| Scenario Task Description | Scenario Task Type | Scenario Task Format | Scenario Task Parent | |
|---|---|---|---|---|
| I want to know about options for private chat | If you want to have a private chat conversation with someone, you need to make sure that no one else but you and the person/s you are chatting with can read your messages (confidentiality), that the person/s you are chatting with are really who they say they are (authenticity) and that what you and the other people in the chat are writing is not tampered with by third parties (integrity). In order to obtain all this, you need to use a tool offering end-to-end encryption and key verification. As most service providers (e.g. Google, Microsoft, Yahoo, Facebook) don't offer this service and can therefore read your chat record, it is a good idea to either switch to an alternative chat service that provides encryption by default, or to use software for encryption if you need to stick to those services. Take a look at the EFF's [https://www.eff.org/secure-messaging-scorecard Secure Messaging Scorecard] to see how they rate various chat clients that claim security properties. <br /> <br /> The standard for a secure two-party conversation is called [https://en.wikipedia.org/wiki/Off-the-Record_Messaging OTR - Off the record messaging], and several popular chat clients support it, including Pidgin with OTR for [https://securityinabox.org/en/guide/pidgin/windows Windows] and [https://ssd.eff.org/en/module/how-use-otr-linux Linux], [https://ssd.eff.org/en/module/how-use-otr-mac Adium] for Mac, and [https://securityinabox.org/en/guide/jitsi/windows Jitsi] for all common desktop operating systems. The latter also includes secure audio and video conferencing. These clients can work with your existing accounts on Google, Facebook, Yahoo, etc. and encrypt the conversation over their respective networks. <br /> <br /> Several chat clients are available as an add-on to your web browser, including [https://crypto.cat Cryptocat], [https://mega.nz Mega] and [https://whispersystems.org/blog/signal-desktop/ Signal]. Aside from that, several free messaging services offer similar encryption properties for messaging including [https://peerio.com/ Peerio] and [https://telegram.org/ Telegram]. All of the mentioned tools are available as open source software and publicly disclose the encryption methods they employ in their software. <br /> <br /> If you are interested in creating a secure and an anonymous conversation, please refer to [[I'd like to have an anonymous conversation]] | Surveillance | Solution | Online Conversations |
| I want to learn about circumventing Internet censorship | There are numerous ways to block a website. Luckily there are also many ways to get around these blocks. For a quick primer, look at the [https://ssd.eff.org/en/module/how-circumvent-online-censorship How to Circumvent Online Censorship] guide by the EFF or the more detailed [http://flossmanuals.net/bypassing-censorship Floss manual] on bypassing censorship, or a practical multilingual guide on how to [https://securityinabox.org/en/guide/anonymity-and-circumvention remain anonymous and bypass censorship on the Internet] from the Security in-a-box project. The solution lies in connecting to the desired website via an intermediary server - and hiding this action from the censor. There are a number of tools and services to achieve this: *Circumvention tools - purpose-built software to go around local Internet restrictions. [https://psiphon.ca Psiphon], [https://getlantern.org Lantern] and [https://www.uproxy.org uProxy] are some such tools. *VPNs - a Virtual Private Network allows you to connect to the Internet via an encrypted tunnel to the VPN provider. Your ISP can only see your connection to the VPN service, and to the website you are visiting your origin appears as coming directly from the VPN servers. The [https://black.riseup.net/ RiseUp VPN] service is a popular choice among activists and functions from all computers and Android smartphones. [https://www.surfeasy.com/ Surfeasy] is one of the many commercial VPN services offering free accounts as well. *The [https://securityinabox.org/en/guide/torbrowser/windows Tor Browser] is another popular method for bypassing website censorship by using an anonymity network. A growing number of countries practicing Internet censorship are beginnning to discover and block access to these intermediaries as well. If neither method works (as you live in a country that blocks public circumvention methods) then you may need to ask a friend living in another country to set up a [http://en.flossmanuals.net/bypassing-censorship/ch042_installing-web-proxies/ proxy server], a [https://www.torproject.org/docs/bridges.html.en#RunningABridge Tor Bridge] or a [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 VPN] just for you. The latter (setting up a VPN server) is a little trickier and will require some technical competency with Linux systems (and possibly home routers). | Censorship | Solution | A website I am trying to access is unreachable |
