and elsewhere, and much of the advice in these guides depends on the good will of the U.S. government (e.g., legal access to strong encryption). However, we believe that operational security advice and digital security tools are still useful for protecting vulnerable communities from some real dangers they now face.

We’ve organized this guide into three sections:

  • Toolkits that are up to date today
  • How to keep up to date as a trainer
  • Toolkits that are out of date but still worth reviewing

Have an update to suggest? We’re interested. Send it to one (or all!) of us on Twitter. We aim to update resources on a quarterly basis, with the next expected update in Spring 2018.


“… up to date …”

Toolkits that are up to date today

Since we last updated this guide, the number of resources available has continued to grow by leaps and bounds. The authors are excited to see so many people taking the time to publish new digital security guides. Unfortunately, the reasons these resources are necessary—the growth of hacking by law enforcement and governments, spying on their citizens, and a global trend toward authoritarianism—are less exciting. As with all new resources, we urge you to exercise caution and critical thinking when reading and recommending them, because the quality of information varies. Here are some tips on reading skeptically.

“There are a lot of resources available online but sadly for many reasons they fall out of date.”

There are a lot of resources available online but sadly for many reasons they fall out of date. Like expired medicine, this can be very dangerous. Below is a list of up to date resources/toolkits that we reviewed for clarity and content.


Security Education Companion, by the Electronic Frontier Foundation: regularly updated. 
This is a huge compendium of teaching materials and resources for security trainers. The SEC is designed to encourage and support people who want to become the security and privacy expert within their own communities. It is also useful for experienced security trainers, providing useful curriculum and teaching tools. Pro tip: Under the teaching materials section, it includes printable handouts formatted as easy-to-edit Powerpoint/LibreOffice slides, so you can quickly remix your materials for your community.

Tactical Tech’s Training Curriculum is a newer resource for security trainers, with an easy way to create customized curriculum PDFs. You plan your class, you pick which modules of learning you want, which workshops you would like your participants to go through, then you click PRINT PDF (remember each pdf needs to be printed). This was published in November 2016.
Pro tip: This webpage has two scrollbars, use the inner one to scroll down. Click on workshops in the left column, then ‘view the full session’ for any workshop card in the main column, scroll to the bottom of that card to find links to update yourself. click on ‘session breakdown’ tab for examples on how to teach this topic.

How To Lead A Digital Security Workshop, by Motherboard: February, 2017.
Learning about this digital safety stuff is one thing. Teaching it to others is another. This article includes useful tips on how to convey and share knowledge in an effective way. Knowledge is power! Pro tip: We wrote this!

Electronic Frontier Foundation has a robust series of resources available on Surveillance Self Defense — so many that it can be tricky to navigate. Start with looking at the ‘playlists’ for different types of needs. 
Pro tip: These pages have a “Last updated” stamp on the bottom. It is really important that you take the date into account, especially for timely things like discussion of hardware, software, and apps. Ideas on approaches and methods have a longer shelf-life. Some pages are from 2017 others 2014. Here are a few of the most popular pages: “Security starter pack,” “Activist or protester?” “LGBTQ youth,” “Journalist on the move?” A great trainer will understand the information in these and how to apply them to different at risk groups.

Videos of note

There have been a number of instructive videos on security:

What is Threat Modeling? Motherboard: November, 2017. 
Fantastic, short, video explanation of what threat modeling is and why you should do it. Great for a training introduction! Pro tip: There are a ton of good videos on this site called “Motherboard Shorties.” Take a look for more gems!


Articles of note

There have been a number of instructive pieces on security:

Two Passwords are Always Better Than One, Jessy Irwin: November, 2017.
Many security professionals and trainers have rightly pointed out the flaws in SMS based two-factor authentication, or 2FA, for short. In this article the author makes a strong case as to why security trainers should help people understand the importance of 2FA and how speaking poorly about SMS based 2FA might only serve to confuse the people we are trying to help.

So What The Hell is Doxxing?, Decca Muldowney : November 4, 2017.
This article looks into what “dropping documents” is and how it effects people. It looks into some of the methods used by doxxers & how to protect your information from them. Pro tip: The article includes links to opt-out forms to remove or hide information on data broker sites.

