Semantic search

Scenario Task Description | Scenario Task Type | Scenario Task Format | Scenario Task Parent
2 factor authentication [https://en.wikipedia.org/wiki/Two-factor_authentication 2-factor authentication] also known as 2-step and 2fa is a method of authenticating yourself with a combination of two components: something you know (a password) and something you have (e.g. a mobile phone). The idea behind this method is that it's incredibly difficult for the hacker to have access to both components. The service must be offered by your email provider and many of them do now. Please have a look at this excellent report by Citizen Lab on [https://citizenlab.org/2015/08/iran_two_factor_phishing/ 2fa phishing attacks], in particular the conclusions and recommendations within. *[https://www.google.ca/landing/2step/ Google 2-step verification] and the [https://support.google.com/accounts/answer/1066447?hl=en Authenticator] application for your smartphone that allows you to generate codes without Internet access *[http://windows.microsoft.com/en-ca/windows/two-step-verification-faq Hotmail 2-step verification] *[https://help.yahoo.com/kb/SLN5013.html Yahoo 2-step verification] *[https://www.facebook.com/help/148233965247823 Facebook Login Approval] *[https://support.twitter.com/articles/20170388# Twitter Login Verification] <br /> [https://help.yahoo.com/kb/SLN5013.html Here's a list] of other popular online services that provide 2fa. <br /> Unauthorised Access Solution I want to protect my email account from unauthorised access
A website I am trying to access is unreachable Many countries that practice [https://opennet.net/ Internet censorship] are 'kind' enough to display a warning or a reason to the user when a banned website is being requested. In other circumstances your request may simply result in a 'Page Not Found' error, or the browser will keep spinning and eventually time out with another error message. There are several possible reasons to consider before claiming with certainty that the site is indeed censored. # You made a mistake in the site's name (perhaps omitted or added 'www' when it's not necessary) # Your computer's network configuration is not working. Try opening other websites or http://74.125.224.72 (Google's search page by IP). If nothing works, check your computer's settings. # Try to open the site from http://downforeveryoneorjustme.com This service will attempt to open your website from a different physical location. If that works, then the site is functioning and is likely censored (not accessible) from your location/country. If you think that the website has been blocked in your country, take a look at the [http://www.herdict.org/ Herdict] project from the Berkman Center for Internet. Here you can test the site's accessibility from different countries and whether other users have reported similar blockages. If that site is blocked, please see [[I want to learn about circumventing Internet censorship]] Censorship Scenario Access to the Web
Access to the Web Sometimes accessing a website may prove problematic. This may be due to several reasons: for instance that website may be filtered in the place where you are located, but you may also be experiencing a simple connection problem. This section explores how to troubleshoot a connection, introduces the topic of circumventing website filtering, and discusses ways to connect to websites securely or anonymously. An introduction to these topics can be found in the [https://learn.equalit.ie/wiki/How_does_the_Internet_actually_work%3F How does the Internet actually work?] pages, [http://en.flossmanuals.net/basic-internet-security/ Basic Internet Security] from Floss manuals and the more detailed [https://gist.github.com/atcuno/3425484ac5cce5298932 Privacy & Security Conscious Browsing guide]. <br /> Censorship
Surveillance
Profiling your identity and actions
Scenario
Can I be anonymous whilst using my phone The short answer is you can't, and there are [https://ssd.eff.org/en/module/problem-mobile-phones several reasons why]. Your [https://en.wikipedia.org/wiki/Subscriber_identity_module SIM card] can be directly linked to your identity, account or point of purchase. The [https://en.wikipedia.org/wiki/International_Mobile_Station_Equipment_Identity IMEI] and the [https://en.wikipedia.org/wiki/International_mobile_subscriber_identity IMSI] numbers in your phone are unique and can also be linked directly to your location and/or identity. In general, [https://en.wikipedia.org/wiki/Mobile_phone_tracking Mobile phone tracking] is a well established technology and the only way to prevent this type of location tracking is to remove the battery, carry a [https://en.wikipedia.org/wiki/Faraday_cage Faraday cage-like] accessory or not bring your phone at all. If you want, however, you can browse the Internet anonymously from your phone: * Android users can install [https://securityinabox.org/en/guide/orbot/android Orbot] and the [https://securityinabox.org/en/guide/orweb/android Orweb browser] * iPhone users can install the [https://itunes.apple.com/us/app/onion-browser/id519296448?mt=8 Onion Browser] <br /> Profiling your identity and actions
Surveillance
Solution Phone
Computer A large portion of our digital identities, years of work history and meticulously configured software rests on our computers. A broken, stolen or otherwise malfunctioning computer could be a small (or large) calamity. This section deals with how best to protect your computer from various physical and digital risks. <br /> Unauthorised Access
Data Loss
Scenario
Data Your data is your own. Protecting it from loss, corruption and unauthorised access requires effort and by default your data is only as secure as the device it is stored on. This section deals with protecting your offline data. For information on protecting your data on the Internet, please refer to the sections on [[Email]], [[Online Conversations]], [[Access to the Web]] Unauthorised Access
Data Loss
Scenario
Email To send or not to send - that is the question! And it is not a rhetorical one: email is an all-consuming part of our digital lives, but it is also very ancient, and over the years its 30-year-old design hasn't improved much in terms of security. Email is basically made of two parts: the "body", with the content of the message, and the "header", with information on the author of the email, the person it has been sent to, the time when it was sent, etc. All this information, called [https://en.wikipedia.org/wiki/Metadata metadata], can be gathered from email records and turned into a pattern, as can be seen on [https://immersion.media.mit.edu/ the Immersion project from MIT]. The content of the messages, on the other hand, can be protected, and the various questions you may have about how to secure your email are answered in this section.<br /> Other good introductory guides to email security include the [https://en.flossmanuals.net/basic-internet-security/ch022_introduction-to-email-safety Introduction to email safety] from Floss Manuals and the multi-lingual [https://securityinabox.org/en/guide/secure-communication secure communications] chapter of the Security in a box project. Profiling your identity and actions
Surveillance
Scenario
FAQ This is an introductory guide for those looking for an answer to their digital security concerns. It assumes common threat scenarios and asks a series of iterative questions to direct you to a solution, whether that's a tool, a technique or a link to one of the excellent resources listed herein. Treat every recommendation as one piece of the security puzzle you need to solve. __TOC__ ===Guides and reference manuals=== *[https://prism-break.org Prism Break] - a directory of Internet services and software for protecting oneself from online surveillance *[https://www.privacytools.io Privacy Tools] - a huge collection of privacy-oriented tools, services and guides *[https://emailselfdefense.fsf.org/ Email Self Defense] - Free Software Foundation *[https://digitaldefenders.org/digitalfirstaid/ Digital First Aid Kit] - Digital Defenders *[https://securityinabox.org Digital Security Toolkit] - Tactical Technology Collective & Front Line Defenders *[https://help.riseup.net/en/security Security Guides] - Riseup *[https://ssd.eff.org Surveillance Self Defense guide] - Electronic Frontier Foundation *[https://www.accessnow.org/pages/protecting-your-security-online Protecting Your Security Online] - AccessNow *[https://myshadow.org My Shadow] - Tactical Technology Collective *[https://gendersec.tacticaltech.org/wiki/index.php/Main_Page Gender and Tech Resources] - Tactical Technology Collective *[http://equalit.ie//esecman/index.html Digital Security Manual for Human Rights Defenders] - Front Line Defenders *[https://github.com/OpenInternet/MyWebsiteIsDown/blob/dev/MyWebsiteIsDown.md What to do when your website goes down] - Jon Camfield *[https://flossmanuals.net/basic-internet-security Basic Internet Security] - FLOSS manuals Greenhost, Free Press Unlimited *[https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md Encryption Works] - Freedom of the Press Foundation *[https://gist.github.com/atcuno/ Privacy and security conscious browsing] - 
Andrew Case ===Software and services index=== <ul> <li>[[:Avast|Avast]]</li> <li>[[:BitMask|BitMask]]</li> <li>[[:BittorrentSync|BittorrentSync]]</li> <li>[[:Bleachbit|Bleachbit]]</li> <li>[[:Bleep|Bleep]]</li> <li>[[:CCleaner|CCleaner]]</li> <li>[[:Comodo|Comodo]]</li> <li>[[:Cryptocat|Cryptocat]]</li> <li>[[:DiskCryptor|DiskCryptor]]</li> <li>[[:Dm-crypt|Dm-crypt]]</li> <li>[[:Eraser|Eraser]]</li> <li>[[:Firechat|Firechat]]</li> <li>[[:FlashBlock|FlashBlock]]</li> <li>[[:FlashControl|FlashControl]]</li> <li>[[:GPG4USB|GPG4USB]]</li> <li>[[:Ghostery|Ghostery]]</li> <li>[[:HTTPS Everywhere|HTTPS Everywhere]]</li> <li>[[:Herdict|Herdict]]</li> <li>[[:Jitsi|Jitsi]]</li> <li>[[:Jitsi Meet|Jitsi Meet]]</li> <li>[[:KeePass Password Safe|KeePass Password Safe]]</li> <li>[[:Lantern|Lantern]]</li> <li>[[:LibreCrypt|LibreCrypt]]</li> <li>[[:Lightbeam|Lightbeam]]</li> <li>[[:Linphone|Linphone]]</li> <li>[[:LinuxLive USB Creator|LinuxLive USB Creator]]</li> <li>[[:Mailpile|Mailpile]]</li> <li>[[:Mailvelope|Mailvelope]]</li> <li>[[:Mega|Mega]]</li> <li>[[:Nessus|Nessus]]</li> <li>[[:NetCraft|NetCraft]]</li> <li>[[:Nmap|Nmap]]</li> <li>[[:NoRoot Firewall|NoRoot Firewall]]</li> <li>[[:NoScript|NoScript]]</li> <li>[[:Onion Browser|Onion Browser]]</li> <li>[[:Orbot|Orbot]]</li> <li>[[:Orweb|Orweb]]</li> <li>[[:Panicbutton|Panicbutton]]</li> <li>[[:Peerio|Peerio]]</li> <li>[[:Pidgin Adium|Pidgin Adium]]</li> <li>[[:Psiphon|Psiphon]]</li> <li>[[:Purify|Purify]]</li> <li>[[:Qubes OS|Qubes OS]]</li> <li>[[:Recuva|Recuva]]</li> <li>[[:Ricochet IM|Ricochet IM]]</li> <li>[[:SMSSecure|SMSSecure]]</li> <li>[[:ScriptBlock|ScriptBlock]]</li> <li>[[:Signal|Signal]]</li> <li>[[:SilentPhone|SilentPhone]]</li> <li>[[:SpoofMac|SpoofMac]]</li> <li>[[:SureSpot|SureSpot]]</li> <li>[[:Symantec Endpoint|Symantec Endpoint]]</li> <li>[[:Tails OS|Tails OS]]</li> <li>[[:Telegram|Telegram]]</li> <li>[[:Tor Browser|Tor Browser]]</li> <li>[[:Tor Messenger|Tor Messenger]]</li> <li>[[:Tor2Web|Tor2Web]]</li> 