| I want to learn about digital signatures | You've come to the right place! But all in due time: before you learn how to cryptographically sign your message, you first need to understand [[I want to learn about encrypting email | how email encryption works]] and generate a key pair, which is used to encrypt your messages, but also to digitally sign them. By signing a message, you will be able to prove to the recipient that you are the actual author of the email (authenticity) and that the text has not been tampered with along its way from your computer to the recipient's inbox (integrity). For more information, you can read the [http://www.bitcoinnotbombs.com/beginners-guide-to-pgp/ Digital Signatures] section on the Bitcoinbombs website and then a [https://securityinabox.org/en/guide/thunderbird/windows practical guide for your email client] from the Security in-a-box website. | Impersonation | Solution | I want to be certain of the recipient's identity (and vice versa) |
| I want to learn about encrypting email | Excellent! It's a journey but one well worth taking. There are many guides about setting up and using public key encryption and it may seem overwhelming at first. A few helpful tips to remember when starting out: * There is a general standard for public key encryption called [https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP OpenPGP]. Popular encryption engines including [http://www.symantec.com/products-solutions/families/?fid=encryption PGP] and [https://www.gnupg.org/ GnuPG] are compliant with this standard * To use public key encryption you will need a key pair, an encryption engine and (optionally) an interface with your email program * Your key pair is portable, you can change the email program and encryption engine, using the same encryption method from different computers. Essentially the key pair is made up of two distinct (but interdependent) files - the public and private key. Keep a copy of them.<br /> Keep in mind that aside from encrypting your messages, you should also know about key verification, message signing and file encryption. Please make sure you refer to these sections in the given resources. Here's a list of guides, varying in the software methods they show as examples, by language and context, to help you get started and on the way: *[https://help.riseup.net/en/security/message-security/openpgp/best-practices Message Security] - by the RiseUp folks. A very thorough guide on all aspects of PGP/GPG encryption. Windows and Linux. 11 languages. *[https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md#pretty-good-privacy-pgp-email-encryption Encryption works] - A good introduction to various topics related to public key encryption and more. Originally written by Micah Lee of the Intercept *[https://ssd.eff.org/en/playlist/want-security-starter-pack#communicating-others PGP/GPG set-up guides from the EFF] for [https://ssd.eff.org/en/module/how-use-pgp-windows-pc Windows], [https://ssd.eff.org/en/module/how-use-pgp-linux Linux] and [https://ssd.eff.org/en/module/how-use-pgp-mac-os-x MacOS]. 11 languages. *[https://securityinabox.org/en/guide/thunderbird/windows Setting up GnuPG and email with Thunderbird] - from the Security in-a-box project. Windows users. 13 different languages. And similar guide from the [https://emailselfdefense.fsf.org/ Free Software Foundation]. *[https://www.mailvelope.com/en/help Mailvelope documentation] - Browser plugin for GPG encryption. Works with most webmail clients. For Mozilla Firefox and Google Chrome. <br /> | Surveillance | Solution | To send an email that no one but me and the recipient can read |
| I want to learn about secure audio and video conferencing | Secure telephony and video conferencing on the Internet did not exist until very recently, when [https://en.wikipedia.org/wiki/ZRTP ZRTP], a cryptographic standard for voice over IP (VOIP) conferencing was invented by Phil Zimmerman, the same person who gave us [https://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] encryption for email. ZRTP offers end-to-end encryption of the conversations and has been implemented in [https://jitsi.org/ Jitsi] and [http://www.linphone.org Linphone]. Both tools encrypt audio and video conferencing and are available for use on all common platforms. <br /> In addition Jitsi also offers a conferencing service accessible directly from the browser, called [https://jitsi.org/Projects/JitsiMeet Jitsi Meet]. You can [https://github.com/jitsi/jitsi-meet install the open source] package on your own computer or use their publicly available portal at https://meet.jit.si. Note that this web service provides only transport layer security (TLS) and not end-to-end encryption as the clients mentioned above, which means that the connection is encrypted but the content is accessible to the provider. <br /> | Surveillance | Solution | Online Conversations |
| I want to prevent unauthorised access to my data | If you want to avoid that your documents are accessed by someone without your permission, you need to either encrypt them one by one (file encryption) or to store them in a secure space, which may be your computer, a storage device or just a part of them (disk encryption). In order to create a secure space on your hard disk or storage device or encrypt the entire computer, you can use several tools: * [https://securityinabox.org/en/guide/truecrypt/windows Truecrypt] can encrypt your entire hard disk or just a part of it, but is no longer actively maintained. * Truecrypt is being replaced by [https://www.idrix.fr/Root/content/category/7/32/46/ Veracrypt], which has been developed starting from Truecrypt's code, but this project is very recent and doesn't have a very large user base. * [https://ssd.eff.org/en/module/how-encrypt-your-windows-device