How to Use Signal Without Giving Out Your Phone Number, by Micah Lee: September, 2017. 
One of the downsides of Signal is that you have to give out your phone number to anyone you want to talk to, which may not be ideal if you are working with strangers, people you don’t trust, or if you are using your phone number for two-factor authentication. This guide will show you how to use Signal with an alternate phone number, allowing you to preserve the privacy of your real phone number. Pro tip: While reading up, consider checking out two other resources on the same topic here and here.

DIY Feminist Cybersecurity, Noah Kelley: 2017. 
This is a useful guide because if you skip all the way down to the lilac colored Find the right tools for your security needs” section, there are three flavors of security levels: “Casual,” “Friends and family,” and “Advanced.” Each is a good roundup for different risk levels/threat models. It’s also available in Spanish.

How To Run A Rogue Government Twitter Account With An Anonymous Email Address and A Burner Phone, The Intercept: February, 2017.
There are more and more alternative (alt-) government accounts on social networks like Twitter. The U.S. Government pressured twitter to reveal the owner and details behind @ALT_uscis. Twitter sued, and the government has since backed off — for now. To ensure there is nothing to link a person to their account, follow this step-by-step guide.

Surveillance Self Defense for Journalists, The Intercept: January, 2017.
As an adversarial journalism outfit, The Intercept has arguably the best infosec/opsec skills of any U.S. newsroom. They know that journalists don’t have time to read a long post. This is a fast read that asks reporters to categorize digital safety knowledge (beginner, intermediate, advanced) and gives a prescriptive list of things to do for each level.

Journalists in Distress: Securing Your Digital Life, Canadian Journalists for Freedom of Expression: January 2017. 
This page provides a matrix to give basic education on a variety of topics facing reporters.

Security Basics, by Olivia Martin: January, 2017. Digital Security can be overwhelming often people have one simple question, “Where do I begin?” In this post Olivia walks through 11 important things anyone can do right now. Its a great read for beginners and pros too.

Upgrading WhatsApp Security, Martin Shelton: February, 2017.
Pro tip: This post walks you through step by step how to set up and use WhatsApp as securely as possible. For many people its easier to communicate securely using WhatsApp because that is where most of the people they chat with are. Also because WhatsApp is the number one messenger in the world it tends to go unnoticed when you are using it.

Don’t Panic! Download “A First Look at Digital Security, Anqi Li & Kim Burton: Updated February, 2017.
The authors have a lightweight approach to threat modeling and use of beautifully drawn cartoons to get the point across. They share threat models that others can adopt or apply to their own.

Getting Started With Digital Security, Dia Kayyali: November 16, 2016.
Pro tip: There are many “getting started” type guides but this one is from the point of view of an activist. It goes over an example of a threat model an activist faces, offering specific and culturally relevant guidance. The article is great for anyone working with people who document or record abuse. It’s also a nice segway into the WITNESS library of related materials, which are translated into 15 languages.

Surveillance Self-Defense Against the Trump Administration, Micah Lee: November, 2016. 
In this post Micah begins with basic recommendations like encrypting your phone then lays out a very secure workflow highly technical movement building organizations and groups. This includes a tor hidden service (potentially with stealth auth). It is highly technical.

Cybersecurity for the People: How to Keep Your Chats Truly Private with Signal, Micah Lee, May 2017. 
In this post, Micah Lee demonstrates how to set up and use Signal for private messaging, video, and voice chat. To maximize Signal’s security, he also describes how to lock down your mobile device, verifying the security of your conversations, as well as how to use the desktop app. Pro tip: For related articles on this topic, see this article from the Freedom of the Press Foundation, and the Electronic Frontier Foundation (iOS, Android).

Encrypting Your Laptop Like You Mean It, Micah Lee: April, 2015.
Pro tip: The cornerstone of digital safety is hardware encryption/full disk encryption of the devices we use the most, our laptops and phones. Here Micah walks through the options starting with what is already there.

