Security resources


#9

Here are some posts I've written about operational security. In general, I don't focus on writing about journalist-specific issues, but rather on using existing case studies to explore some relevant facet of security. This partial collection of posts and presentations is, I think, sufficiently generic and relevant that any reader will be able to find lessons to apply to their own personal security.

Security Guides

Mobile Phones

Secure Messengers

Observations on Operational Security

Presentations on Security


#10

Additional posts that I recommend (although they may be more off topic) by @OaklandElle:

Social Media OPSEC
OPSEC for Activists


#11

I maintain a blog at Brown Hat Security on various mostly infosec-related topics.

The folks over at Alienvault have a section with guest posts that I've contributed to; there's a wide variety of content there on various subjects, albeit a bit scattershot.

There are some very useful tools available through Shodan for basic evaluation and information gathering.

In a similar vein, Censys offers highly useful information as well.


#12

May also be of interest:
"Difficult Targets" (Lecture). Tim Jenkin, Matt Kennard, Stefania Maurizi, Paul von Ribbeck, Matthias Spielkamp. Logan CIJ 2016.


#13

The main thing I'm working on right now is a trust-nothing guide to PGP.

It's at https://paranoidmode.com

It's a gitbook managed in this github repo: https://github.com/ojkelly/paranoidmode.com (contributions welcome).

I've found every PGP tutorial to either be missing information, out of date, or unsafe. So the intention is to keep this forever up to date.

The intended audience is someone that is either a programmer, journalist, network administrator or sysadmin. Anyone who regularly uses PGP.


#14

I'm not convinced we should advocate PGP/GnuPG at all.


The great debate: embracing vs. moving away from PGP in trainings
#15

Hi everyone,

Great resources list. I just wanted to make a blatant plug for a tool which has tried to pull together lots of different guides into the one place. It's called Umbrella - and it's a free, open source, Android app to help journalists/activists/aid workers manage their digital and physical security.

The lessons give you simple, practical advice on what to do and what tools to do it with – covering everything from sending a secure email to conducting physical counter-surveillance. You can choose your level of ability or type of protection needed and get answers that reflect your needs. Users can mark, customise and share simple checklists for quick reminders. It also has a series of security information feeds from places like the UN and Centers for Disease Control to keep you updated on the move.

You can find out more general information here: https://www.secfirst.org

Or download directly from the Google Play Store:

Amazon App Store:

-Code: https://github.com/securityfirst/Umbrella_android
-Code audit: https://secfirst.org/blog.html
-F-Droid Repo: https://secfirst.org/fdroid/repo
-F-Droid Fingerprint: 39EB57052F8D684514176819D1645F6A0A7BD943DBC31AB101949006AC0BC228

If you want to reuse the content in the app then feel free:
https://github.com/securityfirst/Umbrella_content

We're always looking for feedback, so please drop us a mail!
-Rory


#16

this link right here: https://github.com/securityfirst/Umbrella_content/tree/master/md/en

i'm all about it!


#17

Thanks!

Just wanted to point out, it's a community effort!

A lot of the hard work (esp around the digital stuff and tool guides) and content was originally done by Tactical Tech/Frontline Defenders Security in a box (CC BY-SA 3.0) https://securityinabox.org

and Surveillance Self Defence by EFF (CC BY-SA 3.0) https://ssd.eff.org

It has some strange formatting as things are a direct port of Umbrella App (to make it easier for pulling/pushing changes etc).


#18

As one of the original authors of (what became) EFF's SSD and the concomitant training courses, I'd advise taking it with a grain of salt. I mean, obviously everyone should take everything with a grain of salt, but, that includes SSD. I was young...

Overall, I remain anxious about any "use this tool to be safe" narrative; even when hedged (as such narratives tend to be, for a desultory sheen of credibility), they feel very dangerous. And I know people don't know how much to heed the hedges, or what the hedges mean.

There's just no substitute for knowing your adversary's capabilities, and knowing your own, and then doing what your adversary can't do. But there's no recipe for that.