DiskCryptor] and [https://github.com/t-d-k/LibreCrypt LibreCrypt] are two other free and open source tools for disk encryption that are gaining prominence as replacements of Truecrypt. * [https://en.wikipedia.org/wiki/BitLocker BitLocker] is a Windows solution (Vista and 7 Ultimate+ editions and Windows 8+) with several options for full disk or folder encryption. * Another popular commercial disk encryption tool is [https://www.symantec.com/endpoint-encryption/ Symantec Endpoint Encryption]. * Mac users can encrypt their disk using the built-in [https://support.apple.com/en-ca/HT204837 FileVault] feature. You can also use an encrypted file storage service like [https://peerio.com Peerio] or [https://mega.nz Mega] as explained in the [[I want to ensure that my data is never lost]] section. Individual files can be protected with [https://securityinabox.org/en/guide/gpg4usb/windows GPG4USB]. | Unauthorised Access | Solution | Data |
| I want to protect my Email | Surveillance Profiling your identity and actions |
Scenario Starts | ||
| I want to protect my computer from virus infection | Like its biological predecessor, a computer virus can be caught in a lot of different circumstances. It may be impossible to prevent your computer from exposure but a series of defensive mechanisms should be able to stop the infection. They include: * Automatic updates installation for the operating system (Windows, Mac, etc) and all software * A registered and functioning [https://securityinabox.org/en/guide/avast/windows anti-virus] * Use either the native [https://support.apple.com/en-us/HT201642 Mac] or [http://windows.microsoft.com/en-us/windows-8/windows-firewall-from-start-to-finish Windows] firewall or a third-party [https://securityinabox.org/en/guide/comodo/windows firewall] on your computer * Use the [https://securityinabox.org/en/guide/firefox/windows NoScript] and [https://addons.mozilla.org/en-us/firefox/addon/flashblock/ FlashBlock] extensions for Firefox or [https://chrome.google.com/webstore/detail/flashcontrol/mfidmkgnfgnkihnjeklbekckimkipmoe?hl=en FlashControl] and [https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba?hl=en ScriptBlock] for Chrome * Switch to [https://en.wikipedia.org/wiki/Linux_distribution#Popular_distributions Linux] or use the security-oriented [https://tails.boum.org/ Tails] or [https://www.qubes-os.org/ QubesOS] operating systems Furthermore, detailed guides are available in the [https://ssd.eff.org/en/module/how-do-i-protect-myself-against-malware Surveillance Self Defense] project and the [https://securityinabox.org/en/guide/malware Security in-a-box] toolkit. | Unauthorised Access | Solution | Computer |
| I want to protect my email account from unauthorised access | There are many things you can do to protect your email account from unauthorised entry or hacking. There are quite a few things your email provider should do as well, so [[To find a reliable email provider|pick one wisely]]. First and foremost your account must be protected by a [https://learn.equalit.ie/wiki/Better_Passwords good password]. You also need to make sure that your computer is free from [[I want to protect my computer from virus infection|malware]]. | Unauthorised Access | Scenario | |
| I want to recover data | Information previously deleted from your computer or removable memory card can [https://securityinabox.org/en/guide/recuva/windows sometimes be recovered]. If your computer is broken and the operating system refuses to load, it may still be possible to recover data from the hard drive by booting it from a [http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows live operating system] | Data Loss | Solution | Data |
| I want to send & receive secure messages from my phone | Messaging is the most popular method for communicating on smartphones today. [https://www.whatsapp.com/ WhatsApp], [https://www.snapchat.com/ SnapChat], [https://slack.com/ Slack], just to name a few, and of course the behemoths that are [https://www.facebook.com/mobile/messenger Facebook messenger] and [http://www.google.com/+/learnmore/hangouts/ Google Hangouts] all offer messaging services. It's interesting to note that they are all working in silos - your friends and contacts need to use the same provider as there is no inter-service communication. In general, they are not considered private since the provider has access to your messages. Messaging apps that perform [https://en.wikipedia.org/wiki/End-to-end_encryption end-to-end encryption] and publish their methods and source code in the public domain are considered here as private messaging tools. You can see a review of multiple apps on the [https://www.eff.org/secure-messaging-scorecard EFF's secure messaging scorecard]. *Signal for [https://ssd.eff.org/en/module/how-use-signal-android Android] and [https://ssd.eff.org/en/module/how-use-signal-ios iPhone] from [https://whispersystems.org/ WhisperSystem] *[https://telegram.org Telegram] for all smartphone and desktop platforms *[https://www.surespot.me SureSpot] for Android and iPhone *[https://www.silentcircle.com/products-and-solutions/software/ SilentPhone], a commercial solution from Silent Circle *[http://www.bleep.pm/ Bleep], an encrypted peer-to-peer chat infrastructure using BitTorrent <br /> | Surveillance Profiling your identity and actions |
Solution | I want to communicate securely |
