What you need to know before using this manual
From Gender and Tech Resources
What you need to know before using this manual
Before reading this manual and using the recommended tools and tactics, it is important to remember that every technology has its risks and therefore precautions ought to be taken to minimise these risks.
The first step we should take before connecting our devices to the internet, is to reflect on the data we have stored on our devices and elsewhere: What kind of data do we produce and/or manage? With whom do we produce this data? Where is this data stored? Which devices or online platforms hold our data? Most importantly, how sensitive is our data and what would happen if this particular data suddenly disappeared or was seen and copied by a third party? To learn more about mapping our data, read: https://gendersec.tacticaltech.org/wiki/index.php/Step_0#Mapping_your_data
Once we've mapped our data, the next step is securing them.
When our data is stored online, on the "cloud", it is crucial to choose strong passwords, or better passphrases, and to use a different one for each of your accounts. For more information on the importance of strong passwords and how to store them, read Security in a Box's chapter on passwords and the EFF's howto. A good tool to generate and store strong passwords is KeePassX. A technique to create strong passphrases that are also easy to remember consists in creating a random group of words that don’t make any sense together by using simple, physical dice. Read more about the Diceware techique.
Another very important measure we should take when going online, especially if we are transmitting personal data and passwords, is to always use a secure SSL connection, which ensures that our data cannot be seen by anyone as it travels from our computer to the website we are visiting or to the service we are using. To do so, when we access a website we should type HTTPS instead of HTTP before the url of the website we want to visit. If we receive an error or the HTTPS is replaced by HTTP again, this means that the website is not offering a secure connection. To make sure that we always connect securely to websites when this option is offered, we can install HTTPS Everywhere, a Firefox, Chrome, and Opera extension developed by the Electronic Frontier Foundation that encrypts our communications with many major websites.
Likewise, when we create an account with an online service (e.g. our mailbox or a chat network) that we will access through a specific client or app, we should check the features of the service to make sure that it offers a secure connection and configure our clients accordingly by activating the TLS/SSL option.
Some activities are riskier than others, and in some cases SSL is not enough: we may have good reasons to hide our physical location and our usage of the internet, and to do so we could decide to anonymise our connections through Tor, an anonymity network that hides both the location of our connection and what we do on the internet by routing communications through a distributed network of servers run by volunteers all over the world. By consistently using Tor, no one can link our IP address to us, not even the mail server we use. For further information on how to use Tor, see the TOR project website.
An easy tool to anonymise our connections when browsing the internet is Torbrowser, the most recommended and rigorously tested tool for keeping our online activities anonymous. For more information on Torbrowser and instructions for Windows users, visit: https://securityinabox.org/en/guide/anonymity-and-circumvention For instructions for Mac OSX users, visit: https://ssd.eff.org/en/module/how-use-tor-mac-os-x
Also the choice of the mail server we use for our contact mail address is important. There are several secure servers that offer a good service, like the Swiss commercial service Kolab Now (https://kolabnow.com). But the main point is to find a service that offers a secure connection (HTTPS instead of HTTP) and that is compatible with our actual needs. If you think that using a grass-roots service instead of a commercial one is closer to your view of the world, you can open a mail account with an autonomous server such as Riseup (a site used by activists with a clear set of political principles) or Autistici/Inventati (A/I). Riseup provides email addresses to activists based on a trust system. You can either get two invite codes from friends who already have Riseup accounts or wait for Riseup to approve your detailed request (which can take a long time). For more info visit: https://user.riseup.net/forms/new_user/first To obtain a mailbox with A/I, you just have to read their policy and manifesto and, if you agree with their principles, fill in a form explaining why you are asking for this service and in which way you share the collective's fundamental principles. To learn more about A/I, visit: http://www.autistici.org/en/about.html
Finally, nothing is secure if we only think about technology and we neglect our well-being. If we are exhausted, stressed or burnt out, we might make mistakes that impair our security. Read more about this in the Tactical Technology Collective's manual on holistic security: https://tacticaltech.org/holistic-security and this essay on The Psychological Underpinnings of Security Training: https://www.level-up.cc/resources-for-trainers/holistic/psychological-underpinnings-security-training.