If this guide feels like too much, start with these 10 things.
Digital Security for Everyone
This guide is designed for beginners and non-technical people with the aim of increasing security across our whole community. The content is based on research, working with security experts and on the ground experience working with community activists and people who believe government and corporations do not have the right to spy on people by default.
Produced by Glenn Todd. Contribution by Gabor Szathmari and experience from FLAC. Eye Image by Eiti Kimura. Entire resource is licensed Creative Commons Attribution 4.0 International License. Updated July 2020.
Security is always changing so do some extra research yourself about recommended tools.The safety of tools can change suddenly if we learn of new exploits or risks with tools. Sometimes great tools get sold to dodgy corporations. Please use these recommendations in context with some healthy cynicism and common sense.
2 hour discussion on the content of this guide.
Many people believe that they are not worth spying on. There are many reasons to protect yourself and your community.
Sort of yes and mostly no.
Security has many levels and protects you from different levels of spies. It is important to understand, the people more likely to target you are probably the least sophisticated. This means any improvement to your security will go a long way.
If only a few people are protecting themselves they become targets, as it is assumed they have something worth spying on. When you and others start protecting themselves, then it gets very difficult and expensive to spy on everyone.
Don’t let Paranoia stop you organising
Although they come with risks, digital tools allow us to leverage our actions and communications in unprecedented ways. If we stop using the these tools due to security, we have lost before we have even started. Use the tools wisely. Some risks are involved but missing the big opportunities is a far bigger risk.
Convenience VS Security
Some security technologies can be less than convenient. Typing long passcodes into your phone and surfing with slower internet speeds via tor. It is up to you how much you balance security and convenience. Many security approaches and technologies do not impact on convenience so apply as many security lessons as you practically can.
High end security is very complex and can make using your technology less convenient. The aim of this guide is to implement good security and not perfect security. Unless you understand the technologies of a technical level, always assume your system is compromised and use your technology wisely. You may have perfect encrypted messaging but your system may have malware that is recording your keystrokes.
Digital literacy – learn your technology
Computers have given us powerful tools that also need maintenance and management. Learning the basics of how your computers and phones work, will make you far more savvy in understanding digital security
Encryption involves using advanced mathematics to scramble your data, making it impossible to access without your key (password). The Snowden leaks has proven that encryption works and we can protect ourselves from spying.
Encrypting is usually a simple matter of turning encryption on via your devices settings. By enabling encryption you make hacking your device either impossible or very difficult and resource intensive.
Your data can be lost in many ways: Fire, theft, failure, arrest, loss etc. You can also lose data if you apply some security measures incorrectly. Make sure you have adequate backups before you start securing and encrypting.
Update your software regular – apply updates
There is a constant loop happening: Hackers find exploits in software and the software people patch them up. Make sure you apply the latest versions to all your software including operating systems, apps and websites to ensure you have the latest secure versions. Unpatched software is a very common way to be hacked.
Lock your computer and phones. Review security settings
Turn on auto-screen lock features using passwords and 2FA. Facial recognition lock can be unlocked by cops using your face (same with fingerprint). Review and configure security settings. Review and configure app settings (eg turn off location unless it explicitly needs location). Most apps have too much permissions on by default.
Phones have become very complex and usually ship with dodgy settings out of the box so the first and most important rule about modern smart phones is DON”T TRUST THEM. Make sure your are geek street smart.
Here are some ways to improve your phone security.
Secure Phone communications
Anything encrypted is better. SMS and voice was built to be intercepted and recorded (since the paper telegram days). Apple messenger and Facetime are respected, however requires iphone. Older phones have lots of vulnerabilities – not recommended
Weak passwords are a primary way to hack you. Simple passwords can be broken by a “brute force attack” where average computers have enough resources to crack them reasonably quickly. YOU NEED A PASSWORD MANAGER
Antivirus and scanners
Protect yourself from virus and malware which is a common way to hack you.
Your location is being tracked and recorded via your mobile device. Many private companies are recording and selling this info. Many drone assassinations in the Middle East are targeted via the location of a persons mobile device.
