Security resources

[Last updated December January 19 2017.]

If you have useful security resources that you'd like others to know about, feel free to reply and share them here.

To get us started…

General guides / for multiple groups
[Electronic Frontier Foundation] Surveillance Self-Defense Guide
[Martin Shelton (@mshelton)] Securing Your Digital Life Like a Normal Person
[Martin Shelton] Password Managers for Beginners
[Martin Shelton] Signal for Beginners
[Tactical Tech] HomeApp Centre
[Harlo Holmes (@harlo), Freedom of the Press Foundation] Anti-phishing and Email Hygiene
[Micah Lee, Freedom of the Press Foundation] Security Tips Every Signal User Should Know
[Micah Lee, Freedom of the Press Foundation] Encryption Works
[Computer Incident Response Center Luxembourg] The Digital First Aid Kit
[Digital Defenders Partnership] The Digital First Aid Kit
[Anqi Li & Kim Burton, Access Now] A First Look at Digital Security
[Lorenzo Franceschi-Bicchierai & Joseph Cox] The Motherboard Guide to Not Getting Hacked
[Tactical Tech & Front Line Defenders] Security-in-a-box
[Riseup] Communications Security
[(bluehat)] A Citizen's Guide to Digital Freedoms
[Tactical Tech and Front Line Defenders] Security in-a-Box: Tools and Tactics for Digital Security
[equalit.ie, Transitions Online] Online Learning
[Micah Lee] Encrypting your laptop like you mean it
[Micah Lee] Surveillance Self-Defense Against the Trump Administration

Journalists
[Martin Shelton] Digital Self Defense for Journalists: An Introduction
[Martin Shelton] Source Guide to Defending Accounts Against Common Attacks
[Committee to Protect Journalists] Journalist Security Guide
[Jonathan Stray (@jonathanstray) ] Security for Journalists (Part 1)
[Jonathan Stray] Security for Journalists (Part 2)
[Jose Luis Sierra (Knight ICFJ Fellow)] Salama: Risk Assessment For Journalists and Bloggers
[Tim Jenkin / Center for Investigative Journalism] Operational Security for Journalists (Lecture)
[Center for Investigative Journalism] Information Security for Journalists
[Susan E. McGregor (@susanemcg)] Digital Security & Source Protection for Journalists
[Rory Peck Trust] Digital Security For Freelancers
[Canadian Journalists for Free Expression Journalists in Distress: Securing Your Digital Life
[The Intercept Surveillance Self-Defense for Journalists

Combating gendered abuse
[Tactical Tech] Gender and Tech Resources
[CrashOverride] Coach: Crash Override's Automated Cyber Security Helper
[Feminist Frequency] Speak Up & Stay Safe(r): A Guide to Protecting Yourself From Online Harassment
[Safe Hub Collective] A DIY Guide to Feminist Cybersecurity

Academics
[Marwick, Blackwell, & Lo] Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment

Resources for security trainers
[Rachel Weidinger, Cooper Quintin, and matt mitchell] Security training resources for security trainers, Winter 2016 Edition
[Internews / LevelUp] Resources for the Global Digital Safety Training Community
[Internews] SaferJourno: Digital Security Resources for Media Trainers
[Tactical Tech] Training Curriculum: Teach others about data and privacy
[equalit.ie] Security Training Curricula (Last updated August 2013)

Activists
[(bluehat)] Privacy Guide for Activists with Haters
[Dia Kayyali, Witness] Getting Started with Digital Security: Tips and Resources for Activists
[Electronic Frontier Foundation] Digital Security Tips for Protesters
[Rory Byrne (@rorybyrne)] How journalists and activists can identify and counter physical surveillance
[Jillian York, Electronic Intifada] A Guide To Online Security For Activists
[WITNESS] A Library of Free Resources for Video Activists, Trainers and Their Allies
[Kade Crockford] Security Culture is Good

Human Rights Defenders
[Association for Progressive Communications] Digital Security First Aid Kit for Human Rights Defenders

Other utilities
[PhishTank] Submit and identify phishing attempts
[Julio Cesar Fort] Public Pentesting Reports
[Internews] Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG)
[r00tz asylum] Whitehat hacking for kids

I'll occasionally update this post to add more.

