Windows 10 is going to reach the end of support on October 14, 2025. Following that date, technical assistance, feature updates and security updates will no longer be provided. And while Windows Defender will continue getting support on Windows 10, the lack of security updates will expose your computer to a heightened risk even if your antivirus software is still working.

Upgrading to Windows 11 is the most straightforward way to keep your computer safe, but if you have an older device, this option may not be immediately available as Windows will consider your hardware unsupported. This post includes a series of solutions to keep your computer safe if you can't install Windows 11 through the standard updating procedure.

Before your proceed with any of the solutions recommended in this post, it is crucial that you back up your data, as some of the steps you will take might make it impossible to access the content of your hard drive, or even erase it.

If Windows 10 has already reached the end of support, you can buy some time to consider thoroughly which solution is best for you by enabling Extended Security Updates, a paid service to keep receiving important security updates on Windows 10.

Find a workaround to install Windows 11 on "unsupported hardware"

Even if the PC Health Check app tells you that your PC "doesn't meet the minimum requirements for Windows 11", you might still find a way of switching to Windows 11. Here's a few steps you can follow:

1. Try to fix the issue:
   • Check for updates: the error message might disappear after you update your drivers and BIOS.
     • Learn how to update software in your computer in Microsoft's support page on how to update drivers through Device Manager in Windows.
     • Learn how to update your BIOS in Makenzie Buenning, How to Update BIOS on Your Windows PC.
   • Check if you can enable TPM and Secure Boot in your BIOS.
   • Consider upgrading the hardware of your computer. If your hardware doesn’t meet the requirements, upgrading components like the RAM or graphics card could resolve the issue.
   • Read more on these steps in Jacob Bergman's post on how to fix "This PC Doesn’t Meet the Minimum Requirements for Windows 11".
2. If none of the steps above work or are possible, you can still bypass the requirements for installing Windows 11. This approach might lead to instability though, so it's best to avoid this solution if you use your computer for crucial tasks.
   • Learn more on this option in Les Pounder and Avram Piltch's post on how to bypass Windows 11's TPM, CPU and RAM requirements.

Install Linux

If your computer is perfectly functioning and you don't need specific software that only runs on Windows, this is the perfect time to switch to a different operating system, ideally to Linux.

• If you are interested in this option but need someone to support you, check out the Linux support page in the End of 10 website.
• Linux comes in many different flavors. To choose the one that works best for your needs, read Lucas Rees' Best Linux Distro: How to Choose Guide for Every User. We recommend Ubuntu, Linux Mint and Debian for their stability, security and user-friendliness.
• Read our guide on how to set up a Linux computer more securely.
• If you need increased security, consider installing Qubes OS and configuring it based on the SecureDrop guide for journalists and human rights workers.

Get a new computer

If your computer running Windows 10 is older and not very functional, you could consider buying a new computer.

• The cheapest option would be to get a computer without any operating system and then install Linux on it.
• If you work for a nonprofit organization or a public library in the U.S., you can get a discount on a Windows 11 license, or even on a laptop, through TechSoup.
• If you need to get a cheaper computer that is ready to use, consider getting a Chromebook, a laptop that runs ChromeOS, a proprietary operating system developed by Google.
• If you have enough funding for it, you can also consider buying a new computer with Windows 11 (possibly Pro) installed on it, or a Mac.

Image: The end of 10. No more 10., by Mitch Groff, released under the Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic license.

In some regions, prominent human rights defenders, activists, journalists and lawyers have to choose between going into exile or risking to be arrested and legally prosecuted, often in unfair conditions.

This is a situation that the Front Line Defenders Digital Protection team has been frequently observing especially in Central American countries like Guatemala, El Salvador and Mexico.

To help people at risk protect their activities, information and contact networks, we have developed a series of guidelines and recommendations that can make it harder to extract data from their personal and work devices.

If you are preparing to go into exile or to travel in riskier situations, read our guide on how to protect your information and devices while traveling.

Assess your situation

Talk to a lawyer

• Assess your legal situation: how likely is it that you will be detained?
  • If you work with a group, the recommendations in this post are not necessary for the whole staff of your organization, but they are essentials for those most at risk.
• Know your rights. In particular you may want to know if:
  • you can refuse to provide the passwords or codes to unlock your phone and computer;
  • the agents need a warrant from a judge to seize your devices;
  • they need a warrant that specifies which devices (brand and model) they can take;
  • you can refuse to provide the passwords to access your social media accounts and other online services;
  • you can make one or more phone calls after you have been arrested;
  • you can call a lawyer before you provide any information to the authorities.
• Remember: if violent interrogation or torture are a possible scenario, it is better to have empty devices, so you can provide your passwords without exposing yourself or others to higher risks.

Map your data

As a first step to prepare for a possible detention, take an inventory of the most important information in your devices (phones, computers, external hard drives, USB sticks, SD cards, etc.). Include in your inventory all information you store online (on online storage platforms, mailboxes, etc.)

• You can find recommendations on how to proceed in the Holistic Security Manual.
• Don't forget to go through all your devices and make a digital inventory of any sensitive information: pictures, text documents, PDFs, chats, attachments, login credentials, etc.

Prepare for potential detention

When you have a clear vision of what your devices contain, you can proceed to:

1. deleting what you don't need;
2. backing up what you want to keep;
3. deleting what you've backed up from your computer and phone;
4. disconnecting your devices from online storage platforms and mailboxes where you keep sensitive information;
5. (if possible) uninstalling any apps that you use to access online services and only accessing them through a browser.

Back up important information

• Learn how to back up your data more securely.
• You can choose to back up important information on an encrypted external storage device and/or on a secure online storage platform.
  • When making this choice, consider: could the authorities decide to seize your external storage devices and force you to give them the password to decrypt it, or try to crack the password? If so, consider backing up on a secure online storage platform and access this platform only through a browser so you can better hide that you have account on that platform.
• If you keep producing content in your devices, repeat the backup process regularly and then delete all information again.

Minimize data in your devices

Try to reduce the data in your phone and computer to a bare minimum: what is not stored on your devices can not be breached by any tool or person.

• Once you have completed your backup, delete all data, or at least the most sensitive ones, from your devices.
  • Read our guide on how to securely destroy sensitive information.
• Go through our guide on how to protect your information and devices while traveling for more recommendations on how to clean up your devices before agents search through them.
• Consider keeping all your data and work in a secure cloud storage service.
  • Try to access the online storage platform through a browser rather than through an app.
  • Make sure to delete all browsing history at the end of each session. This way you can keep working without storing data in your device.
  • Consider accessing the online storage platform through Tails to reduce the risk of leaving traces of your activities in your devices.