2FA – Two factor authentication
Sometimes called two-step verification. A process in which users provide two different methods to verify themselves. SMS or email codes in addition to your usual login user and password are common approaches. 2FA apps are a recommended approach. You will need to configure each service separately. Eg you email is seperate to your bank account.
Google has become so useful in many areas that it has become an important tool in many peoples life. Google is also an extensive tracking engine that is building a very extensive and detailed profile on you. Microsoft’s Bing engine is doing the same thing. Don’t log into Google or logout when not using google […]
Private Internet – Block ads and trackers
Minimise browser plugins as some have built in trackers. Cookies are stored in your browser to personalise your experience on websites and are also used to track you. Delete these regularly (every time you quit) to reduce their ability to build a profile on you. In Brave/Chrome > clear browsing data > on exit.
A VPN works by connecting your computer (using encryption) to another computer located somewhere else in the world. Your access to the internet then comes from that computer located somewhere else in the world. So if the computer is located in France, then you are surfing from France. This simple technology thwarts the mandatory data […]
Private Internet – Tor – Anonymous Browsing
Bounces internet users’ and websites’ traffic through “relays” run by thousands of volunteers around the world, making it extremely hard for anyone to identify the source of the information or the location of the user. Use tor with your VPN and ideally with a secure OS and burner laptop. Unfortunately Tor can slow your internet […]
Private Internet – Anonymous Connection
You could use a public wifi but be careful and use a VPN as they are insecure and can be used to hack you. You can also order an overseas SIM online with Australian data roaming – that doesn’t require ID.
Private internet – commerce
There are two major ways to buy things anonymously online. The first one is using Visa or Mastercard gift cards. These can be bought with cash at many supermarkets and at Australia Post. The other way is using the crypto-currency: Bitcoin. Please search for more information on the Bitcoin technology and how to use it.
So you want to be a ninja online? Like martial arts to be truly invisible online you need to spend a lot of time becoming an expert in the technology. There are no shortcuts to becoming a martial arts ninja but there are some ways to skill up without being a top level security geek.
Security culture is an agreement made by a group which outlines the minimum security, tools and security processes the group will use. This allow individuals to understand their personal risk as well as the risk to the group and the groups actions.
Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the documents, user list and the chat logs. Nextcloud is a secure replacement for the google collaboration ecosystem
Crypt pad is realtime Collaborative docs simplar to google docs. Due to its secure nature it laks an easy way to group documents, requiring the need to create and manage an inventory of the secure URLs. You can also use a desktop text or document editor and share by encrypted channel (not realtime)
Google and similar tools are not encrypted: authorities can request the hosting companies to hand over your data. Secure email can be simplified by your group using only one email service such as riseup, tutanota, or protonmail. This means the “end to end” (from your email to your friends email) encryption is managed by the […]
- Keybase group chat/collaboration + files sharing (similar to slack) (easy to use) (unfortunately bought out by zoom)
- Semaphor I have not used this since the new version which is now free. Recommend by security geeks
- Matrix riot Security notices can be a barrier for non-tech people
- Signal Small groups – (large groups make it annoying to use as main sms replacement)
We are looking for a better option for video conferencing. It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.
- jitsi The best ethical choice - turn on the encryption. Can be unstable
- Zoom only uses encryption for paid uses and it needs to be switched on. Zoom works with law enforcement and Chinese authorities so cannot be trusted
- Facetime Apple has a good reputation or security but requires an iphone or mac.
- Signal Signal is good for one on one video
Phones and laptops in meetings
Microphones and cameras can be remotely activated without you knowing and can be switched on remotely. Good practice is to gather all devices and remove them from meetings. Even if they have dead batteries, this encourages good security culture. Some people place tape over their laptop camera because someone watching you remotely is creepy.
(In our context ) A database is a collection of information on people. A CRM (Client Relationship Manager) is a specialised database for managing people’s information, interactions and relationships with people. As database tools become more advanced, we are increasingly building up a lot of information so we need to pay special attention to privacy […]
Email list management
Should be self-hosted somewhere overseas. The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account solely dedicated for receiving emails from the email list.