Resources from this thread have been loosely adapted into a "meta-guide", which can be found here: Current Digital Security Resources.

Hi all. Thanks for linking to my Source posts. I've recently started revising my training approach to try to organize it around the problems journalists face (e.g. first contact, transferring files, etc.) This is a talk I gave two weeks ago about all this.

Here are some posts I've written about operational security. In general, I don't focus on writing about journalist specific issues, but rather on using existing case studies to explore some relevant facet of security. This partial collection of posts and presentations is, I think, sufficiently generic and relevant that any reader will be able to find lessons to apply to their own personal security.

Security Guides

• Operational PGP - a guide to secure email, using PGP.
• Free Security Advice - generic security advice, simply secure.

Mobile Phones

• A Fistful of Surveillance
• Anonymity is Hard

Secure Messengers

• Operational Telegram
• Signal, Intelligence
• Operational WhatsApp

Observations on Operational Security

• Clandestiny is a Constant
• In Search of OPSEC Magic Sauce
• Ignorance is Strength
• You Can't Get There From Here
• Man Hunting, The Sport of Security Forces
• Operational security and the real world

Presentations on Security

• COMSEC: Beyond Encryption [PDF]
• OPSEC for Hackers [PDF]
  • Video

Additional posts that I recommend (although they may be more off topic) by @OaklandElle:

Social Media OPSEC
OPSEC for Activists

I maintain a blog at Brown Hat Security on various mostly-infosec related topics.

The folks over at Alienvault have a section with guest posts that I've contributed to; there's a wide variety of content there on various subjects, albeit a bit scattershot.

There's some very useful tools available through Shodan for basic evaluation and information gathering.

In a similar vein, Censys offers highly useful information as well.

May also be of interest:
"Difficult Targets" (Lecture). Tim Jenkin, Matt Kennard, Stefania Maurizi, Paul von Ribbeck, Matthias Spielkamp. Logan CIJ 2016.

The main thing I'm working on right now is a trust-nothing guide to PGP.

It's at https://paranoidmode.com

It's a gitbook managed in this github repo: https://github.com/ojkelly/paranoidmode.com (contributions welcome).

I've found every PGP tutorial to either be missing information, out of date, or unsafe. So the intention is to keep this forever up to date.

The intended audience is someone that is either a programmer, journalist, network administrator or sysadmin. Anyone who regularly uses PGP.

I'm not convinced we should advocate PGP/GnuPG at all.

Hi everyone,

Great resources list. I just wanted to make a blatant plug for a tool which has tried to pull together lots of different guides into the one place. It's called Umbrella - and it's a free, open source, Android app to help journalists/activists/aid workers manage their digital and physical security.

The lessons give you simple, practical advice on what to do and what tools to do it with – covering everything from sending a secure email to conducting physical counter-surveillance. You can choose your level of ability or type of protection needed and get answers that reflect your needs. Users can mark, customise and share simple checklists for quick reminders. It also has a series of security information feeds from places like the UN and Centers for Disease Control to keep you updated on the move.

You can find out more general information here: https://www.secfirst.org

Or download directly from the Google Play Store:

Amazon App Store:

-Code: https://github.com/securityfirst/Umbrella_android
-Code audit: https://secfirst.org/blog.html
-F-Droid Repo: https://secfirst.org/fdroid/repo
-F-Droid Fingerprint: 39EB57052F8D684514176819D1645F6A0A7BD943DBC31AB101949006AC0BC228

If you want to reuse the content in the app then feel free:
https://github.com/securityfirst/Umbrella_content

We're always looking for feedback, so please drop us a mail!
-Rory

this link right here: https://github.com/securityfirst/Umbrella_content/tree/master/md/en

i'm all about it!

Thanks!

Just wanted to point out, it's is a community effort!

A lot of the hard work (esp around the digital stuff and tool guides) and content was originally done by Tactical Tech/Frontline Defenders Security in a box (CC BY-SA 3.0) https://securityinabox.org

and Surveillance Self Defence by EFF (CC BY-SA 3.0) https://ssd.eff.org

It has some strange formatting as things are a direct port of Umbrella App (to make it easier for pulling/pushing changes etc).