<li>[[:TorBirdy|TorBirdy]]</li> <li>[[:Truecrypt|Truecrypt]]</li> <li>[[:UBlock|UBlock]]</li> <li>[[:UProxy|UProxy]]</li> <li>[[:Veracrypt|Veracrypt]]</li> <li>[[:Virtualbox|Virtualbox]]</li> <li>[[:Whonix|Whonix]]</li> <li>[[:WorldIP|WorldIP]]</li> </ul> ===Contacts=== If you have a suggestion for a threat scenario or new resource to link to, a recommendation or simply want to help or find something out, please write https://encrypt.to/info@equalit.ie Solution
Find a reliable hosting provider If you are setting up your own website for the first time, or want to find a more secure solution for the website you already have, you will have to look into the complicated market of hosting providers, where making the right choice can be hard. To understand what you need to look for, consider the following points: * Larger companies will be more reliant on existing control panels and automated processes to solve your problems and less willing to go out of their way specifically for you. On the other hand, their infrastructure could be better suited to mitigate [https://en.wikipedia.org/wiki/Denial-of-service_attack an attack] * Research company reviews from past customers * Read the terms of service, in particular their mitigation options during an attack * Look for details on their data centre location, internal systems security, client privacy, customer support agreements In any case, keep your own backup of the site and make sure you are in control of the [https://en.wikipedia.org/wiki/Domain_Name_System DNS records] so as to switch providers when necessary. A more [https://learn.equalit.ie/wiki/Choose_a_hosting_provider detailed guide] is available for those considering their hosting options. '''Commercial Hosting''' * [https://aws.amazon.com/ec2/ Amazon EC2] - huge amount of features and resources, a bit overwhelming for non-technical users at first * [https://www.dreamhost.com/ Dreamhost] - Many hosting options with a control panel, DNS registration included * [http://wpengine.com/ WpEngine] - popular option for Wordpress site hosting '''Non-commercial Hosting''' * [http://www.autistici.org/ Autistici/Inventati, or A/I] - free hosting for activists on servers run by people who care about users' privacy and security * [https://help.riseup.net/ca/security/resources/radical-servers A list of non-profit] hosting and Internet service providers, catering to activist causes <br /> Unauthorised Access
Surveillance
Censorship
Solution My Website
Google mail [https://mail.google.com Google Mail] hardly requires an introduction. It is a free service and incredibly prevalent on the Internet. There are many options to improve your account's security, such as [https://www.google.com/landing/2step/ 2-step authentication] and [https://support.google.com/mail/topic/3394463 other account security] options. If correctly configured, these will provide a good level of protection. Consider that Google is a US registered company and has hundreds of millions of users. Surveillance Service To find a reliable email provider
How can I access censored websites from my phone Bypassing website censorship on your phone is very similar to [[I_want_to_learn_about_circumventing_Internet_censorship|doing it from your computer]] albeit with slightly different tools. You can use the [https://www.torproject.org/docs/android.html.en Tor Browser for Android] or the unofficial [https://mike.tig.as/onionbrowser/ Onion Browser] for iPhone. Android users can also install [https://psiphon.ca/en/download.html Psiphon], that works with "VPN, SSH, and HTTP proxy technologies to keep users connected at all times". [https://bitmask.net/ BitMask] is a new project encrypting online communications for Android users. iPhone users should establish a [https://support.apple.com/en-ca/HT201550 VPN connection] to a trusted provider for circumventing censorship. [https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/ Torrent Freak] has a list you can choose from. Censorship Solution Phone
How can I prevent getting a virus infection from an email There are many solutions here, varying in their degree of difficulty to implement. Protecting your email from malware (malicious software, including viruses) begins with [[I want to protect my computer from virus infection|protecting your computer from viruses]]. You need to be extra vigilant when opening an email and, whenever possible, switch off the email preview function. What follows is a list of steps, by degree of difficulty, you could take to reduce the risk of viruses infecting your primary computer systems and files: #Don't open suspicious messages and attachments. Write back to the sender to confirm their intention #Install an [https://securityinabox.org/en/guide/avast/windows anti-Virus, anti-malware] tool #Keep all your software up-to-date #Don't use pirate (or cracked) software #Use an email account from a provider that scans messages for malware before you receive them #Switch to using a [https://en.wikipedia.org/wiki/Linux_distribution#Popular_distributions Linux operating system] or better still, use [https://tails.boum.org/ Tails] #Consider running a [https://www.virtualbox.org/ virtual machine], better if with [https://www.whonix.org/ Whonix], to isolate potential infection from email and third party devices within it To learn more, refer to the Security in-a-box [https://securityinabox.org/en/guide/malware malware guide] or the Surveillance Self Defense page on [https://ssd.eff.org/en/module/how-do-i-protect-myself-against-malware How Do I Protect Myself Against Malware?] <br /> Unauthorised Access Solution I want to be protected from malicious emails
How can I prevent my computer from malfunctioning Like any machine with a huge number of components, a computer could theoretically break at any time - whether through physical or water damage, or simply because of a malfunctioning component. More often than not a computer malfunction is caused by buggy or conflicting software. The infamous [https://en.wikipedia.org/wiki/Blue_Screen_of_Death blue screen of death] will be familiar to any longtime Windows user. Simply put: *'''Do not rely''' on your computer as the sole repository for your data - have a backup on a removable storage medium. *Make sure your backup is on a secure (encrypted) medium and is kept in a different physical location (e.g. keeping your backup in the same office as the original, is not a good idea) *Keep handy a [http://www.linuxliveusb.com/ live USB] so as to access your hard disk without having to go through the (malfunctioning) operating system In any case, make sure you have an up-to-date [[I want to ensure that my data is never lost| backup]] <br /> Data Loss Solution Computer
How can I see who the email is really from? The short answer is: you can't. You can only be certain of the sender's identity when the message is digitally signed, and for that you need to read [[I want to learn about digital signatures]]. There are however some tips to help you better understand where the email ''may'' have come from. Every email you receive is made up of several components. There is the content itself, address details, as well as technical data about the message - also known as the message header. It contains detailed information generated by your email server about where the message came from and how it was processed before arriving in your inbox. This may be your only forensic clue to investigate the message's origin. If you want to learn to examine email headers, read this guide on [https://learn.equalit.ie/wiki/Email_spoofing email spoofing] and [https://support.google.com/mail/answer/29436?hl=en Gmail's guide] on understanding their message headers. You can also copy and paste the message header into the [http://mxtoolbox.com/EmailHeaders.aspx MXToolbox] to get a human-readable account of where this email has been. Impersonation Solution I want to be certain of the recipient's identity (and vice versa)
How can I stop spam Unfortunately you can't :( Once your email address ends up on the spammers' lists, the only thing you can do is to install a good spam cleaner or use an email provider that offers this service (quite common these days). It's very easy to end up on these lists, especially with the prevalence of the [https://en.wikipedia.org/wiki/Information_broker data broker industry]. Here are some tips for keeping your email address out of the spammers' hands: *Maintain several email accounts for various functions: work, friends and family, online transactions, email groups and lists *Never give out your 'spam free' email address to a third party *Register several email addresses on your smartphone and be careful which one you use to download apps with *Do not reply to spam! That confirms your email address *Whenever you need to display your email address on a public site, use clever techniques to mask it. *Use a [http://www.throwawaymail.com/ temporary email address] <br /> Profiling your identity and actions Solution I want to be protected from malicious emails
How do I know if someone else is accessing my email account The three main email providers offer a 'Recent Activity' notification window where you can view where and how your account was last accessed. *[https://security.google.com/settings/security/notifications Google recent activity] *[https://account.live.com/Activity?mkt=en-US Hotmail recent activity] *[https://www.yahoo.com/notifications# Yahoo notification] <br /> Unauthorised Access Solution I want to protect my email account from unauthorised access
How to protect your phone from virus infection The best way to keep your phone free from malicious software is to: * keep the operating system and all apps up-to-date * not install ANY applications from outside Google Play or the App Store Even these methods may not protect you completely, as attackers have been known to sneak malicious software into the official repositories run by Google and Apple. You can also try to install an [https://www.avast.com/free-mobile-security anti-virus] and are advised to enable the firewall [https://support.apple.com/en-us/HT201642 on your iPhone] or something akin to the [https://play.google.com/store/apps/details?id=app.greyshirts.firewall NoRoot Firewall] on Android. To secure yourself from malicious code built (or injected) into various websites, install a script blocker such as [https://www.ghostery.com/en/try-us/download-add-on/ Ghostery]; [https://www.ublock.org/ uBlock] for Android; or the [https://www.purify-app.com/ Purify app] for iPhone. Unauthorised Access Solution Phone