Store sensitive files in a secure app

• If you really need to keep some files in your computer, consider storing them in a secure app.
  • Consider storing sensitive information in a hidden Veracrypt volume if you're using a computer.
  • Consider using Tella if you're storing sensitive data in a phone. On Android, you can also camouflage Tella so it looks like a functional calculator.

Protect your devices against malware infections

If you think there might be an ongoing investigation on you, be sure to protect your devices against the risk of surveillance through spyware.

• Read our guide on preventing malware infections.

Prepare your phone

For all phones

• If you can, avoid linking your phone to your personal Google or iCloud account; if you really need Google or iCloud services, create a new account.
• Avoid biometrics to lock your phone. Instead, use at least a 6-digit PIN, or even better a password with a minimum of 8 characters.
• Make sure automatic updates are enabled.
• Remove all the apps that contain private or sensitive information or that connect to online services including personal, sensitive or valuable information and/or your contacts network, as most likely the authorities will be able to access them through forensics tools.
  • If you don't want or cannot delete these apps, consider hiding them.
• Use your phone only for less sensitive purposes.
• Read our guides on how to use Android or iOS more securely.
• On iPhone, enable Lockdown Mode.
• On Android, enroll in Google's Advanced Protection program.

[Optional but recommended] Install Graphene OS

• If you can, buy a new or used Google Pixel (ideally an 8a or a more recent model).
• Get a trusted technologist to remove the default operating system by installing Graphene OS.
  • We recommend you follow the instructions in the anarsec guide on how to install and configure Graphene OS.
  • Once Graphene OS is installed in your phone, use the Auditor App to ensure that your device is running a verified operating system with a locked bootloader and that you will be able to check in the future that no tampering has occurred..
• Create different profiles on the phone (admin, work, bank, social media, etc.).
  • We recommend to create (at least) a second user profile on Graphene OS. Use the first profile (owner profile), the one that you created when installing the operating system, only to install apps and for administration purposes. Use the other profile(s) for communications, data storage, etc. This will ensure even better protection of your data.
• Use the default browser and PDF reader built into Graphene OS.
  • In Graphene OS, the PDF reader and Vanadium browser are specially hardened to cover several attack vectors.

Prepare your computer

• Follow our guides to use macOS, Windows or Linux more securely.
• If you really need to keep information in your computer, make sure to encrypt your hard drive.

[Optional but recommended] Use Tails on your computer

Tails is an operating system that runs on a USB stick or an SD card. Once you turn off your computer, no traces of your work stay in the hard drive or RAM. Also, Tails only connects to the internet through the Tor network, so your online traffic is also anonymized.

By using Tails, you can avoid leaving any traces of your most sensitive activities in your computer, so if your device is seized nobody will be able to find out what you had been doing with it.

• Read more about Tails.
• Learn how to install Tails in a USB stick or SD card.
• Learn how to start using Tails.

If you need, you can also create a persistent storage volume inside your Tails stick and store sensitive information inside this encrypted container.

• Read more on persistent storage.
  • Note that the persistent storage is not hidden. An attacker in possession of your USB stick can know that there is a persistent storage volume and force you or trick you to give out its passphrase. If you need to hide sensitive data, consider using a VeraCrypt hidden volume in an external storage device instead.

[Optional] Install Qubes OS to protect your data from online attacks

If you need to protect your data from online attacks, consider installing Qubes OS and configuring it based on the SecureDrop guide for journalists and human rights workers.

• Qubes OS is an operating system developed to increase security by isolating different compartments (called qubes) inside your computer. You can assign some of these compartments to less sensitive purposes while completely isolating from the internet other qubes containing more sensitive information.
• Qubes OS will not necessarily protect your data from someone who can use forensic tools to search your computer, but it can protect sensitive information from remote attempts at hacking into your computer.

Review your password strategy

The weakest point of any encryption, secure tool or service is the password you use to protect it with - if your passwords are not strong enough, it won't take a lot of effort to crack them and decrypt your sensitive data or access your online platforms and communication tools.

• Make sure you are using strong and unique passwords.
• Save your passwords in a secure password manager.
  • If you are using an offline password manager like KeePassXC, back up your password database securely.
• Use 2-factor authentication for all your online accounts.
  • When you enable 2-factor authentication make sure to download backup codes and save them in your password manager together with your password for that account.
• If you use a 2-factor-authentication app, make sure to back it up somewhere safe. To make sure you can back up your codes, consider using one of the following apps:
  • Proton Authenticator (for Android, iOS, Windows, macOS and Linux) lets you back up your 2FA codes to iCloud on Apple devices or to a location of your choice on Android devices. If you're using an Android device, you can also choose the frequency of your backups.
    • Learn how backups work on Proton Authenticator
  • Aegis for Android backs up your codes automatically.
  • Raivo for iOS syncs your one-time passwords to iCloud.

Chat more securely

• Read our recommendations on using messaging apps more securely.
  • In particular, make sure to protect your sensitive chats with end-to-end encryption and enable disappearing messages in all your chat apps.
• Use a messaging app that protects your communications through end-to-end encryption by default, ideally Signal or another secure messaging app.
  • Learn how to use Signal more securely.

Protect your connections

If you think there might be an ongoing investigation on you, be sure to protect your connections from online surveillance.

• Learn how to browse the web more securely.
• Only connect to the internet through a trusted VPN.
  • If you need to be sure that nobody can trace your online activities back to you, consider anonymizing all your connections through Tor.

Possibly don't use apps to access online services

• If you need to access your sensitive emails or online cloud service, use a browser to log in and then log out when you're done. Avoid using apps for your online accounts whenever possible: this will reduce the traces of your activities you leave in your devices.
  • After logging out from your accounts, make sure to set your browser to delete all your browsing history at the end of every session and close the browser.

Choose trusted contacts you can inform in case you are arrested

• Consider securely giving your trusted contacts passwords to your most sensitive accounts and to your Google or iCloud accounts and asking them to suspend your social media accounts and wipe your phone remotely in case you are arrested.
  • When sharing a password with someone, only do this in person or through secure communication tools protected by end-to-end encryption. Ideally, share with them a KeePassXC database rather than the passwords in an unencrypted document.
  • Read our recommendations on how to share passwords more securely.
• Make a list of digital security helplines to support your contacts in suspending your accounts more quickly.
  • Among the helplines that can help, consider Access Now Digital Security Helpline and Front Line Defenders' emergency contact.
  • Also review the Digital First Aid Kit support page to look for help desks that may support your contacts for specific needs.

