
Ask HN: Online Security Tips for Newbie Freedom Activists? - tokenadult
I&#x27;m becoming active in a local group of citizens (constituents of one electoral district here in the United States) who are trying to promote protection of civil liberties. Many are quite new to any kind of political activism and quite a few are very new to participation in online networks. What are your recommendations for sources of advice on best online security practices, easy for beginners to understand? The local group includes some technology professionals familiar with online security and administration of websites and mailing lists. The group plans to build a public-facing website, an internal use website, a mailing list for group participants, and other online channels of communication. It already operates a Twitter account and Facebook group (which is becoming quite active) and hosts in-person meetings. I would appreciate tips to pass on to new members about personal Internet security best practices and resources for nonprofit organizations or political action organizations to maintain secure communications in a possibly hostile environment.<p>Thanks for any suggestions you have.
======
tptacek
These answers are unlikely to make much of HN happy, but they are the correct
answers.

1\. Get an iPhone and use it in preference to your computer.

2\. Enable "code-generating" or "authenticator app" 2FA on all your accounts,
particularly email (this is called "TOTP").

3\. Disable SMS 2FA on any account wherever you're using real 2FA.

4\. Switch to Google Chrome, which is significantly more resilient against
vulnerabilities than either Safari, Firefox, or IE.

5\. Don't use Dropbox.

6\. Enable your OS's built-in full-disk encryption (this is FileVault on a
Mac, BitLocker on Windows).

7\. Disable cloud-based keychain backups (OS X will ask you to opt-in when you
configure your phone or laptop the first time; Windows will make you go out of
your way to do it).

8\. Install Signal and either WhatsApp or Wire on your iPhone. Use Signal when
you can, and fall back to the less strict alternative app when you can't.

9\. Don't use email to send sensitive information, full stop.

10\. Install a password management application that doesn't store your secrets
in the cloud. I recommend 1Password. Better though to rely on 2FA than on a
password manager.

11\. Do not use antivirus software, other than Microsoft's own antivirus
software on Windows.

12\. Turn off cloud photo backups and location sharing for your camera.

13\. Don't accept or click on email attachments, or allow your peers to send
email attachments.

~~~
majke
> Get an iPhone and use it in preference to your computer.

When connecting to a computer or charging, never ever tap on "trust this
computer". If I understand it right "trusting this computer" involves some
irrevocable certificate exchange, in effect granting the computer elevated
permissions.

Can someone correct me? What precisely "trusting" on iphone means except from
the ability to decrypt backups?

Also:

Don't use icloud or any other cloud sync.

~~~
maxerickson
It's revocable:

[https://support.apple.com/en-us/HT202778](https://support.apple.com/en-
us/HT202778)

It's anyway not a great idea to plug anything into strange USB ports.

~~~
hrez
USB condoms - [http://www.portablepowersupplies.co.uk/portapow-fast-
charge-...](http://www.portablepowersupplies.co.uk/portapow-fast-charge-data-
block-usb-adaptor/)

------
gus_massa
Beware of the guy that has too much free time, too many contacts and want to
scale up the protest to more violent methods. He is probably an FBI informant.
It was common during the previous administration, I don't expect it to have
finished.

I'm too pessimistic about the security situation since a long time ago. Just
email your Gmail/Hotmail/Facebook/Tweeter password to the NSA/CIA/FBI chief,
so you don't get a false sensation of privacy.

Perhaps someone can try to keep some conversation private, like a journalist-
whistleblower conversation, but it's too difficult to scale it up to bigger
groups.

~~~
dsr_
Very much the first two sentences, here: if anyone starts saying that they
know where they can get instructions to make a bomb, they are probably an
agent trying to provoke you. Kick them out.