Hushmail [https://www.hushmail.com Hushmail] is an established and well known provider of secure email solutions. In the past they [http://www.wired.com/2007/11/encrypted-e-mai/ have provided] access to private user data in response to a request from Canadian law enforcement. Surveillance Service To find a reliable email provider
I want to be anonymous connecting to the web Disassociating your true identity from an IP address assigned to your device usually requires a change of your physical location - a public place - to connect to the Internet from. Using a wifi hot-spot or going to an Internet cafe will give you some degree of anonymity (especially if those places are not running CCTV or force you to register with an ID before using their services). Bear in mind that once connected you need to consider the following concerns that may de-anonymise you on the local network: *Software on your computer. Your Internet browser and many other tools, including malware, may reveal your identity on the network. Use a live operating system such as [https://tails.boum.org/ Tails] or [https://www.whonix.org/ Whonix] on your computer to ensure that there is no history or malicious tools during your session. *Hardware on your computer. In particular your network card (connecting you to the wired or wireless network) has a unique identifier called a Media Access Control (MAC) address. It can be used to identify your computer's actions on the network. However you can spoof this address using [http://www.wikihow.com/Spoof-a-MAC-Address built-in techniques] or a tool like [https://github.com/feross/SpoofMAC SpoofMac]. Tails also allows you to create a fake MAC address for every session. *The services you access online (e.g. your Facebook page) may also correlate your current IP address to your identity. Use the built-in [https://www.torproject.org/ Tor Browser] from the [https://tails.boum.org/ Tails] or [https://www.whonix.org/ Whonix] operating systems. <br /> The situation is much more complicated (regarding anonymity) when accessing the Internet from your smartphone. Please refer to the section on [[Phone|Protecting your phone]] for more details. <br /> Profiling your identity and actions
Surveillance
Solution Identity or Location
I want to be anonymous when browsing the web There are multiple guides to help you stay anonymous when browsing the Internet. Anonymity, which is not [https://learn.equalit.ie/wiki/What_is_Internet_surveillance%3F inherent in the Internet], is useful when you want to hide your destination address from the local Internet Service Provider or your identity from the visited website. It can also help protect your [https://en.wikipedia.org/wiki/Social_graph social graph], obscuring the network of your actual online (and offline) relationships. If you need anonymity to send an email, please refer to the [[I want to send an anonymous email]] section. *The [https://www.torproject.org/about/overview.html.en#whyweneedtor Tor Browser] hides your destination address and shields your identity from the visited website. It is completely open source and free with an active developer and volunteer community. To learn how to use it, read the guides from the [https://securityinabox.org/en/guide/torbrowser/windows Security in-a-box] project for Windows users and from the [https://ssd.eff.org/en/module/how-use-tor-mac-os-x Surveillance Self Defense] guide for Mac users, as well as some [https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md#browsing-habits tips for using Tor]. *[http://anonymous-proxy-servers.net/en/software.html JonDonym] offers several options for anonymising your origin and destination whilst browsing websites. *The [https://censorship.no CeNo] is a new project that utilises the [https://freenetproject.org Freenet] anonymous communications and publishing platform for browsing websites and media news feeds. 
<br /> Deciding whether you need to use an anonymity tool or a [[I want to learn about circumventing Internet censorship|VPN]] will depend on your circumstances and is best explained in the [https://ssd.eff.org/en/module/choosing-vpn-thats-right-you Surveillance Self Defense] guide as well as [https://gist.github.com/atcuno/3425484ac5cce5298932#vpn-vs-tor- here]. Be aware of [https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md#what-tor-doesnt-protect-you-from Tor limitations] as well. <br /> Profiling your identity and actions
Surveillance
Solution Identity or Location
I want to be certain of the recipient's identity (and vice versa) When sending an email, it is incredibly easy to fake (or "spoof") one's email address. For example, try sending yourself an email with a made up identity from https://emkei.cz. In order to be certain of each other's email identity, the message needs to be signed cryptographically. You can [[I want to learn about digital signatures | do this yourself]] or learn about existing authentication methods used by some email providers. Impersonation Scenario Email
I want to be protected from malicious emails A huge quantity of malicious content can access your computer through your email inbox. This could be annoying but harmless unsolicited advertising (spam), [https://en.wikipedia.org/wiki/Malware malicious software] embedded in an attachment or within the message itself, and various types of [https://en.wikipedia.org/wiki/Phishing#Link_manipulation links] leading you to infected web pages. Many tools exist to protect your computer from infection but they will never be 100% effective and a lot of discretion is advised when opening or reacting to content received in an email message. To learn how to check if an email you have received is malicious, read [https://ssd.eff.org/en/module/how-avoid-phishing-attacks this manual] by the Electronic Frontier Foundation. Also, be aware of [https://en.wikipedia.org/wiki/Spyware#Rogue_anti-spyware_programs rogue software] promising to protect your computer. Unauthorised Access Scenario Email
I want to communicate securely There are two primary channels for communicating with others from your smartphone - using the [https://en.wikipedia.org/wiki/Cellular_network mobile network] (GSM, CDMA, etc) for voice and SMS messages, or using a data connection (e.g. to the Internet) over the cellular network. Different solutions for secure communications exist for each of the two channels, and each scenario below assumes both circumstances. Generally speaking, privacy advocates and security researchers [https://ssd.eff.org/en/module/problem-mobile-phones do not recommend] using mobile phones or smartphones for (very) secure communication. There is a third way, however, to communicate 'off the grid' for smartphone users. [http://opengarden.com/ Firechat] uses the phone's wifi or bluetooth device to establish conversations with other users in the geographic vicinity. You do not need to connect to the cellular or data network. Messages between users in these temporal messaging rooms are, however, not encrypted. Surveillance
Profiling your identity and actions
Scenario Phone
I want to delete metadata from my files Metadata is [https://myshadow.org/digital-traces-content-and-metadata data about data]. It is needed for our digital systems to work properly: for instance, it enables emails to be delivered correctly, helps us find files on our computer, and fundamentally makes it possible to navigate and manage digital content. But as it helps our navigation, it can also help others [https://myshadow.org/tracking-data-traces trace our activities]. Every Word document, digital photograph, PDF, etc. you create will contain metadata. This could include information about the physical device you used, the location you were at, the time of creation and so on. It's important that you know how to [https://securityinabox.org/en/lgbti-mena/remove-metadata locate and destroy this metadata] from a given file. Profiling your identity and actions Solution I want to destroy data
I want to destroy data Those rumours were true - computers [https://learn.equalit.ie/wiki/Destroying_data cannot delete data]. Information previously deleted on your computer, USB or SD card by using the standard delete > empty bin method, can be recovered. In order to destroy data you need to overwrite its physical location on the disk with new information. Specific tools exist for this purpose including [https://ssd.eff.org/en/module/how-delete-your-data-securely-windows Bleachbit for Windows] and [https://ssd.eff.org/en/module/how-delete-your-data-securely-linux Linux], as well as [https://securityinabox.org/en/guide/ccleaner/windows CCleaner] and [http://sourceforge.net/projects/eraser/ Eraser] for Windows. MacOS users can follow the techniques mentioned in [https://ssd.eff.org/en/module/how-delete-your-data-securely-mac-os-x this guide] or recommendations regarding SecureTrash on the [https://support.apple.com/kb/PH18638?locale=en_US&viewlocale=en_US Apple website]. <br /> Unauthorised Access
Data Loss
Scenario Data
I want to ensure that my data is never lost Whether through a malicious action or by sheer bad luck, data can be lost in many different ways. And if that data had been stored on just one device or in one location, it may be very difficult or even impossible to [[I_want_to_recover_data | recover]] it. The only way to not actually lose any information is to have an up-to-date and secure backup. The best solution, especially if your archive is sizeable and your Internet connection speed is basic, is to make several [[I want to prevent unauthorised access to my data | encrypted copies]] of your data on various portable memory devices. If you want to keep an online archive of your files, there are many commercial and some free services offering encrypted storage. In choosing between them, look out for terms such as 'client-side' or 'end-to-end' encryption - that is where the provider cannot decrypt your data because it was encrypted locally, by your client. [https://peerio.com Peerio] is an encrypted file storage and sharing tool with 1GB of free space. [https://mega.nz Mega] also offers encrypted online storage and sharing with 50GB for free. There is a syncing feature to keep all your devices up to date. <br /> Data Loss