Set emergency apps to inform your trusted contacts and delete sensitive data

• On Android, you can set the Personal Safety app to start emergency actions like calling for help, sharing your location with your emergency contacts or recording video.
  • If you have an Android device, you can also install Ripple and set it to delete all sensitive data and apps in case of an emergency.
• If you have an iPhone, you can use Emergency SOS to alert your emergency contacts about your arrest and share live video or existing photos with them.

During the detention

• If possible, keep all your devices off.
• Only turn on your phone to call your trusted contacts (if you are allowed to do so). After calling them, switch off your phone again and do not unlock it.

Once you are released from detention

• If the authorities give you back your devices, do not use them until an expert can run a forensics analysis and make sure they're clean from malware.
• Consider that it might be impossible to confirm your devices have been infected and that you might have to replace them entirely.

Resources

• Coping with Prison
• Front Line Defenders, Workbook on Security: Practical Steps for Human Rights Defenders at Risk, Appendix 9, Check list: Detention / Arrest / Abduction / Kidnap, pp. 78-80, 2011.
• EFF Surveillance Self-Defense, Security Scenarios - Human rights defender? Recipes for organizations who need to keep safe from government eavesdroppers
• IBON International, A Quick Guide on Security for Human Rights Defenders (last updated: February 14, 2025)
• Craig Higson Smith, Daniel Ó Cluanaigh, Ali G. Ravi, Peter Steudtner, Holistic Security Manual, "Creating Security Plans and Agreements", p. 134 ff., 2016.

Image: Blockhead, Los Angeles 2017, by Hans-Jörg Aleff, released under the Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic license.

After almost 6 months from our latest blog post announcing news on Security in a Box, here's one more update on what's new in the website, starting with the announcement that at this point all the content in the guides linked from the home page has been completely updated in the past year and a half, and keeps being continuously updated and reviewed also thanks to the suggestions for improvement we receive through emails and Gitlab issues. Thanks to all the people who have taken the time to give us feedback!

But there is more: we have created new guides, added new features, updated some more tool guides and kept translating all the new and updated content into twelve languages: Arabic, Burmese, Chinese, Farsi, French, Indonesian, Pashto (with the help of UN Women), Portuguese, Russian, Spanish, Turkish and Vietnamese.

Here's a complete list of what we added and updated in Security in a Box during the first quarter of 2025:

New features

• Security in a Box has now a search engine. This means that you don't have to explore the whole website to find answers to your questions: just click the lens icon in the top right corner of the website and a pop-up window will open where you can enter your key words and find the resources you are looking for.
• This blog has now an RSS feed that will allow you to keep yourself updated on everything we write here. If you use an RSS reader, click the RSS icon above the list of posts in the home page or just copy this RSS feed link and add it to the RSS feeds in your reader.
• We have added new Assess & Plan section, which include guides on how to assess your needs and threats and get ready for protecting yourself against potential threats. The Assess & Plan section currently includes the guides on physical security and on safer communications that were previously located in different sections of the website, as well as the new guide on how to Protect your information and devices while traveling.

New guides in Security in a Box

In the first quarter of the year, we added these new resources to Security in a Box:

• Protect your information and devices while traveling - a guide we felt was highly needed, especially given the current restrictions in border security controls around the world.
• Protect your data when using TikTok - another guide that was long overdue, given how this platform is being used more and more as a communication channel by journalists, activists and media outlets.

Guides updated in 2025

In the past 5 months, we have also completely reviewed the following guides:

• The whole section on safer communications
• Protect yourself and your data when using Instagram
• Protect yourself and your data when using X
• Protect the privacy of your online communication

What's next

In the next few months, we will keep updating, expanding and restructuring Security in a Box. If you are curious about what we are planning to do, have a look at this Gitlab issue in particular, where we have defined our general update plan and are keeping track of our progress.

How to contribute

Security in a Box is an open-source resource, and we always welcome comments and suggestions. You can find instructions on how to give us feedback in our README page. We look forward to hearing from you, and to make Security in a Box always a bit more useful thanks to your input!

Image: Illustration to promote cybersecurity submitted in the Cybersecurity Visuals Challenge 2019 hosted by OpenIDEO, by Thomas Grimer, licensed under the Creative Commons Attribution 4.0 International license.

Human rights defenders and civil society members probably started using Twitter in the moment it was created, and at least by 2013 Security in a Box acknowledged this trend by publishing a guide on how to use Twitter securely. After recurrent updates, that guide still exists, although the name of the platform has since changed to X.

Over the years, Twitter has been used to distribute news quickly and to engage in open debates with selected communities of people sharing similar interests. Being mostly accessible to anyone without the need to create an account, it could be used to follow both what was happening in the world or in a certain sphere and what people were saying about it. A platform to follow individuals and organizations focusing on specific topics and sectors, Twitter helped make connections, and sometimes even friends, across the globe.

But like all centralized platforms, what Twitter allowed us to do largely depended on its terms of service and on the choices its owners were making. So after Elon Musk bought it in 2022, its policies and management changed together with its name, which became X after few months, in July 2023.

X is now mostly accessible only to people who have an account, it hardly moderates any abuse or disinformation, and has dissolved its Trust and Safety Council, the advisory group of independent civil, human rights and other organizations that used to address hate speech, child exploitation, suicide, self-harm and other problems on the platform. Furthermore, the company now reduces the reach of posts containing links (especially to news websites) and is generally showing an increase in the popularity of right-leaning users.

As a consequence, X has become a more toxic environment where harassers have the upper hand, and many important users and organizations have started leaving this platform. Among the media outlets and organizations that have recently left X there are, just to name a few, The Guardian, NPR,EDRi and Statewatch.

While X does not offer the same experience Twitter used to provide, some people and organizations still use it to distribute news, stay in touch with their contacts and participate in debates. It is certainly possible to keep doing so on other platforms, but some can reach a wider audience on X than on its alternatives.

Yet a campaign to kickstart a massive exodus from X has started, and there are some tools that allow you to stay in touch with your X network elsewhere and to troubleshoot other issues that may arise by moving to Mastodon or Bluesky. What follows is a few suggestions on what to consider when deciding where to move and what tools to use to make your move smoother.

What to consider before you leave X

If you are considering to leave X, it's a good idea to ask yourself some questions that will help you decide which alternative platforms or tools you can switch to. The first thing to note on this regard is that nothing will ever replace the experience you had on Twitter until 2022: X has replaced Twitter and has changed its dynamics for good, and although its number of users is still impressive, the open discussion platform it offered in the past has disappeared with its new policies and nothing has replaced that (yet).

