Semantic search

Results 51 – 71
  Scenario Task Description Scenario Task Type Scenario Task Format Scenario Task Parent
Identity or Location Computers and smartphones [https://myshadow.org/location-tracking leave traces] about you and your actions. Connected together, all these pieces of information can [https://myshadow.org/trace-my-shadow reveal a lot] about your identity and the places you have visited. Browsing and communicating on the Internet is inextricably linked to your [https://learn.equalit.ie/wiki/How_does_the_Internet_actually_work%3F IP address] and [https://tails.boum.org/contribute/design/MAC_address/#index1h1 MAC address]. These details are continuously recorded by your Internet service provider, in accordance with [https://en.wikipedia.org/wiki/Telecommunications_data_retention Data retention] legislation passed in most countries, and oftentimes by the website you are visiting as well. The IP address can also be linked to a geographic location, as you can see by visiting http://www.hostip.info. The MAC address can be linked to your online accounts and identity. There are several solutions to 'hiding' your identity or location from the site you are visiting or masking your true destination from the ISP. However, disassociating your location from the IP address assigned to you on the network and disassociating your identity from the MAC address of your personal computer or smartphone require a different approach. Inadvertently we leave a lot of [https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual#.E2.80.98Digital_Traces.E2.80.99_and_.E2.80.98Digital_Shadows.E2.80.99 traces and information about our identity and location] through the voracious use of social media services and the pervasive [https://myshadow.org/browser-tracking presence of online trackers] that record, correlate and create profiles of our characteristics and persona. Simply by using [https://en.wikipedia.org/wiki/Open-source_intelligence open source intelligence] it is possible (and fairly easy for any savvy Internet user) to locate and identify a person from their online accounts.
Profiling your identity and actions
Surveillance
Scenario
Kolabnow [https://kolabnow.com Kolabnow] is an Internet services provider based in Switzerland. Their systems are built strictly on open source software. Surveillance Service To find a reliable email provider
Minimising damage from a lost or stolen computer Security measures must be taken in advance of the loss. They include: * A good backup, either on removable media or [[I want to ensure that my data is never lost|online]] * An [[I want to prevent unauthorised access to my data|encrypted disk]] or [[I would like to prevent others from accessing my computer|secure chip]] in your computer Unauthorised Access
Data Loss
Solution Computer
My Website It's very easy to get a website up and running these days, but it's pretty tough to keep it secure and stable against a continually evolving and maturing array of cyber attacks. In order to protect your website, you will need to consider its technical set-up, the software you are using to create the site and its content, as well as the various types of plugins and extensions enabled for extra features on that site. Most importantly, you need to have a contingency plan, by asking yourself what happens in case of an emergency. This includes: * creating regular backups of your files and database, in case your online content gets lost due to a technical problem or an attack; * knowing your hosting provider's terms of service and their readiness to protect you during an attack; * knowing your Domain name service (DNS) provider's security options and terms of service; * implementing mitigation solutions in advance of a crisis. In most cases, for non-technical users it is advised to create a site/profile on an existing platform catering especially for this, like [https://wordpress.com/ WordPress], [https://medium.com/ Medium] and [http://www.livejournal.com/ Livejournal] to name a few of the bigger providers. They look after all the back end details, leaving you to create and manage content on the site. You can also choose to host your blog at one of the non-profit groups including [http://noblogs.org/ NoBlogs] or someone from this [https://help.riseup.net/ca/security/resources/radical-servers list]. Unauthorised Access
Data Loss
Censorship
Scenario
Online Conversations In the Internet you will find an incredible amount of resources for real-time online conversations, whether you want to interact with communities, have one-on-one conversations, or organize a meeting or a conference. Sometimes these conversations are only textual (chat and instant messaging), but in other cases they offer audio and video as well. As with email and Internet browsing, similar considerations on surveillance and profiling also apply for online conversations. You can have a private or an anonymous conversation using some of the tools and methods described in this section. Surveillance
