Current Digital Security Resources

October 2019 Edition

Time flies. Original image: danielhedrick (CC BY-NC 2.0)

This project is now retired. Last updated October 22, 2019.

Digital technology doesn’t die — it just ages really, really fast. Even the richest digital security resources become quickly out-of-date, and while there are a remarkable number of toolkits and guides for learning digital self-defense, relatively few have information you can use right now. This “meta-guide” highlights current resources, and tips on keeping them timely and relevant.

The following guides and toolkits were included based on a few key requirements: relevance, practical advice, accessible language, clear organization, and of course, up-to-date information. My hope is that the resulting list is rich with knowledge that can be put to work both by experts and non-experts today. I’ve broken up this list into categories based on the intended audience, followed by articles on specific security tools and practices.

Guides for a general audience, or multiple groups

Resources for journalists

Resources for harassment and abuse

Resources for activists and protesters

Resources for security trainers

Resources for lawyers

(March 2017) Computer Security Tools & Concepts for Lawyers , by Kendra Albert (@KendraSerra). With an eye to lawful process and a realistic security concerns for legal professionals and their clients, this resource introduces the basics of threat modeling, social engineering, and encryption. It also provides several recommendations on how to better address technical security concerns, such as using password managers and two-factor authentication, as well as secure communications, device and file encryption, data minimization practices, and more.

(@KendraSerra). With an eye to lawful process and a realistic security concerns for legal professionals and their clients, this resource introduces the basics of threat modeling, social engineering, and encryption. It also provides several recommendations on how to better address technical security concerns, such as using password managers and two-factor authentication, as well as secure communications, device and file encryption, data minimization practices, and more. (Last updated January 2019) Operational Security for Lawyers, by Ansel Halliburton (@anseljh), Lawyerist (@lawyerist). The guide covers the basics of threat modeling, strong authentication practices, secure messaging with Signal, anonymous filesharing, and describes many issues with basic email security. The guide also describes the role of other basic practices (e.g., patching) for security hygiene.

Resources for dangerous situations

(March 2017) DIY Cybersecurity for Domestic Violence , by Noah Kelley (@ciakraa), HACK*BLOSSOM (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including when partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses.

(@ciakraa), (@hackblossom). A (beautifully illustrated) guide to security concerns in situations involving intimate partner abuse. The guide examines security concerns through various scenarios, including when partner harassment over phone calls and social media, stalking, and targeted surveillance. The guide also examines what happens when partners have access to your online accounts, when your sex life is being used against you, and when you want to leave your partner. Each scenario comes with a series of corresponding defenses. (March 2017) Digital Privacy at the U.S. Border, by Sophia Cope (@scopesetic), Amul Kalia (@amullionaire), Seth Schoen, and Adam Schwartz (@Adam_D_Schwartz), Electronic Frontier Foundation (@eff). In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation Part released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range tools you can use to protect yourself, and their constraints.

Guides to specific tools and practices

While many of the above resources are broad overviews or contain many step-by-step guides, other recent resources are narrowly focused on specific tools and practices.

Signal for encrypted messaging, voice, and video calls

WhatsApp for encrypted messaging, voice, and video calls

(February 2017) Upgrading WhatsApp Security, by Martin Shelton (@mshelton). A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).

Wire for encrypted messaging, voice, and video calls

(January 2018) Wire for Beginners, by Martin Shelton (@mshelton). A primer on installing and using Wire. The guide walks through setting up the app, the basics of messaging, how to set up the desktop app, making messages disappear, lock screen security, verification methods, and how to shore up potential security holes.

Pretty Good Privacy (PGP) email encryption

Password managers

(Regularly updated) Password Managers for Beginners, by Martin Shelton (@mshelton). A beginner-friendly guide describing why password managers are useful, branching into three step-by-step guides for getting started with 1Password, LastPass, and KeePassXC.

Anti-phishing

(Last updated December 2016) Anti-phishing and Email Hygiene, by Harlo Holmes (@harlo), Freedom of the Press Foundation (@freedomofpress). This guide covers threat modeling, authentication practices, as well as common phishing tactics and how to avoid them.

Two-factor authentication

Virtual Private Networks

Disk encryption

(Last updated May 2015) Encrypting Your Laptop Like You Mean It, by Micah Lee (@micahflee). A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.

Private browsing

(July 2018) What Does Private Browsing Mode Do?, by Martin Shelton (@mshelton). A short primer on what data private browsing mode protects, and doesn’t protect. The article begins with a general explanation of what other parties see when you connect to websites (e.g., your ISP, network administrator, and the website itself). It then examines what data is “forgotten” locally in private browsing mode, and highlights data that may not be forgotten by other entities.

Denial of service mitigation

(Last updated October 2017) Keeping Your Site Alive, by the Electronic Frontier Foundation (@EFF) This guide examines how to defend against distributed denial of service (DDoS) attacks, which can render a server (e.g., a personal website) inaccessible by overloading it with more junk traffic than it can accept, preventing the delivery of legitimate traffic. The guide examines how a DDoS attack works, outlining multiple types of traffic used in attacks. It unpacks how to assess risk, and how to set up defenses with various web hosting options, DDoS protection services, backups, and site mirroring tools.

Slightly less up to date, but worth reviewing

It’s an older guide, but it checks out.

Resources for journalists

Resources for activists and human rights defenders

Resources for security trainers

(March 2014) SaferJourno: Digital Security Resources for Media Trainers , by Internews (@internews).

(@internews). (August 2013) Security Training Curricula, by eQualit.ie (@eQualitie). This guide provides general tips and resources (e.g., a pre-training questionnaire) for leading digital security trainings. Focusing on Windows, it also offers resources for teaching about password security, how the internet works, SSL, secure communications, disk encryption, secure deletion, as well as anonymity and circumvention tools. Available in English and Russian.

Resources for specific tools and practices

(July 2016) Security Tips Every Signal User Should Know, by Micah Lee (@micahflee) via The Intercept. Covers tips for securing your device, setting screen locks, verification methods, as well as archiving and deleting messages. Note: This guide is fairly current, with some exceptions (e.g., Signal has transitioned to “safety numbers” instead of fingerprints for verification; separate voice verification has been phased out.)

Keeping it real, current

There are many excellent guides available today, and even security professionals can have a tough time keeping up. Many of the guides are clearly one-time pieces. For others, it’s which intend to stay updated. When I could not find information about when each guide was updated, I reached out to many of the groups who developed these resources.

We want people new to security to have good information, and to be confident that they’re getting fresh information. This is why it’s so important to be transparent about the timeliness of our resources.

When developing security resources, we should aim to…

Be clear about when the guide has been updated (e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated) , and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub.

(e.g., the EFF notes the dates its Surveillance Self-Defense modules are updated) and if possible, what changed. For example, Tactical Tech often uses revision histories, while Internews makes some resources available on GitHub. Be transparent if the information is expected to get out of date . There are many ways to do that. (e.g., matt mitchell uses “best by” dates.)

. There are many ways to do that. (e.g., matt mitchell uses “best by” dates.) Be clear about the level of commitment to updating the information. In some cases, it’s fairly clear that the document will not be updated (e.g., in large news publications), but often our commitment to keeping guides updated is not clear to the unfamiliar reader.

What do you think?

It’s likely there are other great resources to add. Did I forget something? Have an update to suggest that meets all of the same requirements outlined above? Reach out on Twitter at @mshelton or one of several encrypted channels.

Thanks for all the hard work from everyone who teaches, demonstrates, builds software, or publishes to defend safe access to information. ❤