Unauthorised Access
Solution Data
I want to find out about existing options for authenticating email Several systems have been developed in recent years to help email providers [https://en.wikipedia.org/wiki/Email_authentication authenticate] the sender of an email message. Most providers currently use an email authentication system to filter spam. If you are a Gmail user, you can understand how this works by reading Gmail's [https://support.google.com/mail/answer/180707?hl=en email authentication] guide. In general, you must rely on your email provider to perform sender authentication, but if you want to be sure and inspect some of the messages you receive manually, you will need to [https://www.arclab.com/en/kb/email/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html learn how to read message headers] (sometimes called "message source") and authenticate them yourself with these online tools: * [http://dkimcore.org/tools/dkimrecordcheck.html DKIM authentication ] * [http://mxtoolbox.com/spf.aspx SPF record lookup] If you would like to check that your email provider offers email authentication (for emails that you send to others), you can try the [http://dkimvalidator.com/ DKIM Validator] website. Simply send an email to the address on that page and then click to view the results. These systems either confirm the domain name (e.g. @equalit.ie) that the message was sent from or check the sender's [https://learn.equalit.ie/wiki/How_does_the_Internet_actually_work%3F#Internet_Protocol_.28IP.29_Address IP address] against a list of known malicious addresses. Impersonation Solution I want to be certain of the recipient's identity (and vice versa)
I want to have a private phone conversation There is not much choice for having a private (encrypted) conversation using the cellular network. The [http://www.cryptophone.de/ CryptoPhone] might be one of the few commercially available solutions, but both parties will need to have one for secure calls. Android and iPhone users can rely on various tools that use a secure Voice over IP protocol or a VPN approach to encrypting your calls. You will need a steady data (Internet) connection and the same application for all conversing parties. Note that by "private" we mean conversations which are not accessible to anyone but the conversing parties. Android: * [https://www.linphone.org/ LinPhone] * [https://ostel.co Ostel], using the CSIP simple client - ''no updates since November 2014'' <br /> Multi-platform * Signal for [https://ssd.eff.org/en/module/how-use-signal-%E2%80%93-private-messenger iPhone] and [https://ssd.eff.org/en/module/how-use-signal-android Android] *[http://www.bleep.pm Bleep] messenger enables encrypted calls over the peer-to-peer Bittorrent protocol *[https://www.silentcircle.com/products-and-solutions/software/ SilentPhone] commercial solution from SilentCircle <br /> Surveillance Solution I want to communicate securely
I want to hide my traces Your computer [[Destroying temporary files | keeps a trace]] of most of your activities. This includes the websites you visit, documents you've worked on, email attachments opened, etc. This information is constantly collected and stored as 'temporary files' on the computer. Since these files document your actions, they could give away a lot of information about you to anyone who might have access to your machine, so it may be prudent to delete such traces. [https://ssd.eff.org/en/module/how-delete-your-data-securely-windows Bleachbit for Windows] and [https://ssd.eff.org/en/module/how-delete-your-data-securely-linux Linux], as well as [https://securityinabox.org/en/guide/ccleaner/windows CCleaner] can destroy temporary files. <br /> Using your browser in [https://support.google.com/chrome/answer/95464?hl=en Incognito mode on Chrome] or [https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history Firefox] will prevent the recording of your browsing history and the download of [https://en.wikipedia.org/wiki/Cache_%28computing%29 cache] to the computer. It will also disable [https://en.wikipedia.org/wiki/HTTP_cookie cookie] collection for that session and help [https://myshadow.org/visualisations/animation prevent profiling]. Additional browser settings on [https://myshadow.org/how-to-increase-your-privacy-on-firefox Firefox] and [https://myshadow.org/how-to-increase-your-privacy-on-chrome Chrome] will help you better control your data. If you want to be fairly sure that anyone getting hold of your machine will not be able to learn about what you've been up to, it is always advisable to [[I want to prevent unauthorised access to my data | encrypt your hard disk]], and you can also consider using [https://tails.boum.org/ Tails], a live operating system that leaves no traces on the computer you are using (unless you ask it to do so). <br /> Profiling your identity and actions Solution Data
I want to investigate other options The only way to be sure that your email conversation is truly confidential is to use [[I want to learn about encrypting email|end-to-end encryption]] technology. Aside from that you would need to either: *Trust your email service provider. Please see [[To find a reliable email provider]] and ensure that your recipient uses the same provider, or *Trust the provider of an encrypted messaging service (for example, that they have properly implemented their security algorithms and are resilient to any type of 3rd party interference). Some suggestions for encrypted messaging services built as open-source software: * https://peerio.com - encrypted messaging and file sharing where you don't need to learn about GPG encryption. Required for all recipients. Cannot be used with regular email addresses. * https://mega.nz/ - encrypted online file storage. Mega allows you to share the file with another Mega user or externally, provided you can get the link to them securely. You can always turn to a proprietary solution (e.g. http://www.symantec.com/desktop-email-encryption) but we cannot recommend any commercial solutions, especially those which do not disclose their code for inspection. Surveillance
Profiling your identity and actions
Impersonation
Solution To send an email that no one but me and the recipient can read
I want to know about options for private chat If you want to have a private chat conversation with someone, you need to make sure that no one else but you and the person/s you are chatting with can read your messages (confidentiality), that the person/s you are chatting with are really who they say they are (authenticity) and that what you and the other people in the chat are writing is not tampered with by third parties (integrity). In order to obtain all this, you need to use a tool offering end-to-end encryption and key verification. As most service providers (e.g. Google, Microsoft, Yahoo, Facebook) don't offer this service and can therefore read your chat record, it is a good idea to either switch to an alternative chat service that provides encryption by default, or to use software for encryption if you need to stick to those services. Take a look at the EFF's [https://www.eff.org/secure-messaging-scorecard Secure Messaging Scorecard] to see how they rate various chat clients that claim security properties. <br /> <br /> The standard for a secure two-party conversation is called [https://en.wikipedia.org/wiki/Off-the-Record_Messaging OTR - Off the record messaging], and several popular chat clients support it, including Pidgin with OTR for [https://securityinabox.org/en/guide/pidgin/windows Windows] and [https://ssd.eff.org/en/module/how-use-otr-linux Linux], [https://ssd.eff.org/en/module/how-use-otr-mac Adium] for Mac, and [https://securityinabox.org/en/guide/jitsi/windows Jitsi] for all common desktop operating systems. The latter also includes secure audio and video conferencing. These clients can work with your existing accounts on Google, Facebook, Yahoo, etc. and encrypt the conversation over their respective networks. <br /> <br /> Several chat clients are available as an add-on to your web browser, including [https://crypto.cat Cryptocat], [https://mega.nz Mega] and [https://whispersystems.org/blog/signal-desktop/ Signal]. 
Aside from that, several free messaging services offer similar encryption properties for messaging including [https://peerio.com/ Peerio] and [https://telegram.org/ Telegram]. All of the mentioned tools are available as open source software and publicly disclose the encryption methods they employ in their software. <br /> <br /> If you are interested in creating a secure and an anonymous conversation, please refer to [[I'd like to have an anonymous conversation]] Surveillance Solution Online Conversations
I want to learn about circumventing Internet censorship There are numerous ways to block a website. Luckily there are also many ways to get around these blocks. For a quick primer, look at the [https://ssd.eff.org/en/module/how-circumvent-online-censorship How to Circumvent Online Censorship] guide by the EFF or the more detailed [http://flossmanuals.net/bypassing-censorship Floss manual] on bypassing censorship, or a practical multilingual guide on how to [https://securityinabox.org/en/guide/anonymity-and-circumvention remain anonymous and bypass censorship on the Internet] from the Security in-a-box project. The solution lies in connecting to the desired website via an intermediary server - and hiding this action from the censor. There are a number of tools and services to achieve this: *Circumvention tools - purpose-built software to go around local Internet restrictions. [https://psiphon.ca Psiphon], [https://getlantern.org Lantern] and [https://www.uproxy.org uProxy] are some such tools. *VPNs - a Virtual Private Network allows you to connect to the Internet via an encrypted tunnel to the VPN provider. Your ISP can only see your connection to the VPN service, and to the website you are visiting, your connection appears to come directly from the VPN servers. The [https://black.riseup.net/ RiseUp VPN] service is a popular choice among activists and functions from all computers and Android smartphones. [https://www.surfeasy.com/ Surfeasy] is one of the many commercial VPN services offering free accounts as well. *The [https://securityinabox.org/en/guide/torbrowser/windows Tor Browser] is another popular method for bypassing website censorship by using an anonymity network. A growing number of countries practicing Internet censorship are beginning to discover and block access to these intermediaries as well. 