In order to decide what alternative platforms you can switch to, ask yourself what you are using X for and what your needs are. Some reasons why people have been using Twitter and X are, for example:

• Distributing updates on one's activities
• Getting updates on news and current events
• Participating in political discourse
• Joining discussions on specific topics
• Entertainment
• Sharing videos
• Networking with like-minded people
• Brand promotion

Also ask yourself what communities you need to connect to: is it a wider audience or a specific niche? Do you want to follow celebrities, a group of people specializing on a topic, affinity groups or a group of friends? Do you just need to send updates to people who want to follow you or would you like to participate in conversations?

Alternatives to X

Depending on the answers you give to the questions above, you can make a plan for moving to one or more of the following alternatives:

1. Bluesky

Bluesky is currently the most popular alternative to X, and many people leaving X are moving to this platform.

Founded by Twitter co-creator Jack Dorsey, Bluesky makes it possible to tailor your user experience and to decide how your conversations are moderated. The down side is that Bluesky also belongs to a company, so if the company is sold to someone else its policies might change again. And while Bluesky is supposed to be based on a decentralized network, at the moment no other instance is connected to that network (although efforts are underway to change this situation).

2. Mastodon

The second most used alternative to X, Mastodon is a federated social networking platform that respects users' privacy and is based on free and open-source software.

It requires some more planning to start using it because you will have to choose the server you want to use, based on its community, code of conduct, moderation rules and content policies. You can choose your home server in the list of all Mastodon servers on joinmastodon.org, or also by checking where people and organizations you follow on X have been migrating to.

If you would like to start a Mastodon account, you can start from Fedi.Tips, an unofficial non-technical guide to using Mastodon and the Fediverse.

3. Threads (and other Meta platforms)

Threads is Meta’s microblogging platform. Some people are moving to it, and it can be a good idea to use it if you are focusing on advertising a brand and already are using other Meta platforms. However, Threads doesn't have as many users as other platforms and is not actively used by many people or entities. As for all other commercial social networking platforms, we suggest you to be cautious when deciding to create an account there.

Besides Threads, you may consider also moving your X activities to Instagram and Facebook, especially if they are used by many of your X followers already. If you decide to use these platforms, check out the Security in a Box guides on how to use Instagram and Facebook more securely.

4. A social media management tool that lets you use multiple different platforms at once

Another choice you can make, even without the need to leave X completely, is to start using a social media management tool that allows you to post on all the existing platforms at the same time. You can have a look at the topsocialtools website to choose the solution that works best for your needs.

6. Reddit

If your need is to follow and join conversations on specific issues, you can consider moving to Reddit, where you can follow topics of every possible kind, often without even the need to log in and with a focus on relevance given by the platform's upvote and comment system.

7. LinkedIn

If you use X as a professional, to network with colleagues, look for work and follow your industry, you can consider LinkedIn as an alternative to X.

10. An RSS feed reader

If you are using X to keep up-to-date on news, consider using an RSS feed reader to follow blogs, news outlets and most websites.

• Follow instructions on SocialBee to learn how to find the RSS feed of almost any site.
• Learn how to read your RSS feed on Thunderbird.
• On Firefox, you can use an RSS feed reader add-on like Feedbro.

11. Your own blog or website

If you are using X to distribute updates on your activities, and you have capacity to manage your own site, consider setting up a blog or website. You can also publish your RSS feed and accept comments to get feedback and have conversations about the news you publish.

12. A newsletter or a Telegram channel

If you need to keep your audience up-to-date on your activities, consider curating a newsletter or a Telegram channel. This will allow you freedom of choice regarding the content you publish and you can also choose to monetize this activity by using a newsletter tool like Substack or Mailchimp, or a premium account on Telegram.

Some useful tools

Once you have planned your X-odus, you will find it useful to know that there are some tools that will make your move easier.

• Cyd helps you create a local, private backup of your data — like all of your tweets, retweets, likes, bookmarks, and direct messages. Once you've done this, Cyd helps you delete all your tweets. If you subscribe to the premium version, you can also choose what data you want to delete from your X account and you can use Cyd to migrate your data from X to Bluesky.
  • Read Cyd's step-by-step instructions on how to close down your X account while keeping your username and telling your followers where they can find you. Want to quit X in 2025? Here's how to do it the right way with Cyd .
• OpenPortability helps you migrate your data and contacts from X to Bluesky and Mastodon.
• If you move to Bluesky, BlueNotify will let you get notifications on new posts by the people you follow (a feature Bluesky does not offer at the moment).
• Xcancel lets you read posts on X without having to log in to the platform.

Would you like a new security guide on one of these alternatives?

If you would like Security in a Box to curate a guide on one of the alternatives to X, we would like to know! Reach out to us by writing an email to siab @ frontlinedefenders . org.

Image by Walter Baxter licensed for reuse under a CC BY-SA 2.0 Creative Commons Licence

Security in a Box was initially created in 2005 as NGO in a Box - Security edition, with its title changing to the current one in 2009. Over these 20 years, it has been developed on different platforms and has repeatedly changed its structure and content, with one fundamental goal in mind: offering useful strategies and tools for human rights defenders, journalists, activists and civil society members to protect themselves against the most widespread digital threats they face in their everyday life.

At the beginning of each page, immediately after the title, you can check when a guide has been last updated, to make sure that the recommendations you are going to read still apply to the current situation.

In 2024 most of the guides in Security in a Box have been reviewed and updated and some more have been created from scratch. All this new and updated content has been completely translated into French, Indonesian, Portuguese, Russian, Spanish, Turkish and Vietnamese, and is being translated into Arabic, Burmese, Chinese, Farsi and Pashto (this latter translation has been funded by UN Women).

Here's a list of what is new and what is updated in the entire website:

New guides on Security in a Box

• Create and protect multiple online identities
• Secure your email communications
• Browse the web more securely
• Anonymize your connections and communications
• Destroy identifying information
• Protect your data when using YouTube

Guides updated in 2024

• The whole section on passwords
• The whole section on phones and computers security
• The whole section on protecting files and information
• The following guides:
  • How the internet works and how it can be censored
  • Circumvent internet blockages and monitoring
  • Protect your data and communications when using Google services
  • Protect your data when using YouTube
  • Protect yourself and your data when using Facebook

Future plans

In the next few months, we will keep updating and expanding Security in a Box, and in 2025 we are going to restructure it a bit more. If you are curious about what we are planning to do, have a look at this Gitlab issue in particular.

Security in a Box is an open-source resource, and we always welcome comments and suggestions. You can find instructions on how to give us feedback in our Gitlab repository. We look forward to hearing from you, and to make Security in a Box always a bit more useful together with you!