| I want to send a pseudonymous email | There are two ways to go about this. One is to use an [[I want to be anonymous when browsing the web|anonymity network]] (like Tor) to register and then send emails from a standard webmail account, as explained in EFF's [https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts How to create an anonymous email account] guide. The other solution is to use a [https://tails.boum.org/ secure operating system] and access your email provider from a public location, using a [https://tails.boum.org/doc/first_steps/startup_options/mac_spoofing/index.en.html fake MAC address]. Needless to say, in both cases your email account should be registered with a pseudonym, completely disassociated from any of your personal details and you must maintain rigor and vigilance whenever accessing this account. | Surveillance | Solution | I want to send an anonymous email |
| I want to send a secure SMS (text message) | There really are not many options for sending private SMS/MMS without a data plan or access to the Internet from your smartphone. Android users have [http://smssecure.org/ SMSSecure] which was a fork of the original TextSecure application after they decided to [https://whispersystems.org/blog/goodbye-encrypted-sms/ remove support for SMS/MMS]. There are no known iPhone applications for end-to-end SMS encryption. | Surveillance | Solution | I want to send & receive secure messages from my phone |
| I want to send an anonymous email | There are several options for sending an anonymous email. One of which involves a pseudonymous email where any data identifying you or your location is stripped from the message. A level of technical experience is required as you move further down the anonymity scale in your email communications. This is especially true because of the problem posed by [https://immersion.media.mit.edu/ email metadata]. You can register a temporary email address (good for one day) to receive an email anonymously from the https://anonbox.net project. You can send an anonymous email using the [https://webmixmaster.paranoici.org Paranoici] remailer service. It will wrap your email message in several layers of encryption, anonymising the [https://ssd.eff.org/en/module/why-metadata-matters metadata] of your message. The 'easiest' way to send an anonymous email (containing no identifying metadata about the conversing parties) is over the [https://www.torproject.org/docs/hidden-services.html.en Tor Hidden Service] network. You can register an email account in Torbox (http://torbox3uiot6wchz.onion/) and access its webmail service from a [https://www.torproject.org/download/download-easy.html.en Tor Browser] or through a [https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/ Torrified Thunderbird client]. The recipient must use the same service for conversing with you. <br /> | Profiling your identity and actions Surveillance |
Scenario | |
| I want to share a document securely | If you want to share a document with a friend or two, without anyone else being able to access this document, several options are available. You can send your document as an encrypted email attachment, as described in [[I want to learn about encrypting email]] or use a stand-alone [https://securityinabox.org/en/guide/gpg4usb/windows GPG4USB] to encrypt one or more individual files. In either case, both parties need to have [[I want to learn about encrypting email | set up and exchanged their keys]] in advance - to decrypt the message they have received. You can also use an [[I want to investigate other options | encrypted messaging service]] or do a file transfer if both parties have set up a [[I want to know about secure chat | secure chat session]]. <br /> | Surveillance | Solution | Data |
| I would like to connect to a website anonymously | This topic is covered in [[I want to be anonymous connecting to the web]] in the section [[Identity or Location]]. | Surveillance | Solution | Access to the Web |
| I would like to connect to a website securely | Connecting to a website securely means several things, all of which contribute to secure your access to the websites you visit: * the connection between your computer and the website's server is [https://learn.equalit.ie/wiki/Encrypted_connections '''encrypted''']; * there are '''no [https://trackography.org/ leaks of information]''' about the current session to third parties; * you do not expose yourself to '''[https://support.google.com/websearch/answer/8091?hl=en malware infection]''' by visiting a compromised website. Read the [https://help.riseup.net/en/better-web-browsing Better Browsing] guide by RiseUp for details on how to browse with greater security in Firefox or Chrome (in general, these are the recommended browsers when discussing security). <br /> The [https://www.eff.org/HTTPS-EVERYWHERE HTTPS Everywhere] browser add-on by the Electronic Frontier Foundation ensures that you connect securely and with trusted credentials to thousands of websites. <br /> In all cases, make sure that your computer's operating system is up-to-date, that you are using the latest version of your browser and that you are running [https://securityinabox.org/en/guide/avast/windows anti-malware] protection. Install the recommended extensions from the RiseUp guide and review the [https://ssd.eff.org/en/module/how-do-i-protect-myself-against-malware How Do I Protect Myself Against Malware?] guide from the EFF. <br /> You may also wish to use an anonymity network or a VPN to reach the desired website as explained in the [[I want to be anonymous when browsing the web]] section. <br /> | Surveillance Profiling your identity and actions |
