Digital Security for Everyone

Version 3 – Updated September 2024

Share this guide link: actionskills.au/sec

This guide is designed for beginners and non-technical people with the aim of increasing security across our whole community. The content is based on research, working with security experts and on-the-ground experience working with community activists and people who believe government and corporations do not have the right to spy on people by default.

Ten quick and easy things to radically improve your digital privacy and security

If this guide feels like too much, start with these 10 things.

Please Note

Security is always changing, so do some extra research yourself about recommended tools. The safety of tools can change suddenly if we learn of new exploits or risks with tools. Sometimes great tools get sold to dodgy corporations. Please use these recommendations in context with some healthy cynicism and common sense.

Webinar discussing this content and tools

A 2-hour discussion of the content of the previous guide, published in 2020.

Why Secure myself? – I am not doing anything worth spying on

Many people believe that they are not worth spying on. There are many reasons to protect yourself and your community.

Who are we protecting from?

Security has many levels and protects you from different levels of spies. It is important to understand that the people more likely to target you are probably the least sophisticated. This means any improvement to your security will go a long way.

Herd Immunity – My part in protecting everyone

If only a few people are protecting themselves they become targets, as it is assumed they have something worth spying on. When you and others start protecting themselves, then it gets very difficult and expensive to spy on everyone.

Don’t let Paranoia stop you organising

Although they come with risks, digital tools allow us to leverage our actions and communications in unprecedented ways. If we stop using these tools due to security, we have lost before we have even started. Use the tools wisely. Some risks are involved but missing the big opportunities is a far bigger risk.

Convenience VS Security

Some security technologies can be less than convenient, such as typing long passcodes into your phone and surfing with slower internet speeds via Tor. It is up to you how much you balance security and convenience. Many security approaches and technologies do not impact on convenience, so apply as many security lessons as you practically can.

Be geek street-smart – Security is not perfect

High-end security is very complex and can make using your technology less convenient. The aim of this guide is to implement good security and not perfect security. Unless you understand the technologies at a technical level, always assume your system is compromised and use your technology wisely. You may have perfect encrypted messaging but your system may have malware that is recording your keystrokes.

Digital literacy – learn your technology

Computers have given us powerful tools that also need maintenance and management. Learning the basics of how your computers and phones work will make you far more savvy in understanding digital security.

Encryption works – What is encryption?

Encryption involves using advanced mathematics to scramble your data, making it impossible to access without your key (password). The Snowden leaks have proven that encryption works and we can protect ourselves from spying.

Encrypt all devices, drives and sensitive folders

Encrypting is usually a simple matter of turning encryption on via your device’s settings. By enabling encryption you make hacking your device either impossible or very difficult and resource intensive.

Multiple backups

Your data can be lost in many ways: Fire, theft, failure, arrest, loss etc. You can also lose data if you apply some security measures incorrectly. Make sure you have adequate backups before you start securing and encrypting.

Update your software regularly – apply updates

There is a constant loop happening: Hackers find exploits in software and the software people patch them up. Make sure you apply the latest versions to all your software including operating systems, apps and websites to ensure you have the latest secure versions. Unpatched software is a very common way to be hacked.

Lock your computer and phones. Review security settings

Turn on auto-screen lock features using passwords and 2FA. Facial recognition lock can be unlocked by police using your face (same with fingerprint). Turn the phone off if police are likely to confiscate it, as this makes it much harder for them to break into a phone before it has been logged into for the first time. Alternatively, put your phone in lockdown mode if you don’t want to turn it off, as this is also more secure than the regular lock screen. Review and configure security settings. Review and configure app settings (e.g. turn off location unless it explicitly needs location). Most apps have too many permissions on by default.

Phone security

Phones have become very complex and usually ship with dodgy settings out of the box, so the first and most important rule about modern smart phones is DON’T TRUST THEM. Make sure you are geek street-smart.
Here are some ways to improve your phone security.

Secure Phone communications

Anything encrypted is better. SMS and voice were built to be intercepted and recorded (since the paper telegram days). Apple messenger and FaceTime are respected, but require an iPhone. Older phones have lots of vulnerabilities – not recommended.

  • Signal replaces SMS / voice / video
  • Session A version of Signal that does not require a phone number for your account. Fork of Signal, new identity each session
  • Keet.io Keet only shares end-to-end encrypted data between the participants in every call.
  • Firefox Relay Masks your phone number with an alias
  • DELETE - Keybase Acquired by Zoom. Zoom is partly owned by Israeli spyware company NSO.
  • DELETE - WIRE Move to high cost model, cryptobro fascists.
  • DELETE - Telegram Has never implemented e2ee effectively. User data is maintained and likely to be handed over to EU due to Pavel Durov’s arrest. Content control is unsafe and carries risk of doxxing. Common route for message injection of Dark Caracal and Pegasus spyware used to assassinate dissidents by Israel.
  • DELETE - WhatsApp Never been safe. Delete. E2EE unimplemented, Meta has handed geolocation data to ISR to target 160 murdered journalists. Meta also trains facial and targeting machine learning on SM content.
  • DELETE - Wickr compromised in 2021

Smart password management

Weak passwords are a primary way to hack you. Simple passwords can be broken by a “brute force attack” where average computers have enough resources to crack them reasonably quickly. YOU NEED A PASSWORD MANAGER

Antivirus and scanners

We have been discussing antivirus and specifically this article: Do You Even Need Antivirus Software in 2024. Apple and Microsoft Defender are now just as good as the anti-virus software. Installing anti-virus brings privacy risks as the application has so much access to your computer. This is a big change for us. Updating this guide […]

Location and tracking

Your location is being tracked and recorded via your mobile device. Many private companies are recording and selling this info. Many drone assassinations in the Middle East are targeted via the location of a person’s mobile device.