Image: Illustration to promote cybersecurity submitted in the Cybersecurity Visuals Challenge 2019 hosted by OpenIDEO, by Rebecca Wang, licensed under the Creative Commons Attribution 4.0 International license.

Access the Dim sum Guide on https://yummydimsum.github.io/.

Some countries and regions experience more complex censorship and cyber-attacks against human rights defenders than others, and the advice provided by Security in a Box needs to be combined with guidance that addresses threats specific to those regions. People from China are one of the groups in need of contextualised digital protection. This is why our team, with the support of Front Line Defenders, completed the Dim Sum guide. It builds on the content of Security in a Box and provides more specific instructions and guidance for Chinese-speaking readers from China, focusing on particular aspects as detailed in the following paragraphs. Ideally one should read both guides together.

Restrictions and problems with the use of iPhones and iPads in China

The Dim Sum guide devotes a section to the restrictions applied to the usage of iOS devices in China, including the lack of eSIM, FaceTime being only available for video but not for audio calls and heavy censorship of books, music, movies and other content which is available for consumption on these devices elsewhere in the world.

During the "Sitongqiao Protests" and the "White Paper Movement" in 2022, many Chinese people used AirDrop on iPhones to share images and videos related to the protests. But in early 2024 the Beijing authorities were apparently able to trace the mobile phone numbers and email accounts of those who sent these messages. Given the risk of tracing the identity of people who share files through AirDrop, the Dim Sum manual recommends not to use AirDrop at all.

Safer Chinese input methods

Chinese input methods are mandatory software for Chinese language readers, and there is a risk of exposing sensitive information if one uses inappropriate and unsafe apps. It has been widely proved that Chinese input methods by some Chinese companies have security issues or even backdoors. Therefore the Dim Sum guide has a section dedicated to more secure Chinese input methods and their usage in different operating systems.

Secure VPNs available in China

China has one of the strictest Internet filtering regimes in the world, and using a VPN to "go over the [Great Fire-]wall" has become a daily routine for many Chinese people. However, not all VPNs can work stably and are secure enough, and according to some reports the Chinese police force has even developed some VPNs with the specific intent of phishing the data of people who use them. The Dim sum guide recommends some more secure censorship circumvention solutions, and the team behind the manual constantly monitors and updates this section to provide the most current and relevant information on the topic.

Confronting the police in case of mobile phone searches

In the wake of the "White Paper Movement" at the end of 2022, police in many Chinese cities have been randomly questioning passers-by on the street to check whether they have installed VPNs, Telegram and similar tools on their devices. The Dim Sum guide explains how ordinary people can respond to police checks of their mobile phones, both from a digital security perspective and from a legal perspective.

Conclusions

We sincerely hope that the Dim Sum guide will help Chinese readers, especially Chinese human rights defenders, to protect their activities as well as their data and devices. However, we also know that the digital landscape is constantly shifting and that no resource can guarantee 100% security in any given context.

We will continue to monitor and update the Dim Sum guide and Security in a Box, to provide the latest and most appropriate digital security recommendations, and we very much welcome comments and suggestions from our readers. Send us feedback by adding an issue to the Github where we developed the guide or by writing an email to secure.resistance @ proton . me.

The Dim Sum guide can be accessed on:

• https://yummydimsum.github.io/

The Dim Sum guide is also frequently shared on social media, so feel free to follow along:

• Mastodon
• Instagram

Quick security recommendations for your devices

People often ask us where they can start, what are minimum steps they should consider taking in an effort to better protect their devices. In this post we share what we are recommending as the first, often most effective and most important items.

General

1. Use unique and strong passwords for each account, using a password manager to safely store them.
2. Use two-factor authentication (2FA) on supported accounts. As a first choice, consider using hardware devices (also called security keys). Otherwise you can also use apps or programs that generate time-based one-time passwords (TOTP). Avoid using SMS for 2FA if you can.
3. Avoid using biometrics (face ID, fingerprint scan) as an authentication method. We explain why in the guide on passwords.
4. Delete old files, documents, pictures, screenshots and chat history that you do not need on your device. Securely back up as necessary before removal.
5. If you can, avoid installing social media apps: you can use them by accessing their website with your browser instead.
6. Restart your device frequently. This ensures updates are applied properly and reduces the risk for cases of non-persistent malware.

• 2FA hardware token recommendations:

  • Yubikey
  • Nitrokey
  • Solokeys
  • Thetis Key
  • Google Titan Key

• 2FA TOTP recommendations:

  • Computers: KeePassXC
  • Android: Aegis
  • iOS/iPhone: Raivo OTP
  • Android and iOS: FreeOTP

Further reading:

• Creating Strong Passwords
• Privacy Guides - Threat modeling article
• Security Planner recommendations
• Open Brienfing - Digital security guidance
• Surveillance Self-defense - Security plan

Android

1. Check that your Android is up to date and that both your version of Android and your device are still supported (check Samsung, Google Pixel, Nokia or Motorola. For other models, see C. Scott Brown's article on the phone update policies from every major Android manufacturer).
2. Automatically update your apps.
3. Enable Play protect.
4. Review the permissions your apps have access to.
5. Review installed apps and uninstall any unneeded/unknown ones.
6. Ensure apps can only be installed from trusted sources.
7. Set a longer password (not a PIN or a pattern) to protect access to your device.
8. Consider enrolling in Google's Advanced Protection program.

Further reading:

• Protect your Android device

iOS/iPhone

1. Check that your iOS version and device are still supported and up-to-date.
2. Automatically update your apps.
3. Review the permissions your apps have access to.
4. Review installed apps and uninstall any unneeded ones.
5. Switch on the lockdown mode, which will also make it harder to compromise your device.
6. Set a long passcode to protect access to your device.

Further reading:

• Protect your iOS device

Windows

1. Ensure you are using a supported version of Windows with automatic updates enabled.
2. Make sure that any software installed via the Microsoft store is set to automatically update.
3. Ensure Windows Defender is turned on. Activate Microsoft Defender rather than using a third-party antivirus.
4. Consider using Hardentools to disable some often abused features.
5. Consider using Simplewall to monitor where your computer is connecting to.
6. Ensure Bitlocker - or Device Encryption - is turned on.
7. Ensure your computer requires a strong password to log in.
8. Review installed programs and remove any that are no longer needed.

Further reading:

• Protect your Windows computer
• Manage updates in Windows

macOS

1. Ensure macOS automatic updates are enabled and that you use a supported version of macOS.
2. Consider using LuLu to monitor where you computer is connecting to.
3. Make sure FileVault is enabled.
4. Ensure your computer requires a strong password to log in.
5. Review installed programs and uninstall any that are not needed.

