
Basic Security Precautions for Non-Profits and Journalists - idlewords
https://techsolidarity.org/resources/basic_security.htm
======
tptacek
Before you freak out about these recommendations, please take into account:

These instructions are written for unsophisticated users, particularly
journalists and activists, and were written with feedback from those users.
So, for instance, the steps you might take to arrive at a secure Firefox or
Android configuration _are probably fine_, but not workable for the audience
these instructions are intended for.

We're simultaneously working with the airport lawyer groups (there's a huge
one at ORD). It's been jarring to realize how many compromises are required to
make things workable for groups of non-experts to use. Just getting software
installed is a major hassle, so anything you install or customize needs to be
really worth the effort.

~~~
scholia
If you can't use your phone number for password recovery or SMS to your phone
number as the 2FA, what do you use instead?

~~~
tptacek
The best-practices 2FA stack is:

* U2F token (primary method)

* TOTP via phone app (backup)

* Backup keys printed or on encrypted USB, in a safe.

* SMS disabled explicitly.

TOTP fallback doesn't reduce security meaningfully, because U2F principally
protects against phishing. But SMS fallback is devastating to security.

~~~
scholia
Thanks!

------
snowwrestler
It's unfortunate that this guide is not presented in two columns, at least
partially. It's hard to line up the Don't's with Do's.

For example in the Don't section it says "[Don't] Store sensitive information
in cloud services like Evernote or Dropbox." Ok, but where is the
corresponding entry in the "Do" section, which tells folks how to store
sensitive information? Especially in a way that permits more than one person
to access and use the information, which is key to how both journalists and
activists work?

There might not be a "good" answer. But recognizing that people have to work,
there is probably a sense of "better" or "best for now". Maybe that's the
format:

    Don't                      | Better
    Don't use your fingerprint | Use a long passphrase
    to lock/unlock devices     | to lock your devices.

EDIT: This guide is very helpful and kudos to the folks who made it. I offer my
thoughts solely in the spirit of "maybe this feedback will be helpful." My
intention is not to sit on the sidelines throwing rocks at people who are
actually doing things.

~~~
idlewords
Thanks for the helpful suggestion! I'll try formatting it this way, too.

------
ploggingdev
Can someone explain the reasoning behind these recommendations?

Don't :

> Use your fingerprint to lock/unlock devices.

> Use an Android phone.

> Take the devices you work on across the US border.

Does anyone have experience with their devices being searched at the border? Do
they just look at your social media and let you go or do they somehow copy the
data on the devices or install any software on the devices? Will the person's
devices always be in visibility or do the CBP officers handle them in separate
rooms?

Assuming I have to carry my laptop and phone across the border, what
precautions can I take to minimize the potential privacy violations? After
crossing the border, do I just reinstall my OS of choice (Ubuntu) from scratch
and reset all passwords?

Regarding the browser recommendation, why is Firefox not recommended? It's
used in the Tor browser and I have not heard of any major security incident
recently with Firefox.

~~~
dguido
> Use your fingerprint to lock/unlock devices.

Fingerprints have a different and weaker legal standard than passwords to
protect them.

> Use an Android phone.

It may be _possible_ to get a secure Android phone, however, it is unlikely
that the one you have is. Varying levels of quality for disk crypto and TPM
key storage will do you in.

> Take the devices you work on across the US border

Any data or passwords you have on you is data you could lose, get forced to
cough up, etc.

> Assuming I have to carry my laptop and phone across the border, what
> precautions can I take to minimize the potential privacy violations?

Put an encrypted blob on [name a cloud provider]. Download it once you cross
through customs.

> why is Firefox not recommended?

Because Firefox has no sandbox and gets routinely exploited by Law Enforcement.

> It's used in the Tor browser

The Tor Browser is an abomination.

> I have not heard of any major security incident recently with Firefox.

You have not been paying attention. Maybe consider accepting the advice of
experts?

~~~
tptacek
Adding: the Tor Browser might be the least _safe_ browser to use of all
available browsers that can be installed on modern computers. It is a perfect
storm of "inferior security design" and "maximized adversarial value per
exploit dollar spent".

Don't use Tor Browser.

~~~
vojnovski
Why exactly?

~~~
tptacek
The comment I just wrote says why, succinctly. It helps if you understand the
economics of browser exploit development, and then remind yourself that TBB
collapses a whole set of valuable targets down to a single release chain.

~~~
vojnovski
Does make sense. Any advice on best way to access the Tor network, if not the
Tor Browser?

~~~
munin
The TOR network is a network: you can access it using any web browser and the
TOR client + a local web proxy. Use Chrome and configure it to use the local
web proxy, now you're accessing TOR using Chrome.

~~~
caivvoacmh
@munin can you clarify is "TOR client" the same as "TOR Browser" downloaded
here[1] or is it something different?

Do you have any links you can share to best practices for setting up this
secure TOR client instead of using the insecure TBB as explained above?

[1] [https://www.torproject.org/download/download-easy.html.en](https://www.torproject.org/download/download-easy.html.en)

~~~
angry_octet
The Tor client is the software which runs the 'onion routing' part. This
provides a local network port which is your wormhole into the network; this is
called a SOCKS proxy.

The TBB has the Tor client and a browser (a slightly tweaked Firefox)
configured to connect via the Tor SOCKS proxy rather than via the standard
network.

I was disappointed last time I booted up TBB to see they had security by
default set to 'Low', which enabled lots of unnecessary stuff, like javascript
on for every site by default. Too many content parsers trying to do stuff with
untrusted data. It's pretty poor.

------
zie
It's sort of sad and wonderful that the best we can do is an iPad when it
comes to secure computing. It's awesome that something you can buy most
anywhere for < $500 USD is pretty secure. It's also sad that it's the best we
can do, and there is only 1 manufacturer of such a device. We desperately need
better privacy and security, both from a legal and a technical point of view.

------
lordofmoria
Just a bit of feedback: might be nice to repeat the "Don't" in front of each
sentence, even if it's grouped under the heading and therefore repetitive: I
found myself being like "wait, it's telling me to backup my messages to google
drive? Are they client-side encrypted?"

~~~
amk_
Yes, I read the article through Readability and it actually stripped out the
Do and Don't headers.

~~~
idlewords
Thank you both! I'll fix this.

------
lsh123
"Use a bluetooth keyboard for easier typing..."

Not good advice for any public place (airports, cafes, etc). Very easy to
listen to BT and intercept passwords as user types them in.

~~~
maxerickson
Is there a documented attack on say, Apple's Magic Keyboard?

(if it is true that some (relatively modern) bluetooth keyboards are sniffable
and some aren't, I'm sure you can convince them to amend the article with
specific models that are believed to be better)

~~~
ENOTTY
I'd second adding recommendations for specific models. There are a lot of BT
keyboards on the market of varying quality.

~~~
tptacek
(I don't in any way own this document).

I acknowledge that the situation with Bluetooth peripherals is complicated†
and accept that there are probably a bunch of vendors that are unsafe to use.
It might be reasonable to simply require Apple peripherals --- not because
they're the best, but because Apple is more accountable to peripherals
security than most other vendors are.

On the other hand, what we can't reasonably do is create a Bluetooth Keyboard
Product Guide in a simple set of security recommendations. Not only will it
not be effective, but it will discourage the audience, who will fall back to
their previous insecure configurations.

So I'd ask to what extent we think Bluetooth sniffing attacks on journalists
are a spy movie threat. No matter what device they use, simply by using a
wireless device as an input, they're exposing those inputs to timing as well.
But then, as well, Apple's software update could be targeted too.

The basic idea behind the "use a Bluetooth keyboard" recommendation is, I
presume, to convince people who would otherwise use computers to do sensitive
work to instead use an iDevice. That's a _very_ sound security principle;
those iDevices are far more secure than the median fully-functional computer.

If I had to pick between telling a journalist to use a _random_ Bluetooth
keyboard with an iPad, or use a Macbook or Thinkpad, I would have a hard time
deciding, but I think I'd ultimately go with the random Bluetooth keyboard ---
there are too many different ways the computer can be undetectably (to a
typical user) owned up, and only one fairly elaborate scenario where the BT
keyboard will screw them.

What I'm learning from working with at-risk normal users is that a lot of
security steps we all take for granted are simply not on the table for the
people who need security the most.

† _Way more complicated than the people claiming "Bluetooth keyboards are
trivially sniffable" are letting on_

~~~
ENOTTY
I completely agree with your ranking/preference and your logic here, but I
don't think listing a bunch of models nor even listing your ranking is beyond
the comprehension or ability of journalists, lawyers, or activists. I think we
differ in how much faith we have in the abilities of those groups of people.

In my experience, people, especially people with budgets like most mainstream
journalists and lawyers, want a list of specific things, best of all SKUs,
they can buy that will give them the most security.

~~~
tptacek
I don't think they're incapable of following advice; I think they have a lot
of competing demands on their time. Any bullet on this list needs to earn its
place, and the list itself needs to work without requiring constant updates,
because most people who use the list will only see a single snapshot of it in
time.

------
projektir
Would be helpful to provide alternatives to some of the Don'ts.

How does one transfer information if they can't transfer anything across the
border?

Where _should_ one store sensitive information? An encrypted drive you're not
supposed to transfer across the border?

I'm not really sure what a person is supposed to do with either of those two
recommendations, especially if we're saying that person is not tech-savvy. I
think these will just be ignored because they don't seem very viable and
require a lot of background knowledge and planning.

Also, why is Chrome preferred to Firefox? I generally assume Chrome is
listened to by Google across the board, and it still lacks something like
NoScript. Chrome doesn't seem to block XSS well, either.

Similarly, why Gmail as opposed to, I don't know, something like Protonmail or
the like? Safety behind big company, reliability, viability?

Why Chromebook and not just a normal Linux?

The inherent trust in Google in this list confuses me.

And 1password over KeePass. It seems every cloud-based password manager has
been hacked in a round robin fashion, but I guess this solves the other cloud
based problem.

~~~
chmars
I also have my doubts about 1Password – although I am still a 1Password user,
at least of the old approach (pay once, cloud sync but no web-accessible
storage with 1Password). I guess I will have to look for an alternative sooner
or later! :(

~~~
newman314
I use 1Password + Resilio (formerly BTSync) in local sync only mode.

It's kind of a pain in the ass sometimes (I can only sync at home) but the
upside is no cloud component and it syncs nicely and automatically between
multiple machines.

For mobile devices, I use the Wifi sync mode.

------
loteck
Great list, I'm glad the crew in the comment threads put it together. 2
observations:

* These lists are often made but are never kept up to date as recommendations change. Will this list be any different?

* Use Gmail? We can't pick some other web based, 2FA capable non-US hosted service that doesn't specifically use machines to scan your content for ad serves? This recommendation was the only one that furrowed my brow.

~~~
tptacek
A weakness in the way these guidelines are worded is that it's not clear
enough how much security experts discourage people from using email. Email is
the single largest risk most at-risk people have, and not just because only 2
email providers have a team capable of securing their infrastructure or
because the protocol is weak, but also because of existing collection
capabilities and because of its "archive-by-default" design.

Yes: if you are using email at all, you should use Google's email service.
Virtually every concern you'll state about using Google Mail is better
articulated as a concern about using email at all (especially because 90% of
the people lawyers and activists communicate with _also use Google Mail_ ).

If you want, instead, to militate against using email at all, I'll agree and
also tell you that I expect this guide will get clearer about that.

~~~
rocqua
Why g-mail instead of a more security focused provider like proton-mail? It
seems to me like the only downside of proton-mail is that it is less
well-known, but I'd compare it to signal vs whatsapp. And you can get journalists
to use signal.

Only other thing I can think of is google being more secure by virtue of being
bigger.

~~~
Spooky23
There was a thread a few days ago talking about Google security looking at how
to protect against compromised shared GPUs.
([https://cloudplatform.googleblog.com/2017/02/fuzzing-PCI-Exp...](https://cloudplatform.googleblog.com/2017/02/fuzzing-PCI-Express-security-in-plaintext.html?m=1))

How many organizations globally are doing research like that?

------
Buge
This should be updated to not just specify the US border. It should say any
international border with border control.

In Canada you can be put in prison for 1 year if you don't give up your
password at the border.

~~~
angry_octet
While I'm sure you are referring to the Alain Philippon case, your facts are
wrong.

Firstly, the CBSA action was never tested in court. Failure to divulge
information hasn't been defined as 'hindering' before. The case would probably
have to go to the Supreme Court of Canada for it to be decided.

Secondly, even at the border you can choose to remain silent.

See linked page for advice from actual lawyers.

The most likely worst outcome is you get refused entry if you are not
Canadian.

[https://bccla.org/2016/08/what-happens-if-you-dont-provide-y...](https://bccla.org/2016/08/what-happens-if-you-dont-provide-your-cellphone-password-to-border-agents/)

------
kayone
I'm a bit confused about the don't backup to Google Drive but use Gmail.

Are you trusting Google or not?

~~~
tptacek
There's virtually nothing in security that works this way. It's not the NFL.
We don't pick teams and root for them. There are things that Google does that
are superior to the alternatives, and there are things Apple does that are
superior to the alternatives.

~~~
kayone
I understand and I agree with your point, however to me Gmail and google drive
both fall into one bucket, Google's cloud offering. If anything I would
assume Drive is safer since it isn't forced to interact with an old unsecure
protocol. They have full control of how it's implemented.

------
Accacin
I pretty much follow most of these guidelines already, however I do use the
Firefox browser and I wasn't aware it was so insecure compared to Chrome. Is
there a nice guide on hardening Firefox security or am I out of luck because
of the sandbox situation?

~~~
hackermailman
FF does have a sandbox w/some versions
[https://wiki.mozilla.org/Security/Sandbox#Current_Status](https://wiki.mozilla.org/Security/Sandbox#Current_Status)

Or try Firejail
[https://firejail.wordpress.com/](https://firejail.wordpress.com/) (Linux) or
possibly Sandboxie on Windows
[https://www.sandboxie.com/](https://www.sandboxie.com/)

------
caivvoacmh
Great initiative.

> 1\. Don't send any sensitive information by email.

> 2\. Don't store sensitive information in cloud services like Evernote or
> Dropbox.

Both of these are good advice.

However, what I don't see is "how to share information securely". The intended
audience surely needs a way to exchange information, e.g. documents but what
are the recommendations on how they should do this?

> Carry a “USB data blocker” (either the whole cable or an adapter that plugs
> into your cable like this) to charge at airport or hotel chargers.

I would suggest that SyncStop[1][2] is recommended instead of the current
device on the basis that SyncStop is created and sold by a security company
that specialises in hardware security. It is also recommended by Mikko[3] from
fsecure.

[1] [http://syncstop.com/](http://syncstop.com/)

[2] [https://www.amazon.com/Syncstop-Syncstop/dp/B00ZQAY23U](https://www.amazon.com/Syncstop-Syncstop/dp/B00ZQAY23U)

[3] [https://twitter.com/mikko/status/792980858340769792](https://twitter.com/mikko/status/792980858340769792)

------
teekert
So... Use Google services on a modern iDevice and don't use the fingerprint
scanner and you're good?

The contrast with Snowden's recommendations is quite stark:
[https://theintercept.com/2015/11/12/edward-snowden-explains-...](https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/)

------
krick
Is the iPhone actually a fine replacement for Android in terms of security? I never
owned an iPhone, but I was guessing that it is closed-source proprietary piece
of hardware with closed-source proprietary piece of software running, which is
perfectly able to be transferring all your data to the vendor and most likely
does exactly that.

~~~
kasey_junk
Security professionals tend to care about open source over closed source much
less than many other factors.

Things that seem more important^:

* Well known and vetted data structures/algorithms etc

* Vulnerability history

* Large install base

* well regarded, well funded security team vetting the project

* capacity and history of fighting expensive legal battles on behalf of its
users.

It's possible that there are android phones that meet these criteria but there
are many that do not. The iphone on the other hand does. So rather than having
very specific android phone recommendations it's generally easier to just say
use iPhone. So much so that most of the security professionals I've talked to
view it as the most secure, commonly available computing platform period.

^Not a security professional, but I drink with a couple.

~~~
krick
I see. I think there might be some distinction in regards of what different
people view as "secure". Say, your phone produced by my company may be
completely transparent to me and completely impenetrable to, say, tptacek. As
I understand, in that narrative it is considered secure as you (the user) are
supposed to trust me (the manufacturer). That's why iPhone is considered
secure in comparison to Android, which is similarly backdoored, but in
addition more penetrable to tptacek (the 3rd party).

Correct?

~~~
kasey_junk
No. Closed source binaries are not impenetrable to researchers. For a security
audit you have to study the binary _in any case_ so open source is a bonus not
a requirement.

~~~
krick
I didn't imply otherwise. I'm just wondering how it is iPhone is considered
secure when it is happily sharing your data with Apple. Or doesn't it?

~~~
Spooky23
It's only sharing stuff with Apple if you allow it.

------
smacktoward
_> Use Chrome as your browser_

This one breaks my heart a little.

I mean, I get it, I understand why it's there. But it still breaks my heart.

~~~
zie
Agreed. Luckily Sandboxing, which is pretty much the big feature that sells
Chrome for Security will get to FF, it will just take a bit longer. Plus with
FF going crazy for Rust, I think FF has a bright future security wise.

~~~
tptacek
An all-Rust browser would make a big difference. Sandboxing is good, but won't
close the gap with Chromium, which just invests too much money into software
security to lose much ground to other browsers.

~~~
zie
Agreed for the most part. There is Servo[0] which is Mozilla's playground for
a Rust Browser. It's not really usable for day-to-day browsing, but it's a
neat proof of concept. They are actively moving stuff from it into FF, and FF
now requires rust to build. Google definitely cares a lot about security. It's
great to see them embrace U2F so heavily, that even Chrome supports it out of
the box. I'm not sure FF will ever become Rust-only, but if it did, it would
take quite a while I think.

[0] [https://servo.org/](https://servo.org/)

------
RRRA
So, no Android phones is not very pragmatic... Any justifications?

(Especially without saying to use only FOSS OS)

~~~
jsjohnst
I agree it's an overly broad statement without justification, but it's not
entirely unfounded either. iOS's extreme walled garden does protect you from
many things that Android doesn't. As another commenter mentioned, security
permissions are a mess, malware is a real thing, and the power and versatility
of Android leaves you very vulnerable if you're in a high risk profession who
_must_ keep secrets safe.

~~~
tptacek
Very few of the items in here have justifications listed, because that's not
productive for the intended audience. They don't want to know "why" any more
than most patients want to know "why" their doctor prescribes one antibiotic
versus another.

~~~
projektir
Even if your intended audience doesn't care about the why, you must
necessarily provide justification so that another audience, which would want
to make sure that you're not selling snake oil, could verify your why.
Knowledge sharing only really works when there's a vetting process on some
level.

~~~
tptacek
No, that's not how it works. The guide itself doesn't need to be bulletproofed
against zany accusations that the authors are selling snake oil; there are
other ways to accomplish that without crudding the recommendations themselves
up with verbiage to placate angry nerds.

~~~
projektir
I didn't say anything about bulletproofed, just explained. Right now, there's
no explanation, and I'm asking for some justification, how are you getting
"bulletproofing" from that?

I didn't say the authors are selling snake oil. But if a person doesn't know
much about a subject, they may not be able to tell, and they should be
suspicious. They might want to see a review or criticism of it. They might
want to verify that it's well intentioned, especially on a sensitive subject
such as this. There's nothing zany about that, it's common sense.

If I find some information source that presents itself as an arbiter of truth,
but has no justification for its points, I cannot in good faith recommend it
to anyone.

The only angry one here seems to be you, with many unnecessarily rude
responses that do not at all inspire confidence.

~~~
tptacek
Again: the audience for these instructions isn't asking for explanations or
justifications. If you have a concern with any of these instructions, write a
comment detailing it, and someone will respond.

------
dredmorbius
Questions and suggestions:

1\. For "Do as much of your work as possible on an iPhone or iPad." -- as
opposed to what? Android and Windows? Would listing device options be a
possibility?

2\. Possibly: add a set of suggestions for transporting device(s) across
borders or acquiring them. I suspect mail or package delivery _might_ be an
option -- or if it's not, then clarifying the risks would be of interest.

3\. Operating systems: A list of most to least secure might also be handy.
E.g., WinCE, Windows, MacOS, iOS, Linux, TAILS, etc. Some indication of where
"good enough" starts to apply.

4\. Out-of-scope for document to include a full set of terms and definitions,
but a glossary with links to additional reading might be of interest.

5\. Providing "why" links might also be useful. E.g., Fingerprints (can be
forced to divulge, fewer legal protections than passwords).

6\. Formatting: A bulleted list would be slightly easier to read. A numbered
list can be specifically referenced (e.g., "'Don't' #4 ...").

7\. Define terms. E.g., "Long password" "At least 20 characters, 200 if
possible", say. Tips on passphrase generation (e.g., xkcd passphrases,
"correct battery horse staple").

Finally: thank you for setting this up.

~~~
idlewords
1\. As opposed to a laptop.

2\. Any concrete advice about crossing borders is hard to give right now. The
goal in this document is just to alert people that it is not OK to travel with
your work device.

3\. For the audience here (think someone providing legal aid at an airport)
this is too technical.

4,5,6 Great idea, thank you!

7\. It's funny but the XKCD really seems to be the best thing to link.

~~~
dredmorbius
Thanks.

1\. Windows laptop, I take it? Or _any_ laptop?

2\. Even if specifics are hard to provide, a pointer to best information, _a
clear statement that "Any concrete advice about crossing borders is hard to
give right now" (in fact that exact phrase strikes me as excellent),_ and
perhaps a pointer to a larger document with laws pertaining to specific
countries. Ranked, say, by interest and/or travel volume. World Bank has
listings:
[http://data.worldbank.org/indicator/ST.INT.ARVL?year_high_de...](http://data.worldbank.org/indicator/ST.INT.ARVL?year_high_desc=true)

3\. Even people providing legal aid may have support teams who could
assimilate the information. Out-of-document link here. Think staged
information delivery.

7\. It's an effective format for communication. There are several generators
(caveat emptor) as well. For MacOS, it would be easy to create a local
generator using wordlists (I've done same on Linux). The problem is actually
that the system dictionaries are generally _too_ comprehensive and have really
obscure words in them. A GUI wrapper around a Very Simple Shell Script would
tend to give good outputs.
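
A sketch of the local wordlist generator described above, as an added example in Python that is not dredmorbius's script: it filters a dictionary down to plain, common words, then draws as many words as a target entropy requires from the OS CSPRNG. The sample dictionary, the common-word allowlist, the 77-bit target (about six words from a 7,776-word list), the minimum pool size and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample standing in for a system dictionary such as
# /usr/share/dict/words. It mixes everyday words with the proper nouns,
# possessives, accented and obscure entries that make a raw dictionary
# a poor passphrase source.
SAMPLE_DICTIONARY = """\
Aaron
abacus
apple
apple's
bridge
cat
ethnomusicology
garden
Garden
lantern
mzungu
pencil
résumé
river
syzygy
window
zwitterion
"""

# Constructed allowlist of everyday words. In practice this would be a
# curated or frequency-ranked list; it is an assumption of this example.
COMMON_WORDS = {
    "apple", "bridge", "cat", "garden", "lantern", "pencil", "river", "window",
}


def build_pool(words, min_len=4, max_len=8, common=None):
    """Return a sorted, de-duplicated pool of easy-to-type words.

    Shape filter: lowercase ASCII letters only (drops proper nouns,
    possessives and accented words) and a bounded length. If `common` is
    given, only words on that allowlist survive, which removes entries
    that are well-formed but obscure.
    """
    pool = set()
    for word in words:
        if not (word.isascii() and word.isalpha() and word.islower()):
            continue
        if not min_len <= len(word) <= max_len:
            continue
        if common is not None and word not in common:
            continue
        pool.add(word)
    return sorted(pool)


def words_needed(pool_size, target_bits):
    """Words required so that count * log2(pool_size) >= target_bits."""
    if pool_size < 2:
        raise ValueError("pool must contain at least two distinct words")
    return math.ceil(target_bits / math.log2(pool_size))


def generate(pool, target_bits=77, min_pool=1024, sep=" "):
    """Draw a passphrase with uniform, independent picks from the pool.

    Filtering shrinks the pool, and a small pool silently weakens the
    result, so the word count is derived from the pool size and pools
    below `min_pool` are refused outright.
    """
    pool = sorted(set(pool))
    if len(pool) < min_pool:
        raise ValueError(
            f"only {len(pool)} usable words; need at least {min_pool}"
        )
    count = words_needed(len(pool), target_bits)
    # secrets.choice uses the operating system's CSPRNG, unlike random.choice.
    return sep.join(secrets.choice(pool) for _ in range(count))


if __name__ == "__main__":
    raw = SAMPLE_DICTIONARY.split()
    shaped = build_pool(raw)
    curated = build_pool(raw, common=COMMON_WORDS)
    print("shape filter only:", shaped)
    print("with allowlist:   ", curated)
    for size in (7776, 2048, len(curated)):
        print(f"pool of {size}: {words_needed(size, 77)} words for 77 bits")
    # The sample pool is far too small for real use; min_pool is lowered
    # here only to show the output format.
    print(generate(curated, min_pool=1))
```

The shape filter alone still lets through words like "mzungu" and "syzygy", which is the over-comprehensive dictionary problem the comment describes; the allowlist removes them at the cost of a smaller pool and therefore more words per passphrase.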

------
jgalt212
> If you are going to use email, use Gmail, with a physical security key on
> your laptop and Google Authenticator on your phone.

I understand Google runs a tight ship security-wise, but what about the
unintentional information leakage that occurs because they read all your mail
to serve you ads?

~~~
shawn-furyan
If you're using email to communicate with humans, you are using Gmail since
your counterparty is almost always using Gmail. Gmail and their ad scanning is
unavoidable in practice when using email so your only real recourse is to use
a different communication protocol.

Gmail is reasonably secure in situations that actually occur frequently. No
other providers are. But even Gmail is optimized for adoption and monetization
over security, so its security efforts only go so far, particularly when
interacting with other email providers.

------
biafra
> Use a password manager and have it generate random passwords for every site
> you use. A good password manager is 1password.

Be aware, that on Google's Android every app in the background has access to
the clipboard. And Google refuses to fix that. It is fixed in CopperheadOS
afaik.

------
biafra
> If you are going to use email, use Gmail, with ...

Is Gmail really the most secure email provider? I am sure it is not for non US
citizens. But is it for US citizens? Don't you have better?

------
sachinag
It would probably behoove someone to sell these laptops, iPads, and iPhones to
journalists, lawyers, and other folks with these configurations. It's a lot
easier to give them a pre-configured locked down device that they can't mess
with than it is to ask them to actually buy a Yubikey.

It won't work for everyone - Slate's CMS is notorious for only working in
Firefox, for example - but if Pro Publica is going to hire 30 journalists,
then _be their vendor_.

~~~
CM30
Wouldn't this provide a great target for spies and security services? I mean,
maybe I'm being stupid here, but if I was in charge of the NSA and knew that
people with sensitive information were buying this gear from a certain vendor,
said vendor would be right at the top of the target list.

I don't think I'd be able to trust any individual or company selling 'secure
devices' for journalists and activists.

------
secfirstmd
Hey everyone. Apologies for the blatant plug but seeing as we are talking
about security precautions for non-profits and journalists, it's probably
relevant...

We build a tool specifically to help non-profits and journalists learn about
and manage their digital and physical security on the move. It's called
Umbrella App. It's free, open source, on Android and contains tons of lessons
on privacy related issues like digital and physical security. Umbrella has
everything from how to do basic stuff like communicate with basic tools like
Signal to sending a secure email with PGP. However, the unique bit is we also
have stuff on the physical side, like how to plan travel, cross borders,
set-up a secure physical meeting, deal with detecting surveillance, covering a
protest, respond to a kidnapping etc. Basically we have tried to make it a bit
of a one-stop-shop for security for regular people, activists, refugees and
journalists. We also pull security feeds from places like the UN, Centres for
Disease Control etc - which is obviously very important to folks in places
like Syria or affected by Zika/Ebola.

There’s tons of really relevant stuff in it, especially for those now
mobilising for the first time on some issues. Loads of people are writing
guides that solve small parts of the puzzle but we have tried to provide the
whole picture in the one place.

Google Play Store:
[https://play.google.com/store/apps/details?id=org.secfirst.u...](https://play.google.com/store/apps/details?id=org.secfirst.umbrella)

Amazon App Store:
[https://www.amazon.com/Security-First-Umbrella-made-easy/dp/...](https://www.amazon.com/Security-First-Umbrella-made-easy/dp/B01AKN9M1Y)

F-Droid Repo:
[https://secfirst.org/fdroid/repo](https://secfirst.org/fdroid/repo)

Github Repo:
[https://github.com/securityfirst](https://github.com/securityfirst)

Code Audit: [https://secfirst.org/blog.html](https://secfirst.org/blog.html)

Hope some folks here find it useful/interesting!

_Ends blatant plug_

~~~
idlewords
Please get this vetted by real security people. The fact that you mention PGP
suggests to me you haven't.

~~~
secfirstmd
How can a standard guide to installing and using PGP through various different
methods be a security issue?

~~~
idlewords
Because people should not be using PGP for secure messaging.

~~~
codelitt
PGP isn't user friendly, but from the Snowden leaks we learned it is one of
the few encryption standards the NSA hasn't been able to break. TLS and most
configs of VPN protocols were shown to be easily compromised. PGP was
basically shown to be a show stopper.

1\.
[http://m.spiegel.de/international/germany/a-1010361.html](http://m.spiegel.de/international/germany/a-1010361.html)

~~~
secfirstmd
Agreed. It has many problems but it's still one of the only games in town.

~~~
willstrafach
> TLS and most configs of VPN protocols were shown to be easily compromised.

This is a major claim to be making, and it is false. It is not helpful to
spread misinformation like this.

~~~
codelitt
Easily was, perhaps, not the correct adverb, but the linked article above as
well as this one below go into it more. It does not appear to be false.

[http://www.theverge.com/2014/12/28/7458159/encryption-standa...](http://www.theverge.com/2014/12/28/7458159/encryption-standards-the-nsa-cant-crack-pgp-tor-otr-snowden)

Bruce Schneier has said while large government actors may be able to exploit
it, it's still recommended:
[https://www.theguardian.com/world/2013/sep/05/nsa-how-to-rem...](https://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance)

~~~
willstrafach
Perhaps older versions of SSL, but there is no evidence that anyone has
compromised TLS.

There is evidence that encrypted traffic was stored and research was done on
the metadata of these connections but that is no surprise. That may be what
they were referring to.

~~~
secfirstmd
Also, threat models are important here...not everyone needs to include the
five eyes in their threat model.

~~~
codelitt
Of course. I am just using it as a yardstick for security strength.

------
krick
Also, why is using a fingerprint to unlock devices not recommended?

~~~
mattybrennan
US law enforcement is allowed to take fingerprints, which can then be used to
unlock the device. Somewhere less friendly may just compel you to put your
finger on the device.

~~~
krick
Is it that different from making you enter your password? I don't see any real
issue here if it's the only problem.

~~~
kevinr
Your password is, in a weird US Constitutional sense, speech, and your 5th
Amendment right not to be forced to self-incriminate protects you. Your
fingerprint is not speech, and not protected in the same fashion.

(Once more for the folks in the back: fingerprints are usernames. Passwords
are things you can rotate.)

~~~
krick
I see. Thanks. The first one seems relevant only for people in the USA, but
inability to change fingerprints is something, I guess.

~~~
zie
Most other countries probably feel similarly, or they don't have anything like
the 5th amendment. In places without something like the 5th amendment, you can
choose to lie about your password, do it enough times, the device will reset
and erase everything (assuming you set that up). One cannot lie about their
fingerprints.

Of course in places without something like the 5th, and you lie a few times,
your death may find you quite quickly, there is at the very least an option...
With a fingerprint, no options. Have a picture of your finger and game over.

------
qrbLPHiKpiux
I prefer to use a live version of ubuntu on a flash drive on a laptop with no
hard drive in it. A separate sd card, or thumb drive with an entire encrypted
file partition. Writing in plain text only.

------
pdog
> Avoid installing spurious, unknown or unnecessary extensions.

This is wrong. You absolutely must use an ad blocker or noscript extension if
you intend to browse the web securely.

~~~
tptacek
The guide doesn't say not to install an ad blocker, but I dispute that claim
nonetheless. Ad blockers are fine, and probably add marginally to security,
but I don't think they're a necessity --- if you're using Chrome/Chromium.

If I was using Firefox or IE, I would agree with you. But step one here is not
to be using un-hardened browsers.

~~~
dguido
I generally make an exception for HTTPS Everywhere and Google Password Alert
when I wrote things like this, but I agree that maybe it's worth it to cut
them and simplify the guide.

[https://chrome.google.com/webstore/detail/password-alert/noo...](https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep?hl=en)

[https://chrome.google.com/webstore/detail/https-everywhere/g...](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp)

~~~
tptacek
HTTPS Everywhere would be a win (I'd have to think about whether it's enough
of one to earn its place on the list, but if you added it, you could also
suggest an ad-blocker --- another issue there though is suggesting ad blockers
to journalists gets to a tricky place).

GPA is great, but the premise behind this guide is that if you're relying on
passwords for Google you're already boned. It's a security win even with TOTP
enabled, but I don't think it's enough to earn a spot.

These guidelines are being distributed to activists and journalists along with
free U2F keys, for whatever that's worth.

~~~
hackuser
> HTTPS Everywhere would be a win

IME, it breaks too many sites to give to all end-users; if the default
configuration omitted sites listed as 'Partial'; maybe it would be passable.
Maybe have a subcategory for intermediate users and put it there. Novice-level
users (for lack of a better term) have no idea why the website is not working,
and thus don't even know to consider disabling HTTPS Everywhere.

Also, it makes the user easier to identify.

------
cgb223
While iOS devices are generally more secure, it's been proven that Apple has
been a part of the various NSA programs (X-Keyscore, PRISM, etc).

Chromebooks are made by Google, who is also a known partner in these programs.

It all comes down to who you trust, and recommending that Journalists use iOS
Devices and Chromebooks made by Apple and Google who are known snoopers is a
bad bet if the thing you're trying to avoid is the US Government.

Also, bluetooth keyboards are trivial to listen in on. Not a great
recommendation.

This article is short but bogus.

~~~
tptacek
The people these notes are targeted at are not going to use whatever the
vanity "secure" non-Google-infected non-Apple-infected non-Microsoft-infected
options you'll have in mind. It's not going to happen. If you want to write a
separate set of recommendations for people who spend their lives on Tor,
that's fine. These recommendations have to work for people who are barely
willing to install software, let alone switch to idiosyncratic hardware.

------
w8rbt
Step 1: Wear a wig and dark sunglasses and buy a laptop (with cash while you
still can) from a Walmart as far away from where you live as possible and
never, never connect it to a network.

Step 2: The rest is easy.

_Edit: You guys need to get a sense of humor_