If neither method works (as you live in a country that blocks public circumvention methods) then you may need to ask a friend living in another country to set up a [http://en.flossmanuals.net/bypassing-censorship/ch042_installing-web-proxies/ proxy server], a [https://www.torproject.org/docs/bridges.html.en#RunningABridge Tor Bridge] or a [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 VPN] just for you. The latter (setting up a VPN server) is a little trickier and will require some technical competency with Linux systems (and possibly home routers). Censorship Solution A website I am trying to access is unreachable
I want to learn about digital signatures You've come to the right place! But all in due time: before you learn how to cryptographically sign your message, you first need to understand [[I want to learn about encrypting email | how email encryption works]] and generate a key pair, which is used to encrypt your messages, but also to digitally sign them. By signing a message, you will be able to prove to the recipient that you are the actual author of the email (authenticity) and that the text has not been tampered with along its way from your computer to the recipient's inbox (integrity). For more information, you can read the [http://www.bitcoinnotbombs.com/beginners-guide-to-pgp/ Digital Signatures] section on the Bitcoinbombs website and then a [https://securityinabox.org/en/guide/thunderbird/windows practical guide for your email client] from the Security in-a-box website. Impersonation Solution I want to be certain of the recipient's identity (and vice versa)
I want to learn about encrypting email Excellent! It's a journey but one well worth taking. There are many guides about setting up and using public key encryption and it may seem overwhelming at first. A few helpful tips to remember when starting out: * There is a general standard for public key encryption called [https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP OpenPGP]. Popular encryption engines including [http://www.symantec.com/products-solutions/families/?fid=encryption PGP] and [https://www.gnupg.org/ GnuPG] are compliant with this standard * To use public key encryption you will need a key pair, an encryption engine and (optionally) an interface with your email program * Your key pair is portable, you can change the email program and encryption engine, using the same encryption method from different computers. Essentially the key pair is made up of two distinct (but interdependent) files - the public and private key. Keep a copy of them.<br /> Keep in mind that aside from encrypting your messages, you should also know about key verification, message signing and file encryption. Please make sure you refer to these sections in the given resources. Here's a list of guides, varying in the software methods they show as examples, by language and context, to help you get started and on the way: *[https://help.riseup.net/en/security/message-security/openpgp/best-practices Message Security] - by the RiseUp folks. A very thorough guide on all aspects of PGP/GPG encryption. Windows and Linux. 11 languages. *[https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md#pretty-good-privacy-pgp-email-encryption Encryption works] - A good introduction to various topics related to public key encryption and more. 
Originally written by Micah Lee of the Intercept *[https://ssd.eff.org/en/playlist/want-security-starter-pack#communicating-others PGP/GPG set-up guides from the EFF] for [https://ssd.eff.org/en/module/how-use-pgp-windows-pc Windows], [https://ssd.eff.org/en/module/how-use-pgp-linux Linux] and [https://ssd.eff.org/en/module/how-use-pgp-mac-os-x MacOS]. 11 languages. *[https://securityinabox.org/en/guide/thunderbird/windows Setting up GnuPG and email with Thunderbird] - from the Security in-a-box project. Windows users. 13 different languages. And similar guide from the [https://emailselfdefense.fsf.org/ Free Software Foundation]. *[https://www.mailvelope.com/en/help Mailvelope documentation] - Browser plugin for GPG encryption. Works with most webmail clients. For Mozilla Firefox and Google Chrome. <br /> Surveillance Solution To send an email that no one but me and the recipient can read
I want to learn about secure audio and video conferencing Secure telephony and video conferencing on the Internet did not exist until very recently, when [https://en.wikipedia.org/wiki/ZRTP ZRTP], a cryptographic standard for voice over IP (VOIP) conferencing, was invented by Phil Zimmermann, the same person who gave us [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] encryption for email. ZRTP offers end-to-end encryption of the conversations and has been implemented in [https://jitsi.org/ Jitsi] and [http://www.linphone.org Linphone]. Both tools encrypt audio and video conferencing and are available for use on all common platforms. <br /> In addition Jitsi also offers a conferencing service accessible directly from the browser, called [https://jitsi.org/Projects/JitsiMeet Jitsi Meet]. You can [https://github.com/jitsi/jitsi-meet install the open source] package on your own computer or use their publicly available portal at https://meet.jit.si. Note that this web service provides only transport layer security (TLS) and not end-to-end encryption, unlike the clients mentioned above, which means that the connection is encrypted but the content is accessible to the provider. <br /> Surveillance Solution Online Conversations
I want to prevent unauthorised access to my data If you want to avoid that your documents are accessed by someone without your permission, you need to either encrypt them one by one (file encryption) or to store them in a secure space, which may be your computer, a storage device or just a part of them (disk encryption). In order to create a secure space on your hard disk or storage device or encrypt the entire computer, you can use several tools: * [https://securityinabox.org/en/guide/truecrypt/windows Truecrypt] can encrypt your entire hard disk or just a part of it, but is no longer actively maintained. * Truecrypt is being replaced by [https://www.idrix.fr/Root/content/category/7/32/46/ Veracrypt], which has been developed starting from Truecrypt's code, but this project is very recent and doesn't have a very large user base. * [https://ssd.eff.org/en/module/how-encrypt-your-windows-device DiskCryptor] and [https://github.com/t-d-k/LibreCrypt LibreCrypt] are two other free and open source tools for disk encryption that are gaining prominence as replacements of Truecrypt. * [https://en.wikipedia.org/wiki/BitLocker BitLocker] is a Windows solution (Vista and 7 Ultimate+ editions and Windows 8+) with several options for full disk or folder encryption. * Another popular commercial disk encryption tool is [https://www.symantec.com/endpoint-encryption/ Symantec Endpoint Encryption]. * Mac users can encrypt their disk using the built-in [https://support.apple.com/en-ca/HT204837 FileVault] feature. You can also use an encrypted file storage service like [https://peerio.com Peerio] or [https://mega.nz Mega] as explained in the [[I want to ensure that my data is never lost]] section. Individual files can be protected with [https://securityinabox.org/en/guide/gpg4usb/windows GPG4USB]. Unauthorised Access Solution Data
I want to protect my Email Surveillance
Profiling your identity and actions
Scenario Starts
I want to protect my computer from virus infection Like its biological predecessor, a computer virus can be caught in a lot of different circumstances. It may be impossible to prevent your computer from exposure but a series of defensive mechanisms should be able to stop the infection. They include: * Automatic updates installation for the operating system (Windows, Mac, etc) and all software * A registered and functioning [https://securityinabox.org/en/guide/avast/windows anti-virus] * Use either the native [https://support.apple.com/en-us/HT201642 Mac] or [http://windows.microsoft.com/en-us/windows-8/windows-firewall-from-start-to-finish Windows] firewall or a third-party [https://securityinabox.org/en/guide/comodo/windows firewall] on your computer * Use the [https://securityinabox.org/en/guide/firefox/windows NoScript] and [https://addons.mozilla.org/en-us/firefox/addon/flashblock/ FlashBlock] extensions for Firefox or [https://chrome.google.com/webstore/detail/flashcontrol/mfidmkgnfgnkihnjeklbekckimkipmoe?hl=en FlashControl] and [https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba?hl=en ScriptBlock] for Chrome * Switch to [https://en.wikipedia.org/wiki/Linux_distribution#Popular_distributions Linux] or use the security-oriented [https://tails.boum.org/ Tails] or [https://www.qubes-os.org/ QubesOS] operating systems Furthermore, detailed guides are available in the [https://ssd.eff.org/en/module/how-do-i-protect-myself-against-malware Surveillance Self Defense] project and the [https://securityinabox.org/en/guide/malware Security in-a-box] toolkit. Unauthorised Access Solution Computer
I want to protect my email account from unauthorised access There are many things you can do to protect your email account from unauthorised entry or hacking. There are quite a few things your email provider should do as well, so [[To find a reliable email provider|pick one wisely]]. First and foremost your account must be protected by a [https://learn.equalit.ie/wiki/Better_Passwords good password]. You also need to make sure that your computer is free from [[I want to protect my computer from virus infection|malware]]. Unauthorised Access Scenario Email
I want to recover data Information previously deleted from your computer or removable memory card can [https://securityinabox.org/en/guide/recuva/windows sometimes be recovered]. If your computer is broken and the operating system refuses to load, it may still be possible to recover data from the hard drive by booting it from a [http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows live operating system]. Data Loss Solution Data