Further reading:

• Protect your Mac computer
• About background updates in macOS
• Set up your Mac to be secure

Ubuntu Linux

1. Ensure that your version of Ubuntu is still supported and that you are keeping it and the installed software up-to-date.
2. Enable the Firewall or consider using OpenSnitch to monitor where you computer is connecting to.
3. Ensure LUKS encryption is enabled when you install the operating system.
4. Ensure automatic login is disabled and your account is set up with a strong password.

Further reading:

• Protect your Linux Device

What happened?

Amnesty International and the media platform Forbidden Stories have published an investigation into the use of an Israeli tool to spy on many people in the world. The investigation was called the Pegasus Project.

How was this information obtained?

Forbidden Stories and Amnesty International gained access to a leak of more than 50,000 records of phone numbers that were targeted by NSO clients.

Who is the Israeli company and what is the tool used?

The company is NSO and the tool that is used is called Pegasus. NSO claims to sell spyware and tools to governments to target criminals around the world.

Who are the company's clients?

According to the documents, the company sold these programs to dozens of countries, but the countries that were exposed recently and used Pegasus against journalists and HRDs are: the UAE, Saudi Arabia, Bahrain, Morocco, Mexico, Azerbaijan, India, Hungary, Togo and Rwanda.

Who are the victims?

According to the documents, the victims are: journalists, human rights defenders, political activists, and politicians in countries and international organizations.

If the number is 50,000, is everyone really infected with malware?

It is impossible to be sure that 50,000 people have been hacked, even if an individual's phone number appears in the list. However, the Amnesty International Security Lab, in partnership with Forbidden Stories, was able to perform technical analysis on dozens of phones and the results showed that at least 67 devices were infected with this software.

How did the hack happen?

NSO has exploited some vulnerabilities in operating systems and applications on both IPhones and Android devices (for example in WhatsApp). Malware was distributed by sending links to fake malicious sites (created to look similar to a legitimate site). Clicking on those links would install the malware on the device.

NSO has also recently exploited a vulnerability in the iMessage application available on the iOS operating system.

The so-called zero-day vulnerabilities are used, which means that the vulnerability that a particular application or program suffers from is not known to developers and is known only to attackers because the vulnerability is not known to developers, no remedy has been developed prior to exploitation.

What can Pegasus malware do?

When a device is infected with Pegasus, attackers can see everything a user does on their device, as if an unlocked phone was given to another person to use, with access to all its information and apps.

The software can be used to look at victims' phone and email messages, look at photos they took, eavesdrop on their calls, track their location and even take a photo.

Pegasus developers are getting better at hiding all traces of the software over time, making it difficult to confirm whether a particular phone has been hacked or not.

Is it possible to check my device to see if I am infected or not?

The Pegasus software is very sophisticated and it is difficult to access accurate information about whether your device is infected with it or not. And it is difficult to detect it using anti-malware programs.

If you think you might be a target, it is advised to contact an expert in order to help you try to check your devices, However, the results might not be definitive.

Amnesty International said that it issued a program to check devices?

Indeed, AI has issued important instructions for using a technical method to do this, but this method was intended for technical experts and not the average user.

Are the victims iPhone users only?

No, the victims are users of all devices, Both iPhone or Android.

Has Apple released an update to address these vulnerabilities?

No.

Apple released an important update on 19/July/2021 with iOS version 14.7, and this update addresses serious security vulnerabilities that were previously discovered, However, new security vulnerabilities being exploited by NSO are not covered by this update

Nonetheless we strongly recommend updating your device immediately. See steps for update.

Should I be worried?

We are all worried about the situation, but in the same time we recognise that worrying without taking practical steps to mitigate the risk will not help stop the process of targeting you with malware. So believe that concerns should be turned into motiation to develop digital protection knowledge as well as strengthening the protection of your phones and communications.

What are the practical steps to take?

1- If you believe that you are infected with malware:

• Sign out of all accounts
• Change passwords for all accounts.
• Enable two-step verification for accounts
• Stop using the device and disconnect the device from any internet network.
• Contact an expert in digital protection to get help.

2- To protect your device in general:

• Check Security in-a-Box basic security guides for Android and iOS
• We recommend to perform a factory reset of your phone from time to time in order to erase what may have been installed in your device. See steps for Android and iOS. Note: Factory reset will remove all information stored on the phone, make sure that you have a recent, working backup of all information stored on the phone before performing factory reset.
• Immediately update operating systems and all applications when updates become available.
• Do not download applications from outside the official application store.
• Use a Virtual Private Network (VPN) on mobile phones and computers.
• Check links before opening them. Use VirusTotal.com
• Use anti-malware software.
• Review phone for unneccessary apps and uninstall if possible. If not possible, try and disable them.

Security in a Box has been respected for many years as one of the most detailed, localized training resources in the internet freedom community. In the past fifteen years, the software our community uses for digital security has changed. SiaB has evolved, and the community has been blessed with many other excellent new resources as well. We are currently preparing to update SiaB, and as we do, we are taking into account the landscape of other guides that is now available.

As a community, we have changed our approach to training in the past decade and a half, too. We are more likely to look for tools and strategies that are easy to use. When we are doing our best, we take guidance from the communities who need to stay safe, rather than considering ourselves the experts and dictating what they need to do. We are more aware of gendered experiences of digital security and privacy. And curricula like Level Up have helped us better understand the specific needs of adult learners.

When we began to review the existing digital security and privacy guides, we soon realized the list we were compiling could be useful for others. So we are making it available to everyone who would like an overview of the materials the community has developed. We hope this makes it easier for trainers to find the guides that best serve their communities’ needs. We also hope it can help us all better coordinate production of new materials, as needed.

View the guide to digital protection guides here.

Please note this spreadsheet is presented in Google Sheets. You do not need a Google account to view it. We do not generally endorse the use of Google products by at-risk populations. Google's business model is selling data about your viewing patterns to other companies, where it may end up in the hands of unethical data brokers or governments. However, in this case Google Sheets allowed us to present this data to you in a format we could not get a comparable open source tools to replicate. The "filter views" on this sheet allow different users to search this sheet for different kinds of guides (for example, translated in Amharic or for a low-literacy audience) and view different results simultaneously. We expect that if you use recommended tracker-blocker plugins (like uBlock Origin), it will help mitigate the potential tracking harm of viewing a Google-based site.