It is very likely that an excellent security solution might be to not use any computer stuff at all. Yet you rarely see that advice. Why is that...


#19

I fully accept your point, but realistically 80% of users in a training don't know how to properly assess changing digital risks or are not willing to fully implement a security solution which exactly measures that risk.

Unfortunately we also lack resources which allow you to essentially type in which country you are in and job role etc and see what measures you should be taking. It's available for physical stuff like kidnap but not really digital yet. Though I know that Seamus Touhy at Internews is doing his best to start this process by collecting digital threat intelligence resources into a spreadsheet, for use by digital trainers.

The "don't use a computer" solution at all is often used in trainings but we have to be realistic and admit that a) it only applies in 0.01% of cases and that b) most trainees and people generally struggle with it when conducted over anything other than a short period of time. Often at best what you get is them deciding that might be an option but implementing it in a superficial way. E.g. they take paper notes yet leave them unlocked on their desk with a cleaner who earns minimum wage etc etc etc...


#20

So... can we see Seamus' spreadsheet? Sounds useful.


#21

Let me ping him a message, just to see if he is OK with pushing it out


#22

I believe that Rory is referring to the threat intel spreadsheets I created for Rights Con.

The raw link spreadsheet contains a large (150+) dump of unsorted resources, organizations, etc that I have used, or thought about using for digital security risk modeling as well as a variety of resources submitted by others before the workshop.

The clean list contains a very short list (38) of hand-picked resources by the participants during the session that they thought were especially useful.

I am still planning on cataloging these resources to make it easier for others to use so if you have organizations, mailing lists, websites, wikis, news feeds, data sets, etc. that you use to build your situational awareness, inform risk/threat assessments, or get up to date information or analysis on human rights & Internet freedom issues and incidents please feel free to submit a resource. I know there are a bunch that are still missing from both lists that I have not had a chance to add. I hope there are even more than that I don't know about.

Enjoy!


#23

I quite liked this one for ease of use and overall completeness:

https://github.com/jlund/streisand

Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.


#24

Hello everyone,

I am the founder of Privacy for Journalists. It is a website helping reporters protect their information sources with the following:

Main Sections
Threat Modeling - To help journalists understand their adversaries and motives
Practical Guides - Illustrated guides to set up and configure various tools such as PGP, Ricochet, BitLocker and others
Useful Links - A collection of various security tips, legislations, Meetups, associations and other events aiming to defend privacy
Community - Chat on Slack to discuss best practices with each other


#25

Anybody care to comment on "What's App" and security given recent Facebook developments? Personally, I use Signal but...


#26

This is an awesome and practical article that was published in the TOR blog:

https://blog.torproject.org/blog/technology-hostile-states-ten-principles-user-protection

And is mostly toward people designing systems. Love it! And it could also help to navigate what to look for in the software we use.

" ...
To that end, we decided to enumerate some general principles that we follow to design systems that are resistant to coercion, compromise, and single points of failure of all kinds, especially adversarial failure. We hope that these principles can be used to start a wider conversation about current best practices for data management and potential areas for improvement at major tech companies.

Ten Principles for User Protection

  1. Do not rely on the law to protect systems or users.
  2. Prepare policy commentary for quick response to crisis.
  3. Only keep the user data that you currently need.
  4. Give users full control over their data.
  5. Allow pseudonymity and anonymity.
  6. Encrypt data in transit and at rest.
  7. Invest in cryptographic R&D to replace non-cryptographic systems.
  8. Eliminate single points of security failure, even against coercion.
  9. Favor open source and enable user freedom.
  10. Practice transparency: share best practices, stand for ethics, and report abuse.
    ..."

#27

I put together a sort of "meta-guide" on current security resources. A lot of it is inspired by this thread. Check it out. https://medium.com/@mshelton/current-digital-security-resources-5c88ba40ce5c

You can also leave suggestions / comments for the document here:


#28

Tech Solidarity recently put together a security guide that excels at being as simple as possible, while also providing practical and effective advice.