Technology Security For Activists - Final.2017.02.15


TECHNOLOGY SECURITY

FOR ACTIVISTS

Compiled by the Oh Shit! What Now Collective


Austin, TX | February, 2017

Why Is Security Critical?


In resistance culture, we are each only as safe as our weakest link.
Even if you are not planning to participate in direct action that
could put you at risk of targeting for surveillance, harassment, or
arrest, you may be associated with those who are. For the safety of
everyone, it is critical that we all take responsibility to ensure our
communications are as secure as possible.
This zine is intended to provide practical solutions for securing
communications at a basic level that is understandable even to
computer novices.
Please note: this information is compiled from multiple resources,
which are noted and linked. It's important to be clear that one
can only expect to achieve safer or more secure
communication. There is no such thing as absolute privacy for
novices, so please calibrate the information you share
over electronic communications to the maximum level of security
achievable by you and others in your communication circle or
affinity group.

How to Use this Guide


Following the Security checklist, you will find tools for each item on
the list. You can review and act upon the information individually,
or gather your friends and/or affinity groups together and make
sure everyone in your circle is prepared for safer communication.

Security Checklist
o Perform threat modeling and action planning (Page 4)
o Review phone security guidelines (Page 5)
o Encrypt phone and computer hard drives (Page 6)
o Secure your passwords/passcodes (Page 8)
o Create update schedule (Page 10)
o Download and install Signal (Page 11)
o Secure your browsing (Page 12)
o Secure your email (Page 13)
o Research and purchase VPN (Page 14)
o Secure your home network (Page 14)
o General Security Habits (Page 15)
o TOP 3 THINGS (Page 15)

Threat Modeling
(Source: An Introduction to Threat Modeling - https://ssd.eff.org/en/module/introduction-threat-modeling)

Determining a plan for securing your digital devices and accounts
begins with understanding what you need to protect and from
whom you need to protect it.
Five main questions you should ask yourself:
1) What do you want to protect?
a) Write down a list of the data that you keep (such as contact
lists, emails, files, and instant messages), where it's kept,
who has access to it, and what stops others from accessing
it.
2) Who do you want to protect it from?
a) Make a list of who might want to get ahold of your data or
communications. It might be an individual, a government
agency, or a corporation.
3) How likely is it that you will need to protect it?
a) Write down what your adversary might want to do with
your private data.
4) How bad are the consequences if you fail?
a) Remember that a group is only as secure as its weakest link:
when considering consequences, make sure you are
considering the potential consequences to others in your
communication chain.
5) How much trouble are you willing to go through to try to
prevent those?
a) Consider how important it is to maintain security vs. the
cost/inconvenience of maintaining it.

Phone Security Guidelines


• Phones can be tracked even when off.
• Leave phones at home for best security.
• It only takes one loose link in the chain.
• Encrypt and lock with a strong passcode.
• If you have a phone with you, keep it with you.
• Keep data backed up and encrypt your backups.
• Use burner phones.
• Set up a designated check-in time with a friend.
• Do not consent to a search of your phone.
• You are not required to provide your password to a police
officer.
• Do not use fingerprint or other biometric authentication on
your phone.
• Review your app permissions. Newer versions of Android
allow you to set per-app permissions, so that your contacts
list cannot be scraped.
• Uninstall unused apps.

Encrypt phone and computer hard drives


What is encryption: While computer scientists, developers, and
cryptographers have created far smarter and more complex methods for
doing so, at its heart, encryption is simply taking some information
that makes sense and scrambling it so it becomes gibberish. Turning
it back into real information (video files, images, or simple
messages) can only be done by decrypting it back from gibberish
using a method called a cipher, usually relying on an important piece
of information called a key. (source: http://www.howtogeek.com/234642/what-is-encryption-and-why-are-people-afraid-of-it/)

Platform-Specific Information
iOS: On devices running iOS 8 or later, your personal data such as
photos, messages (including attachments), email, contacts, call
history, iTunes content, notes, and reminders is placed under the
protection of your passcode.
Android: Google introduced full-device encryption in
Android Gingerbread (2.3.x), but it has undergone some dramatic
changes since then. On some higher-end handsets running Lollipop
(5.x) and higher, it's enabled out of the box, while on some older
or lower-end devices, you have to turn it on yourself.
MacOS: FileVault 2 is available in OS X Lion or later. When FileVault
is turned on, your Mac always requires that you log in with your
account password.
You can turn on FileVault 2 in System Preferences > Security &
Privacy.

Windows: Many new PCs that ship with Windows 10 will
automatically have Device Encryption enabled. This feature was
first introduced in Windows 8.1, and there are specific hardware
requirements for this.
There's another limitation, too: it only actually encrypts your
drive if you sign in to Windows with a Microsoft account. Your
recovery key is then uploaded to Microsoft's servers. This will help
you recover your files if you ever can't log into your PC. (This is also
why the FBI likely isn't too worried about this feature, but we're
just recommending encryption as a means to protect your data
from laptop thieves here. If you're worried about the NSA, you may
want to use a different encryption solution.)
To check if Device Encryption is enabled, open the Settings app,
navigate to System > About, and look for a Device encryption
setting at the bottom of the About pane. If you don't see anything
about Device Encryption here, your PC doesn't support Device
Encryption and it's not enabled. (Source: http://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/)

3rd party encryption: There are many third party applications that
can be used to encrypt your data. Some work with the operating
system to perform their encryption, and some use their own
methods. When possible, use reputable open source encryption
suites. Do not use TrueCrypt. It is outdated and has serious security
vulnerabilities that render it unsuitable for use.
All: Strong Passcode/Key, at least 8 characters - 11 if FBI might be
involved.

Regardless of platform, encryption is only as strong as the
passcode you are using to lock your device, and the timing of your
screen lock.

Password Security
Passwords are the key to your content, and are therefore one of
the most critical levels of defense. There is no sense in encrypting
a hard drive, for instance, without a strong password.
The strongest passwords can be generated by a password vault app
that auto-generates passwords for your individual logins, and
provides you with a master password which opens the vault.
KeePassX, LastPass, and Encryptr are all examples of password
vaults.
If you don't want to use a password vault, manually generated
passwords in the form of 7-word passphrases chosen from random
wordlists can create very secure passwords. One random wordlist
can be found here: https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

Either way, always enable two-step or two-factor authentication
when possible. Two-factor authentication requires at least two
methods of verification (your password, plus a trusted device or
phone number, for instance) to unlock an account.
And for Maude's sake, use different passwords for every account,
please. Imagine having one key that unlocks everything you own
with a lock, so if someone found your key, they could rob your
house and drive your belongings away in your car. That's what you
are setting yourself up for when you don't create new passwords
for different accounts.

Some useful guidelines:

• Use a strong password
o When possible, use randomly generated, long
passwords
o Length is more important than complexity
o Use 4+ random words of at least four letters each
strung together as a password. This is easier to
remember than randomly generated passwords,
but just as safe
o A very long password only containing letters is
stronger than a shorter password with a mix of
numbers, letters, and special characters.
o Numbers and special characters can be added in for
some additional security
• Use a unique password for each application
• Turn on 2-factor or 2-step authentication
• Use a password storage locker
o LastPass: Sucks up all of your browser passwords
and allows you to convert them to strong passwords.
o Encryptr: Similar to LastPass, but on a secure
infrastructure
o KeePass: Free, open-source, local
o Make sure all of these are properly secured as well!
• Use a private, secure email account strictly for account
recovery
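The two claims above, that a device's encryption is only as strong as the passcode that unlocks it (page 7) and that length matters more than complexity (this page), come down to counting guesses. The following script is an added example written for this edition of the zine; it is not from the zine's sources or from any of the password managers named. The twelve-word list is constructed so the script runs offline (the real EFF list has 7,776 words), and PBKDF2 stands in for a generic "passcode to key" step; it is an assumption about how such a step works in general, not a description of what iOS, Android, FileVault or BitLocker actually do.

```python
import hashlib
import math
import secrets

# Constructed sample wordlist (assumption, for offline use only).
# The EFF large wordlist the zine links has 7,776 entries.
SAMPLE_WORDLIST = [
    "acorn", "bamboo", "cactus", "dolphin", "ember", "fjord",
    "glacier", "harbor", "island", "juniper", "kestrel", "lantern",
]
EFF_LARGE_WORDLIST_SIZE = 7776


def random_passphrase(n_words, wordlist=SAMPLE_WORDLIST):
    """Draw n_words uniformly with the OS CSPRNG (secrets).
    random.choice is seeded predictably and must not be used for this."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of n_symbols symbols each drawn uniformly from
    choices_per_symbol options: n * log2(choices)."""
    return n_symbols * math.log2(choices_per_symbol)


def compare_schemes():
    """Entropy (bits, one decimal) of the schemes the guidelines contrast.
    Same-or-higher bits means same-or-harder to guess."""
    return {
        "7 EFF words (zine recommendation)": round(entropy_bits(EFF_LARGE_WORDLIST_SIZE, 7), 1),
        "4 EFF words": round(entropy_bits(EFF_LARGE_WORDLIST_SIZE, 4), 1),
        "8 chars from 95 printable ASCII": round(entropy_bits(95, 8), 1),
        "11 chars from 95 printable ASCII": round(entropy_bits(95, 11), 1),
        "16 lowercase letters only": round(entropy_bits(26, 16), 1),
        "4-digit PIN": round(entropy_bits(10, 4), 1),
        "6-digit PIN": round(entropy_bits(10, 6), 1),
    }


def derive_key(passcode, salt, iterations=600_000):
    """Stretch a passcode into a 256-bit key with PBKDF2-HMAC-SHA256.
    Stretching slows each guess but adds no entropy: the key is exactly
    as unpredictable as the passcode it came from, which is the zine's
    point about passcodes and disk encryption. (Generic illustration,
    not any specific platform's key derivation.)"""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=32)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("Example passphrase (sample list):", random_passphrase(7))
    for scheme, bits in compare_schemes().items():
        days = seconds_to_exhaust(bits, 1e9) / 86400  # assumed 1e9 guesses/s
        print(f"{scheme:40s} {bits:6.1f} bits  ~{days:.3g} days to exhaust")
    salt = secrets.token_bytes(16)
    print("Derived key:", derive_key("correct horse battery staple", salt).hex())
```

The table the script prints shows why the guidelines read as they do: 4 random words (51.7 bits) matches 8 fully random printable characters (52.6 bits), 16 random lowercase letters (75.2 bits) beats 11 fully random mixed characters (72.3 bits), and a 4-digit PIN (13.3 bits) is guessed in well under a second at a billion guesses per second, however slow the key stretching. These figures assume the words or characters are chosen at random; a passphrase you make up from a sentence you like does not get them.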

Staying Up To Date
As annoying as they can be, regularly updating your system is an
extremely important aspect of security in the modern age. Security
updates are released almost weekly, and the longer you wait the
more vulnerable you will be.
• Create a schedule and stick to it. Most devices can be set
to automatically update at a set time, when it won't be
disruptive.
• After updates, make sure to check that no security settings
have changed on your device. Sometimes updates reset
these to their defaults, which have a tendency to track your
information.
• If your device cannot be updated any longer, it should be
considered insecure and replaced. Many older phones and
computers do not fully support modern encryption
standards.
• Remember that updates apply to more than just your
computers, tablets, and phones. Check regularly for updates
to all of your network-enabled devices.

Safer Messaging: Signal


Signal is an open source messaging application that allows for
encrypted communication between devices. Keep in mind that this
kind of communication is only as strong as its weakest link.
Communicating about sensitive subjects over a network requires
full trust in all spokes of the wheel. Each person in the
communication group is responsible for the encryption and
password protection of the device and account in their possession.
Signal offers additional security for phone calls, as well as
messaging between individuals and groups by providing a shared
password that can be used to verify identity at the beginning of a
conversation.
To get the most out of Signal, remember the following:
1. Lock down your phone
2. Hide Signal messages on your lock screen
3. Verify that you're talking to the right person
a) via phone
b) via text
4. Archive and delete messages

Secure your browsing


• Do not use browsers such as Chrome or Internet
Explorer/Edge. Firefox should also be avoided if possible in
favor of more secure alternatives, such as Pale Moon.
• Avoid using add-ins to your browser where you can,
unless they are security related. Must-haves include:
o Ad blocking software like uBlock (do not use
Adblock Plus as it is no longer trustworthy)
o Script blocking software like NoScript
• Tor
o https://guardianproject.info/howto/browsefreely/
o Please be aware: simply installing Tor might put you
on the NSA watch list.
o Tor is NOT the be-all and end-all in security, as it is still
possible to gather information from exit points in
the Tor network. Don't use it blindly.
• Switch from Google to a search engine that doesn't track
your search history (e.g. DuckDuckGo)
• Never use public or company-owned WiFi for sensitive
communications. This is frequently monitored, and is
generally highly insecure.
• Do not sign in to any web browser, as this attaches a very
direct fingerprint to yourself.
• Always check the address bar for a lock icon, indicating that
the site is using encryption. Do not use sites that are
unencrypted, as everything you do is visible.
• Be careful of scams that can steal your personal
information. Several examples:
o Phishing (https://riseup.net/en/email/scams/phishing)
o Viruses (https://riseup.net/en/email/scams/viruses)
o Spam (https://riseup.net/en/spam)
• Avoid storing sensitive information in cloud-based storage
solutions such as Dropbox or Google Drive.

Secure Your Email


Proton Mail is a secure, encrypted email service provider with servers
based in Switzerland, end-to-end encryption, and no required personal
information for account creation. You can sign up for a proton mail
account at https://protonmail.com/.

However, if you have a current email account that you want to continue
to use for your day-to-day communications, please keep the following
tips in mind.

• As with all other services, it's important to protect your email
account with a secure password and two-factor authentication.
• Be careful opening attachments and downloading files that are
unexpected or from unknown sources.
• You can have all of the protection in the world on your account,
but if the person you are emailing, the networks you are emailing
over, or the email service provider you are using is not secure,
you are also not secure.
• Do not reply to spam email.
• Create a complex email address and don't share it.
• Keep track of, and when necessary delete, old email accounts
that you've opened.
• Use the Bcc (blind carbon copy) line for large numbers of
recipients. This protects the email addresses of the recipients by
hiding them and makes your email easier to read.
• Delete email and attachments when you no longer need them.
• Use more than one email account:
o Use one as a general catch-all account that you use to
sign up for mailing lists.
o Use one for general conversations.
o Use one or more secure email accounts for more private
conversations, as well as a secure account for password
recovery.

Research and purchase VPN


A VPN's purpose is providing a secure and reliable private connection between
computer networks over an existing public network, typically the Internet.
(source: http://computer.howstuffworks.com/vpn.htm)

When you connect to a VPN, you usually launch a VPN client on your computer
(or click a link on a special website), log in with your credentials, and your
computer exchanges trusted keys with a far away server. Once both computers
have verified each other as authentic, all of your internet communication is
encrypted and secured from eavesdropping.
The most important thing you need to know about a VPN: It secures your
computer's internet connection to guarantee that all of the data you're sending
and receiving is encrypted and secured from prying eyes. (source:
http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-
the-best-one-for-your-needs)
For comparative information about individual VPNs:
https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

Secure your home network


• Never leave any device, no matter how insignificant, with the default
passwords. Changing the default password, and if possible the username,
is the first thing you should do.
• Do not use ISP-supplied equipment as your router if you can help it. It's
best to use your own. Avoid connecting it to cloud services.
• When you can help it, avoid using wireless, as most consumer-grade
equipment is crackable.
• If you must use wireless, only use WPA2 encryption; never use WPA1 or
WEP, as they are both highly insecure. Never, ever, leave your home
wireless network unsecured!
• If you are confident in doing so, setting up device whitelisting for
wireless devices can solve some of the vulnerabilities with wireless
encryption standards.
• If your router supports it, set up a guest network. Use this for visitors,
and for Internet of Things devices, as both of these represent a security
vulnerability.

General Good Security Habits


• Do not save any sensitive information to a shared
computer. Always use a private browsing session, even if
you have a unique user ID.
• Make sure to log out of everything when done.
• If you get up from your computer or put down your phone,
make sure to lock it.
• Use a virtual keyboard to log in if you believe a system may
be compromised.
• Whenever you can, use encryption.
• Do not ever use unencrypted public WiFi, period.
• Never plug your phone into an untrusted USB port.
• Likewise, never plug untrusted USB devices into your
computer.
• Set devices to ask before joining new networks so you
don't unknowingly connect to insecure wireless networks.
• Remember that items you cut or copy can remain in the
clipboard. Copy a blank space after cutting and pasting
private information.

NOT SURE WHERE TO START? TRY THESE 3 THINGS:

1. Download and use Signal for your text
messaging.
2. Use two-step authentication and strong
passwords.
3. Use strong passcodes to lock your phones,
computers, and tablets.

What is the Oh Shit! What Now? Collective?


The Oh shit! What now? collective was inspired by a
crowdsourced survival guide by a similar name.
http://www.theworldisaterribleplace.com/ohcrap/
We are a small group of activists whose goal is to facilitate working
relationships among leftist and radical groups in Austin, as well as
folks who are unaffiliated and looking for a way to get plugged in.
We believe that now more than ever, folks on the outskirts of
activism should be empowered to share their energy and feel
welcome within activist circles.
The Oh Shit! What now? Collective plans study groups, discussions,
and workshops aimed at equipping folks with radical skills to share
with others.
Points Of Unity:
While we are not founded upon a central ideology, we remain
grounded on principles that we feel are necessary to push our
movements forward. We are anti-authoritarian, anti-capitalist,
feminist, and anti-oppression driven. We envision a world where
communities are empowered to take care of each other, without
relying on hierarchical structures that pit people against each
other.
Where To Find Us:
http://www.ohshitwhatnow.org/
https://www.facebook.com/ohshitwhatnowatx/
https://twitter.com/ohshit_atx