For digital security trainers and those learning about digital security

This “guide to the guides” includes materials produced by international digital rights organizations and our colleagues in the civil sphere, but also guides that are produced by individuals outside that sphere but used by trainers we know, as well as materials linked to by other guides. There are digital security and privacy materials in formats that range from short quizzes to tool guides to full lesson plans, meme images to podcasts. They are available in 58 languages, including Amharic, Aymara, Azerbaijani, Igbo, Kiswahili, nasa Yuwe, Pijao, Quechua dialects, Singhalese, Twi, and Yoruba.

You will find materials in here that are peripheral to the topics of privacy and security. As the digital rights movement has grown, we have welcomed related concerns into our tent. There is some material in here on fighting disinformation, a topic of rising concern for many of us. (We can add more of this, if there is interest; there has been a proliferation of work on this since 2015.) Because they overlap a great deal, we have included guides on privacy, sexuality, and relationship violence along with guides on gendered online harassment and defamation. There are also a couple of guides in here that are not exactly about security and privacy, but may be useful to those who need more background or need help explaining technologies or approaches to their colleagues. Those are tagged “research library.” They include Internews’s civicspace.tech guides, XYZ’s work on technology and gender, and some background on internet infrastructure by Womensnet ZA. Those guides contain material on mobile networks, blockchain technologies, artificial intelligence, and machine learning.

We hope to keep this sheet up to date, so if anything on here looks dangerously outdated let us know. Also, if you know of additional relevant guides that should be included—particularly in languages other than English and Spanish!—please let us know. We expect to also update this with information on secure software’s own documentation before too long.

For security guide writers, NGOs, and funders

We expect this guide to the guides will be useful to you, too. Here are some observations we made as we put this spreadsheet together.

Thinking about writing a new guide? Consider localizing, curating and updating existing materials instead, with the goal of meeting a particular community’s threat model. There are currently over forty guides each in Spanish and in English. A majority of them are Crective Commons licensed for re-use. Consider running an event with a local community to localise existing security guide so it speaks the local language and supports the abilities and needs of that community. We all should carefully consider why it is that we are planning to write a new guide rather than update an existing guide and having it localized well.

Maintaining your existing guide? To make updating easier, consider separating out:

• reasons why particular security advice is given, independent of personal threat model. Example: “don’t re-use passwords because there are lists of passwords floating around on the internet that make it easy for someone to get into more than one of your accounts,”

• strategies for specific threats faced by your readers and trainees and

• step-by-step guides to tools.

Why do we suggest this? Separating out different kinds of advice may make localization easier. These different parts of security advice need to be updated on different schedules. Separating them will make it easier to focus on what needs updating and when. The “why” of strategies for security generally does not need to be updated often. The reasoning behind using strong encryption to protect your documents hasn't changed much in the past decade, for example, though the tools we recommend for encrypting have. Specific threat models need periodic updating. Events unfold, like evolving government capabilities, new vulnerability disclosures, or groups of people migrating or organizing. Step-by-step guides to using tools need fast, regular updating as tools change all the time. These go out of date faster than any other part of a guide. Tool producers themselves may produce more updated guides than security trainers. Tails and Thunderbird have done an exemplary job with this. If developers aren’t producing usable guides or documentation, how can the community help make that happen?

We should all clearly list when our guides were last updated. Many guides out there may include outdated material. Outdated material may put users at risk. Also consider when to take down or put a warning on outdated material.

Explain how your guide was localized if versions exist in multiple languages. There can be a big difference in quality between co-produced guides or formally localized guides and the ones where a volunteer helped with translation. Co-produced guides will be sensitive to local conditions in which technology is used.

Consider using Creative Commons licensing. We think it does lead to a certain amount of sustainability. Different projects are definitely using each other’s material, or at least linking to it. However, there isn’t much coordination of updates, or awareness of who is using updated material or who is not.

Consider organizing regular community events to update your materials. A couple of guides currently have easy-to-use feedback options on individual articles, but still it appears people don’t leave feedback. Our most effective strategy for getting feedback was reaching out to individuals directly, and setting aside a specific time when people could work together on commenting.

There is an opportunity to better manage and coordinate security guide production in the internet freedom community. Because so much material is on GitHub and GitLab, and so much of it is Creative Commons licensed, it would not be difficult for organizations with a stake in training guide production to collaboratively coordinate a repository. This could also include pulling in the documentation produced by tool developers themselves.

Planning to localize/translate into more languages should happen early in your guide development. Think ahead about how you will localize, and how you will build a “workflow” out of the different pieces of software you will use (including collaborative editing software like office suites, version control software like GitHub or GitLab, and translation-specific software like Transifex). Producers of digital security guides could learn more about industry-standard documentation and localization processes that could make this easier for us.

Image: Flickr user stanzebla, "Gate Lock", CC-BY-SA-2.0

It can be hard to keep track of which parts of which digital security guides are up to date. Security in a Box has been incrementally updated over the years. To guide you to our most up-to-date content, we wanted to highlight these sections, which have been updated in English in the last six months:

• Create and Maintain Strong Passwords
• KeePassXC - Secure Password Manager for Windows
• KeePassDX - Mobile Password Manager for Android
• Some sections of Firefox and Security Add-Ons for Windows - Secure Web Browser
• Some sections of Basic security for Android

Note that translations of these pages into other languages are not necessarily up to date.

We are currently working on dramatic changes to the structure and contents of SiaB. Among other things, we hope to deploy a more effective translation backend to make it easier to keep future versions of the site up to date.

We welcome feedback on Security in a Box! Drop us a note and tell us: Which sections of SiaB do you depend on? What is currently useful to you? What is not so useful?

Image: Flickr user mtl_mauricio, "Oscar in a box", CC-BY-2.0

WhatsApp Crypto message

Or you might have read about this when it was all over the news.

WhatsApp's collaboration with Open Whisper Systems recently brought end-to-end encryption to the lives of a billion people around the world. (Open Whisper Systems develops Signal, an open source mobile messaging and VoIP app.) When WhatsApp integrated the encryption protocol developed for Signal, many of us began using end-to-end encryption without even realizing it.

Undoubtedly, this is an exciting and important development that will help protect the privacy of users all over the world. In this post, however, we would like to explain why we recommend Signal over WhatsApp, even though they both use the same protocol for end-to-end encryption.

Source code

We would like to start off by congratulating WhatsApp, not only for taking significant measures to protect the privacy of their users, but also for choosing to adopt an open encryption protocol that has been vetted by security experts rather than coming up with yet another proprietary encryption scheme with little or no external review.

Crypto is not the only aspect of security, however. Among other factors, the security of an app also depends on how an encryption protocol is integrated. When software is open source, we are able to review it, see how it has been implemented and verify that it does not contain malicious code. Closed source software, on the other hand, requires that we trust the claims of its developers.