I want to send & receive secure messages from my phone Messaging is the most popular method for communicating on smartphones today. [https://www.whatsapp.com/ WhatsApp], [https://www.snapchat.com/ SnapChat], [https://slack.com/ Slack], just to name a few, and of course the behemoths that are [https://www.facebook.com/mobile/messenger Facebook messenger] and [http://www.google.com/+/learnmore/hangouts/ Google Hangouts] all offer messaging services. It's interesting to note that they are all working in silos - your friends and contacts need to use the same provider as there is no inter-service communication. In general, they are not considered private since the provider has access to your messages. Messaging apps that perform [https://en.wikipedia.org/wiki/End-to-end_encryption end-to-end encryption] and publish their methods and source code in the public domain are considered here as private messaging tools. You can see a review of multiple apps on the [https://www.eff.org/secure-messaging-scorecard EFF's secure messaging scorecard]. *Signal for [https://ssd.eff.org/en/module/how-use-signal-android Android] and [https://ssd.eff.org/en/module/how-use-signal-ios iPhone] from [https://whispersystems.org/ WhisperSystem] *[https://telegram.org Telegram] for all smartphone and desktop platforms *[https://www.surespot.me SureSpot] for Android and iPhone *[https://www.silentcircle.com/products-and-solutions/software/ SilentPhone], a commercial solution from Silent Circle *[http://www.bleep.pm/ Bleep], an encrypted peer-to-peer chat infrastructure using BitTorrent <br /> Surveillance
Profiling your identity and actions
Solution I want to communicate securely
I want to send a pseudonymous email There are two ways to go about this. One is to use an [[I want to be anonymous when browsing the web|anonymity network]] (like Tor) to register and then send emails from a standard webmail account, as explained in EFF's [https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts How to create an anonymous email account] guide. The other solution is to use a [https://tails.boum.org/ secure operating system] and access your email provider from a public location, using a [https://tails.boum.org/doc/first_steps/startup_options/mac_spoofing/index.en.html fake MAC address]. Needless to say, in both cases your email account should be registered with a pseudonym, completely disassociated from any of your personal details and you must maintain rigor and vigilance whenever accessing this account. Surveillance Solution I want to send an anonymous email
I want to send a secure SMS (text message) There really are not many options for sending private SMS/MMS without a data plan or access to the Internet from your smartphone. Android users have [http://smssecure.org/ SMSSecure] which was a fork of the original TextSecure application after they decided to [https://whispersystems.org/blog/goodbye-encrypted-sms/ remove support for SMS/MMS]. There are no known iPhone applications for end-to-end SMS encryption. Surveillance Solution I want to send & receive secure messages from my phone
I want to send an anonymous email There are several options for sending an anonymous email. One of them involves a pseudonymous email where any data identifying you or your location is stripped from the message. A level of technical experience is required as you move further down the anonymity scale in your email communications. This is especially true because of the problem posed by [https://immersion.media.mit.edu/ email metadata]. You can register a temporary email address (good for one day) to receive an email anonymously from the https://anonbox.net project. You can send an anonymous email using the [https://webmixmaster.paranoici.org Paranoici] remailer service. It will wrap your email message in several layers of encryption, anonymising the [https://ssd.eff.org/en/module/why-metadata-matters metadata] of your message. The 'easiest' way to send an anonymous email (containing no identifying metadata about the conversing parties) is over the [https://www.torproject.org/docs/hidden-services.html.en Tor Hidden Service] network. You can register an email account in Torbox (http://torbox3uiot6wchz.onion/) and access its webmail service from a [https://www.torproject.org/download/download-easy.html.en Tor Browser] or through a [https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/ Torified Thunderbird client]. The recipient must use the same service for conversing with you. <br /> Profiling your identity and actions
Surveillance
Scenario Email
I want to share a document securely If you want to share a document with a friend or two, without anyone else being able to access this document, several options are available. You can send your document as an encrypted email attachment, as described in [[I want to learn about encrypting email]] or use a stand-alone [https://securityinabox.org/en/guide/gpg4usb/windows GPG4USB] to encrypt one or more individual files. In either case, both parties need to have [[I want to learn about encrypting email | set up and exchanged their keys]] in advance - to decrypt the message they have received. You can also use an [[I want to investigate other options | encrypted messaging service]] or do a file transfer if both parties have set up a [[I want to know about secure chat | secure chat session]]. <br /> Surveillance Solution Data
I would like to connect to a website anonymously This topic is covered in [[I want to be anonymous connecting to the web]] in the section [[Identity or Location]]. Surveillance Solution Access to the Web
I would like to connect to a website securely Connecting to a website securely means several things, all of which contribute to secure your access to the websites you visit: * the connection between your computer and the website's server is [https://learn.equalit.ie/wiki/Encrypted_connections '''encrypted''']; * there are '''no [https://trackography.org/ leaks of information]''' about the current session to third parties; * you do not expose yourself to '''[https://support.google.com/websearch/answer/8091?hl=en malware infection]''' by visiting a compromised website. Read the [https://help.riseup.net/en/better-web-browsing Better Browsing] guide by RiseUp for details on how to browse with greater security in Firefox or Chrome (in general, these are the recommended browsers when discussing security). <br /> The [https://www.eff.org/HTTPS-EVERYWHERE HTTPS Everywhere] browser add-on by the Electronic Frontier Foundation ensures that you connect securely and with trusted credentials to thousands of websites. <br /> In all cases, make sure that your computer's operating system is up-to-date, that you are using the latest version of your browser and that you are running [https://securityinabox.org/en/guide/avast/windows anti-malware] protection. Install the recommended extensions from the RiseUp guide and review the [https://ssd.eff.org/en/module/how-do-i-protect-myself-against-malware How Do I Protect Myself Against Malware?] guide from the EFF. <br /> You may also wish to use an anonymity network or a VPN to reach the desired website as explained in the [[I want to be anonymous when browsing the web]] section. <br /> Surveillance
Profiling your identity and actions
Solution Access to the Web
I would like to prevent others from accessing my computer Barring physical access to your computer may be a logistical challenge: in most cases there will be moments when it is left unattended. Nevertheless, you can prevent others from getting any of your personal data out of it by using [https://learn.equalit.ie/wiki/Better_Passwords strong passwords] and [[I_want_to_prevent_unauthorised_access_to_my_data|disk encryption]]. A laptop with a [https://en.wikipedia.org/wiki/Trusted_Platform_Module TPM chip] can encrypt the entire drive and secure the computer from booting to unauthorised parties, using [http://windows.microsoft.com/en-ca/windows-vista/bitlocker-drive-encryption-overview BitLocker] for Windows (Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8) and [https://en.wikipedia.org/wiki/Dm-crypt dm-crypt] for Linux. Mac users can encrypt the disk using the built-in [https://support.apple.com/en-ca/HT204837 FileVault] feature. Unauthorised Access Solution Computer
I'd like to have an anonymous conversation In order to have an anonymous conversation, you need to connect to the network anonymously or via a service that protects your identity to enable anonymity. In general, what you have to look for is a tool or a service that hides your IP address, as explained in the [[Identity or Location]] section. *[https://ricochet.im/ Ricochet] client is a peer-to-peer messaging app that creates a [https://www.torproject.org/docs/hidden-services.html.en Tor Hidden Service] to enable anonymity for the conversing parties. "Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request." *[https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily Tor Messenger] is a new tool that has been just released to the public by the Tor project team. Quoting from Tor Project's blog, it is a "cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages." *[http://www.bleep.pm/ Bleep] messenger is built on top of BitTorrent, a file sharing peer-to-peer infrastructure. There is no central server and connections between conversing parties are made directly, with content encrypted between the parties. It is not, strictly speaking, anonymous as it relies on IP addresses to route a connection through other BitTorrent users. *If you want to keep your current chat address and existing contact lists whilst adding anonymity properties to your conversations, install the [https://help.riseup.net/ca/chat/clients/pidgin#tor-with-pidgin-configuration Pidgin or Adium chat clients] and configure them to work over the Tor network. 
