Below are some quick notes that we hope are useful for getting started. For more depth on these topics, the [[https://tech.safehubcollective.org/cybersecurity/|Safe Hub Collective tech.safehubcollective.org/cybersecurity]] has very well-written guides.

===Password Managers===

[[https://www.keepassx.org/|KeePassX]] is a cross-platform password manager, with third-party apps available for Android and iOS. It stores all your account credentials in a file that you encrypt with one master passphrase. This way, you can have a strong, unique password for each online account, avoiding the dangers of [[https://xkcd.com/792/|password reuse]].

Some alternatives are [[https://lastpass.com/|LastPass]] and [[https://agilebits.com/onepassword|1Password]]. They offer a convenience trade-off: you store your (encrypted) passwords on their service, and they synchronize them across your devices.

Also, enable 2-factor authentication whenever possible!

=== Mobile Devices ===

==Full-disk Encryption==

- iOS: https://support.apple.com/en-us/HT202064
- Android: http://www.greenbot.com/article/2145380/why-and-how-to-encrypt-your-android-device.html

==RedPhone / TextSecure / Signal==

Apps by Open Whisper Systems for encrypted communication:

- Android: RedPhone does calls, TextSecure does messaging
- iOS: Signal does both calls and messaging

==Location Tracking==

Be aware that your phone can be, and is, used to track you. Your cell provider has records of your phone's location, and advertisers track your phone's wifi signal to try to determine where you buy things.

==Tor for Android==

The Guardian Project has written a Tor client for Android, as well as a Tor browser.

=== Web Browsers (other than Tor Browser) ===

==Chrome vs Chromium==

Chrome is Google's web browser. It has two forms: Chrome, the proprietary version from Google, with closed-source parts you can't inspect (e.g., Flash), and Chromium, the open-source Free software version. Chromium is preferred over Chrome for privacy reasons.
==Privacy Badger==

https://www.eff.org/privacybadger

Attempts to do *behaviour-based blocking* of web trackers. Privacy Badger keeps track of content loaded across different websites. If something appears to be tracking you, it will block it from being loaded in the future.

Upside:
- adaptive filtering: detection based on behaviour

Downside:
- may take time to 'warm up' the filter
- may not catch everything that a blacklist would
- EFF allows advertisers to opt out of blocking if they promise to behave well / look like they're not tracking you

==Disconnect.me==

https://disconnect.me/

Blacklist-based filtering of web trackers. Disconnect.me has a blacklist of blocked content and prevents your browser from loading it. The Chrome/ium version of Disconnect also has a visualizer that lets you see which companies are tracking you across multiple sites.

Upside:
- extensive blocklist

Downside:
- on rare occasions blocking content can break a site, in which case you can temporarily pause the blocking if need be

==HTTPS Everywhere==

https://www.eff.org/https-everywhere

Forces the browser to use TLS (encrypted) connections when possible. Some sites allow you to connect securely but don't require it.

Scenario: You're browsing a webpage and see a link like http://en.wikipedia.org/wiki/Daniel_Ellsberg
HTTPS Everywhere rewrites this link to https://en.wikipedia.org/wiki/Daniel_Ellsberg automatically.

Scenario: You're on an open wifi and you click a link to an HTTPS login page. But an adversary has MitM'd the page and replaced the link with an HTTP one, so they can steal your account details. HTTPS Everywhere prevents the downgrade.

HTTPS Everywhere also has an option to block all unencrypted requests.

Scenario: You're on a network you don't trust (e.g., open WiFi, Tor) and want to prevent injection / spying. HTTPS Everywhere lets you block any unencrypted requests.
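To make the Privacy Badger vs. Disconnect.me trade-off concrete, here is an added example (not the code of either extension) that replays a constructed log of page loads through two blockers: a blacklist blocker that blocks a third party only if it is on a list, and a behaviour-based blocker that blocks a third party once it has been seen setting tracking state on enough distinct first-party sites. The domain names, the "sets a cookie" signal, and the threshold of three sites are assumptions made for the example; the opt-out set stands in for the advertiser exemption the page mentions.

```javascript
// Added example: blacklist-style vs behaviour-based tracker blocking.
// Not Disconnect.me's or Privacy Badger's code.

// Blacklist-style blocking: decision depends only on the list.
class BlacklistBlocker {
  constructor(blocklist) { this.blocklist = new Set(blocklist); }
  observe() {}                                   // nothing to learn from traffic
  shouldBlock(thirdParty) { return this.blocklist.has(thirdParty); }
}

// Behaviour-based blocking: a third party that sets a cookie on `threshold`
// or more distinct first-party sites is treated as a tracker (assumed heuristic).
class BehaviourBlocker {
  constructor(threshold = 3) {
    this.threshold = threshold;
    this.seenOn = new Map();                     // thirdParty -> Set of first-party sites
    this.optedOut = new Set();                   // parties exempted from blocking
  }
  observe({ firstParty, thirdParty, setsCookie }) {
    if (!setsCookie) return;                     // plain content (a CDN) is not tracking state
    if (!this.seenOn.has(thirdParty)) this.seenOn.set(thirdParty, new Set());
    this.seenOn.get(thirdParty).add(firstParty);
  }
  shouldBlock(thirdParty) {
    if (this.optedOut.has(thirdParty)) return false;
    const sites = this.seenOn.get(thirdParty);
    return sites !== undefined && sites.size >= this.threshold;
  }
}

// Replay the log: a request is either blocked, or loaded and observed.
// Returns the blocked requests in order, which makes the warm-up lag visible.
function replay(blocker, log) {
  const blocked = [];
  for (const req of log) {
    if (blocker.shouldBlock(req.thirdParty)) blocked.push(`${req.firstParty} -> ${req.thirdParty}`);
    else blocker.observe(req);
  }
  return blocked;
}

// Constructed browsing log. tracker.example is a known tracker; newtracker.example
// is one no blacklist has heard of yet; cdn.example just serves static files.
const LOG = [
  { firstParty: 'news.example',  thirdParty: 'tracker.example',    setsCookie: true },
  { firstParty: 'news.example',  thirdParty: 'cdn.example',        setsCookie: false },
  { firstParty: 'shop.example',  thirdParty: 'tracker.example',    setsCookie: true },
  { firstParty: 'blog.example',  thirdParty: 'tracker.example',    setsCookie: true },
  { firstParty: 'forum.example', thirdParty: 'tracker.example',    setsCookie: true },
  { firstParty: 'forum.example', thirdParty: 'cdn.example',        setsCookie: false },
  { firstParty: 'forum.example', thirdParty: 'newtracker.example', setsCookie: true },
  { firstParty: 'news.example',  thirdParty: 'newtracker.example', setsCookie: true },
  { firstParty: 'shop.example',  thirdParty: 'newtracker.example', setsCookie: true },
  { firstParty: 'blog.example',  thirdParty: 'newtracker.example', setsCookie: true },
];

function compare() {
  return {
    blacklist: replay(new BlacklistBlocker(['tracker.example']), LOG),
    behaviour: replay(new BehaviourBlocker(3), LOG),
  };
}
```

`compare()` shows both downsides from the page at once: the blacklist blocks every `tracker.example` request from the first page load but never touches `newtracker.example`, while the behavioural blocker lets three loads of each tracker through before it has seen enough to act, and then blocks the unknown tracker too.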
You can also opt in to the EFF's SSL Observatory and submit anonymous reports about the encrypted connections you see. This allows the EFF to detect attacks against HTTPS.

==Ad Blockers==

uBlock Origin is very efficient and lightweight.

- Chrome/ium: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
- Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?src=search

You can choose to add extra blocklists; the more restrictive you choose to be, the higher the likelihood of a website breaking. Ad blockers improve performance as well as protecting your privacy.

==Flash & other plugins==

Friends don't let friends run Flash. The Flash plugin is a huge source of security flaws and you're much safer without it. Flash also allows websites to track you in ways that are harder to block with standard tools.

In the event that you really, really, really need Flash for some reason, you should minimize your risk by enabling click-to-play.

Scenario: Your browser is redirected to a malicious page with an invisible Flash applet that exploits a security flaw. You visit the page, and your computer is silently compromised. With click-to-play, the applet does not run until you explicitly allow it.

- Firefox: Add-ons > Plugins > "Ask To Activate" or "Never Activate".
- Chrome/ium: Settings > Advanced Settings > Content Settings > Plug-ins > "Let me choose when to run plug-in content".

Flash is slightly less dangerous in Chrome/ium since it runs in a sandbox.

==Javascript==

Disabling Javascript prevents many attacks, but also breaks most websites. Running Javascript on HTTP sites is dangerous since anyone between you and the website can inject their own scripts that run in your browser.

In Chrome/ium, it's possible to block Javascript on all insecure sites: Settings > Advanced Settings > Content Settings > JavaScript, select "Do not allow any site to run Javascript", then "Manage Exceptions" and add "[https://]*". This blocks all JS and then allows it on secure connections.
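The three HTTPS Everywhere scenarios above and the Chrome/ium "[https://]*" JavaScript exception are two sides of one per-request policy, worked through in this added example (not the EFF's or Chrome's code). An HTTPS Everywhere rule is a regular expression that matches an `http://` URL plus a replacement that produces the `https://` form; the two rulesets here are constructed for the example and cover only the hosts used in it. `decideRequest` applies the rewrite first, then the optional "block all unencrypted requests" mode, and reports whether scripts may run, using the page's rule that JavaScript is only allowed on secure connections. `scriptsAllowed` parses exception patterns of the form shown on the page (an optional `[scheme://]` prefix, `*` for any host, `[*.]host` for a host and its subdomains); the pattern syntax beyond `[https://]*` is an assumption for the example.

```javascript
// Added example: HTTPS upgrade rules, the block-unencrypted option, and a
// scripts-only-on-HTTPS exception matcher. Not the code of any real extension.

// Constructed rulesets in the HTTPS Everywhere shape: `from` matches an http://
// URL, `to` is the https:// replacement ($1 re-inserts the subdomain, if any).
const RULESETS = [
  { name: 'Wikipedia', from: /^http:\/\/([a-z]+\.)?wikipedia\.org\//, to: 'https://$1wikipedia.org/' },
  { name: 'EFF',       from: /^http:\/\/(www\.)?eff\.org\//,          to: 'https://www.eff.org/' },
];

// Rewrite an http:// URL to https:// if a ruleset covers it (scenario 1 and 2).
function upgradeUrl(url, rulesets = RULESETS) {
  for (const rule of rulesets) {
    if (rule.from.test(url)) return { url: url.replace(rule.from, rule.to), rule: rule.name };
  }
  return { url, rule: null };
}

// Full per-request decision. blockUnencrypted mirrors the "block all
// unencrypted requests" option (scenario 3). `scripts` is true only when the
// final URL is https, matching the Chrome/ium exception "[https://]*".
function decideRequest(url, { blockUnencrypted = false } = {}) {
  const { url: finalUrl, rule } = upgradeUrl(url);
  const secure = new URL(finalUrl).protocol === 'https:';
  if (!secure && blockUnencrypted) return { action: 'block', url: finalUrl, rule, scripts: false };
  return { action: rule ? 'upgrade' : 'allow', url: finalUrl, rule, scripts: secure };
}

// Parse an exception pattern: optional "[scheme://]" prefix, then "*" (any
// host), "[*.]host" (host and subdomains) or a literal host.
function parseExceptionPattern(pattern) {
  let scheme = null;
  let host = pattern;
  const m = /^\[([a-z]+):\/\/\](.*)$/.exec(pattern);
  if (m) { scheme = `${m[1]}:`; host = m[2]; }
  let subdomains = false;
  if (host.startsWith('[*.]')) { subdomains = true; host = host.slice(4); }
  return { scheme, host, subdomains };
}

// Would the content setting "block all, except these patterns" let scripts run?
function scriptsAllowed(url, exceptionPatterns) {
  const u = new URL(url);
  return exceptionPatterns.map(parseExceptionPattern).some(({ scheme, host, subdomains }) => {
    if (scheme && u.protocol !== scheme) return false;
    if (host === '*') return true;
    return u.hostname === host || (subdomains && u.hostname.endsWith(`.${host}`));
  });
}

// Usage: the page's own Wikipedia link, a downgraded login link, and an
// unrelated http:// site under the block-unencrypted option.
function demo() {
  return {
    wikipedia: decideRequest('http://en.wikipedia.org/wiki/Daniel_Ellsberg'),
    loginLink: decideRequest('http://www.eff.org/login', { blockUnencrypted: true }),
    untrusted: decideRequest('http://plain.example/', { blockUnencrypted: true }),
  };
}
```

In `demo()`, the Wikipedia link is upgraded and scripts are allowed; the downgraded EFF login link is rewritten back to https before the block step, so it still loads; and the plain-HTTP site, which no ruleset covers, is blocked outright under the block-unencrypted option.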
In Firefox, NoScript allows you to block Javascript. The Tor Browser has a slider that allows you to adjust your security level, including blocking insecure Javascript.

===OTR===

Use OTR over Jabber/XMPP -- see the Safe Hub Collective guide: https://tech.safehubcollective.org/cybersecurity/

===Tor===

Anonymity network; anonymity vs. privacy: https://www.eff.org/pages/tor-and-https

How Tor works: https://www.torproject.org/about/overview.html.en

===TAILS===

Anonymous live-USB operating system with Tor.