What they won't do, and you should: learn your rights. Get a friendly lawyer
to advise you and agree to represent you, should anybody get arrested.

~~~
toomanybeersies
If anyone says they know where they can get instructions to make a bomb you
should kick them out regardless, doesn't matter if they're probably an agent
or not.

That actually reminds me of the time when the FBI sent undercover agents to
mosques to try and entrap some Muslims by pretending to be jihadists, and the
people at the mosque reported the agents to the FBI.

------
danso
I like these guides by AP journalist Jonathan Stray:

[https://source.opennews.org/en-US/learning/security-
journali...](https://source.opennews.org/en-US/learning/security-journalists-
part-one-basics/)

[https://source.opennews.org/en-US/learning/security-
journali...](https://source.opennews.org/en-US/learning/security-journalists-
part-two-threat-modeling/)

In general, I think the two things that activists and journalists need to do
that they often don't do, yet is a very common attack vector:

1\. Enable two-factor auth on all accounts, especially their email.

2\. Care about proper access control.

#2 is something I see violated quite frequently by tech novices, as it is a
fairly mundane detail. Such as giving everyone admin level access to the org's
Wordpress installation, and someone inevitably gets phished. And then there's
the even more common problem of not revoking access when a member leaves.

And of course, phishing seems by far the most common way that groups get
hacked. The recent U.S. election is the new canonical example, but I believe
it's been the downfall of many other high profile orgs, such as the Associated
Press and HBGary.

~~~
tptacek
I have some quibbles with this (the first, practical, checkbox guide post; not
so much the longer, abstract policy one).

* At-risk users should disable SMS 2FA, and favor code-generating applications instead. It takes some effort to disable SMS, but that effort is worthwhile, because SMS is quite insecure.

* The guide correctly notes that attachment are dangerous, but isn't very pragmatic about how to handle that danger. I think the right answer is: establish a rule that you won't be using email attachments to transmit documents. If you can be sure of the provenance of a file, you don't need an error-prone dance to pre-screen it before opening it on your desktop.

* The guide wildly overstates the value of full disk encryption. FDE handles almost exclusively a single threat: the physical threat of your unattended computer. Alter any of those words, and FDE does essentially nothing. You should, of course, enable FDE. You should not have high expectations about what it accomplishes.

~~~
danso
I think the risk of your unattended computer being compromised is quite low
for the average journalist, but don't activists in the field face increased
danger of having their laptops/property seized during an arrest? It could be
an activist participating in a march who happens to bring their laptop bag
with them. Yes, ideally, people would have a policy not to engage in a protest
while carrying laptops, but I could see activists who do the mobile-multimedia
thing (shoot, process video/photos in the field) just being used to having
their laptops out at all times.

I think the option of FDE is important to mention because I'm thinking the
average non-techie thinks that having a password on their laptop prevents the
(easy) reading of files when the laptop is confiscated.

~~~
tptacek
The unattended compromise scenario is that your laptop is grabbed out of your
house or car in a breakin, or left in your backpack in a bar or a cab, which
happens all the time even to savvy people. Full disk encryption contains that
catastrophe so that all you lose is your data and not your privacy.

It doesn't really protect you in any other scenario. In particular: if you can
use your computer without a password, it is not at that moment protected by
FDE.

------
wheelerwj
the eff guide is really solid for most people [0] but i think its a little
laymen for most people. Especially when you get into the activism side of
things. Here are the rules i follow.

Rule #1. No phones. If this can't be avoided. burner phones without linked
accounts. they cost $30-50, plus some for minutes/sms/basic data. This is good
for using maps and visiting forums etc. Burner phones should be able to remove
batteries. keep them fully powered down anytime you are near home or in your
neighborhood. Major companies and governments are incredibly good at
connecting profiles based on ancillary meta-data that you don't even think
about.

Rule #2. see rule #1. Your phone isn't secure, get used to it.

rule #3. encrypt everything, use tails and TOR.

[0] [https://ssd.eff.org/en](https://ssd.eff.org/en)

~~~
allemagne
What if someone needs to call or message you at home?

I have thought about taking some of these more "paranoid" measures as a
precaution against an unpredictable political future. But doing this would cut
me off from nearly every friend and family member.

How do you meet an average person and keep in contact with them (I.e. start a
friendship or relationship) when doing something like this sounds insane?

~~~
dublinben
You should compartmentalize different relationships you have. You wouldn't
contact a friend or family member from your burner phone. Inversely, you
shouldn't give a member of your activist group your home phone number.

You can maintain both types of relationships, as long as you use the
appropriate tools for each one, and maintain strong separation.

------
tokenadult
Thank you very much to all for the detailed comments. I appreciate you keeping
advice simple enough for someone like me, who decades ago counted as a "power
user" of PCs, but who has no particular technical training or computer-related
work experience. I will have to digest some of this advice for women (they are
mostly women in the local group) who are barely comfortable using Facebook.
And I'll pass on other tips to the women and men who have actual technical
backgrounds and will be implementing the different online projects of the
local group.

Advice that especially fits our situation is having an appropriate level of
security for an intentionally PUBLIC organization whose members will be
identifiable by multiple in-person activities in public places over the next
few years. We are not afraid to be known as people who support the cause that
we support. We are resolutely sticking to peaceful, legal means to reach our
goals. Many group members are VERY wary of new group members--plenty of them
are wary of me--so we will have to build mutual trust as we build mutual
communication and public-facing communication. I like mz's advice to remind
members that anything they say in an online group--even in our internal online
groups for members only--might show up in mass media or in propaganda spread
by opponents, so I try to model careful speaking and writing.

I'll link here to a document about the bad-case scenario of living under an
actual dictatorship with a secret police force that kills political opponents.
That's something I've actually done (in Taiwan, in the 1980s). The good news
is that nonviolent popular movements can even overthrow dictators and
establish democratic republics with full protection of civil liberties. That
takes mental toughness, but it can be done. I've seen it done. You may be
inspired by the document linked here and the other documents (in numerous
languages) posted at the same website.

[http://www.aeinstein.org/wp-
content/uploads/2013/09/FDTD.pdf](http://www.aeinstein.org/wp-
content/uploads/2013/09/FDTD.pdf)

~~~
Mz
Since you have a lot of women, I will suggest that you explicitly instruct
them to be careful about talking about other people in their lives in
identifiable terms. Men tend to invest their identity in their work. Women
tend to invest their identity in their relationships. Telling anecdotes about
"My sister/boss/mother/daughter/son/husband" is potentially putting those
people at risk. Encourage them to use vaguer terminology such as 'someone I
know'; 'a relative'; 'an acquaintance'; 'a friend of a friend.'

Women are incredibly prone to talking about other people in terms that they
don't think is problematic and in terms that they think is anonymous enough
for the internet, but really is not ("my sister" instead of "sister's name"
\-- but it is possible to identify your sister). This is a habit they need to
break if they value the welfare of these other people.

Edit: Since this is getting down votes, I will add that if you think they
won't listen to a man saying this, I will be happy to blog about it and you
can give them the link. Perhaps it will be more palatable coming from a woman.

~~~
tokenadult
Maybe some of the onlookers don't know that you have long identified yourself
as a woman here. As I recall, we (you and I) eventually figured out that we
first "met" on an online community before Hacker News was founded.

~~~
Mz
As promised:
[http://micheleincalifornia.blogspot.com/2017/01/infosec-1-in...](http://micheleincalifornia.blogspot.com/2017/01/infosec-1-information-
security-for.html)

You are free to use it, or not, to help your group get oriented.

------
hackuser
The new social activists are shockingly ignorant of security. Most that I know
of are organizing over Facebook. When someone mentions security to them, the
activists say that there is no risk to them.

Education is even more urgently needed than tools.

------
gsch
I would absolutely start by running a threat modeling exercise, as that will
help you focus on the important things and tune out unnecessary FUD (e.g. do
you really need to PGP-encrypt everything and run TAILS if you're not being
targeted by the NSA?).

Once you have an understanding of what you need to protect and who your main
adversaries are, choosing the right tools should become more straightforward.

My favorite guide to threat modeling for activists comes from WITNESS:
[https://blog.witness.org/2016/11/getting-started-digital-
sec...](https://blog.witness.org/2016/11/getting-started-digital-security/)

EFF Surveillance Self-Defense (mentioned elsewhere in this thread) also has a
guide to threat modeling, as well as a lot of good resources around how to use
various tools.

But my advice: don't choose the tools first, or the non-techies won't
understand why they have to use them and may become discouraged by the
friction and poor usability they encounter.

~~~
tptacek
Ross Ulbricht was crushed by a mountain of evidence generated by the FBI
simply by snatching his laptop from him when he was arrested and not allowing
FDE to kick in. Had he compartmentalized and separately encrypted his files,
much of that evidence might not have been available to the court. That might
have been the difference between a few years in prison and the rest of his
natural life.

So, the idea that people should be blasé about encryption is worth
questioning. If your threat model includes "law enforcement", then there's not
much difference between "ostensibly NSA proof"† and "protected from police".

† _Security people have a bit about this, which you can find by searching for
"you're gonna get Mossaded"._

~~~
sneak
could you please provide links? googling this phrase is unhelpfully returning
this precise thread and not much else that appears useful.

~~~
FabHK
Probably this gem:
[https://www.usenix.org/system/files/1401_08-12_mickens.pdf](https://www.usenix.org/system/files/1401_08-12_mickens.pdf)

> In the real world, threat models are much simpler (see Figure 1). Basically,
> you’re either dealing with Mossad or not-Mossad. If your adversary is not-
> Mossad, then you’ll probably be fine if you pick a good password and don’t
> respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your
> adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN
> DO ABOUT IT. The Mossad is not intimidated by the fact that you employ
> [https://](https://). If the Mossad wants your data, they’re going to use a
> drone to replace your cellphone with a piece of uranium that’s shaped like a
> cellphone, and when you die of tumors filled with tumors, they’re going to
> hold a press conference and say “It wasn’t us” as they wear t-shirts that
> say “IT WAS DEFINITELY US"

> _Threat_ : Organized criminals breaking into your email account and sending
> spam using your identity

 _Solution_ :

Strong passwords + common sense (don’t click on unsolicited herbal Viagra ads
that result in keyloggers and sorrow)

> _Threat_ : The Mossad doing Mossad things with your email account

 _Solution_

* Magical amulets?

* Fake your own death, move into a submarine?

* YOU’RE STILL GONNA BE MOSSAD’ED UPON

------
Mz
Years ago on an email list, we were advised to not say anything on list that
we wouldn't want posted to the front page of the local newspaper. I still find
this to be a good rule of thumb.

Humans are incredibly, horribly bad about writing stuff online like it is
confidential, just between you and me -- even when it is a public forum that
anyone can read, like Hacker News. Thinking of it in terms of published to the
front page of the local paper can help people keep some of their worst,
stupidest impulses down to a dull roar.

~~~
tptacek
Yes. Email in general is an opsec nightmare, no matter what rules you come up
with or what tools you use to protect it. It's the worst case scenario, a
system that goes out of its way to make sure everyone has copies of
everything.

Above all else: _do not create mailing lists for at-risk projects_.

~~~
Mz
We may be talking at cross purposes, but for clarity's sake: I was not
recommending email. I was only recommending that noobs be told to think of any
written communication in terms of "like it is being published to the front
page of your local paper, where your husband, mother in law, and any personal
enemy might see it" and, in this case, where any officials might see it as
well.

The list in question was mostly full time mothers. I was a full time mother,
but also a military wife. I was more familiar with general information
security practices than most of them. So this is the most noobie friendly line
I know that seems helpful in trying to get inexperienced people to think
before they speak/type.

I also got annual InfoSec training while working for an insurance company for
more than five years. Getting human beings to take InfoSec seriously is
incredibly challenging. If you can't get that to happen, no amount of good
tech will save you.

~~~
type0
> Getting human beings to take InfoSec seriously is incredibly challenging. If
> you can't get that to happen, no amount of good tech will save you.

I personally know one case when an assistant for a medical study forwarded a
email list of participants to everyone when it was specifically complied that
it was confidential. You would think that the person was fired because of this
but no they literally couldn't find another employee that would take the job
for such a low pay, so he kept his job and security didn't improve...

------
pmoriarty
If you are seriously concerned about your security and safety, I would avoid
electronic communication completely.

~~~
tptacek
That concedes an enormous amount of ground to your opposition, who then has
the privilege of using efficient communication while you don't. It's worth
building up a gradient of security so that people who are simply exercising
their rights can do so effectively without electronic harassment.

------
helpfulanon
In addition to the EFF Security Self Defense
([https://ssd.eff.org/](https://ssd.eff.org/) ) I've also seen this
circulated: [https://securityinabox.org/en/](https://securityinabox.org/en/)

Personally I don't think these resources go far enough, and some of the
methods recommended have obvious exploits, or are too complicated for the less
tech literate. Lot's of work to be done in this area for sure

------
joeclark77
My one tip is this: get to know each other in real life, and make sure you
know how to find and contact each other if Facebook, Twitter, Google or
whatever big left-wing internet service decides to silence, shadow-ban, or
delete your account.

------
maxerickson
They should think long and hard about the downsides to each presence that they
establish and not establish anything until they think they have a really good
understanding of those downsides.

This may involve drastic steps like not using email.

------
x0rz
[https://ssd.eff.org/](https://ssd.eff.org/)

------
greenwalls
Twitter Personality @SwiftOnSecurity has a guide
[https://decentsecurity.com/](https://decentsecurity.com/) that is reasonable
for non-techies to understand and follow.

~~~
hackuser
But is it accurate?

------
mschuster91
I'm an active German antifascist. Here's something I do:

0) Get a lawyer. If you're arrested and you don't know a lawyer, you're
screwed. And learn your rights: what do you have to tell the cops, and what
you can refuse to tell them. Always carry a valid ID card with you.

1) When publishing pictures, especially on Twitter: place stickers over
people's faces, or better: pixelate using ObscuraCam. The best thing is of
course to not take pictures or video at all.

2) Get a "burner dumbphone", best are used, old Nokias and a burner sim-card
when going to demonstrations. Do not activate or use the phone at your home or
at meeting points.

3) If you insist on carrying a smartphone, get a recent Android phone with
support for FDE and an exchangeable battery. Enable FDE, also on your SD card,
and in case you're about to get arrested, take out the battery or drop the
phone to the ground so that the battery falls out and the cops cannot use
imaging devices. Use a strong passphrase. iOS devices may be secure, too, but
they have the disadvantage that you can't pull out their battery or switch
them off in a hurry. If you care about your device, get an IP68-proof/rugged
device - cops don't care if they damage your property when pushing you around,
and it's easy to e.g. fall on your phone when you're pushed to the ground.
Android: disable USB debugging, or if possible with your model, the entire USB
stack. On a rooted Android phone, you can do so via an adb shell command.

4) When browsing around the web researching political stuff, use TOR. Do not
download unneccessary stuff onto your computer.

5) Securely encrypt your computers and all external media devices (USB
sticks). OS X can use Filevault, Windows can use Bitlocker. USB sticks are
best protected by VeraCrypt (as it is a cross-platform solution). If you have
a NAS that doesn't support encryption, ditch it and buy one that does.

5) If you receive sensitive information, delete it as soon as in any way
possible. Insist on communicating via GPG-secured emails, and password-protect
your key. Written information should be shredded to as tiny pieces as possible
- don't burn the paper, ash flakes or incompletely burned paper can be
restored (as evidenced after 9/11).

6) Enable 2FA, preferrably via a token generator app on your phone, on any
service that supports it. Store the backup keys (you will need them e.g. if
your phone gets damaged!) somewhere safe that is NOT your home (e.g. at your
parents' house). Do not label the sheets with a cleartext name of the
service/account associated with them. SMS 2FA is the "last measure" as you'll
be vulnerable to government attacks, but better SMS 2FA than simple password
protection.

7) Handle sensitive information on a strict need-to-know basis. And for
heaven's sake, don't talk about planned actions in public. Or brag about
things you/your friends did or plan to do - while bars etc. usually aren't
crowded with agents, someone may decide to rat you out to the cops.

8) Before going to any demonstration, write down the name and phone number of
your attorney with waterproof ink on your arm. That way you don't have to rely
on the cops finding your attorney or delaying calling him by taking their
sweet time to do the search.

9) Inform close relatives/roommates that you're away, especially if you have
pets, children etc. that need to be taken care of. Have enough cash on your
bank account (or have a relative) to pay rent if you end up arrested.

10) don't ditch fares, or if you have a car, always take care that it's up to
code, legally registered, and taxes/insurance are paid. Nothing sucks more
than getting arrested for petty stuff, and pulling people over for broken
lights is a common excuse of cops to search the vehicle. Do not carry huge
amounts of cash in your vehicle (google for "asset forfeiture", it's really
gross what cops can legally do).

11) don't ever go drunk, intoxicated or not well-rested to any political
event. Do not take drugs of any kind with you, except medicine that you need
(and for these, best take the original prescription or a copy with you, so the
cops can't bother you with drug charges). Preferrably use plastic glasses
(glass lenses can cause grave eye injury when damaged), contact lenses and
cosmetics of any kind tend to aggregate nasty stuff like pepper spray.

12) Always take sufficient supplies of water, food and a small pack of glucose
tablets (in Germany, we know them as Dextro Energy) with you. If you can, take
a couple small adhesive bandages with you, and go to a First Responder
education (this is useful anyway, even if you're not "actionist" \- you can
save lives!)

13) Connect with other political groups both in your area and
state/nationwide: ACLU, antifa groups, civil rights movements. Political
parties (liberals, greens) may also be of interest to you, depending on your
focus.

14) Beware of snitches or agents provocateurs that try to incite you to
violence. When you want to go the "actionist" route, be aware of the potential
consequences if you get caught and don't do anything you're not comfortable
with.

15) Do NOT go on political demonstrations with firearms, knives or other
weaponry. In most jurisdictions it's illegal, and even if it's legal to
assemble with arms, it's not sane to do so. When you see armed protestors, or
a demonstration turns violent, GTFO as fast as you can.

~~~
tokenadult
Thanks especially for items 8 through 15, which some people forget. Part of
what I hope happens where I live is that 13 happens in a big way, and the
overall inclusive movement becomes broader and broader as different
specialized local groups network with one another and with a variety of
national groups.

~~~
mschuster91
You're welcome. I wish you all the best!

------
Jaepa
I'd like to suggest taking some time to read through some off the EFF's
collection on this.

[https://ssd.eff.org/](https://ssd.eff.org/)

If you are worried about more national level threats

While it is more dense PrivacyTools.io has pretty good material.

[https://www.privacytools.io/](https://www.privacytools.io/)

------
figureoutwho
This is the EFF's turf.

[https://www.eff.org/](https://www.eff.org/)

------
joatmon-snoo
Since this is coming up: I've seen recommendations for encrypted file drops
when similar topics have come up before, but for some reason I can't find any
of the mentions that I've seen on HN before. Anyone have services they plug?

------
figureoutwho
The "get an iPhone" comments remind me of Steve Martin's advice on how get
rich... "First... Get a million dollars" Unless, theoretical bs.

------
b01t
privacytools.io - plain and simple

------
Cozumel
It's already too late, if you have an active Facebook group where you're
discussing this stuff then you're already all tagged and profiled.

~~~
chippy
And there's no reason to suppose that YCombinator and HackerNews is not
compromised and that there is no profiling going on by some entity.

~~~
grzm
It doesn't even need to be compromised. A lot of the HN data is available
through the HN API. Plenty of data there without requiring any additional
access to the HN hardware.

------
fleitz
Exactly what prevents the hostile actors you are ostensibly protecting against
from joining your group?

Privacy is the antithesis of public advocacy.