This approach is explained in detail in [https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched/ Chatting in secret while we're being watched], an article by Micah Lee published in The Intercept. In addition, you should read [[I want to know about secure chat]] and ensure that your recipients have performed the same steps. <br /> Profiling your identity and actions Solution Online Conversations
I'm worried someone is trying to lure me with a fake email (phishing) Receiving messages asking you to click on a certain link, reply with private and sometimes confidential data or open an attachment, could also be a [https://en.wikipedia.org/wiki/Phishing Phishing attack]. Targeted attack messages - whereby the content is specifically tailored to be relevant to you - are known as [http://www.wired.com/2015/04/hacker-lexicon-spear-phishing/ spear phishing]. In the everyday humdrum of working life, reading dozens if not hundreds of emails per day, it is quite easy to mistakenly click on a link or open an attachment, without giving a second thought to the sender's identity or intent. Targeted attacks (an email purportedly from your friend or your boss) are even harder to detect. Please review the [https://ssd.eff.org/en/module/how-avoid-phishing-attacks How to avoid phishing attacks] guide from the EFF. Some of the bigger email providers like [https://support.google.com/mail/answer/184963?hl=en&ref_topic=3394464&vid=1-635773191968940616-20681252 Gmail] or [http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Recognize Hotmail] offer help to detect and report phishing attacks. The [http://toolbar.netcraft.com/ NetCraft] tool can protect your web browser from accessing known websites used for phishing re-directions. Firefox users can also install additional [https://addons.mozilla.org/en-us/firefox/addon/worldip/ add-ons] to double-check a site's validity before visiting it. In principle you should: * Never click on links in email messages directly (copy and paste them into the browser manually if you're intent on opening it) * Never open an attachment unless you are sure of the sender's identity and intent. 
Sometimes it's better to reply to the sender in order to confirm the message before opening it. [https://www.google.com/chrome/browser/desktop/ Google Chrome] and the open source [https://download-chromium.appspot.com/ Chromium] browser have built-in [https://support.google.com/chrome/answer/99020?hl=en phishing protection], which may warn you in advance of opening a known phishing site. Unauthorised Access Solution I want to be protected from malicious emails
Identity or Location Computers and smartphones [https://myshadow.org/location-tracking leave traces] about you and your actions. Connected together, all these pieces of information can [https://myshadow.org/trace-my-shadow reveal a lot] about your identity and the places you have visited. Browsing and communicating on the Internet is inextricably linked to your [https://learn.equalit.ie/wiki/How_does_the_Internet_actually_work%3F IP address] and [https://tails.boum.org/contribute/design/MAC_address/#index1h1 MAC address]. These details are continuously recorded by your Internet service provider, in accordance with [https://en.wikipedia.org/wiki/Telecommunications_data_retention Data retention] legislation passed in most countries, and oftentimes by the website you are visiting as well. The IP address can also be linked to a geographic location, as you can see by visiting http://www.hostip.info. The MAC address can be linked to your online accounts and identity. There are several solutions to 'hiding' your identity or location from the site you are visiting or masking your true destination from the ISP. However, disassociating your location from the IP address assigned to you on the network and disassociating your identity from the MAC address of your personal computer or smartphone require a different approach. Inadvertently we leave a lot of [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual#.E2.80.98Digital_Traces.E2.80.99_and_.E2.80.98Digital_Shadows.E2.80.99 traces and information about our identity and location] through the voracious use of social media services and the pervasive [https://myshadow.org/browser-tracking presence of online trackers] that record, correlate and create profiles of our characteristics and persona. Simply by using [https://en.wikipedia.org/wiki/Open-source_intelligence open source intelligence] it is possible (and fairly easy for any savvy Internet user) to locate and identify a person from their online accounts. 
<br /> Profiling your identity and actions
Surveillance
Scenario
Kolabnow [https://kolabnow.com Kolabnow] is an Internet services provider based in Switzerland. Their systems are built strictly on open source software. Surveillance Service To find a reliable email provider
Minimising damage from a lost or stolen computer Security measures must be taken in advance of the loss. They include: * A good backup, either on removable media or [[I want to ensure that my data is never lost|online]] * An [[I want to prevent unauthorised access to my data|encrypted disk]] or [[I would like to prevent others from accessing my computer|secure chip]] in your computer <br /> Unauthorised Access
Data Loss
Solution Computer
My Website It's very easy to get a website up and running these days, but it's pretty tough to keep it secure and stable against a continually evolving and maturing array of cyber attacks. In order to protect your website, you will need to consider its technical set-up, the software you are using to create the site and its content, as well as the various types of plugins and extensions enabled for extra features on that site. Most importantly, you need to have a contingency plan, by asking yourself what happens in case of an emergency. This includes: * creating regular backups of your files and database, in case your online content gets lost due to a technical problem or an attack; * knowing your hosting provider's terms of service and their readiness to protect you during an attack; * knowing your Domain name service (DNS) provider's security options and terms of service; * implementing mitigation solutions in advance of a crisis. In most cases, for non-technical users it is advised to create a site/profile on an existing platform catering especially for this, like [https://wordpress.com/ WordPress], [https://medium.com/ Medium] and [http://www.livejournal.com/ Livejournal] to name a few of the bigger providers. They look after all the back end details, leaving you to create and manage content on the site. You can also choose to host your blog at one of the non-profit groups including [http://noblogs.org/ NoBlogs] or someone from this [https://help.riseup.net/ca/security/resources/radical-servers list]. Unauthorised Access
Data Loss
Censorship
Scenario
Online Conversations On the Internet you will find an incredible amount of resources for real-time online conversations, whether you want to interact with communities, have one-on-one conversations, or organize a meeting or a conference. Sometimes these conversations are only textual (chat and instant messaging), but in other cases they offer audio and video as well. As with email and Internet browsing, similar considerations on surveillance and profiling also apply to online conversations. You can have a private or an anonymous conversation using some of the tools and methods described in this section. Surveillance
Profiling your identity and actions
Scenario
Only one of us knows how to use encryption If only you or only your recipient knows how to use public key encryption, it is still possible to send a secure one-way message. The person with the key pair registers an account with https://keybase.io and uploads their public key to it, creating an identity on the portal. The sender can then compose an encrypted message using that person's page on the portal, "https://keybase.io/encrypt#username". Keep in mind this is for one-way communication. If you would like to establish a secure channel with your recipients, please read [[I want to learn about encrypting email]]. If you would like to investigate other options of securing your messages, please go to [[I want to investigate other options]]. <br /> Surveillance Solution To send an email that no one but me and the recipient can read
Phone A smartphone is a small computer in your pocket, and all of the vulnerabilities mentioned throughout other sections of this guide apply. The solutions are more or less the same as those for a computer, only with different software. In most cases your smartphone will be running a version of the [https://www.android.com/ Android] or [http://www.apple.com/ios/ iOS] operating system. The Security in-a-box toolkit has excellent recommendations on secure [https://securityinabox.org/en/guide/mobile-phones mobile] and [https://securityinabox.org/en/guide/smartphones smartphone] usage. One major difference between a computer and a phone is that the latter always gives away its location to the cellular network. You can read more about this in [[Can I be anonymous whilst using my phone]]. Wikipedia has a useful description of various [https://en.wikipedia.org/wiki/Mobile_security Mobile security] issues. Smartphones in general require just as much attention security-wise as your computer. Profiling your identity and actions
Surveillance
Scenario
Protect files and messages on my phone Both the Android and Apple smartphones offer full handset (disk) encryption, which ensures all files and messages on your handset cannot be accessed without knowing the handset's password. On the Android phone this needs to be [http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/ enabled manually] and on the iPhone you are simply required to set up [https://support.apple.com/en-us/HT202064 a security Passcode] to enable disk encryption automatically. If you forget the phone's password, you will need to ''restore the phone'' back to its original setting. Your phone would need to be synced with your Google or iTunes account so as not to lose any data. On the other hand, syncing your phone with these providers means that there is a duplicate of all your data in the cloud. If you just want to encrypt your messages on the phone, you can use Signal on [https://ssd.eff.org/en/module/how-use-signal-android Android] and [https://ssd.eff.org/en/module/how-use-signal-ios iPhone]. Unauthorised Access Solution Phone
Protect my site from denial of service attacks Denial of service attacks attempt to bring down the target website through a variety of hacking, social engineering and other means. Distributed denial of service attacks (or DDoS) attempt to overwhelm the target website or its provider's resources by flooding it with malicious requests. There are many vulnerabilities and mitigation points to think through, as described in the [https://digitaldefenders.org/digitalfirstaid/#section-ddos-mitigation DDoS mitigation] section of the Digital First Aid Kit. The [https://github.com/OpenInternet/MyWebsiteIsDown/blob/dev/MyWebsiteIsDown.md What to do when your website goes down] guide describes how to respond to such attacks and prevent their success in the future. There are also a number of DDoS mitigation and secure hosting providers ranging from large corporate run services like [https://cloudflare.com/galileo Cloudflare's Project Galileo] and [https://projectshield.withgoogle.com/public/#application-form Google's Project Shield] to smaller ethically run organisations including [https://www.qurium.org/contact/ Virtualroad], [https://greenhost.net/order/ Greenhost] and the purpose-built [https://deflect.ca Deflect]. Censorship Solution My Website
ProtonMail [https://protonmail.ch/ ProtonMail] is an emerging and popular email service run out of Switzerland, offering end-to-end encryption based on the OpenPGP.js library. Currently they are restricting account registration due to overwhelming demand. Parts of the codebase are open source and others are proprietary. Surveillance Service To find a reliable email provider