Profiling your identity and actions
Scenario
Only one of us knows how to use encryption If only you or the recipient knows how to use public key encryption, it's now possible to send a secure one-way message. The person with the public key pair registers an account with https://keybase.io and uploads their public key to it, creating an identity on the portal. The sender can then compose an encrypted message using the key holder's online space on this portal, "https://keybase.io/encrypt#username". Keep in mind this is for one-way communication. If you would like to establish a secure channel with your recipients, please read [[I want to learn about encrypting email]]. If you would like to investigate other options of securing your messages, please go to [[I want to investigate other options]]. Surveillance Solution To send an email that no one but me and the recipient can read
Phone A smartphone is a small computer in your pocket, and all of the vulnerabilities mentioned throughout other sections of this guide apply. The solutions are more or less the same as those for a computer, only with different software. In most cases your smartphone will be running a version of the [https://www.android.com/ Android] or [http://www.apple.com/ios/ iOS] operating system. The Security in-a-box toolkit has excellent recommendations on secure [https://securityinabox.org/en/guide/mobile-phones mobile] and [https://securityinabox.org/en/guide/smartphones smartphone] usage. One major difference between a computer and a phone is that the latter always gives away its location to the cellular network. You can read more about this in [[Can I be anonymous whilst using my phone]]. Wikipedia has a useful description of various [https://en.wikipedia.org/wiki/Mobile_security Mobile security] issues. Smartphones in general require just as much attention security-wise as your computer. Profiling your identity and actions
Surveillance
Scenario
Protect files and messages on my phone Both the Android and Apple smartphones offer full handset (disk) encryption, which ensures all files and messages on your handset cannot be accessed without knowing the handset's password. On the Android phone this needs to be [http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/ enabled manually] and on the iPhone you are simply required to set up [https://support.apple.com/en-us/HT202064 a security Passcode] to enable disk encryption automatically. If you forget the phone's password, you will need to ''restore the phone'' back to its original setting. Your phone would need to be synced with your Google or iTunes account so as not to lose any data. On the other hand, syncing your phone with these providers means that there is a duplicate of all your data in the cloud. If you just want to encrypt your messages on the phone, you can use Signal on [https://ssd.eff.org/en/module/how-use-signal-android Android] and [https://ssd.eff.org/en/module/how-use-signal-ios iPhone]. Unauthorised Access Solution Phone
Protect my site from denial of service attacks Denial of service attacks attempt to bring down the target website through a variety of hacking, social engineering and other means. Distributed denial of service attacks (or DDoS) attempt to overwhelm the target website or its provider's resources by flooding it with malicious requests. There are many vulnerabilities and mitigation points to think through, as described in the [https://digitaldefenders.org/digitalfirstaid/#section-ddos-mitigation DDoS mitigation] section of the Digital First Aid Kit. The [https://github.com/OpenInternet/MyWebsiteIsDown/blob/dev/MyWebsiteIsDown.md What to do when your website goes down] guide describes how to respond to such attacks and prevent their success in the future. There are also a number of DDoS mitigation and secure hosting providers ranging from large corporate run services like [https://cloudflare.com/galileo Cloudflare's Project Galileo] and [https://projectshield.withgoogle.com/public/#application-form Google's Project Shield] to smaller ethically run organisations including [https://www.qurium.org/contact/ Virtualroad], [https://greenhost.net/order/ Greenhost] and the purpose-built [https://deflect.ca Deflect]. Censorship Solution My Website
ProtonMail [https://protonmail.ch/ ProtonMail] is an emerging and popular email service run out of Switzerland, offering end-to-end encryption based on the OpenPGP.js library. Currently they are restricting account registration due to overwhelming demand. Parts of the codebase are open source and others are proprietary. Surveillance Service To find a reliable email provider
