Okay folks. So I see a lot of misinformation about cybersecurity in activist communities, and today my organization had a major security leak.
So, here are some basic recommendations that might help you keep yourself and your comrades safe.
(THREAD)
So, here are some basic recommendations that might help you keep yourself and your comrades safe.
(THREAD)
1. Security is a group effort, not an encryption scheme. If anyone has bad security practices, accesses sensitive info on an unsecure network, or routinely tells their friends about actions you plan to take, no amount of encryption will help.
I learned this the hard way today.
I learned this the hard way today.
Democratic centralism should also mean agreeing on security practices that everyone in your organization is held accountable to.
No digital info is safe. As organizers, the most we can do is minimize the risk to ourselves and our comrades.
No digital info is safe. As organizers, the most we can do is minimize the risk to ourselves and our comrades.
2. Do threat modelling. Who are you worried about and why? School admins, far right militias, and the NSA all suck, but have very different capabilities.
Change your security plans accordingly. E.g. For students, GroupMe is fine but your school email might not be so secure.
Change your security plans accordingly. E.g. For students, GroupMe is fine but your school email might not be so secure.
3. For email and browsing, please oh god ditch Chrome and Gmail. They are free because you pay with all your data.
Always have separate accounts for organizing.
For email, I use Protonmail or Tutanoda. For web browsing, I suggest Raid or DuckDuckGo, in that order.
Always have separate accounts for organizing.
For email, I use Protonmail or Tutanoda. For web browsing, I suggest Raid or DuckDuckGo, in that order.
4. For messaging, don't plan your actions on the phone. If you have to, make sure you are using an app with end-to-end encryption, set your messages to delete themselves periodically and copy anything you need into a more secure format, and be careful who you let in.
Instead of GroupMe or Messenger, I recommend Threema or Wire if you're serious. Wickr and Signal are decent free options although both have some flaws that you should make yourself aware of. Again, delete those old messages and make sure the app developer stores nothing.
5. VPNs. Use them (Nord VPN, ProtonMail's VPN, etc.), but if you're serious about organizing using digital platforms do not make a VPN the wall between you and the feds.
It is worth investing a little in a good VPN, they are more than sufficient for lower level threats.
It is worth investing a little in a good VPN, they are more than sufficient for lower level threats.
6. Passwords. Use passphrases instead. They are easier to remember, longer, and more secure. Go for 25+ characters and use a distinct password for organizing tools like your secure messenger or email. Use a password manager and two step encryption on everything.
7. Going to a protest? Encrypt your mobile device so police can't access it -- your SD and flash memory too. Don't consent to unlocking your phone ever and remove fingerprint or Face ID. Afterwards, scrub all metadata from any photos and videos.
8. Remember that every tool breaks. TOR and Signal are the latest tools to have news-worthy security flaws, but no tool is 100% secure and keeping yourself and your comrades up to date on security vulnerabilities is important.
9. Only use tools that are (A) open source and verified by security experts and (B) are secure even from the makers of them (you don't want the company handing over all of your organization's info in a court case.)
** whoops, l autocorrect changed my hasty typing of Brave, a wonderful and secure browser, into Raid, a nonexistent and therefore the most secure one. Use Brave!
Also, Firefox with the “safest” configuration is a decent option!
Also, Firefox with the “safest” configuration is a decent option!