Reset passwords and security questions Passwords are easily forgotten (unless you are using a [https://securityinabox.org/en/guide/keepass/windows password program]). This is why most service providers offer several opportunities for you to reset your password by sending you an email or by asking you a personal question of your choice to prove your identity. Whilst often necessary, both options may result in a security risk and need to be thought through carefully in advance. For an excellent description of the problem, you can read this [http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ Wired article by Mat Honan]. To make a long story short: # Resetting a password by sending the code to another email account opens up another attack vector for the hacker. If they can break into one account and then request that the password reset for another account be sent there, you are worse off than before. # Setting a security question based on personal information (e.g. your mother's maiden name) means the attacker only needs to find out this information in order to reset your password and gain access to your account. If at all possible, it is best to not set any reset options. If you want this option or are required to do so, put yourself in the hacker's shoes and make sure their task won't be easy. <br /> Unauthorised Access Solution I want to protect my email account from unauthorised access
RiseUp email [https://mail.riseup.net RiseUp email] is a free service for organised civil society members and is many an activist's preferred choice. They have been in operation for over 15 years and take your privacy very seriously. At the same time, a @riseup.net email account could arouse suspicion since it is so prevalent in the activist community. Surveillance
Profiling your identity and actions
Service To find a reliable email provider
Run your own mail server If you're up to the challenge, a personal (or small network) mail server on an encrypted computer is an excellent way to go. It may expose the participants as belonging to a single service, but can offer privacy and reliability far and beyond what you'd expect from a 3rd party. Many guides are available online, ranging from the step-by-step walk-throughs with detailed explanations to the point-and-click install. It's not a task for the novice but it is definitely doable with some attention and persistence. *[http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/ Ars Technica guide to running your own mail server] *[http://www.iredmail.org/ iredMail] point and click server installation *[https://equalit.ie/portfolio/caislean/ Caislean] is a set of Ansible recipes that you can use to set up and manage, in a few simple steps, servers offering free and open-source tools for secure communications and information exchange <br /> Surveillance
Profiling your identity and actions
Service To find a reliable email provider
SafeMail [http://www.safe-mail.net/ Safe-mail] is an established provider of secure email. It is a commercial enterprise and free accounts only allow for 3 MB of space. The company and servers are located in Israel, with offices in the UK and Japan. The company [http://www.safe-mail.net/support/eng/help/protectsecure/index.html claims] to seamlessly encrypt all messages between safe-mail users with 'PKE', but the secret key is stored on their servers (which means you will have to trust they will never use it to decrypt your mail). Surveillance
Profiling your identity and actions
Service To find a reliable email provider
Social Network The very term - social network - implies socialising and not discreet conversation. However the Facebooks and Twitters out there have become such an essential part of information exchange between us that we inevitably begin to look for confidentiality and authenticity within our social circles. There are numerous [https://ssd.eff.org/en/module/protecting-yourself-social-networks vulnerabilities to consider] and important steps to [https://securityinabox.org/en/guide/social-networking mitigate them] are documented and require your action. In brief, you should: * switch on [[2 factor authentication]] for your account * consider [[I want to be anonymous connecting to the web|anonymity services]] when using the social network * use a [https://securityinabox.org/en/guide/passwords good password] to protect your login * configure your account's security and privacy settings (guide for [https://www.facebook.com/help/325807937506242/ Facebook] and [https://support.twitter.com/categories/51#category_267 Twitter]) When using a commercial social networking platform, consider that you are helping [https://immersion.media.mit.edu/ create the social graph] of your friends and associates. This is useful information to companies and security services. By remaining constantly signed in on your social network account in the browser, you are also disclosing your [https://myshadow.org/browser-tracking browsing habits] on the Internet in general, aside from their service. This extends to many types of websites, including your [https://trackography.org news and media] service. The [https://panopticlick.eff.org/ Panopticlick] project by the EFF can analyse your browser for traces of identifiable data that websites you visit will collect about you. 
The [https://myshadow.org/lightbeam Lightbeam browser add-on] will "visualise the relationships between the websites you visit and the third party companies that track your online activity through those websites" and the [https://www.ghostery.com/our-solutions/ghostery-add-on/ Ghostery browser add-on] will help you block these trackers from collecting your personal data. There are alternative social networking services that are built with privacy in mind, including [https://diasporafoundation.org/ Diaspora], [http://retroshare.sourceforge.net/ RetroShare], [https://gnu.io/social/ Gnu Social] and the recently launched [https://www.minds.com Minds] for Android and iOS. <br /> Profiling your identity and actions
Surveillance
Unauthorised Access
Scenario
Test my site for vulnerabilities The rule of thumb for not getting your site hacked or infected with malware is: * Run up-to-date software, including all themes and plugins (if there are no recent updates to either - do not use them anymore) * Do not install or run any services you are not currently using * Make sure your web hosting service continually updates their own systems and services Testing a site for vulnerabilities is not an easy task. You need not only to look at the various systems your website is comprised of and depends on, but also to be able to interpret the results. A vulnerability could be found and exploited on a systems level (e.g. hosting set-up), in the web server configuration, inside WordPress or in some third-party plug-in you have installed within it. An [https://pentest-tools.com online penetration test] is available with several testing options, including a passive reconnaissance [https://pentest-tools.com/information-gathering/google-hacking# 'Google hacking'] test. In principle it is recommended to run your own vulnerability testing systems, including the popular [https://nmap.org/download.html Nmap] tool and the surprisingly easy to set up but very well respected [http://www.tenable.com/products/nessus/nessus-professional Nessus vulnerability scanner]. Many vulnerabilities occur at the user level - with you. For an in-depth look into auditing internal organisational processes and systems, refer to the [http://www.safetag.org Safetag] project and make sure you have read the section on how to [[I would like to prevent others from accessing my computer|protect your computer]]. Unauthorised Access Solution My Website
The website loads but is unrecognisable - it looks like another site If you're sure that the website address is correctly typed, then three possibilities remain for it appearing as a different site altogether. # It's been hacked and its contents have been replaced with what you see now. # The website's DNS account was hacked and is now redirecting you to another IP address. # You are witnessing a [https://en.wikipedia.org/wiki/DNS_spoofing DNS poisoning] attack. To avoid this circumstance, use [[I want to be anonymous when browsing the web|an anonymity network or a VPN]]. You may also want to try searching through various online cache repositories that take a historical snapshot of various sites, including [http://cachedview.com/ Cached View] and the Internet Archive's [https://archive.org/web/ Wayback machine]. Censorship Solution A website I am trying to access is unreachable
To find a reliable email provider Ideally you would not need to rely on your email provider if you [[I_want_to_learn_about_encrypting_email|encrypted all your email]]. In general, there are several important factors to consider when choosing an email provider: *Who is behind the service - is it a big corporation or a small company? *Where are their servers located, where is the company registered? *What are the privacy and security features of the account? Answers to these questions may help you understand how far the email provider will go to protect your privacy and identity, and the relevant laws that will govern that company and your messages on their servers. [https://www.privacytools.io/#email Here's a list from the Privacy Tools website] of ethical email providers. It is best to read carefully each provider's terms of service and privacy policies before registration. Be aware that apart from protecting the contents of your email messages with encryption, you should also consider email metadata - that is, information about who you send email to and receive it from, when, how often and the subject line, which is never encrypted. Please refer to the EFF [https://ssd.eff.org/en/module/why-metadata-matters Surveillance Self Defense Guide - why Metadata matters]. <br /> Surveillance
Profiling your identity and actions
Scenario Email
To send an email that no one but me and the recipient can read There are several options for sending a confidential email that no one but the sender and recipient/s can read. Unlike traditional letters, email isn't protected by an envelope and isn't just one copy of a message travelling from the sender to the receiver. Rather, it is plainly visible to anyone who has access to its several copies, which are stored in several computers along the way. So you have to trust that those copies won't be read by your email provider, the Internet service provider and anyone else responsible for sending and delivering your message. If you want to be sure that no one but you and the recipient can read your messages, the solution relies on using encryption. The Electronic Frontier Foundation has a good introductory guide to [https://ssd.eff.org/en/playlist/want-security-starter-pack#communicating-others communicating with others] in a secure way. <br /> Surveillance Scenario Email
Tutanota [https://tutanota.com/ Tutanota] is a German email provider offering built-in RSA/AES 2048 encryption and an open source [https://github.com/tutao/tutanota/ codebase]. Messages sent within the Tutanota service are encrypted end-to-end and you have an option of sending an encrypted (password protected) email to an external address. [https://tutanota.com/terms Terms of Service & Privacy Policy] Surveillance Service To find a reliable email provider
Useful apps for my phone * Any app from the [https://guardianproject.info Guardian Project] is recommended for Android users * [https://www.getsync.com/platforms/mobile BittorrentSync] allows for secure file or folder synchronisation * The [https://panicbutton.io/ Panicbutton] app will send out a number of SMS messages and your GPS location to pre-configured contacts <br /> Solution Phone