Reset passwords and security questions Passwords are easily forgotten (unless you are using a [https://securityinabox.org/en/guide/keepass/windows password program]). This is why most service providers offer several opportunities for you to reset your password by sending you an email or by asking you a personal question of your choice to prove your identity. Whilst often necessary, both options may result in a security risk and need to be thought through carefully in advance. For an excellent description of the problem, you can read this [http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ Wired article by Mat Honan]. To make a long story short: # Resetting a password by sending the code to another email account opens up another attack vector for the hacker. If they can break into one account and then request that the password reset for another account be sent there, you are worse off than before. # Setting a security question based on personal information (e.g. your mother's maiden name) means the attacker only needs to find out this information in order to reset your password and gain access to your account. If at all possible, it is best to not set any reset options. If you want this option or are required to do so, put yourself in the hacker's shoes and make sure their task won't be easy. Unauthorised Access Solution I want to protect my email account from unauthorised access
RiseUp email [https://mail.riseup.net RiseUp email] is a free service for organised civil society members and is many an activist's preferred choice. They have been in operation for over 15 years and take your privacy very seriously. At the same time, a @riseup.net email account could arouse suspicion since it is so prevalent in the activist community. Surveillance
Profiling your identity and actions
Service To find a reliable email provider
Run your own mail server If you're up to the challenge, a personal (or small network) mail server on an encrypted computer is an excellent way to go. It may expose the participants as belonging to a single service, but can offer privacy and reliability far and beyond what you'd expect from a 3rd party. Many guides are available online, ranging from the step-by-step walk-throughs with detailed explanations to the point-and-click install. It's not a task for the novice but it is definitely doable with some attention and persistence. *[http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/ Ars Technica guide to running your own mail server] *[http://www.iredmail.org/ iRedMail] point and click server installation *[https://equalit.ie/portfolio/caislean/ Caislean] is a set of Ansible recipes that you can use to set up and manage, in a few simple steps, servers offering free and open-source tools for secure communications and information exchange Surveillance
Profiling your identity and actions
Service To find a reliable email provider
SafeMail [http://www.safe-mail.net/ Safe-mail] is an established provider of secure email. It is a commercial enterprise and free accounts only allow for 3 MB of space. The company and servers are located in Israel, with offices in the UK and Japan. The company [http://www.safe-mail.net/support/eng/help/protectsecure/index.html claims] to seamlessly encrypt all messages between safe-mail users with 'PKE', but the secret key is stored on their servers (which means you will have to trust they will never use it to decrypt your mail). Surveillance
Profiling your identity and actions
Service To find a reliable email provider
Social Network The very term - social network - implies socialising and not discreet conversation. However the Facebooks and Twitters out there have become such an essential part of information exchange between us that we inevitably begin to look for confidentiality and authenticity within our social circles. There are numerous [https://ssd.eff.org/en/module/protecting-yourself-social-networks vulnerabilities to consider] and important steps to [https://securityinabox.org/en/guide/social-networking mitigate them] are documented and require your action. In brief, you should: * switch on [[2 factor authentication]] for your account * consider [[I want to be anonymous connecting to the web|anonymity services]] when using the social network * use a [https://securityinabox.org/en/guide/passwords good password] to protect your login * configure your account's security and privacy settings (guide for [https://www.facebook.com/help/325807937506242/ Facebook] and [https://support.twitter.com/categories/51#category_267 Twitter]) When using a commercial social networking platform, consider that you are helping [https://immersion.media.mit.edu/ create the social graph] of your friends and associates. This is useful information to companies and security services. By remaining constantly signed in on your social network account in the browser, you are also disclosing your [https://myshadow.org/browser-tracking browsing habits] on the Internet in general, aside from their service. This extends to many types of websites, including your [https://trackography.org news and media] service. The [https://panopticlick.eff.org/ Panopticlick] project by the EFF can analyse your browser for traces of identifiable data that websites you visit will collect about you. 
