Security disclaimer

From Gender and Tech Resources

Ideas to be added

Activists, feminists and people who use this manual should also make themselves well versed about their countries cyber laws and policies or any kind of disclaimer should be there.

Before you start: mapping your data and devices; securing your data; anonymising your connections

Before reading this book and using the recommendend tools and tactics, it is important to be awaare that every technology has its risks if some precautions are not taken in advance.

Before we connect our devices to the internet, the first step we should take is reflecting about the data we have stored there and anywhere else: What kind of data do we produce and or manage? With whom? Where is this data stored? Which devices or online platforms hold our data? Most importantly, how sensitive is our data and what would happen if this particular data suddenly disappeared or was seen and copied by a third party? To learn more about mapping our data, read: https://gendersec.tacticaltech.org/wiki/index.php/Step_0#Mapping_your_data

Once we've mapped our data, the next step is securing it.

Especially where our data is stored online, it is crucial to choose strong passwords, or better passphrases, and to use a different one for each of our accounts. For more information on the importance of strong passwords and how to store them, read Security in a Box's chapter on passwords. https://securityinabox.org/en/guide/passwords and the EFF's howto: https://ssd.eff.org/en/module/creating-strong-passwords

A good tool to generate and store strong passwords is KeePassX: https://securityinabox.org/en/guide/keepass/windows

A technique to create strong passphrases that are also easy to remember consists in creating a random group of words that don’t make any sense together by using simple, physical dice. Read more about the Diceware techique in this article: https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess.

Another very important measure we should take when going online, especially if we are transmitting personal data and passwords, is to always use a secure SSL connection, which ensures that our data cannot be seen by anyone as they travel from our computer to the website we are visiting or to the service we are using. To do so, when we access a website we should type HTTPS instead of HTTP before the url of the website we want to visiting. If we receive an error or the HTTPS is replaced by HTTP again, this means that the website is not offering a secure connection. To make sure that we always connect securely to websites when this option is offered, we can install HTTPS Everywhere, a Firefox, Chrome, and Opera extension developed by the Electronic Frontier Foundation that encrypts our communications with many major websites: https://www.eff.org/https-everywhere

Likewise, when we create an account with an online service (e.g. our mailbox or a chat network) that we will access through a specific client or app, we should check the features of the service to make sure that it offers a secure connection and configure our clients accordingly by activating the TLS/SSL option.

Some activities are riskier than others, and in some cases SSL is not enough: we may have good reasons to hide our physical location and our usage of the internet, and to do so we could decide to anonymise our connections through Tor, an anonymity network that conceals both the location of our connection and what we do on the internet by routing communications through a distributed network of servers run by volunteers all over the world. By consistently using Tor, no one can link our IP address to us, not even the mail server we use. For further information on how to use Tor, see the project's website: https://www.torproject.org

An easy tool to anonymise our connections when browsing the internet is Torbrowser, the most recommended and rigorously tested tool for keeping our online activities anonymous. For more information on Torbrowser and instructions for Windows users, visit: https://securityinabox.org/en/guide/anonymity-and-circumvention For instructions for Mac OSX users, visit: https://ssd.eff.org/en/module/how-use-tor-mac-os-x

Also the choice of the mail server we use for our contact mail address is important. There are several secure servers that offer a good service, like the Swiss commercial service Kolab Now (https://kolabnow.com). But the main point is to find a service that offers a secure connection (HTTPS instead of HTTP) and that is compatible with our actual needs.

If you think that using a grass-roots service instead of a commercial one is closer to your view of the world, you can open a mail account with an autonomous server such as Riseup (a site used by activists with a clear set of political principles) or Autistici/Inventati (A/I). Riseup provides email addresses to activists based on a trust system. You can either get two invite codes from friends who already have Riseup accounts or wait for Riseup to approve your detailed request (which can take a long time). For more info visit: https://user.riseup.net/forms/new_user/first To obtain a mailbox with A/I, you just have to read their policy and manifesto and, if you agree with their principles, fill in a form explaining why you are asking for this service and in which way you share the collective's fundamental principles. To learn more about A/I, visit: http://www.autistici.org/en/about.html

Finally, nothing is secure if we only think about technology and we neglect our wellbeing. If we are exhausted, stressed or burnt out, we might make mistakes that impair our security. Read more about this in the Tactical Technology Collective's manual on holistic security: https://tacticaltech.org/holistic-security (verify link) and this essay on The Psychological Underpinnings of Security Training: https://www.level-up.cc/resources-for-trainers/holistic/psychological-underpinnings-security-training