Security questions for beginners
We want Tinfoil to be welcoming to anyone with questions about digital security. Recognizing that security can often include foreign-sounding language and concepts, this thread is for helping new users get started learning.
If you have questions or suggestions, add them to the thread. Alternatively you can reach out at @tinfoilpress on Twitter or tinfoilhelp at gmail.
Introductory digital security guides
It's easy to get started with a little background reading. These beginner-friendly digital security guides are designed to introduce key concepts and tools.
- Before thinking about digital security tools, consider beginning with A First Look at Digital Security by Access Now. This guide covers how to think about and analyze security concerns.
- Securing Your Digital Life Like a Normal Person introduces basic digital security practices for ordinary users.
- For more specific security concerns for different groups, such as journalists, protesters, human rights defenders, and other groups, read Surveillance Self-Defense by the Electronic Frontier Foundation. You also can find a large number of up-to-date resources for multiple groups here: Current Digital Security Resources.
Learn about encryption basics
A short primer on what encryption is, and how it works.
Here are some foundational concepts related to digital security you should know.
Key concept glossary
- Adversary / attacker: An entity whose goal is to disrupt the privacy, integrity, or availability of personal information. An adversary can be a person (e.g., your network administrator), a group (e.g., a small hacking group or for-profit company), countries (e.g., a foreign government agency) or organizations (e.g., Facebook).
- Threat modeling: Threat modeling is the concept of understanding what threats you face, and the appropriate methods for responding to those threats. Threats and appropriate responses can vary depending on what kinds of information you want to protect, the kind of adversary you're concerned about, their capabilities, the likelihood of an attack, and the potential consequences of a breach.
For example, if you're concerned about a remote hacker breaking into your email account to gather personal information, strengthening authentication using two-factor authentication can help. However, if you are concerned about a government doing the same thing, they may have other legal resources at their disposal, such as sending a subpoena to the company that stores your email. Threat modeling is about understanding likely methods for an attacker to get the information you want to protect, and the appropriate responses for protecting it.
- Attack surface: The different points where an attacker can get unauthorized access to a computing system. A "larger" attack surface involves more points of vulnerability in a system, whereas a "smaller" attack surface is comparatively less vulnerable to attack.
- Operational security (opsec): Operational security refers to the practice of identifying critical information, and withholding related information from adversaries, typically by avoiding disclosure of potentially relevant information in the first place. For example, if you don't want an adversary to know the name of your home town, don't take pictures of landmarks or talk about them in social media. As @grugq says, it's all about keeping your mouth shut.
Basic attack glossary
- Malware: Malware is software designed to give a third party unauthorized access to a user's system, or otherwise to misuse it.
- Social engineering: Social engineering refers to psychologically manipulating people into performing actions or divulging information to an unauthorized party. Social engineering attacks are most successful when the attacker gains the trust or favor of the target. For example, social engineering attacks commonly aim to get sensitive information (e.g., a network login) from a group simply by calling a third party on the phone (e.g., the front desk person at a company) and pretending to be a trustworthy source (e.g., another company employee).
- Phishing: Phishing refers to attempts to obtain sensitive information, such as a password or credit card number, by posing as a trustworthy source (e.g., your bank) in electronic communications (e.g., via email or instant message). The most common phishing attacks begin with an email containing a link to a fake login page, such as a fake Google login page, so that the user hands their login credentials to the adversary. Learn more about phishing.
- Spear phishing: Spear phishing is just like phishing, only the attacker uses information they have gathered about you to personalize the attack. For example, they may use your publicly accessible social media posts about a visit to your local bank, and then send you an email pretending to be from that specific branch.
Basic encryption (crypto) glossary
- "Cleartext" / "plaintext": An unencrypted, human-readable message.
- Encrypt: To scramble a message so it can't be read without the correct information to unscramble it.
- Decrypt: To reverse the encryption process to make a scrambled message readable.
- Verification (sometimes referred to as "authenticating"): Ensuring that the person you’re speaking with is the person you think they are. More about this important process: https://otr.cypherpunks.ca/help/authenticate.php
- Logging: Saving chat conversations on your device.
- End-to-end encryption: Most web services (e.g., Skype) are designed to allow the service to unscramble the message. An end-to-end encrypted conversation means that the encryption is designed so that no one except the intended conversational participants can unscramble the message.
Basic communication encryption glossary
- Signal: A popular end-to-end encrypted messaging app for iPhone and Android, developed by a nonprofit called Open Whisper Systems. Learn more about setting up Signal here.
- Jitsi: An end-to-end encrypted video and messaging client. Jitsi also has a browser-based equivalent called Jitsi Meet, which operates much like Google Hangouts.
- Off-the-record (OTR) messaging: An end-to-end encrypted messaging protocol. OTR is built into several messaging clients, such as Jitsi. Note, OTR as an encryption standard should not be confused with "off the record" messaging in Google Hangouts.
- Password manager: A password manager is a piece of software designed to help you create long, randomized passwords that you do not need to remember. You unlock your password "vault" with one strong password, which gives you access to your other login credentials. Examples include 1Password, LastPass, and KeePass. Learn more about password managers.
- Two-factor authentication: (Sometimes 2FA, two-step verification, or multi-factor authentication.) Normally when you log into an online account, you simply enter your password. With two-factor authentication, a second secret (the second "factor") is also required to log in. Typically this second factor is a code generated on your phone, delivered by SMS text message or produced by an app. More about two-factor authentication here: https://ssd.eff.org/en/module/how-enable-two-factor-authentication
- Tor (The Onion Router): Tor allows users to access the web fairly anonymously by encrypting users' traffic and bouncing it through its distributed network. Tor is most easily accessed through the Tor Browser, a modified version of Firefox. When on Tor, your traffic passes through three servers ("nodes") around the world within the Tor network. Unlike when you normally browse the web, on Tor websites can't identify your real location, and you will likely appear to come from another country. By encrypting traffic and tunneling it through a remote location, Tor can be helpful for accessing websites censored in your country, as well as for avoiding network surveillance.
- Tails: Tails (The Amnesic Incognito Live System) is an operating system that routes traffic through Tor and includes a suite of tools for secure communication. Tails typically boots from a USB stick or DVD and runs entirely in memory, so when the device is ejected nothing of the session is left behind on the computer.
- Ricochet: Ricochet is an instant messenger that relies on Tor for anonymity.
PGP and public key cryptography glossary
- Pretty Good Privacy (PGP): An email encryption standard from the early 1990s. PGP is the inspiration for GPG.
- GNU Privacy Guard (GPG): Free and open source version of PGP. GPG is now widely used (not PGP). The terms “PGP” and “GPG” are often used interchangeably.
- Message signing: Signing allows other users to confirm that a message, in fact, came from you. Signing a message means generating a cryptographic code that corresponds to the combination of your private key and the message. Other PGP users can verify that a signed message came from the right source. More info: http://ask-leo.com/what_does_begin_pgp_signed_message_mean.html
- Public key cryptography: Encryption using one key to encrypt, and another to decrypt.
- Public key: The key used to “lock” (encrypt) a message. Give your public key to people so they can encrypt messages to you.
- Private (or “secret”) key: The key used to unlock (decrypt) a message. You want to keep your private key to yourself, so no one else can decrypt messages meant for you.
- Fingerprint: A short code that corresponds to the longer public key, which can be used to verify that you are sending an encrypted message to the correct key. Typically the fingerprint needs to be verified over a secondary "out-of-band" channel. For example, you can be fairly certain that a key belongs to the right person by comparing the fingerprint you have for them to the fingerprint they personally give you on another channel (e.g., over Twitter direct messages, over the phone, or in person). If the fingerprints are identical, you're fine; if not, you have the wrong public key. Many encryption standards use fingerprints, including PGP and OTR.
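The public key cryptography, message signing and fingerprint entries above fit together, and an added example (not the thread's code, and not GnuPG's) shows the relationship in working form: textbook RSA with tiny constructed primes, so the numbers are small enough to follow. All function names and key values are hypothetical; it is an illustration of the ideas, not of the real OpenPGP format or key sizes.

```python
"""Toy public-key crypto for the PGP glossary: one key locks, the other unlocks,
signing uses the private key, and a fingerprint stands in for the long public key.
Added example, not the thread's or GnuPG's code. Textbook RSA with tiny constructed
primes and no padding: readable, but NOT secure and not the OpenPGP format."""
import hashlib

def make_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (public key (n, e), private key (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: the modular inverse of e
    return (n, e), (n, d)

def encrypt(public_key: tuple[int, int], plaintext: bytes) -> list[int]:
    """Anyone holding the PUBLIC key can lock a message (toy: one byte per block)."""
    n, e = public_key
    return [pow(byte, e, n) for byte in plaintext]

def decrypt(private_key: tuple[int, int], ciphertext: list[int]) -> bytes:
    """Only the PRIVATE key holder can unlock it again."""
    n, d = private_key
    return bytes(pow(block, d, n) for block in ciphertext)

def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key: tuple[int, int], message: bytes) -> int:
    """Signing: a code that depends on BOTH the private key and the exact message."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature; changing the message breaks it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

def fingerprint(public_key: tuple[int, int]) -> str:
    """Short code derived from the full public key, to be read out over another channel."""
    n, e = public_key
    digest = hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16].upper()
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)   # constructed: n = 3233, d = 2753
    boxed = encrypt(alice_pub, b"hello")          # anyone can lock with alice_pub
    print(decrypt(alice_priv, boxed), verify(alice_pub, b"hello", sign(alice_priv, b"hello")))
    print("fingerprint to compare out of band:", fingerprint(alice_pub))
```

Two different keys always produce different fingerprints, so if the fingerprint your contact reads to you over the phone does not match the one on the key you were sent, you have the wrong key.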