Solution | Access to the Web |
| I would like to prevent others from accessing my computer | Barring physical access to your computer may be a logistical challenge: in most cases there will be moments when it is left unattended. Nevertheless, you can prevent others from getting any of your personal data out of it by using [https://learn.equalit.ie/wiki/Better_Passwords strong passwords] and [[I_want_to_prevent_unauthorised_access_to_my_data|disk encryption]]. A laptop with a [https://en.wikipedia.org/wiki/Trusted_Platform_Module TPM chip] can encrypt the entire drive and secure the computer from booting to unauthorised parties, using [http://windows.microsoft.com/en-ca/windows-vista/bitlocker-drive-encryption-overview BitLocker] for Windows (Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8) and [https://en.wikipedia.org/wiki/Dm-crypt dm-crypt] for Linux. Mac users can encrypt the disk using the built-in [https://support.apple.com/en-ca/HT204837 FileVault] feature. | Unauthorised Access | Solution | Computer |
| I'd like to have an anonymous conversation | In order to have an anonymous conversation, you need to connect to the network anonymously or via a service that protects your identity to enable anonymity. In general, what you have to look for is a tool or a service that hides your IP address, as explained in the [[Identity or Location]] section. *[https://ricochet.im/ Ricochet] client is a peer-to-peer messaging app that creates a [https://www.torproject.org/docs/hidden-services.html.en Tor Hidden Service] to enable anonymity for the conversing parties. "Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request." *[https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily Tor Messenger] is a new tool that has been just released to the public by the Tor project team. Quoting from Tor Project's blog, it is a "cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages." *[http://www.bleep.pm/ Bleep] messenger is built on top of BitTorrent, a file sharing peer-to-peer infrastructure. There is no central server and connections between conversing parties are made directly, with content encrypted between the parties. It is not, strictly speaking, anonymous as it relies on IP addresses to route a connection through other BitTorrent users. *If you want to keep your current chat address and existing contact lists whilst adding anonymity properties to your conversations, install the [https://help.riseup.net/ca/chat/clients/pidgin#tor-with-pidgin-configuration Pidgin or Adium chat clients] and configure them to work over the Tor network. This approach is explained in detail in [https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched/ Chatting in secret while we're being watched], an article by Micah Lee published in The Intercept. In addition, you should read [[I want to know about secure chat]] and ensure that your recipients have performed the same steps. <br /> | Profiling your identity and actions | Solution | Online Conversations |
| I'm worried someone is trying to lure me with a fake email (phishing) | Receiving messages asking you to click on a certain link, reply with private and sometimes confidential data or open an attachment, could also be a [https://en.wikipedia.org/wiki/Phishing Phishing attack]. Targeted attack messages - whereby the content is specifically tailored to be relevant to you are known as [http://www.wired.com/2015/04/hacker-lexicon-spear-phishing/ spear phishing]. In the everyday humdrum of working life, reading dozens if not hundreds of emails per day, it is quite easy to mistakenly click on a link or open an attachment, without giving a second thought to the sender's identity or intent. Targeted attacks (an email purportedly from your friend or your boss) are even harder to detect. Please review the [https://ssd.eff.org/en/module/how-avoid-phishing-attacks How to avoid phishing attacks] guide from the EFF. Some of the bigger email providers like [https://support.google.com/mail/answer/184963?hl=en&ref_topic=3394464&vid=1-635773191968940616-20681252 Gmail] or [http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Recognize Hotmail] offer help to detect and report phishing attacks. The [http://toolbar.netcraft.com/ NetCraft] tool can protect your web browser from accessing known websites used for phishing re-directions. Firefox users can also install additional [https://addons.mozilla.org/en-us/firefox/addon/worldip/ add-ons] to double-check a site's validity before visiting it. In principle you should: * Never click on links in email messages directly (copy and paste them into the browser manually if you're intent on opening it) * Never open an attachment unless you are sure of the sender's identity and intent. Sometimes it's better to reply to the sender in order to confirm the message before opening it [https://www.google.com/chrome/browser/desktop/ Google Chrome] and the open source [https://download-chromium.appspot.com/ Chromium] browser have built-in [https://support.google.com/chrome/answer/99020?hl=en phishing protection]. It may warn you in advance of opening up a known phishing site. | Unauthorised Access | Solution | I want to be protected from malicious emails |