The [https://myshadow.org/lightbeam Lightbeam browser add-on] will "visualise the relationships between the websites you visit and the third party companies that track your online activity through those websites" and the [https://www.ghostery.com/our-solutions/ghostery-add-on/ Ghostery browser add-on] will help you block these trackers from collecting your personal data. There are alternative social networking services that are built with privacy in mind, including [https://diasporafoundation.org/ Diaspora], [http://retroshare.sourceforge.net/ RetroShare], [https://gnu.io/social/ Gnu Social] and the recently launched [https://www.minds.com Minds] for Android and iOS. Profiling your identity and actions
Surveillance
Unauthorised Access
Scenario
Test my site for vulnerabilities The rule of thumb for not getting your site hacked or infected with malware is: * Run up-to-date software, including all themes and plugins (if there are no recent updates to either - do not use them anymore) * Do not install or run any services you are not currently using * Make sure your web hosting service continually updates their own systems and services Testing a site for vulnerabilities is not an easy task. You need not only to look at the various systems your website is comprised of and depends on, but also to be able to interpret the results. A vulnerability could be found and exploited on a systems level (e.g. hosting set-up), in the web server configuration, inside WordPress or in some third-party plug-in you have installed within it. An [https://pentest-tools.com online penetration test] is available with several testing options, including a passive reconnaissance [https://pentest-tools.com/information-gathering/google-hacking# 'Google hacking'] test. In principle it is recommended to run your own vulnerability testing systems, including the popular [https://nmap.org/download.html Nmap] tool and the surprisingly easy to set up but very well respected [http://www.tenable.com/products/nessus/nessus-professional Nessus vulnerability scanner]. Many vulnerabilities occur at the user level - with you. For an in-depth look into auditing internal organisational processes and systems, refer to the [http://www.safetag.org Safetag] project and make sure you have read the section on how to [[I would like to prevent others from accessing my computer|protect your computer]]. Unauthorised Access Solution My Website
The website loads but is unrecognisable - it looks like another site If you're sure that the website address is correctly typed, then three possibilities remain for it appearing as a different site altogether. # It's been hacked and its contents have been replaced with what you see now. # The website's DNS account was hacked and is now redirecting you to another IP address. # You are witnessing a [https://en.wikipedia.org/wiki/DNS_spoofing DNS poisoning] attack. To avoid this circumstance, use [[I want to be anonymous when browsing the web|an anonymity network or a VPN]]. You may also want to try searching through various online cache repositories that take a historical snapshot of various sites, including [http://cachedview.com/ Cached View] and the Internet Archive's [https://archive.org/web/ Wayback machine]. Censorship Solution A website I am trying to access is unreachable
To find a reliable email provider Ideally you would not need to rely on your email provider if you [[I_want_to_learn_about_encrypting_email|encrypted all your email]]. In general, there are several important factors to consider when choosing an email provider: *Who is behind the service - is it a big corporation or a small company? *Where are their servers located, where is the company registered? *What are the privacy and security features of the account? Answers to these questions may help you understand how far the email provider will go to protect your privacy and identity, and which laws will govern that company and your messages on their servers. [https://www.privacytools.io/#email Here's a list from the Privacy Tools website] on ethical email providers. It is best to read carefully each provider's terms of service and privacy policies before registration. Be aware that apart from protecting the contents of your email messages with encryption, you should also consider email metadata - that is, information about who you send email to and receive email from, when, how often, and the subject line, which is never encrypted. Please refer to the EFF [https://ssd.eff.org/en/module/why-metadata-matters Surveillance Self Defense Guide - why Metadata matters]. Surveillance
Profiling your identity and actions
Scenario Email
To send an email that no one but me and the recipient can read There are several options for sending a confidential email that no one but the sender and recipient/s can read. Unlike traditional letters, email isn't protected by an envelope and isn't just one copy of a message travelling from the sender to the receiver. Rather, it is plainly visible to anyone who has access to its several copies, which are stored in several computers along the way. So you have to trust that those copies won't be read by your email provider, the Internet service provider and anyone else responsible for sending and delivering your message. If you want to be sure that no one but you and the recipient can read your messages, the solution relies on using encryption. The Electronic Frontier Foundation has a good introductory guide to [https://ssd.eff.org/en/playlist/want-security-starter-pack#communicating-others communicating with others] in a secure way. Surveillance Scenario Email
Tutanota [https://tutanota.com/ Tutanota] is a German email provider offering built-in RSA/AES 2048 encryption and an open source [https://github.com/tutao/tutanota/ codebase]. Messages sent within the Tutanota service are encrypted end-to-end and you have an option of sending an encrypted (password protected) email to an external address. [https://tutanota.com/terms Terms of Service & Privacy Policy] Surveillance Service To find a reliable email provider
Useful apps for my phone * Any app from the [https://guardianproject.info Guardian Project] is recommended for Android users * [https://www.getsync.com/platforms/mobile BittorrentSync] allows for secure file or folder synchronisation * The [https://panicbutton.io/ Panicbutton] app will send out a number of SMS messages and your GPS location to pre-configured contacts Solution Phone