Securing Your Digital Life Like a Normal Person, Martin Shelton: Regularly updated. 
The article answers the question, “What can I, Normal Person, do to improve my security?” Covering how to be safer when browsing the web, how to encrypt all the things, how to secure web logins, and more.

@geminiimatt PGP guide to sending and receiving encrypted email from Mac, Windows, and Chromebook without using an email client. Great for gmail.com users, and for passing encrypted messages through Twitter DM or Facebook secure chat! See also: EFF’s PGP guide using Thunderbird for Windows, Mac, and on Linux.


Twitter threads of note. Sometimes infosec Twitter has some real gems to share, unfortunately locked behind the walls of Twitter and buried by the latest trending info. We made an effort to avoid anything too opinionated it is however the essence of Twitter and there may be various ideas expressed as the threads grow.

Pro tip: Approach with an open and analytical mind.

Below are two great threads about an important topic, VPNs (Virtual Private Networks).

@SwiftOnSecurity tweet about the how hard it is to find independent information on VPN providers.

Relatedly, consider reading Motherboard’s article on how to choose a VPN for users with different levels of technical proficiency.

And if you’re interested in learning more about defending against doxxing — information-dumping as a harassment tactic — check this out, from Decca Muldowney at ProPublica. Yael Grauer also wrote a useful article on opting out of data brokers, which share and sell access to personal data.


“…keeping up to date…”

How to keep up to date, as a trainer

Security is a constantly shifting target. What is useful today will one day be dangerous. Part of setting secure habits is keeping up to date. Here is how we do it:

You can ask questions to the Access Now Digital Security Helpline. Just send an encrypted email message! (That should include your PGP key if it’s not on a key server so they can write you back.)

Follow @geminiimatt’s “THE LIST” on Twitter for ongoing infosec community news and updates.

You may have to sift through many differing opinions, large and fragile egos, and historic rivalries. But if you let the noise wash over you, you will eventually find some loose consensus and some gems of wisdom within. Consider it a launching point for further research, discussion, and information.

Read Bruce Schneier’s Blog.

We linked tons of it above, and recommend continuing to read Micah Lee’s work at The Intercept.

Read EFF’s blog.

Mainstream media occasionally writes broad roundups on digital privacy, like this article from Consumer Reports in September of 2016. Many leading minds in digital security lend pro tips, but overall it’s too broad and disorganized to be a practical training tool. These kinds of articles are definitely worth you reading, mostly so you know how non-technical publications cover digital security.

Go to security conferences! There are security conferences all over the US and the world that are great resources for staying up to date on the latest info and meeting other hackers and security trainers. Here are some of our favorites: BSIDES, DEFCON, HOPE, CCC, Toor Camp, Dev Summit (where this guide was born), ENIGMA, and finally USENIX CONFS.

Podcasts are a great way to learn more about digital security every day.

Listen to podcasts! There are so many great podcasts on security but here are a few short and impactful ones for when you want to learn more and keep up to date.

Daily Stormcasts by SANS Internet Stormcasts, 5–10 minutes duration, daily release

Crypto Gram Security Podcasts, 20 minutes, release monthly

The Cyberwire, 60 minutes, daily release

Risky Business, 60 minutes, weekly release

Security Now with Steve Gibson, 2 hours 30 minutes, weekly

Down the Security Rabbit Hole, 1 hour, weekly


“…out of date…”

Toolkits that are out of date but still worth reviewing

The nature of security advice is that it changes as we learn new things and new techniques are discovered. Unfortunately this means that many guides end up going out of date if they are not constantly maintained. If you find a guide that is out of date consider contacting the author and asking them to update the guide or take it down. Here are some guides which are out of date but might still be worth updating or reviewing.

Security In-A-Box is out of date but still a usefult read.

Tactical Tech’s Security in a Box is in 15 languages, is four years old, and is no longer frequently maintained . Careful when recommending anything out of this without looking into it with great care.

Level UP guide is out of date now, but allows contributions to refesh its content.

A roundup of resources from LevelUp, from June 2016 is no longer up to date, however it is up to us to add updates and reach out to the project with contributions to keep it fresh.

Frontline Defenders

Hey, you just read another long post. Thank you for adding to your security training skills! You rock.

Your authors: