Ask HN: Online Security Tips for Newbie Freedom Activists?
197 points by tokenadult on Jan 29, 2017 | hide | past | favorite | 131 comments
I'm becoming active in a local group of citizens (constituents of one electoral district here in the United States) who are trying to promote protection of civil liberties. Many are quite new to any kind of political activism and quite a few are very new to participation in online networks. What are your recommendations for sources of advice on best online security practices, easy for beginners to understand? The local group includes some technology professionals familiar with online security and administration of websites and mailing lists. The group plans to build a public-facing website, an internal use website, a mailing list for group participants, and other online channels of communication. It already operates a Twitter account and Facebook group (which is becoming quite active) and hosts in-person meetings. I would appreciate tips to pass on to new members about personal Internet security best practices and resources for nonprofit organizations or political action organizations to maintain secure communications in a possibly hostile environment.

Thanks for any suggestions you have.

These answers are unlikely to make much of HN happy, but they are the correct answers.

1. Get an iPhone and use it in preference to your computer.

2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").

3. Disable SMS 2FA on any account wherever you're using real 2FA.

4. Switch to Google Chrome, which is significantly more resilient against vulnerabilities than either Safari, Firefox, or IE.

5. Don't use Dropbox.

6. Enable your OS's built-in full-disk encryption (this is FileVault on a Mac, BitLocker on Windows).

7. Disable cloud-based keychain backups (OS X will ask you to opt-in when you configure your phone or laptop the first time; Windows will make you go out of your way to do it).

8. Install Signal and either WhatsApp or Wire on your iPhone. Use Signal when you can, and fall back to the less strict alternative app when you can't.

9. Don't use email to send sensitive information, full stop.

10. Install a password management application that doesn't store your secrets in the cloud. I recommend 1Password. Better though to rely on 2FA than on a password manager.

11. Do not use antivirus software, other than Microsoft's own antivirus software on Windows.

12. Turn off cloud photo backups and location sharing for your camera.

13. Don't accept or click on email attachments, or allow your peers to send email attachments.
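The "code-generating" 2FA in point 2 is TOTP (RFC 6238), which is just HOTP (RFC 4226) with a counter derived from the clock. The following is an added example, not code from this thread or from any commenter: a minimal Go implementation using only the standard library, with the shared secret, step size and digit count as inputs, plus a server-side verifier that tolerates one step of clock skew. The secret in main() is the RFC test-vector key, constructed here for demonstration; a real secret is the base32 string carried in the enrolment QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamically truncated to a 31-bit integer, reduced mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes

	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf(fmt.Sprintf("%%0%dd", digits), code%mod)
}

// TOTP is HOTP with the counter taken from Unix time (RFC 6238); authenticator
// apps use step = 30 seconds and digits = 6.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verify accepts a submitted 6-digit code for the current 30 s step or the
// step on either side (clock skew), comparing in constant time. A server must
// additionally refuse to accept the same code twice, otherwise a code obtained
// by phishing can be replayed for the rest of its window.
func Verify(secret []byte, submitted string, unixTime int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		expected := TOTP(secret, unixTime+skew, 30, 6)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 4226/6238 test-vector key.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Printf("code %s at %d, verifies: %v\n", code, now, Verify(secret, code, now))
}
```

Everything the second factor consists of is the seed bytes passed to TOTP, which is the whole of the question about keeping the TOTP seed in the same vault as the password: whoever has the vault has both factors. It is also why a code typed into a phishing page is good for the attacker for the rest of its 30 s window.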

Thank you so much for this list, it's more concise and useful than any corporate security lecture I've ever received! Some questions:

> 10. Install a password management application that doesn't store your secrets in the cloud.

Great recommendation, but how do you handle syncing passwords between your computer and phone?

> 2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").

Do you recommend using the TOTP feature of 1Password, or would you consider storing your password / TOTP together a loss of the "2nd Factor"?

1Password has a WiFi sync option that syncs your passwords between your computer and phone when they're both connected to the same WiFi network. I've been doing it Mac --> Android for quite some time and never had any issues.

    Great recommendation, but how do you handle syncing passwords between your computer and phone?

I use KeePass to encrypt my passwords and store the password vault in Dropbox. It's not a perfect system, in that an adversary can gain access to my password vault and try to brute-force my master password. But it's "safe enough", if you make sure to use a strong passphrase as the master password for the vault.

How is brute-forcing a concern?

Your password might be guessed in a dictionary attack if you have a weak password. Or if at some future date a KeePass-specific vulnerability is discovered, someone might be able to use that.

But someone trying to brute-force your password isn't a problem anyone needs to worry about.

To my mind, the real downside to using dropbox to store encrypted stuff is that the existence of the encrypted stuff is not a secret. And recently it seems the spooks look upon encryption with ever increasing suspicion.

I do this too but it conflicts with tptacek's injunction above to "not use Dropbox."

I'm not sure why tptacek specifically warns against using Dropbox. My guess (and I emphasize that this is just a guess) is that you can't rely on Dropbox (or Google Drive or Microsoft OneDrive) to keep your data out of the hands of a state-level adversary. However, encrypting your data before putting it into Dropbox should address that concern. Is there something I'm missing? Is it that cloud folders like Dropbox make it too easy to accidentally share information in cleartext?

Why paint a target on your back?

If you have a device that's relatively well hardened against attack, why subvert those protections by giving a copy of your secrets to a third party who isn't (and can't be, from a legal standpoint) as well protected?

Why give a copy of your secrets to an adversary that's 10 to 20 years ahead of the rest of the world, crypto-analytically speaking?

In short, make them work for it.

> Get an iPhone and use it in preference to your computer.

When connecting to a computer or charging, never ever tap on "trust this computer". If I understand it right "trusting this computer" involves some irrevocable certificate exchange, in effect granting the computer elevated permissions.

Can someone correct me? What precisely does "trusting" on an iPhone mean, apart from the ability to decrypt backups?


Don't use icloud or any other cloud sync.

It's revocable:


It's anyway not a great idea to plug anything into strange USB ports.

> It's anyway not a great idea to plug anything into strange USB ports.

Solid advice, gentlemen. Goes for all your USB cables.

Related: get a lightning cable with no data connection, only power.

This is true. It is most commonly used to decrypt backups and allows developers to install personally signed apps on the device for development.


4. A citation for why Chrome would be "safer" than Firefox (or Edge) would be appreciated. In terms of privacy, I wouldn't trust Chrome as much as I'd trust Firefox.

7 and 10: As others have noted, where is the security risk in storing the encrypted vault in the cloud? Actually, choosing user-friendly solutions has a security benefit in itself because it doesn't make you switch to less secure alternatives ("I'll just use my standard password for this one thing") out of laziness.

9. Should mention PGP, although that's certainly not convenient and might not work for less tech-savvy people.

I think it's reasonable to trust Firefox's privacy more than Chrome's. But there are very few people in the industry who trust its security more than Chrome's. Chrome has a more secure architecture and one of the best security teams assembled for any consumer product.

The iOS and Chrome recommendations are the things I'm saying that I believe to be somewhat unpopular here. But in the software security community, they've been commonly accepted for several years now.

I try not to recommend PGP anymore, not because it's unsafe but because it's difficult to use and discouraging for unsophisticated users.

Having said that: I actively warn against trying to use PGP for secure email. Email has inferior security even with PGP layered on top of it. Signal was designed for long-term asynchronous conversations; if you can use PGP, you can use Signal. Use Signal instead.

Yeah, it's a mixed bag when choosing between Firefox and Chrome, especially if both security and privacy are desired. Personally, I trust and like Mozilla more than Google, but Chrome has better security from what I have observed.

The FBI has repeatedly found and exploited Firefox vulnerabilities. Chrome does all the dangerous bug-prone stuff (parsing) in a separate process that is sandboxed, so vulnerabilities are harder to exploit.

Sandboxing was just introduced in Firefox as well. But yes, I agree.

Chrome holds up far better in the annual Pwn2Own competitions than any other browser. The Chrome team really goes over the top on security and sandboxing. Firefox is unfortunately a CVE-fest.

First, thank you.

Second, how much security does this provide and against what? For example, Moxie said once that Signal was designed to be usable and prevent mass surveillance, but not necessarily to prevent targeted attacks (my paraphrasing);[0] civil rights activists can expect targeted attacks.

Finally, the public needs real security professionals to do the work and provide a reliable, authoritative, updated guide - including pointing out where in the technology/solution stack we need better solutions. There are many guides out there, some cited below; like all the other unreliable information on the Internet, some are obviously flawed, some are flawed in ways that few will notice. There is no alternative to real security expertise. Also, it will need names on it that people know and trust. Crowdfund it; I will happily contribute.

[0] https://news.ycombinator.com/item?id=10665789

There are several gradations more security we could specify if we relaxed the constraint that ordinary non-technical activists be able to reliably do things.

The level of protection you're getting here is from targeted non-state attackers, ambient opportunistic state-level actors, and non-specialist law enforcement. Some of this stuff would have helped Ross Ulbricht (I mean that non-normatively), for instance.

Google "you're gonna get Mossaded" for a fuller picture of the current state of the art against targeted state-level attackers.

Googling that phrase leads to one of your tweets which has a no longer valid link (redirects to the Microsoft Research homepage).

Edit: I presume this is the intended article: https://www.usenix.org/system/files/1401_08-12_mickens.pdf

Yes, that's the one.

Thanks for this, awesome. Questions:

> 4. Switch to Google Chrome.

Can one configure Chrome to not be a data-sucking kraken?

> 7. Disable cloud-based keychain backups.

That backup is encrypted, I'd hope? So, is the problem that getting hold of a cloud-backup facilitates off-line attacks on the encryption key?

I remember Filippo (FiloSottile here) publishing his encrypted private PGP key [1] (back when he was still positive on PGP). If that's safe, how is this problematic?

> 10. Install a password management application that doesn't store your secrets in the cloud.

Same question as 7. My understanding was that most password manager vulnerabilities have been related to browser integration, so that is the first thing I'd switch off.

[1] https://blog.filippo.io/on-keybase-dot-io-and-encrypted-priv...

Regarding Chrome, here's a good place to start:


There are also people who use Chromium, or particular configurations of Chromium, instead of Chrome. That's fine. But don't use forks of Chromium, no matter who maintains them, even if it looks like a sizable effort. You don't want your browser to be any number of days behind the Chromium patch cycle.

I use the browser integration for 1Password on OS X (I might not if I was on Windows). I'm generally not that worried about localhost privilege escalation. I am very worried about how well I can reason about cloud-based storage of any sort, and how it will interact with things like my browser.

KISS: keep your secrets out of cloud systems and your backups offline.

If you're very sophisticated, I like Tarsnap for online backups. But you have to be very sophisticated to use it.

> If you're very sophisticated, I like Tarsnap for online backups. But you have to be very sophisticated to use it.

I think you're overstating this a bit. You have to be comfortable at a UNIX command line. Surely that alone doesn't qualify someone as "very sophisticated"?

"Very sophisticated" varies with the demographics of the group. For HN, no; for the general population, yes.

Right, I can believe that. Maybe that's what tptacek meant.

Yes, it very much does.

>You don't want your browser to be any number of days behind the Chromium patch cycle.

Since Chromium does not upgrade itself, do you happen to have a suggestion on how to arrange to be notified when a new patch is released?

> I am very worried about how well I can reason about cloud-based storage of any sort, and how it will interact with things like my browser.

In that case, why 1password over keepassx?

1Password doesn't store secrets in the cloud, as far as I know. You have to manually back up the database and some users choose to store that encrypted db in the cloud.

I don't disagree with the list. But I do think that few political organizations are going to have the will and discipline to enforce it upon their members, particularly in the US. For a political organization with the will and discipline to enforce such practices, effort might be better invested in creating a cell structure that isolates access to information in terms of the social graph.

Or to put it another way, an organization that relies on technical means to maintain secrets is still subject to infiltration. Wikileaks shows how readily organizations with dedicated and expert security staff and meaningful budgets are compromised by lack of or weak compartmentalization. A Snowden knockoff just walks out the door with a thumb drive of documents and hands it over to people who aren't supposed to have access, bypassing NSA-level security. And that's in an environment where people are rigorously vetted, not one looking for volunteers to the cause.

If I have an issue with the answer, it's that it conceives of an adversary who is 'just like us'. But plant a bug. Tape a cell phone to a car. Hire a honeypot. All will bypass an iPhone and disk-encryption and the local police can do any of them legally with a little effort and just about anyone with a will and a few hundred dollars can do them illegally with even less effort. And in the political realm there are lots of people with lots of will and more than a few hundred dollars at risk.

How does Linux compare with either MacOS, Windows, or just using an iPhone? Any particular distros that are more secure than others, or software to include / not to include?

I assume Android is a bad idea because of the ease of picking up spyware and the privileges that such software can have once downloaded?

What's the best way to secure your web browsing & search history? Being an ex-Googler, I can think of a couple things to do - don't sign in to Chrome, turn off your Web & App activity, turn off location history and don't grant permissions to use the location service - but I'm curious what the non-Google threats would look like (honestly, I don't believe Google is your biggest threat for a freedom activist).

What would you recommend for sharing documents, source code, or other permanent work/organizing products?

"Android is vulnerable to several key-extraction techniques." [0] Another likely reason is the appalling update situation on non-Nexus/non-Pixel devices.

[0] https://arstechnica.com/security/2016/07/androids-full-disk-...

Hey, you would probably be interested in an app that we make called Umbrella. Built by activists, for activists, Umbrella makes it easier to learn about and manage digital and physical security. It has short lessons and checklists on everything from sending a secure email to security at protests. It's free, open source and available on Android.

You can learn more about it at https://www.secfirst.org or download it from Google Play:


You can also reuse our Creative Commons content and check out our code at https://www.github.com/securityfirst

If you had to use a cloud-based storage system, what would you use to replace Dropbox? Spider Oak?

> Get an iPhone and use it in preference to your computer.

Color me surprised, but wasn't Apple involved with PRISM? Gives me reason enough to believe they may be in on similar programs, given there have been no drastic changes to their policy and whatnot.

The problem is that PRISM has conflated two separate things, and it is unclear how much of that conflation occurred at the NSA and how much outside.

Apple was (and is) compliant in the "release customer details with a court order" thing, which it seems is part of the PRISM data.

However, there was a second part, where the NSA got bulk access to communications without a court order. It is unclear which companies were complicit in this part. We know Google wasn't (because the NSA slide decks show how they had to intercept Google's inter- and intra-data-center links, which were unencrypted at the time, and Google undertook a crash program to fix that).

Apple's statements are pretty clear: they say they only release information with a court order. That means they weren't complicit in bulk collection - but they may have been hacked at the time like Google was.

PRISM = FISA - it's just the NSA code name for data collection under the Foreign Intelligence Surveillance Act of 1978. All tech companies were involved, because to do otherwise would've been illegal.

The press cycle around the Snowden declarations made it seem like the big tech companies were in bed with the government, but honestly they hated it as much as you did, and in many cases the programs had different names within the NSA from when they interfaced with the companies involved, or were done entirely without knowledge of those companies.

Aside from Apple appearing on a PRISM slide deck, I don't think there is any evidence to support your claim.

I suspect they weren't complicit in being involved in PRISM, but maybe that's just me hoping.

> Aside from Apple appearing on a PRISM slide deck

That's far from a random mistake..

No doubt they may have been pwned, either by infiltration or other means. There's no evidence of them (à la Yahoo) complying with the NSA.

I remember one of the slides implied that Microsoft did comply without much resistance.

I'll see if I can dig it up.

This might be naive, but would you recommend being on iOS Beta to get security patches earlier? Also do you prefer Touch ID or password/passcode unlocking?

Personally, I would avoid Touch ID. In my opinion, a good security feature should work even when you are asleep or unconscious.

Touch ID has the issue that law enforcement can make you unlock your phone. In short, cops can take your fingerprints, which are on you, but cannot compel you to say or do something.


> Don't use Dropbox.

Can you elaborate a bit? You mean "don't use any file sharing program" like SpiderOak and the like, or specifically Dropbox?

Regarding point 4: what is your opinion on Edge and its exploit mitigation strategies, in comparison to Chrome?

Why is Wire less secure than Signal?

The right way to think about secure messaging software is this:

You want to be using a messenger based on Signal Protocol, no matter what. Nobody has thought more carefully about cryptographic messaging protocols than Trevor Perrin and Moxie.

It's good to have two secure messengers, one that favors usability and has a large user base, and one that can function as a laboratory for strictly secure UX.

The very secure messenger should be Signal; as Trevor and Moxie and their team devise new cryptographic protections for things like contact lists and file transfers, you'll get them through Signal.

The more usable messenger should be WhatsApp or Wire. I don't have strong opinions about which; mostly, I'm just saying there's no other Signal-based messenger I trust at all.

Whatever you do, don't use Telegram.

Reasons/links as to why no Telegram? Honestly curious.

Quick response and I'm no expert: their encryption technology isn't open source and from what I recall hasn't been verified by third parties. They claim that is sufficient but no one has been able to confirm that. "Security through obscurity" if you will.

What is a better solution for remote file sharing, since email and Dropbox are out?


This is what I use, after Wuala shut down.

You don't mean Chromium?

Any recommendation for encryption on Linux?

> but they are the correct answers

Citation needed.


OP used to own/manage a world-class security consulting firm in Chicago, and now runs the entire security team for several decent-sized startups. His expertise is the citation.

This is an argument from authority.

We should instead ask for evidence that iOS provides better security than any other alternative for activists.

I'm satisfied with an expert's opinion without a citation list. That's the benefit of being an expert; your reputation vouches for your knowledge.

The way I would put it is that we run the entire security teams for several decent-sized startups. :)

Edited! Thanks for correcting me!

This is a crazy list.

1. iPhone is closed source and any kind of rootkit can be installed by Apple/NSA secret court system. I suggest not using a smartphone if you are serious about security.

2. Good but difficult to anonymize

3. Good

4. Google Chrome is a botnet effectively and users lose their expectation of privacy there. Should switch to Firefox and use Chromium (Not Chrome) as a backup. Ideally Tor browser though.

5. Why? It's great for sharing encrypted files. Certainly if you trust Apple, why not trust Dropbox?

8. Signal transmits metadata that Google/Apple and by extension NSA/FBI/CIA/DEA know about now. Use something else that protects your anonymity and is secure. Something like cryptocat/Pidgin OTR is better.

9. You can use email to send encrypted information.

10. Unnecessary. Good strong password is good enough and you don't have a centralized password storage app. Another benefit is avoiding all the frustration that comes with using it when you are on someone else's computer.

11. Commercial AVs are better than Microsoft's native solution as repeatedly shown on independent tests. If you are tech literate, you're probably fine with the native solution or no solution at all.

12. Good idea. Best not to have a smartphone at all.

13. That's crazy. Just know your email app. Attachments should be read only and if your software is updated, it's very very unlikely you'll be compromised. If the email isn't signed and you are worried, use an alternative app to open common document formats. PDF.js for PDF, Libre Office for documents.

    iPhone is closed source and any kind of rootkit can be installed by Apple/NSA secret court system. I suggest not using a smartphone if you are serious about security.

I absolutely disagree. While you are correct that in theory an iPhone can have rootkits and other backdoors installed on it by the NSA, in practice, I've found that the average user's computer can be compromised far more easily than their smartphone. Remember, we're not dealing with security professionals. We're not even dealing with people who can use PGP to secure their e-mail. We're dealing with rank newbies. In such a situation, it's far better for them to take incremental steps today to secure themselves (e.g. by using Signal to communicate, rather than e-mail) than it is for them to spend a year learning about encryption and having PGP key signing parties before they can set up a secure infrastructure.

Comments like these are why I have a deep frustration with the "security community". It's letting the perfect be the enemy of the good.

> It's letting the perfect be the enemy of the good.

We are talking activists facing state-sponsored attackers, where "good" security is not enough.

It's a silly argument anyway, as in the famous xkcd comic, technology probably isn't the weakest link. And if a state really wants to snoop on you in particular, they will.

Meanwhile, as mentioned elsewhere, Android is vulnerable to several key-extraction techniques and the speed of security updates depends on which model you have.

Literally every other phone on the planet is vulnerable. Even some garbage flip-phone you got at Wal-Mart thinking it's not smart and therefore secure is likely a joke for anyone to crack into. That software hasn't changed in years. It's full of unpatched holes.

This is why Snowden wanted people to put their phones in the freezer to avoid eavesdropping: https://thelede.blogs.nytimes.com/2013/06/25/why-snowdens-vi...

Beware of the guy that has too much free time, too many contacts and wants to scale up the protest to more violent methods. He is probably an FBI informant. It was common during the previous administration; I don't expect it to have finished.

I've been too pessimistic about the security situation for a long time. Just email your Gmail/Hotmail/Facebook/Twitter password to the NSA/CIA/FBI chief, so you don't get a false sense of privacy.

Perhaps someone can try to keep some conversation private, like a journalist-whistleblower conversation, but it's too difficult to scale it up to bigger groups.

Very much the first two sentences, here: if anyone starts saying that they know where they can get instructions to make a bomb, they are probably an agent trying to provoke you. Kick them out.

What they won't do, and you should: learn your rights. Get a friendly lawyer to advise you and agree to represent you, should anybody get arrested.

If anyone says they know where they can get instructions to make a bomb you should kick them out regardless, doesn't matter if they're probably an agent or not.

That actually reminds me of the time when the FBI sent undercover agents to mosques to try and entrap some Muslims by pretending to be jihadists, and the people at the mosque reported the agents to the FBI.

I like these guides by AP journalist Jonathan Stray:



In general, I think there are two things that activists and journalists need to do that they often don't, and whose absence is a very common attack vector:

1. Enable two-factor auth on all accounts, especially their email.

2. Care about proper access control.

#2 is something I see violated quite frequently by tech novices, as it is a fairly mundane detail. Such as giving everyone admin level access to the org's Wordpress installation, and someone inevitably gets phished. And then there's the even more common problem of not revoking access when a member leaves.

And of course, phishing seems by far the most common way that groups get hacked. The recent U.S. election is the new canonical example, but I believe it's been the downfall of many other high profile orgs, such as the Associated Press and HBGary.

I have some quibbles with this (the first, practical, checkbox guide post; not so much the longer, abstract policy one).

* At-risk users should disable SMS 2FA, and favor code-generating applications instead. It takes some effort to disable SMS, but that effort is worthwhile, because SMS is quite insecure.

* The guide correctly notes that attachments are dangerous, but isn't very pragmatic about how to handle that danger. I think the right answer is: establish a rule that you won't be using email attachments to transmit documents. If you can be sure of the provenance of a file, you don't need an error-prone dance to pre-screen it before opening it on your desktop.

* The guide wildly overstates the value of full disk encryption. FDE handles almost exclusively a single threat: the physical threat of your unattended computer. Alter any of those words, and FDE does essentially nothing. You should, of course, enable FDE. You should not have high expectations about what it accomplishes.

I think the risk of your unattended computer being compromised is quite low for the average journalist, but don't activists in the field face increased danger of having their laptops/property seized during an arrest? It could be an activist participating in a march who happens to bring their laptop bag with them. Yes, ideally, people would have a policy not to engage in a protest while carrying laptops, but I could see activists who do the mobile-multimedia thing (shoot, process video/photos in the field) just being used to having their laptops out at all times.

I think the option of FDE is important to mention because I'm thinking the average non-techie thinks that having a password on their laptop prevents the (easy) reading of files when the laptop is confiscated.

The unattended compromise scenario is that your laptop is grabbed out of your house or car in a breakin, or left in your backpack in a bar or a cab, which happens all the time even to savvy people. Full disk encryption contains that catastrophe so that all you lose is your data and not your privacy.

It doesn't really protect you in any other scenario. In particular: if you can use your computer without a password, it is not at that moment protected by FDE.

> FDE handles almost exclusively a single threat: the physical threat of your unattended computer.

For most FDE solutions, doesn't the computer have to be off or possibly in hibernation (suspend to disk)? Does sleep mode (effectively suspend to memory?) activate the FDE? IME, most people's computers are almost always on or asleep.

EDIT: File-level encryption seems better: All files are encrypted except when open. But I don't know if there are any solutions that implement it securely and useably.

A decent middle ground is encrypted disk images. You're getting inferior encryption (it'll be sector-level wide-block unauthenticated encryption), but at least you'll have to unlock and lock things as you use them.

There used to be an OS X tool called Vault that managed these with a simple, pretty UI. Unfortunately, it was discontinued. We may put something like it together, but we suck at UI.

Stuff like this, by the way, is why I get so aggravated by UI/UX/Frontend developers who build new encrypted messengers --- the world doesn't need more encrypted messengers, but badly needs more UI/UX help with existing tools (I'd be happy to build the backend for such a thing and sign the IP over to an effective front-end developer).

Thanks. Am I correct about FDE and sleep mode? Does anyone know?

> I'd be happy to build the backend for such a thing and sign the IP over to an effective front-end developer.

If you're serious, we should talk. Email in profile.

If you are worried about phishing (you should be), don't use SMS or code-based two-factor. They can be and are being phished. Use U2F (YubiKeys). They are phishing-proof.

FWIW, I recently got a YubiKey FIDO, their U2F-only version, and a disappointingly small number of sites I care about have implemented U2F... It's also website-in-Chrome only right now, which is a little limiting: no help protecting your mobile devices. (Not that any of the other USB 2FA devices are gonna work too well on iOS either...)

I'm not sure how up-to-date this page is, but there's a stark difference between ticks in the OTP column and the U2F column...

(Apart from that, it seems to be a well made bit of kit - but I think I'm gonna spend the extra and order a Yubikey 4 or Nano...)
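The reason U2F resists phishing where TOTP and SMS codes do not is that the token signs the origin the browser is actually on together with the server's challenge, and the browser, not the page, supplies that origin. The following is an added example, not code from this thread or from Yubico: a simplified model of that flow in Go using standard-library ECDSA P-256 in place of the real U2F key-handle, counter and client-data format, with a constructed real origin and a constructed lookalike phishing origin. It shows that an assertion obtained through a phishing page does not verify at the real site, even in the attacker's best case where the token is willing to sign for the lookalike.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a U2F token holding one key pair per registered origin.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a key pair for an origin and returns the public key,
// which the relying party stores against the user's account.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign is called by the browser, which fills in the origin of the page making
// the request; neither the page nor the user can substitute another origin.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no key registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// digest is what actually gets signed: the origin is part of the message.
func digest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the real site; it only ever verifies against its own origin.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

func (rp RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.Pub, digest(rp.Origin, challenge), sig)
}

func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Demo returns (legitimate login accepted, relayed phishing login accepted).
// Both origins are constructed for the example.
func Demo() (bool, bool, error) {
	const realOrigin = "https://mail.example.com"
	const phishOrigin = "https://mail-example.com"

	token := NewAuthenticator()
	pub, err := token.Register(realOrigin)
	if err != nil {
		return false, false, err
	}
	site := RelyingParty{Origin: realOrigin, Pub: pub}

	// Legitimate login: the browser is on the real origin.
	c1, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := token.Sign(realOrigin, c1)
	if err != nil {
		return false, false, err
	}
	legit := site.Verify(c1, sig)

	// Phishing: the lookalike page relays the real site's challenge. Give the
	// attacker the best case by registering the token at the lookalike too,
	// so it will sign; the signature still covers the lookalike origin, so
	// the real site rejects it. A relayed TOTP code would have been accepted.
	if _, err := token.Register(phishOrigin); err != nil {
		return false, false, err
	}
	c2, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	relayed, err := token.Sign(phishOrigin, c2)
	if err != nil {
		return false, false, err
	}
	return legit, site.Verify(c2, relayed), nil
}

func main() {
	legit, phished, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate login accepted: %v, relayed phishing login accepted: %v\n", legit, phished)
}
```

In the real protocol the signed data also includes the token's use counter and a hash of the client data (which carries the origin and the challenge); the property that matters for phishing is the same as modelled here, that the origin is inside the signature and is supplied by the browser.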

the eff guide is really solid for most people [0] but i think its a little laymen for most people. Especially when you get into the activism side of things. Here are the rules i follow.

Rule #1. No phones. If this can't be avoided. burner phones without linked accounts. they cost $30-50, plus some for minutes/sms/basic data. This is good for using maps and visiting forums etc. Burner phones should be able to remove batteries. keep them fully powered down anytime you are near home or in your neighborhood. Major companies and governments are incredibly good at connecting profiles based on ancillary meta-data that you don't even think about.

Rule #2. see rule #1. Your phone isn't secure, get used to it.

Rule #3. Encrypt everything, use Tails and Tor.

[0] https://ssd.eff.org/en

That's expensive for a burner phone.

I don't know about the USA, but in New Zealand you can get a phone for $10, usually with $10 credit already loaded onto it. So in essence a free phone. It won't be a smart phone, but that's probably good.

Viewing Google maps on your phone, burner or not, is a pretty bad idea from a privacy viewpoint. Good old fashioned static maps is what you want, printed out is even better.

What if someone needs to call or message you at home?

I have thought about taking some of these more "paranoid" measures as a precaution against an unpredictable political future. But doing this would cut me off from nearly every friend and family member.

How do you meet an average person and keep in contact with them (i.e. start a friendship or relationship) when doing something like this sounds insane?

You should compartmentalize different relationships you have. You wouldn't contact a friend or family member from your burner phone. Inversely, you shouldn't give a member of your activist group your home phone number.

You can maintain both types of relationships, as long as you use the appropriate tools for each one, and maintain strong separation.

Thank you very much to all for the detailed comments. I appreciate you keeping advice simple enough for someone like me, who decades ago counted as a "power user" of PCs, but who has no particular technical training or computer-related work experience. I will have to digest some of this advice for women (they are mostly women in the local group) who are barely comfortable using Facebook. And I'll pass on other tips to the women and men who have actual technical backgrounds and will be implementing the different online projects of the local group.

Advice that especially fits our situation is having an appropriate level of security for an intentionally PUBLIC organization whose members will be identifiable by multiple in-person activities in public places over the next few years. We are not afraid to be known as people who support the cause that we support. We are resolutely sticking to peaceful, legal means to reach our goals. Many group members are VERY wary of new group members--plenty of them are wary of me--so we will have to build mutual trust as we build mutual communication and public-facing communication. I like mz's advice to remind members that anything they say in an online group--even in our internal online groups for members only--might show up in mass media or in propaganda spread by opponents, so I try to model careful speaking and writing.

I'll link here to a document about the bad-case scenario of living under an actual dictatorship with a secret police force that kills political opponents. That's something I've actually done (in Taiwan, in the 1980s). The good news is that nonviolent popular movements can even overthrow dictators and establish democratic republics with full protection of civil liberties. That takes mental toughness, but it can be done. I've seen it done. You may be inspired by the document linked here and the other documents (in numerous languages) posted at the same website.


Since you have a lot of women, I will suggest that you explicitly instruct them to be careful about talking about other people in their lives in identifiable terms. Men tend to invest their identity in their work. Women tend to invest their identity in their relationships. Telling anecdotes about "My sister/boss/mother/daughter/son/husband" is potentially putting those people at risk. Encourage them to use vaguer terminology such as 'someone I know'; 'a relative'; 'an acquaintance'; 'a friend of a friend.'

Women are incredibly prone to talking about other people in terms that they don't think are problematic and in terms that they think are anonymous enough for the internet, but really are not ("my sister" instead of "sister's name" -- but it is possible to identify your sister). This is a habit they need to break if they value the welfare of these other people.

Edit: Since this is getting downvotes, I will add that if you think they won't listen to a man saying this, I will be happy to blog about it and you can give them the link. Perhaps it will be more palatable coming from a woman.

Maybe some of the onlookers don't know that you have long identified yourself as a woman here. As I recall, we (you and I) eventually figured out that we first "met" on an online community before Hacker News was founded.

As promised: http://micheleincalifornia.blogspot.com/2017/01/infosec-1-in...

You are free to use it, or not, to help your group get oriented.

Oh, no doubt. The offer to do a blogpost still stands. I can include the pertinent info in a piece I have been planning for some time about information security online for women.


Consider this:


I've given a bunch of friends (women and men) that.

The new social activists are shockingly ignorant of security. Most that I know of are organizing over Facebook. When someone mentions security to them, the activists say that there is no risk to them.

Education is even more urgently needed than tools.

I would absolutely start by running a threat modeling exercise, as that will help you focus on the important things and tune out unnecessary FUD (e.g. do you really need to PGP-encrypt everything and run TAILS if you're not being targeted by the NSA?).

Once you have an understanding of what you need to protect and who your main adversaries are, choosing the right tools should become more straightforward.

My favorite guide to threat modeling for activists comes from WITNESS: https://blog.witness.org/2016/11/getting-started-digital-sec...

EFF Surveillance Self-Defense (mentioned elsewhere in this thread) also has a guide to threat modeling, as well as a lot of good resources around how to use various tools.

But my advice: don't choose the tools first, or the non-techies won't understand why they have to use them and may become discouraged by the friction and poor usability they encounter.

Ross Ulbricht was crushed by a mountain of evidence generated by the FBI simply by snatching his laptop from him when he was arrested and not allowing FDE to kick in. Had he compartmentalized and separately encrypted his files, much of that evidence might not have been available to the court. That might have been the difference between a few years in prison and the rest of his natural life.

So, the idea that people should be blasé about encryption is worth questioning. If your threat model includes "law enforcement", then there's not much difference between "ostensibly NSA proof"† and "protected from police".

Security people have a bit about this, which you can find by searching for "you're gonna get Mossaded".

You're proving GP's point. If you're running the largest darknet drug market in the world, you should probably have stronger security and assume a group like the NSA, or with the means of the NSA, is targeting you.

Local police aren't going to be able to tap into the power of the NSA. Your local county sheriff isn't going to be able to tap into NSA resources; it's going to be difficult enough for them to tap into the resources of the FBI.

For the average person participating in activism of whatever sort, it's going to be perceived as more effort than it's worth if you suggest that they compartmentalize and separately encrypt all their files, keep several burner phones etc. etc. Simply encrypting their full drive is enough.

There are diminishing returns the further down the security rabbit hole you go.

MLK's inner circle of most trusted associates included a photographer who was an FBI informant.

It may limit your choices for civil disobedience that breaks laws, but the only reasonable assumption is that if a state actor wants access to your information, they will get it. I suggest reading "This is an Uprising" which has a fantastic history of activism.

Could you please provide links? Googling this phrase is unhelpfully returning this precise thread and not much else that appears useful.

Probably this gem: https://www.usenix.org/system/files/1401_08-12_mickens.pdf

> In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US”

> Threat: Organized criminals breaking into your email account and sending spam using your identity
>
> * Strong passwords + common sense (don’t click on unsolicited herbal Viagra ads that result in keyloggers and sorrow)
>
> Threat: The Mossad doing Mossad things with your email account
>
> * Magical amulets?
> * Fake your own death, move into a submarine?


Years ago on an email list, we were advised to not say anything on list that we wouldn't want posted to the front page of the local newspaper. I still find this to be a good rule of thumb.

Humans are incredibly, horribly bad about writing stuff online like it is confidential, just between you and me -- even when it is a public forum that anyone can read, like Hacker News. Thinking of it in terms of published to the front page of the local paper can help people keep some of their worst, stupidest impulses down to a dull roar.

Yes. Email in general is an opsec nightmare, no matter what rules you come up with or what tools you use to protect it. It's the worst case scenario, a system that goes out of its way to make sure everyone has copies of everything.

Above all else: do not create mailing lists for at-risk projects.

We may be talking at cross purposes, but for clarity's sake: I was not recommending email. I was only recommending that noobs be told to think of any written communication in terms of "like it is being published to the front page of your local paper, where your husband, mother in law, and any personal enemy might see it" and, in this case, where any officials might see it as well.

The list in question was mostly full time mothers. I was a full time mother, but also a military wife. I was more familiar with general information security practices than most of them. So this is the most noobie friendly line I know that seems helpful in trying to get inexperienced people to think before they speak/type.

I also got annual InfoSec training while working for an insurance company for more than five years. Getting human beings to take InfoSec seriously is incredibly challenging. If you can't get that to happen, no amount of good tech will save you.

> Getting human beings to take InfoSec seriously is incredibly challenging. If you can't get that to happen, no amount of good tech will save you.

I personally know one case where an assistant for a medical study forwarded an email list of participants to everyone when it was specifically stated that it was confidential. You would think that the person was fired because of this, but no: they literally couldn't find another employee that would take the job for such low pay, so he kept his job and security didn't improve...

Indeed. The fundamental truth about communication is that you want at least one person to be able to read it. That person might be undercover, or get turned (just now thousands of (new) people can be threatened with deportation, for example).

Doesn't mean one shouldn't organise, just be aware that all communication has risks.

I'm enthusiastically agreeing with you.

If you are seriously concerned about your security and safety, I would avoid electronic communication completely.

That concedes an enormous amount of ground to your opposition, who then has the privilege of using efficient communication while you don't. It's worth building up a gradient of security so that people who are simply exercising their rights can do so effectively without electronic harassment.

In addition to the EFF Security Self Defense (https://ssd.eff.org/ ) I've also seen this circulated: https://securityinabox.org/en/

Personally I don't think these resources go far enough, and some of the methods recommended have obvious exploits, or are too complicated for the less tech literate. Lots of work to be done in this area for sure.

My one tip is this: get to know each other in real life, and make sure you know how to find and contact each other if Facebook, Twitter, Google or whatever big left-wing internet service decides to silence, shadow-ban, or delete your account.

They should think long and hard about the downsides to each presence that they establish and not establish anything until they think they have a really good understanding of those downsides.

This may involve drastic steps like not using email.

Twitter Personality @SwiftOnSecurity has a guide https://decentsecurity.com/ that is reasonable for non-techies to understand and follow.

But is it accurate?

I'm an active German antifascist. Here's something I do:

0) Get a lawyer. If you're arrested and you don't know a lawyer, you're screwed. And learn your rights: what do you have to tell the cops, and what you can refuse to tell them. Always carry a valid ID card with you.

1) When publishing pictures, especially on Twitter: place stickers over people's faces, or better: pixelate using ObscuraCam. The best thing is of course to not take pictures or video at all.

2) Get a "burner dumbphone" (best are used, old Nokias) and a burner SIM card when going to demonstrations. Do not activate or use the phone at your home or at meeting points.

3) If you insist on carrying a smartphone, get a recent Android phone with support for FDE and an exchangeable battery. Enable FDE, also on your SD card, and in case you're about to get arrested, take out the battery or drop the phone to the ground so that the battery falls out and the cops cannot use imaging devices. Use a strong passphrase. iOS devices may be secure, too, but they have the disadvantage that you can't pull out their battery or switch them off in a hurry. If you care about your device, get an IP68-proof/rugged device - cops don't care if they damage your property when pushing you around, and it's easy to e.g. fall on your phone when you're pushed to the ground. Android: disable USB debugging, or if possible with your model, the entire USB stack. On a rooted Android phone, you can do so via an adb shell command.

4) When browsing around the web researching political stuff, use Tor. Do not download unnecessary stuff onto your computer.

5) Securely encrypt your computers and all external media devices (USB sticks). OS X can use Filevault, Windows can use Bitlocker. USB sticks are best protected by VeraCrypt (as it is a cross-platform solution). If you have a NAS that doesn't support encryption, ditch it and buy one that does.

5) If you receive sensitive information, delete it as soon as in any way possible. Insist on communicating via GPG-secured emails, and password-protect your key. Written information should be shredded into pieces as tiny as possible - don't burn the paper; ash flakes or incompletely burned paper can be restored (as evidenced after 9/11).

6) Enable 2FA, preferably via a token generator app on your phone, on any service that supports it. Store the backup keys (you will need them e.g. if your phone gets damaged!) somewhere safe that is NOT your home (e.g. at your parents' house). Do not label the sheets with a cleartext name of the service/account associated with them. SMS 2FA is the "last measure" as you'll be vulnerable to government attacks, but better SMS 2FA than simple password protection.

7) Handle sensitive information on a strict need-to-know basis. And for heaven's sake, don't talk about planned actions in public. Or brag about things you/your friends did or plan to do - while bars etc. usually aren't crowded with agents, someone may decide to rat you out to the cops.

8) Before going to any demonstration, write down the name and phone number of your attorney with waterproof ink on your arm. That way you don't have to rely on the cops finding your attorney or delaying calling him by taking their sweet time to do the search.

9) Inform close relatives/roommates that you're away, especially if you have pets, children etc. that need to be taken care of. Have enough cash on your bank account (or have a relative) to pay rent if you end up arrested.

10) Don't ditch fares, or if you have a car, always take care that it's up to code, legally registered, and taxes/insurance are paid. Nothing sucks more than getting arrested for petty stuff, and pulling people over for broken lights is a common excuse of cops to search the vehicle. Do not carry huge amounts of cash in your vehicle (google for "asset forfeiture", it's really gross what cops can legally do).

11) Don't ever go drunk, intoxicated or not well-rested to any political event. Do not take drugs of any kind with you, except medicine that you need (and for these, best take the original prescription or a copy with you, so the cops can't bother you with drug charges). Preferably use plastic glasses (glass lenses can cause grave eye injury when damaged); contact lenses and cosmetics of any kind tend to aggregate nasty stuff like pepper spray.

12) Always take sufficient supplies of water, food and a small pack of glucose tablets (in Germany, we know them as Dextro Energy) with you. If you can, take a couple small adhesive bandages with you, and go to a First Responder education (this is useful anyway, even if you're not "actionist" - you can save lives!)

13) Connect with other political groups both in your area and state/nationwide: ACLU, antifa groups, civil rights movements. Political parties (liberals, greens) may also be of interest to you, depending on your focus.

14) Beware of snitches or agents provocateurs that try to incite you to violence. When you want to go the "actionist" route, be aware of the potential consequences if you get caught and don't do anything you're not comfortable with.

15) Do NOT go on political demonstrations with firearms, knives or other weaponry. In most jurisdictions it's illegal, and even if it's legal to assemble with arms, it's not sane to do so. When you see armed protestors, or a demonstration turns violent, GTFO as fast as you can.

Thanks especially for items 8 through 15, which some people forget. Part of what I hope happens where I live is that 13 happens in a big way, and the overall inclusive movement becomes broader and broader as different specialized local groups network with one another and with a variety of national groups.

You're welcome. I wish you all the best!

I'd like to suggest taking some time to read through some of the EFF's collection on this.


If you are worried about more national level threats

While it is more dense, PrivacyTools.io has pretty good material.


This is the EFF's turf.


Since this is coming up: I've seen recommendations for encrypted file drops when similar topics have come up before, but for some reason I can't find any of the mentions that I've seen on HN before. Anyone have services they plug?

The "get an iPhone" comments remind me of Steve Martin's advice on how get rich... "First... Get a million dollars" Unless, theoretical bs.

privacytools.io - plain and simple

It's already too late, if you have an active Facebook group where you're discussing this stuff then you're already all tagged and profiled.

And there's no reason to suppose that Y Combinator and Hacker News are not compromised and that there is no profiling going on by some entity.

It doesn't even need to be compromised. A lot of the HN data is available through the HN API. Plenty of data there without requiring any additional access to the HN hardware.

But..but..we set the group's privacy to "Secret"!


Any thoughts on the VPN that comes built into the Opera browser?

Exactly what prevents the hostile actors you are ostensibly protecting against from joining your group?

Privacy is the antithesis of public advocacy.
