
Security training: Individuals versus The State

Meitar M edited this page Apr 20, 2017 · 10 revisions


How to use this persona-based threat modeling matrix:

  1. You are a "defender" (a given row). Find yourself there.
  2. Your concern(s) map to a given "attacker" (a given column). Find your attacker.
  3. Find the cell where these two personas intersect. Everything listed in the cells above and to the left of your cell applies to you, too.
  4. Start at the top-left cell and read the advice from left to right, top to bottom, until you reach your cell. Then stop worrying. :)

| Defenders \ Attackers | Random Assholes | Assholes with Resources | The State |
|---|---|---|---|
| Individuals | Individuals vs Random Assholes | Individuals vs Assholes with Resources | Individuals vs The State |
| Organizers and Journalists | Organizers & Journalists vs Random Assholes | Organizers & Journalists vs Assholes with Resources | Organizers & Journalists vs The State |
| Targeted Activists | Targeted Activists vs Random Assholes | Targeted Activists vs Assholes with Resources | Targeted Activists vs The State |

Individuals versus The State

Prerequisites

Before you dive too deeply into this practice material, you should first work through the following lower-hanging fruit, in this order:

  1. Security training: Individuals versus Random Assholes
  2. Security training: Individuals versus Assholes with Resources

Data management

  • Encrypt your phone/laptop disk at rest (FileVault on macOS, Android's device encryption, LUKS/cryptsetup on Linux). Keep in mind that disk encryption only protects a device that is powered off or locked; a running, unlocked device exposes its data to whoever is holding it.
  • Read the privacy policy and terms of service of every service you sign up for. Remember that when you sign up for an online service, you are agreeing to a contract.
  • Make sure you can actually delete your account after signing up, and keep in mind that some services keep your data forever (even after you request deletion). Just Delete Me rates how difficult it is to delete an account on a given service, and its browser extension warns you while you are on that service's site.
  • Remember that when you use a service based in a foreign country, you are (to some extent) subject to that country's law, so go through the following checklist (and do the same for your local services):
    1. Does the service store your data in your country?
    2. Does the service share personal data with the government or any third party?
    3. Does the service require personal data that could harm you in the future? If so, ask what they do with that information.
    4. Does the service have a history of cooperation with government/police, or any privacy or corruption scandal?
    5. Does the service publish a warrant canary? Check Canary Watch to see if your service is listed there (note that the project stopped tracking canaries in 2016, so also look on the service's own site), and if not, email the service asking whether they publish one.
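
The first item above (encrypt your disk at rest) is easy to believe you have done and hard to be sure of when a machine has more than one drive. The following is an added example, not code from this wiki: it reads the block-device tree as printed by `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` and reports every mounted filesystem that does not sit on top of a dm-crypt (LUKS) mapping. The sample `lsblk` output is constructed to show the common failure mode: an encrypted root plus a second drive mounted at /home in the clear.

```python
import shlex

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# output: / lives on a LUKS mapping, /home does not. Not from a real machine.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda3"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sdb"
"""

# Bootloader partitions are normally left unencrypted on a LUKS setup; they
# hold no user data, so they are reported but not flagged.
BOOT_MOUNTS = {"/boot", "/boot/efi"}


def parse_lsblk_pairs(text):
    """Parse lsblk -P (KEY="value" pairs) output into {name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if this device, or any device beneath it in the block stack
    (followed via PKNAME), is a dm-crypt mapping (TYPE=crypt)."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def audit_mounts(devices):
    """Map every mounted filesystem to whether it rests on encryption."""
    return {dev["MOUNTPOINT"]: is_encrypted(devices, name)
            for name, dev in devices.items() if dev["MOUNTPOINT"]}


def unencrypted_data_mounts(devices):
    """Mount points holding data at rest in the clear (boot partitions excluded)."""
    return sorted(mount for mount, enc in audit_mounts(devices).items()
                  if not enc and mount not in BOOT_MOUNTS)


if __name__ == "__main__":
    devs = parse_lsblk_pairs(SAMPLE_LSBLK)
    for mount, enc in sorted(audit_mounts(devs).items()):
        print("%-10s %s" % (mount, "encrypted" if enc else "CLEARTEXT"))
    print("needs attention:", unencrypted_data_mounts(devs))
```

On a real Linux machine, feed it the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` instead of the sample; on macOS the equivalent check is `fdesetup status`. The walk up the PKNAME chain matters because the mounted filesystem is on the mapping (`cryptroot`), not on the LUKS partition itself, so checking only the device that carries the mount point would miss encryption that is present, and checking only for the `crypto_LUKS` signature would miss a mounted drive that has none.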

Security hygiene and habits

  • Unlock your devices with a passphrase, not a biometric such as a fingerprint: a fingerprint can be applied to the device without your cooperation, and in some jurisdictions it is easier to compel than a passphrase.
  • Use a passphrase for locking your phone instead of a PIN or pattern; a 4-digit PIN or a swipe pattern is far easier to guess or shoulder-surf.
  • Use cash whenever possible, not a credit card or electronic payment system; every card transaction is a timestamped, located record held by a third party.
  • If you need to use a credit card to buy something (and you are based in the US), use a separate virtual card number for each service. Privacy.com issues per-merchant virtual card numbers.
  • Switch your default search provider to a Google alternative.
  • Uninstall the Facebook/Twitter/etc. apps and use the mobile web versions of these sites instead; a site running inside the browser's sandbox gets far fewer device permissions than the native app asks for.
  • Audit your Android device's app permissions and revoke any permission granted to an app for a feature you don't use.
  • Use temporary emails/identities when making temporary use of a service: a throwaway address (FakeMailGenerator.com and similar sites) together with a fake name, birth date and so on for that temporary identity.
  • If possible, don't use hardware you received from your employer for personal use. (Why? "Employee monitoring.")
    • Similarly, never tell your boss/employer the passwords to personal accounts, even if "required" to by an employment contract (in many jurisdictions such clauses are unenforceable or outright illegal).
  • Check the validity of the lock icon in your Web browser's address bar (TLS certificate validation practices): click it and confirm that the certificate was issued for the domain you think you are visiting, by an issuer you would expect for that site.
  • Don't use the default DNS resolver your network provides: it sees every domain you look up, and ISPs and public Wi-Fi operators can log and profile those lookups. Use DNSCrypt, or the resolvers provided by the OpenNIC Project, instead. Keep in mind that this only hides your lookups from the local network and ISP; the resolver operator you choose still sees all of them, and the connection you then open still reveals the hostname in the TLS handshake and the destination IP address.
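
The permission audit above is usually done by tapping through Settings, which is fine for one phone and tedious for several. The following is an added example, not code from this wiki: it parses the `runtime permissions:` block that `adb shell dumpsys package <pkg>` prints on Android 6 and later, lists the granted permissions that matter most for surveillance (location, camera, microphone, contacts, call log, SMS), and prints the `adb shell pm revoke` command for each. The `dumpsys` text below is a constructed sample modelled on that output, and the package name `com.example.social` is made up.

```python
import re

# Android "dangerous" permissions that tell an observer where you are, who
# you talk to and what you say. The set is an editorial choice, not an
# official list.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample modelled on `adb shell dumpsys package com.example.social`
# output (Android 6+); not a capture from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (3f8a2c1):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text):
    """Return {package: {permission: granted}} from the runtime permissions
    block(s). Install-time permissions such as INTERNET are ignored: they
    cannot be revoked per app, so they are not actionable here."""
    result = {}
    pkg = None
    in_runtime = False
    block_indent = 0
    for line in dumpsys_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = PKG_RE.match(stripped)
        if m:
            pkg = m.group(1)
            result[pkg] = {}
            in_runtime = False
            continue
        if stripped == "runtime permissions:":
            in_runtime = True
            block_indent = indent
            continue
        if in_runtime:
            # A dedent back to (or past) the header's level ends the block.
            if stripped and indent <= block_indent:
                in_runtime = False
                continue
            m = PERM_RE.match(stripped)
            if m and pkg is not None:
                result[pkg][m.group(1)] = (m.group(2) == "true")
    return result


def granted_sensitive(perms_by_pkg):
    """{package: sorted list of granted permissions that are in SENSITIVE}."""
    return {pkg: sorted(p for p, granted in perms.items() if granted and p in SENSITIVE)
            for pkg, perms in perms_by_pkg.items()}


def revoke_commands(perms_by_pkg):
    """One `adb shell pm revoke` per granted sensitive permission. Review the
    list before running it: revoking a permission an app needs just makes it
    ask again (or crash, on badly written apps)."""
    return ["adb shell pm revoke %s %s" % (pkg, perm)
            for pkg, perms in granted_sensitive(perms_by_pkg).items()
            for perm in perms]


if __name__ == "__main__":
    parsed = parse_runtime_permissions(SAMPLE_DUMPSYS)
    for cmd in revoke_commands(parsed):
        print(cmd)
```

To run it against a real phone, enable USB debugging, pipe `adb shell dumpsys package <pkg>` (or the much longer `adb shell dumpsys package` for every app) into `parse_runtime_permissions`, and read the proposed `pm revoke` lines before executing any of them. Note that `READ_CONTACTS` is listed as requested but `granted=false`, so it correctly produces no revoke command; the audit is about what the app can currently do, not what it would like to do.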

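The DNS advice above rests on one fact that is easy to state and rarely looked at: a plain DNS query carries the name you are asking about in cleartext, so anyone between you and the resolver (and the resolver itself) can log it. The following is an added example, not code from this wiki. It builds the exact UDP payload a stub resolver sends for an A-record lookup (RFC 1035 wire format), then plays the on-path observer and reads the names back out of the raw bytes. The list of lookups is constructed to stand in for a few minutes of one person's browsing.

```python
import struct

# Constructed list of lookups standing in for a few minutes of one person's
# browsing; not captured traffic.
SAMPLE_LOOKUPS = ["signal.org", "protonmail.com", "torproject.org", "example.org."]


def build_query(name, txid=0x1234):
    """Encode a standard A-record query as the raw UDP payload a stub
    resolver sends (RFC 1035 section 4.1): a 12-byte header (ID, flags with
    RD=1, QDCOUNT=1, three zero counts) followed by the question. Nothing in
    it is encrypted or even obfuscated."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # label length limit from RFC 1035
            raise ValueError("bad label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet):
    """What an on-path observer (Wi-Fi operator, ISP, or the resolver itself)
    does with every query: read the name straight out of the packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but a stub resolver
            # never sends one in a question name; treat it as malformed.
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def passive_dns_log(packets):
    """A resolver-side (or sniffer-side) log: one name per query, which is
    the raw material of the profiling the advice above warns about."""
    return [extract_qname(p) for p in packets]


if __name__ == "__main__":
    wire = [build_query(n, txid=i) for i, n in enumerate(SAMPLE_LOOKUPS)]
    print("first query on the wire:", wire[0].hex())
    for name in passive_dns_log(wire):
        print("observed lookup:", name)
```

DNSCrypt (or any encrypted transport to the resolver) wraps this packet so the local network and ISP see only ciphertext, but the resolver you picked still decrypts it and can produce exactly the log that `passive_dns_log` does, which is why the choice of resolver operator matters as much as the encryption. The connection you open after the lookup also leaks the same name again through the TLS Server Name Indication field, so encrypted DNS narrows the set of observers rather than eliminating them.
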
Helpful tools

  • Use a certificate transparency monitor (such as crt.sh, or Facebook's, which requires you to be logged in to a Facebook account) to check that the certificate you were served has actually been logged publicly, rather than minted just for you.
  • Use Terms of Service; Didn't Read (ToS;DR) to get up to speed on the legal terms of a service you are considering using.
  • Turn off JavaScript using a blocker such as ScriptSafe or NoScript, and re-enable it only on sites you purposefully visit.
  • Use HTTPS Everywhere so that you send data to a service over HTTPS rather than HTTP wherever the site supports it.

See also the guide Digital Security Tips for Protesters.