MFA – Multi-factor authentication

Sometimes called two-factor verification. This provides multiple methods to verify yourself in addition to your usual login user and password, which vastly improves your security while using online apps and websites. MFA apps are the recommended approach, as the common approaches of SMS or email codes could be spoofed or hacked.

  • Ente Auth
  • DELETE Authy Has become problematic since bought out by Twilio
  • DELETE Google Authenticator We don't trust Google

Private Internet – Stop using Google and Facebook (so much)

Treat Google and Facebook like “Junk Food” and seek to limit your consumption.

  • Startpage Anonymous search. Alternative to Google search without the tracking
  • DuckDuckGo Anonymous search. Alternative to Google search without the tracking

Private Internet – Block ads and trackers

Minimise browser plugins as some have built-in trackers. Cookies are stored in your browser to personalise your experience on websites and are also used to track you. Delete these regularly (every time you quit) to reduce their ability to build a profile on you. In Brave/Chrome > clear browsing data > on exit.

  • Brave Browser Chrome browser with adblockers and tracking protection built in
  • Lightbeam Visualise the trackers that are tracking you

Private Internet – VPN – Virtual private network

A VPN works by connecting your computer (using encryption) to another computer located somewhere else in the world. Your access to the internet then comes from that computer located somewhere else in the world. So if the computer is located in France, then you are surfing from France. The mandatory data retention scheme implemented by […]

Private Internet – Tor – Anonymous Browsing

Tor bounces internet users’ and websites’ traffic through “relays” run by thousands of volunteers around the world, making it extremely hard for anyone to identify the source of the information or the location of the user. Use Tor with your VPN and ideally with a secure OS and burner laptop. Unfortunately Tor can slow your internet […]

Private Internet – Anonymous Connection

You could use public wifi, but be careful and use a VPN, as public wifi networks are insecure and can be used to hack you. You can also order an overseas SIM online with Australian data roaming – that doesn’t require ID.

Private internet – commerce

There are two major ways to buy things anonymously online. The first one is using Visa or Mastercard gift cards. These can be bought with cash at many supermarkets and at Australia Post. The other way is using the crypto-currency: Bitcoin. Please search for more information on the Bitcoin technology and how to use it.

Advanced anonymous internet

So you want to be a ninja online? Like martial arts, to be truly invisible online you need to spend a lot of time becoming an expert in the technology. There are no shortcuts to becoming a martial arts ninja but there are some ways to skill up without being a top level security geek.

Security Culture – working in groups

Security culture is an agreement made by a group which outlines the minimum security, tools and security processes the group will use. This allows individuals to understand their personal risk as well as the risk to the group and the group’s actions.

Remote Group collaboration – working online

Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the documents, user list and the chat logs. Nextcloud is a secure replacement for the Google collaboration ecosystem.

Document Collaboration

CryptPad provides realtime collaborative docs similar to Google Docs. Due to its secure nature it lacks an easy way to group documents, so you need to create and manage an inventory of the secure URLs. You can also use a desktop text or document editor and share by encrypted channel (not realtime).

Secure Email

Google and similar tools are not encrypted: authorities can request the hosting companies to hand over your data. Secure email can be simplified by your group using only one email service such as riseup, tutanota, or protonmail. This means the “end to end” (from your email to your friend’s email) encryption is managed by the […]

Group Chat

  • Matrix
  • Semaphor I have not used this since the new version, which is now free. Recommended by security geeks
  • Signal Small groups – (large groups make it annoying to use as main SMS replacement)
  • DELETE - Keybase Acquired by Zoom. Zoom is partly owned by Israeli spyware company NSO.

Video conferencing

We are looking for a better option for video conferencing. It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.

  • Jitsi The best ethical choice - turn on the encryption. Can be unstable
  • FaceTime Apple has a good reputation for security but requires an iPhone or Mac.
  • Signal Signal is good for one on one video
  • DELETE - Zoom Zoom is partly owned by Israeli spyware company NSO.

Phones and laptops in meetings

Microphones and cameras can be remotely activated without you knowing. Good practice is to gather all devices and remove them from meetings. Even if they have dead batteries, this encourages good security culture. Some people place tape over their laptop camera because someone watching you remotely is creepy.

Databases and CRMs

(In our context) A database is a collection of information on people. A CRM (Client Relationship Manager) is a specialised database for managing people’s information, interactions and relationships with people. As database tools become more advanced, we are increasingly building up a lot of information so we need to pay special attention to privacy […]

Email list management

Should be self-hosted somewhere overseas. The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account solely dedicated for receiving emails from the email list.

Secure PC Operating System

More digital security guides

Last updated: March 22nd, 2021

Creative Commons Licence
More digital security guides by actionskills.co is licensed under a Creative Commons Attribution 4.0 International License.
https://actionskills.au/resource/security-links/.