Category Archives: Open Source

TLDR Digital Safety Checklist

🤔 Who this guide is for

  • You use the internet on a day-to-day basis – for work, social media, financial transactions, etc.
  • You feel you could be doing more to ensure your digital safety and privacy, but you’re also not in immediate danger. (If you are, seek out an expert for a 1:1 consult.)
  • You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer/smartphone.

🌱 How this guide works

  • Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!
  • I recommend doing everything in levels one, two and three. I did, and I’m only a mildly technically-competent person.
  • Then scan the scenarios to see if any of them apply to you. (They assume that you’ve done everything in levels 1-3.)
  • This guide is a living document – please feel free to submit a pull request or fork your own version of this guide on GitHub.

🕒 Last updated

  • 23 October 2019

🧐 Theory & science

🎯 Threat modeling

  • What kind of danger are you in? E.g. corporate espionage, police/state intervention, online harassment/doxxing.
  • What kind of assets are you protecting? E.g. confidential documents, private photos.
  • We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.
  • For more info, read the EFF’s introduction to threat modeling.
  • Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.

🔡 Encryption levels

  1. Not encrypted: Any third party who intercepts the data can read it as-is.
  2. Regular encryption: data is encrypted in transit (and often at rest) so that third parties who intercept it cannot read it. But the platform (e.g. Google or Facebook) holds the keys and still has access, and may hand the data over to law enforcement if required to do so by the courts/the government.
  3. End-to-end encryption: the data can only be read by the original sender and receiver, because only their devices hold the keys. This means not even the platform has access. So if law enforcement calls, the service provider can’t hand over the messages because they don’t have them either.

🧩 Metadata

  • Data about your data – e.g. what number you called, when, and for how long (but not the contents of the call). With enough metadata, an attacker (or anyone who obtains the records) can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker than those around content.
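As an added example (not part of the original guide), here is what the paragraph above looks like in practice: a handful of constructed call-detail records, with no call content at all, are enough to infer your closest contact, who you talk to late at night, and which cell towers probably correspond to home and work. The records, numbers and cell IDs are invented for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample call-detail records (not real data): who was called, when, for how long,
# and the cell tower the phone was attached to. No call content is included anywhere.
CALL_RECORDS = [
    # (timestamp, callee, duration_seconds, cell_id)
    ("2019-10-21T08:15:00", "+15550001", 120, "cell-A"),
    ("2019-10-21T12:30:00", "+15550002", 600, "cell-B"),
    ("2019-10-21T23:10:00", "+15550001", 1800, "cell-A"),
    ("2019-10-22T08:05:00", "+15550003", 60, "cell-A"),
    ("2019-10-22T13:00:00", "+15550002", 900, "cell-B"),
    ("2019-10-22T22:45:00", "+15550001", 2400, "cell-A"),
    ("2019-10-23T09:00:00", "+15550004", 30, "cell-B"),
    ("2019-10-23T23:30:00", "+15550001", 1500, "cell-A"),
]


def profile(records):
    """Infer a social and movement profile from call metadata alone."""
    minutes = Counter()                 # callee -> total minutes talked
    night_calls = Counter()             # callee -> calls placed between 22:00 and 06:00
    cells_by_band = defaultdict(Counter)  # "night"/"day" -> cell -> how often seen there
    for ts, callee, secs, cell in records:
        t = datetime.fromisoformat(ts)
        band = "night" if (t.hour >= 22 or t.hour < 6) else "day"
        minutes[callee] += secs / 60
        cells_by_band[band][cell] += 1
        if band == "night":
            night_calls[callee] += 1
    top_contact, top_minutes = minutes.most_common(1)[0]
    return {
        "top_contact": top_contact,
        "top_contact_minutes": round(top_minutes),
        # The person you ring late at night is usually a partner or close family.
        "night_contact": night_calls.most_common(1)[0][0] if night_calls else None,
        # The tower you are on at night is probably home; the daytime one is probably work.
        "likely_home_cell": cells_by_band["night"].most_common(1)[0][0] if cells_by_band["night"] else None,
        "likely_work_cell": cells_by_band["day"].most_common(1)[0][0] if cells_by_band["day"] else None,
    }


if __name__ == "__main__":
    for key, value in profile(CALL_RECORDS).items():
        print(f"{key:22} {value}")
```

Run it and the dictionary names a closest contact, a night-time contact and a probable home tower; a real carrier record set has years of this, for every number, plus SMS and data sessions.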

💦 Level 1 recommendations

✅ Things to do now

Email

  • If you’re on a webmail service, check that you’re logging into it using an https:// URL. And if there isn’t one, find a new email provider.
  • Turn on two-factor authentication for your email service (e.g. instructions for Gmail, Protonmail). Use an authenticator app (e.g. Authy, Google Authenticator) if they support one; SMS codes are no longer considered safe, because they can be intercepted or redirected by SIM-swapping your number.
  • After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions.

Good passwords

  • Any password shorter than 10 characters is bad. Length matters more than symbol-juggling: a passphrase made of several unrelated words (okay-to-string-together-non-sequitur-words) is long, strong and easy to remember.
  • Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends/looking you up on Google.
  • Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (Lifehacker reviews them here) to store/autofill/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).
  • Use a non-common/obvious unlock code for your phone.
  • On iPhone, turn off USB Accessories in Settings > Face ID & Passcode > Allow Access When Locked.

Encrypt your devices

  • Encrypt your phone storage: Android, iOS (many phones now encrypt by default but it’s worth double checking).
  • Encrypt your laptop/desktop hard drive: Windows, Windows if no BitLocker, Mac OSX.
  • Secure your backups too! Encrypt your backup hard drives and/or make sure your online backup storage solution supports end-to-end encryption.
  • N.B. Remember full-disk encryption is only fully effective when the device is powered off: while it is running or merely asleep, the decryption key is held in memory.

Other

💪🏽 Habits to cultivate

Email

  • Be on the lookout for phishing scams: where possible double check the From email address and the domains that outbound links go to.
  • Don’t open unnecessary email attachments. Where possible, open/preview them first in an online document reader, or have colleagues share files through a file-sharing service (Dropbox, Google Drive, SpiderOak, Tresorit), which tends to be a little harder to attack than an inbox full of attachments.
  • You can upload a suspicious attachment to VirusTotal for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don’t submit sensitive information).
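As an added example (not from the original guide) of the two manual phishing checks above, this Python script parses a constructed sample message (invented addresses and domains), compares the From address against the domains you expect from that sender, and flags links whose visible text points at a different host than the real href. TRUSTED_DOMAINS and the sample message are assumptions for the demo.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo (not a real email). The display name claims a bank,
# the From address is on a look-alike domain ("examp1e" with a digit one), and the first link's
# visible text disagrees with its real target.
SAMPLE_EML = """\
From: "Example Bank" <security@examp1e-bank.com>
To: you@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://login.examp1e-bank.com.evil.test/verify">https://www.example-bank.com/verify</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Assumption for the demo: the domains this sender legitimately uses.
TRUSTED_DOMAINS = {"example-bank.com"}


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels). Fine for the demo; a real tool
    would use the public suffix list so that e.g. 'bank.co.uk' is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_findings(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable warnings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]              # parsed display name + address
    from_domain = registrable(sender.domain)
    if from_domain not in trusted:
        findings.append(f"From address {sender.addr_spec} is on untrusted domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        text_host = urlparse(text).hostname           # None unless the link text looks like a URL
        if "xn--" in host:
            findings.append(f"link uses an internationalised (punycode) host: {host}")
        if text_host and registrable(text_host) != registrable(host):
            findings.append(f"link text says {text_host} but really goes to {host}")
        elif registrable(host) not in trusted:
            findings.append(f"link to untrusted domain {registrable(host)}: {href}")
    return findings


if __name__ == "__main__":
    for warning in phishing_findings(SAMPLE_EML):
        print("WARNING:", warning)
```

Run it and the two warnings are exactly the two manual checks from the list: a From domain you were not expecting, and a link whose real destination differs from what it shows. The registrable() helper is deliberately naive; swap in a public-suffix-list library before trusting it on real mail.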

Update all the things

  • When you get a notification to update your operating system (on your mobile or computer), do it right away.
  • Same for apps (mobile + computer).
  • Check occasionally for firmware updates for your router (and other Internet-connected devices).

Other

  • Change important passwords (e.g. email, computer login, password manager master) every year or two.
  • Wipe your devices properly before donating/giving away: phone, computer.
  • Don’t charge your phone at public charging stations/ports – they may steal your data. Consider charging your portable battery instead.

👍 Great job! You’ve covered the basics.
👍 What about trying out the next level?


💦💦 Level 2 recommendations

✅ Things to do now

Enhance your privacy

  • Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.
  • Install these protective web browser add-ons (and make sure they’re on even during private/incognito mode):
  • If you use smart speakers, turn off their recording function: instructions for Google Home and for Amazon Alexa.

Other

  • Set up your devices with third-party applications (e.g. Prey, Lookout Security) so you can remotely track, wipe and encrypt your devices from a website in the future.
  • Review what’s connected to your main email/social media accounts (e.g. what kinds of services have access to Facebook, and what data can they access and/or can they post on your behalf).
  • Review the extensions/add-ons/plug-ins that have been installed within your computer web browser – delete any that you haven’t used in a while or don’t remember installing.
  • Download and run Stethoscope for your computer, which checks that your basic security settings (encryption, firewall, screen locks, etc.) are in place.

💪🏾 Habits to cultivate

Enhance your privacy

  • Post less personal information online – especially information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.
  • Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example) for your laptop and/or phone.
  • If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.

Other

  • Use a paid VPN service when on public networks (e.g. cafe wifi) – free VPN services are bad because operators don’t have enough incentive to protect you/your data. See recommendations from Wirecutter and Freedom of the Press.
  • Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.
  • If you ever need to send someone a password, split it in half and send the halves via two different channels (e.g. email + voice call). Keep in mind that anyone who sees one channel still gets half the password, so this only helps if the password is long.
  • Put a sticker (or webcam cover) over your laptop’s front-facing camera.
  • Don’t use Google/Twitter/Facebook to sign up/login to other services – each service should have its own account.

🎉 Congratulations! You’re now reasonably
🎉 secure, which is more than most 🙂


💦💦💦 Level 3 recommendations

✅ To do

Lock up sensitive files

  • Identify files that you don’t want others to access (e.g. private photos, passport documents).
  • Use Cryptomator or Veracrypt to create an encrypted, password-protected vault for them.
  • Set them up on both your desktop/laptop and your phone.
  • Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.

Revisit old passwords

  • Store all of your online service passwords in a password manager. (If you have the right browser add-on/plugin installed, it will capture all the relevant details during a login process.)
  • Using your password manager’s analysis feature, see which accounts/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.

💪🏾 Habits to cultivate

  • Start using Signal, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe/secure/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)
  • When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).
  • Buy a harder-to-hack mobile phone ($$$). Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.

😲 Wow, you even finished the difficult
😲 digital housekeeping tasks. Well done!


💦❗️ Scenario-based recommendations

🛫 Crossing an international border

  • Turn off your devices because:
    • Storage/hard drives are only fully protected by encryption when the device is powered off; in sleep mode the decryption key is still in memory.
    • This also ensures that your mobile devices require a PIN/passcode when turned on, rather than a fingerprint or face. In some jurisdictions a passcode in your head has legal protection against compelled disclosure that a biometric does not.
  • Store less information on your devices – in case they’re seized, what you don’t have they can’t take.
  • Be mindful of what stickers you put on your devices – a border agent could mistake them for something suspicious.
  • Notify your people about your flight number and arrival time. Have them contact a lawyer/relevant organization if you do not show up.
  • For high risk situations (some of these practices might raise suspicions and backfire):
    • Set up alternate photo albums, email addresses and social media accounts full of harmless content.
    • “Forget” half of your password: Password lock your device/account so that only a trusted friend has the second half of the password.
    • Log out of all important accounts (or simply leave your devices at home).
  • For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact and BoingBoing’s addendum about filing for attorney privileges at the US border.

😭 Somebody took my phone/computer!

  • Wipe your phone remotely: see instructions for Android, iOS.
  • Log out of all important accounts from another device.
  • If this happened at an international border: Ask for a seizure receipt (available in some jurisdictions, e.g. Canada)
  • Get a new SIM card.
  • If you get it back, reset your phone/computer back to its factory settings. Then run some anti-virus and anti-spyware programs just in case.

👾 I think my computer has been hacked!

  • Download an application that will notify you when data is being sent out from your computer. E.g. Little Snitch for Mac.
  • Run Activity Monitor on Mac or Process Explorer on Windows to look at what processes/applications are running. Google any suspicious names.
  • Login to important online accounts to see if there have been any suspicious logins – see this Motherboard guide for details.
  • Setup a spare smartphone using Haven as a room monitor to detect unwanted intrusions.

🍆 Sexting & non-consensual image sharing


✊🏾 Attending a protest

In case of emergency

  • Draft a message to a trusted friend (not at protest) or legal hotline. Be ready to hit send if you are arrested/there is an emergency.
  • Bring a spare battery for your phone.
  • If you use thumbprint (or facial recognition) unlock, immediately power off your phone if you’re ever arrested. In some jurisdictions, officers can compel you to provide your fingerprint but not your passcode. Better yet, turn off fingerprint or face ID before going to a protest.
  • If you’re attending a high-risk protest: leave your phone at home or use burner phone.

Store less share less

  • Keep as little sensitive personal information or incriminating information as possible – you never know whose hands it might end up in.
  • Turn on disappearing messages if your messaging app supports it.
  • If you need to share photos, erase the associated metadata first using these apps.
  • Turn off location history:
    • iPhone: Settings > Privacy > Location Services > System Services > Significant Locations
    • Android: Settings > Google > Google Account > Data & personalization > Location History > Manage setting > Your account & all your devices > turn off Use Location History
    • Google Maps: Settings > Maps history > Web & App Activity
  • Delete past location history:
    • iPhone: Settings > Privacy > Location Services > System Services > Significant Locations > Clear History
    • Android
    • Google Maps

Other

  • Double check your messaging apps privacy settings.
  • Turn off message previews in your notifications:
    • iOS: Settings > Notifications > Show Previews: When Unlocked
    • Android: Settings > Apps & notifications > Notifications > On lock screen: Hide sensitive content
  • Remember to make voice calls through end-to-end encrypted apps like Signal or Whatsapp.
  • More info from the EFF about protesting in the US and internationally.

📰 I’m a journalist working on a sensitive topic

Below are some basics that all journalists should consider. If you’re working on/in a particularly sensitive story/region (e.g. a whistleblower story in the US or China), you and your team should get a tailored training session from an expert.

Be prepared

  • To remotely wipe the contents of your devices using a tracking app (e.g. Find My on iOS, Find My Device on Android, Prey, Lookout Security).
  • To be on the receiving end of an email phishing campaign (as journalist emails are usually more public than others).

Protect yourself

  • If you’re traveling, review the Crossing an international border scenario above.
  • If you’re covering a protest, review the Attending a protest scenario above and decide which parts apply to you (if you have special journalist rights/protections where you’re working).
  • Use a VPN if you’re browsing the internet from the office (website administrators can usually see where you’re coming from, e.g. the New York Times network).

Protect your sources

Protect your data

  • Make sure you’re using an email/storage provider that’s not owned/linked to a state or organization that you’re reporting on.
  • Better yet, move all of your work onto end-to-end encrypted platforms (e.g. Protonmail). Be aware that courts can compel Google to hand over all of your data.
  • Store sensitive data in a password-protected cloud or external storage device as much as possible. See the Lock up sensitive files section above.
  • Remember to permanently erase sensitive files from your laptop/desktop: use Eraser for Windows and File Shredder for Mac.

For more information


🕵🏼‍♂️ Online harassment & doxxing

Harassment and doxxing can get very specific and complicated based on the attacker, your position, the overall cultural context, etc. While we have some general suggestions below, we implore you to think about whether your situation has escalated sufficiently and whether it’s time to find professional, one-on-one help.

Recruit a trusted friend

  • Do not force yourself into a corner by going at this alone!
    • Baseline: Ask a trusted friend to hold space for your situation and be your sounding board on analyzing how bad the threat is.
    • Preferred: Ask a trusted friend to help you investigate, record, report and block harassers – see Take Back The Tech’s Hey Friend! guide for more details about this. In some cases, it may be healthier to hand your phone/social media/accounts over to them so that you’re not constantly triggered.
  • Alternately, reach out to online communities you’re an active member of and ask for help. See PEN America’s article on Deploying Your Supportive Cyber Communities.
  • If no one is available right now, Heartmob has a list of supportive organizations, some of which have 24/7 hotlines.

Monitor updates & collect receipts

  • Set up a Talkwalker and/or Google Alerts for your name/nickname.
  • Start logging (date, time, description, screenshot) incidents in whatever program/app that’s easiest for you.

Remove your personal information from the internet

  • Pay PrivacyDuck to scrub your information online. If you are an activist you can contact Equity Labs for a discounted rate.
  • Pay Reputation.com to remove your information from paid sites and monitor them to make sure it stays removed.
  • Alternately, both PrivacyDuck and Motherboard have free online resources to help you remove your information yourself.

Obscure your personal information

  • Use Burner to set up burner phone numbers for calling/texting.
  • Use Traveling Mailbox to obscure your postal address.
  • Delete old accounts to eliminate traces of personal information on the Internet. Use Justdelete.me to accelerate this process.
  • Review your social media accounts and delete any posts that reveal too much about where you live/where you go/who you’re with.
  • For Twitter users:
    • Ask around in your communities for shared block lists of known offenders.
    • Use Semiphemeral to delete most of your unwanted posts on Twitter. (Requires use of the command line.)

Ignore/reply/report/block your harassers

  • Together with your support person/friend and the log of receipts, decide on your course of action (these aren’t mutually exclusive):
    • Ignore: Sometimes harassers will walk away if they don’t get attention.
    • De-escalate: In some contexts, you can defuse the situation with some calm words before it gets worse.
    • Report: Report the harasser to the relevant online platform and/or your local law enforcement.
    • Mute on social media: Allows for peace of mind.
    • Block on social media: Maximizes peace of mind as the harasser won’t be able to see your posts. But they will notice and see it as a sign of escalation.
    • Go public: Can be dangerous, but sometimes shaming them publicly or rallying people to your support will make them go away.

For more information


👤 I don’t want to give out my real phone number for online dating/networking/organizing

For messaging apps that use phone numbers as the primary identifier/username (e.g. Signal, WhatsApp), get a secondary number from:

  • Twilio (1 USD/month, but complicated setup – see the Twilio section here and this guide)
  • Burner (5 USD/month, but also has prepaid plans for short-term use)
  • Google Voice (free but only available in the US)
  • A phone company: get a prepaid or cheap SIM card plan (rates vary)

But keep in mind:

  • If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.
  • Most companies will still hand over your information to the authorities if the latter files the right paperwork.

For true anonymity – create an untraceable online persona under a pseudonym


💦❓ Other recommendations

This section is a catch-all for difficult or esoteric practices that do not fall under any of our scenarios above and might not have any immediate payoff for the casual user.

Emails

Access

File storage & sharing

  • Use an end-to-end encrypted cloud storage service (not Dropbox): Tresorit, SpiderOak.
  • Use encrypted external USB/hard drives from companies like Apricorn.
  • If you want to send a file anonymously, use a special sharing service like OnionShare.
  • Instead of Google Docs or Microsoft Office, use CryptPad (open-source, end-to-end encrypted).

Messaging apps

  • WhatsApp additional settings:
    • To keep your chats fully end-to-end encrypted, turn off chat backups on WhatsApp (Settings > Chats > Chat backup) and delete your previous backups (instructions for iOS, Android): backups stored in iCloud/Google Drive are not covered by WhatsApp’s end-to-end encryption, and the cloud provider can be compelled to hand them over.
    • Turn on security notifications on WhatsApp (Settings > Account > Security) so you are told when a contact’s encryption key changes.
    • Set up a PIN to prevent your account from being moved to another phone without your permission (Settings > Account > Two-Step Verification).
  • If you’re a journalist who uses Signal regularly, step up your safety practices by following Martin Shelton’s Locking Down Signal guide (or the equivalent for WhatsApp if you use that a lot).

Other

  • Keep less information/data/photos on your devices – you can’t lose what you don’t have!
  • Don’t use smart TVs or smart speakers.
  • Search the web anonymously with DuckDuckGo.
  • If you (or your organization) are really wedded to the Google Suite, consider Google’s Advanced Protection Program.
  • Put your smart cards/passports/phones in a Faraday bag that blocks signals from going in and out. (See Micah Lee’s guide on them.)
  • Fortify your self-hosted WordPress website with Cloudflare + iThemes Security.
  • Use a more secure operating system: Tails (works off of a USB stick) or Qubes OS.
  • For Android users: Download apps using F-Droid, an open-source, security-focused app store.
  • For US residents: Freeze your credit to prevent hackers from accessing sensitive data. See Security Checklist’s Freeze Your Credit section for details.

🏆 Oh my, you made it this far.
🏆 You are a true champ!


🧠 Sources

We consulted many sources and drew upon our own experiences in creating this resource. (See our full list of sources.) If you’re not finding quite what you want here, we recommend checking out these other resources:

For a curated selection, check out Martin Shelton’s Current Digital Security Resources guide.


📝 License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. tldr-digital-security is maintained by hongkonggong.

This article originally appeared on hongkonggong

How to set and use passwords safely

“Passwords are like underwear: you change them frequently. Do not share them and do not show them.”

Well maybe some people like to show part of their underwear, but let’s say the previous statement suits most people. 😉

Nowadays we have to deal with hundreds of places where we log in with a username and password. Using a different username and password for each one is advice we have surely heard, and probably tried, but when we have to remember credentials for services we use every day, many people end up reusing the same username and password everywhere. Even with a strong password mixing upper and lower case, numbers and symbols, if one of these sites suffers a breach (remember the Yahoo, LinkedIn and Dropbox leaks, …), every account that shares that password is jeopardised.

So, it is clear that the most secure solution would be to use different, strong passwords for our accounts. But how can we deal with all this information?


One solution is a password manager. This tool stores all of our passwords in an encrypted database, and the only thing we have to remember is one strong master password, usually a long passphrase. Once we have entered it, we have access to all the account details.

There are two types of password managers: those that store the database on the vendor’s servers and those that store it locally. The first kind is clearly the easiest to use: we create the database in their cloud and access it from any device. You might be reluctant to keep your database on their servers, and you are probably right, because some providers have been breached in the past (LastPass, for example). In a well-designed manager the vault itself stays encrypted with a key derived from your master password, so what a breach exposes is the chance to attack a weak master password offline.

So we are going to focus on the second group, the password managers without a centralised database. That does not mean we cannot use the same database on several devices; we just have to bring our own cloud service to synchronise it.

In this article I will explain how to set up and use KeePass, a free, open-source, lightweight, easy-to-use and award-winning password manager. You can use it with Windows, Mac OS X, GNU/Linux, Android, iPhone/iPad, Windows Phone, BlackBerry, Chrome… You can check the list of ports here. As a cloud service I will use Mega, with FolderSync Lite to synchronise the database to my mobile device and Keepass2Android Password Safe to open the database on my Android.

I will take for granted that you have already installed the KeePass version for your operating system, that you have a cloud service client installed and that you have already created an account. The steps are the following:

Start KeePass and create the database

Start KeePass

The first time, you will need to create a database.

The system will ask for a name and a location. Store the database file inside the folder that your cloud service synchronises, so that every device sees the same copy.

Create the Master password and the Key file

This is the MAIN and MOST important password, and the ONLY ONE you have to REMEMBER. It is a good idea to use a sentence instead of a word, use capital letters, numbers and special characters, like the one below:

My f4th3r w@s 4 great p3r$0n. 1 admire h1m!

As you can see, I am combining capital letters, numbers and special characters, and I try not to use the same pattern everywhere (I am not replacing all the vowels with numbers in every word). It is a complex sentence, but it is the only one you need to remember. Do not reuse this exact sentence, or any passphrase that has been published: assume it is already in cracking wordlists. I recommend clicking the three-dots button, which shows the password as you type, so you can check that the master password you typed is the one you want instead of typing it twice.

IMPORTANT: if you forget your master password, you will not be able to open the database. There is no recovery mechanism.

The estimated quality shows how strong the password you have typed is. Try to reach 192 bits.

Key file (optional)

If you want an additional security layer, you can create a key file. If you tick the option, you will need both the master password and the key file to unlock the database. You have to specify where the key file will be stored.

Then help the system collect random bits to increase the entropy of the key: move the mouse over the field until the Generated bits bar reaches 256 bits, and type random keys inside the Random keyboard input field. Then click the OK button.

You can also tick only the “Key file” option, without a master password, but I do not recommend it, as anyone who gets hold of your key file will be able to open the database. I suggest using the key file as an additional layer, together with the master password. Keep the key file out of the folder that the cloud service synchronises (and off the cloud altogether): if it sits next to the database, whoever gets the database gets the key file too, and the extra layer adds nothing.

Set database settings

Here we can set some database settings, like name, some description and additional parameters.

If you are using the key file option, you can enable a change-key reminder and an expiration date, to force the key to be changed. By default both settings are deactivated.

Once you click on the OK button, the database will be open and ready for new entries. It comes with two sample entries.

Please, take into account that the database name in the main title window has an asterisk, meaning that the changes are not saved yet.

Adding a new entry

To add a new entry in the database, just click on the key button

Then fill in the main fields:

  • Title: something that identifies the account.

  • User name: the user name of the account.

  • Password: to be sure of the password you are typing in, I strongly recommend clicking the three-dots button so that it is shown as you type.

  • URL: the address of the site, if the account belongs to a website. If you enter it without the subdomain (wikipedia.org instead of www.wikipedia.org, for example), the entry will be matched on any subdomain of wikipedia.org, such as en.wikipedia.org or ca.wikipedia.org.

Since there is no need to remember the password you create, this is a good moment to start using strong passwords. Creating strong passwords by hand is not advisable, since we probably follow some (unconscious?) pattern, so it is better to delegate this task to the software. Just click on the key button and several options will be displayed.

If you need to customise the password because of some constraints imposed by the site, click on the “Open Password Generator…” option.

There you can set which character sets should appear in the password. For the strongest password, I suggest enabling upper case, lower case, digits and special characters. Tick the “Collect additional entropy” option, which will show the entropy collection window mentioned above.

In the Advanced tab you can specify additional constraints, like excluding look-alike characters (capital I and lower-case l, the letter o and the number 0…). You can also exclude specific characters. Please remember that these options and rules reduce the number of possible passwords, and therefore the security of the generated ones: every excluded character shrinks the alphabet the generator chooses from.

The Preview tab shows some examples of passwords generated according to the rules specified on the first tab.

Clicking on the OK button will generate the password matching the options and rules. It is a good idea to specify inside the Notes field the email linked to the account, just in case you need to.
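An added example (not from the original article, nor KeePass’s own code) that implements the two generator styles discussed on this page: the word-based passphrase recommended in the checklist above (okay-to-string-together-non-sequitur-words) and the character-set generator with KeePass-style options, including the look-alike exclusion, reporting the entropy each configuration leaves. The word list is a constructed stand-in for a real list such as the EFF’s 7776-word list; everything else uses Python’s secrets module.

```python
import math
import secrets
import string

# Constructed stand-in word list for the demo. A real list (e.g. the EFF long list) has
# 7776 words, so each word contributes log2(7776) ~ 12.9 bits instead of 4 here.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "pickle",
         "lantern", "mosaic", "thunder", "quartz", "saddle", "ember", "glacier", "walnut"]

# Characters that are easy to confuse when read from a screen or a printout.
LOOKALIKES = set("Il1|O0o")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase(words=WORDS, count: int = 5, sep: str = "-"):
    """Diceware-style passphrase: every word is an independent uniform pick from the CSPRNG."""
    phrase = sep.join(secrets.choice(words) for _ in range(count))
    return phrase, entropy_bits(len(words), count)


def password(length: int = 20, upper: bool = True, lower: bool = True, digits: bool = True,
             special: bool = True, exclude_lookalikes: bool = False, exclude: str = ""):
    """Character password with KeePass-like generator options. Returns the password and the
    entropy the chosen options leave: every excluded character shrinks the alphabet."""
    alphabet = ""
    if upper:
        alphabet += string.ascii_uppercase
    if lower:
        alphabet += string.ascii_lowercase
    if digits:
        alphabet += string.digits
    if special:
        alphabet += string.punctuation
    removed = set(exclude) | (LOOKALIKES if exclude_lookalikes else set())
    alphabet = "".join(c for c in alphabet if c not in removed)
    if not alphabet:
        raise ValueError("no characters left to choose from")
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    phrase, bits = passphrase()
    print(f"passphrase: {phrase}  (~{bits:.0f} bits with this tiny list, "
          f"~{entropy_bits(7776, 5):.0f} with a 7776-word list)")
    for opts in ({}, {"exclude_lookalikes": True}, {"special": False, "length": 10}):
        pw, bits = password(**opts)
        print(f"{pw:22} {bits:6.1f} bits  {opts}")
```

The entropy figures make the trade-off in KeePass’s Advanced tab concrete: excluding the seven look-alike characters from a 94-character alphabet costs about 0.1 bits per character, dropping the whole special-character set costs about 0.6 bits per character, and a five-word phrase from a real 7776-word list (about 65 bits) beats a ten-digit PIN (about 33 bits) by a wide margin while being easier to remember.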

Save the database (Ctrl+S, or File > Save) so that the asterisk disappears from the title bar and the file in the synchronised folder is updated. Now you have a database stored in a cloud service.

Browser integration in computer

The easiest way to use the database on a trusted computer is a browser add-on. The one I use is PassIFox, since Mozilla Firefox is my main browser, but chromeIPass can be used with the Chrome browser. Both talk to KeePass through the KeePassHttp plugin, which has to be installed in KeePass as well.

Follow the instructions on the add-on’s website to install and configure it.

Once connected to your database, just visit a site where you have already set up an account; if the user name and password are not filled in automatically, right-click inside the username or password field and the “Fill User & Pass” option will appear.

Coming soon: (How to use KeePass with Android)