As one of the original authors of (what became) EFF's SSD and the concomitant training courses, I'd advise taking it with a grain of salt. I mean, obviously everyone should take everything with a grain of salt, but, that includes SSD. I was young...

Overall, I remain anxious about any "use this tool to be safe" narrative; even when hedged (as such narratives tend to be, for a desultory sheen of credibility), they feel very dangerous. And I know people don't know how much to heed the hedges, or what the hedges mean.

There's just no substitute for knowing your adversary's capabilities, and knowing your own, and then doing what your adversary can't do. But there's no recipe for that.

It is very likely that an excellent security solution might be to not use any computer stuff at all. Yet you rarely see that advice. Why is that...

I fully accept your point, but realistically 80% of users in a training don't know how to properly assess changing digital risks or are not willing to fully implement a security solution which exactly measures that risk.

Unfortunately we also lack resources which allow you to essentially type in which country you are in and job role etc and see what measures you should be taking. It's available for physical stuff like kidnap but not really digital yet. Though I know that Seamus Touhy at Internews is doing his best to start this process by collection digital threat intelligence resources into a spreadsheet, for use by digital trainers.

The "don't use a computer" solution at all is often used in trainings but we have to be realistic and admit that a) it only applies in 0.01% of cases and that b) most trainees and people generally struggle with it when conducted over anything other than a short period of time. Often at best what you get is them decided that might be an option but implementing in a superficial way. E.g they take paper notes yet leave them unlocked on their desk with a cleaner who earns minimum wage etc etc etc...

So... can we see Seamus' spreadsheet? Sounds useful.

Let me ping him a message, just to see if he is OK with pushing it out

I believe that Rory is referring to the threat intel spreadsheets I created for Rights Con.

The raw link spreadsheet contains a large (150+) dump of unsorted resources, organizations, etc that I have used, or thought about using for digital security risk modeling as well a variety of resources submitted by others before the workshop.

The clean list contains a very short list (38) of hand picked resources by the participants during the session that they thought were especially useful.

I am still planning on cataloging these resources to make it easier for others to use so if you have organizations, mailing lists, websites, wikis, news feeds, data sets, etc. that you use to build your situational awareness, inform risk/threat assessments, or get up to date information or analysis on human rights & Internet freedom issues and incidents please feel free to submit a resource. I know there are a bunch that still missing from both lists that I have not had a chance to add. I hope there are even more than that I don't know about.

Enjoy!

I quite liked this one for ease of use and overall completeness:

https://github.com/jlund/streisand

Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Hello everyone,

I am the founder of Privacy for Journalists. It is a website helping reporters protect their information sources with the following:

Main Sections
Threat Modeling - To help journalists understand their adversaries and motives
Practial Guides - Illustrated guides to set up and configure various tools such as PGP, Ricochet, BitLocker and others
Useful Links - A collection of various security tips, legislations, Meetups, associations and other events aiming to defend privacy
Community - Chat on Slack to discuss best practices with each other

Anybody care to comment on "What's App" and security given recent Facebook developments? Personally, I use Signal but...

This is an awesome and practical article that was published in the TOR blog:

https://blog.torproject.org/blog/technology-hostile-states-ten-principles-user-protection

And is mostly toward people designing systems. Love it! And it could also help to navigate what to look for in the software we use.

" ...
To that end, we decided to enumerate some general principles that we follow to design systems that are resistant to coercion, compromise, and single points of failure of all kinds, especially adversarial failure. We hope that these principles can be used to start a wider conversation about current best practices for data management and potential areas for improvement at major tech companies.

Ten Principles for User Protection

1. Do not rely on the law to protect systems or users.
2. Prepare policy commentary for quick response to crisis.
3. Only keep the user data that you currently need.
4. Give users full control over their data.
5. Allow pseudonymity and anonymity.
6. Encrypt data in transit and at rest.
7. Invest in cryptographic R&D to replace non-cryptographic systems.
8. Eliminate single points of security failure, even against coercion.
9. Favor open source and enable user freedom.
10. Practice transparency: share best practices, stand for ethics, and report abuse.
    ..."