While WhatsApp relies on the Signal protocol, which is an open standard, to encrypt its users' communications, the app itself is closed source. We trust Open Whisper Systems to have properly integrated the Signal protocol into WhatsApp, but the closed source nature of the app prevents us from identifying other aspects of the app that could impact our security.

Signal, on the other hand, is open source. As a result, we can verify that our communications are properly encrypted and review the overall security of the app.

Secure data storage

The Signal protocol that was recently integrated into WhatsApp is a communications protocol, which means that it only encrypts data in transit. It does not encrypt data, such as our messaging history, that is stored on our phones.

Signal addresses this by providing its users with the option to (encrypt messages stored on their phones with a passphrase, thus protecting those messages from anyone who gains physical access to their device. WhatsApp, on the other hand, does not currently allow users to secure the messages stored on their phones.

Verification

An essential component of digital security is the ability to verify that we are actually sending data to, and receiving data from, the person with whom we believe we are communicating. Without this ability, it is possible for someone to sit between us on the network when we first get in touch, decrypt our messages, record them, re-encrypt them and relay them back and forth. This is called a man-in-the-middle attack.

In this scenario, merely recognizing our correspondent's voice is not enough to guarantee that our communication is properly encrypted. For that, we need some kind of cryptographic identity verification mechanism.

Both WhatsApp and Signal support identity verification for messages and voice calls. For messages, they rely on the same mechanism: users compare identity key fingerprints, then flag a contact as verified. For voice calls, however, the two apps work differently. Signal’s voice encryption protocol makes it easy for users to verify each call by reading off two words and making sure they match. WhatsApp’s voice call verification, however, depends on users having previously verified one another for messaging by comparing fingerprints.

Business model

WhatsApp is owned by Facebook, while Signal is owned by Open Whisper Systems. They have very different business models.

It's well-known that advertising is at the heart of Facebook's business model, which is fueled by the vast quantities of data that users hand over to the company through its various services. Open Whisper Systems, on the other hand, is a non-profit, grant-funded group of free software developers whose mission is to “advance the state of the art for secure communication, while simultaneously making it easy for everyone to use”.

It’s important to note that while the Signal protocol encrypts the content of our communications, it does not encrypt metadata – information about information - such as who we contact, when and from where. Given Facebook’s willingness to implement end-to-end encryption in WhatsApp, which prevents even the company itself from accessing some of its users’ data, one can't help but wonder if the value has been in the metadata all along.

Unlike content data, which is harder and more expensive to process and retain, metadata is ideally suited to automated analysis by a computer. It can be stored in large quantities and reveals information (such as who you contacted, when and where) that is very difficult – if not impossible – to deny. Using metadata, analysts can map out an individual’s political affiliation, interests, economic background, location and habits, as well as the network of people with whom that individual communicates. This information can be used to create group and individual profiles that are in great demand by an advertising industry desperate to know its audience.

Advertising might seem harmless, but it's important to remember that we are rarely in control of the profiles being created about us. As a result, these profiles may or may not be accurate. And regardless of the accuracy of our profiles, research has shown that profiling can lead to various forms of discrimination. While it's not clear whether and to what extent WhatsApp users' metadata feeds into Facebook's advertising business model, it remains an important question. As Open Whisper Systems is not in the data business, we believe Signal is more likely to protect our metadata.

That said, it’s worth noting that Signal’s reliance on the Google Cloud Messaging platform means that Google — which is, of course, in the data business — does have access to some of the metadata produced by Signal. They know the current IP address of any device that receives a Signal message, for example, but Signal’s architecture hides as much of this metadata as possible. The Signal protocol can be used independently from Google Play Services via LibreSignal, a fork of Signal, which can be installed from F-Droid, a free and open source Android app repository.

Using Signal

Today we are releasing a new tool guide that explains, step-by-step, how to install and use Signal, if you're not already doing so.

Do you own a website? If so, as of today Let's Encrypt, a new non-profit certificate authority (CA), entered Public Beta and allows you to add HTTPS to your website for free and more easily than ever before.

If you've ever experienced the hassle of setting up a secure website, you'll be pleased to know that Let's Encrypt automates the entire process and only requires you to manage HTTPS with a few simple commands. This could be a huge step towards an encrypted Web.

Why TLS certificates are important

When we access a website, our device makes an HTTP connection to the server that is hosting the website. But as HTTP connections are unencrypted, anyone can potentially intercept our connection and read our traffic or even re-direct us to a malicious server in order to infect our device with malware. To prevent this, it's important that our connections to websites are encrypted and that the websites we visit are secure.

HTTPS was designed for precisely this purpose. Through the use of Transport Layer Security (TLS), it encrypts HTTP connections to websites that support it. This is where digital certificates play an important role; they authenticate websites that support HTTPS so that we know we're communicating with the right servers. Websites that are TLS certified are more secure because they allow you to connect to them via encryption, limiting the probability of interception and increasing the confidentiality of exchanged data.

How Let's Encrypt helps us move towards an encrypted Web

Up until today, obtaining a TLS certificate has been a difficult and expensive process which has discouraged many people from using HTTPS. Starting from today though, Let's Encrypt addresses this problem.

According to the EFF: “Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.”

The Let's Encrypt client handles the certificate request and authentication for you and, by default, renews your certificate automatically. It can also configure servers with your new certificate through a simple command. Detailed information on system requirements and on how to use Let's Encrypt's client to request for certificates can be found in its documentation.

That said, it's important to bear in mind that Let's Encrypt just entered Public Beta, which means that improvements (particularly on the client side) will still need to be made and it might contain some bugs. Yet, this is still an important step towards a more secure Web for everyone. Not only does Let's Encrypt advance TLS security best practices, but it's also transparent in the sense that all issued or revoked certificates will be publicly recorded and available for anyone to inspect. Furthermore, Let's Encrypt follows open standards by publishing its automatic issuance and renewal protocol.

Help make HTTPS the default across the Internet. Request a TLS certificate and let's encrypt.

In the last week, critical security flaws have been reported in TrueCrypt, the open source software for file and disk encryption. As a result, we are reviewing our advice on file and disk encryption and we now recommend users to consider other tools for secure file storage.

What's wrong with TrueCrypt?

Serious vulnerabilities were detected by Google zero-day researcher, James Forshaw, if an attacker has physical access to a device with TrueCrypt installed. While these security flaws don't allow an attacker to decrypt data directly, they can be exploited to compromise a machine, install spyware and to record password keystrokes – ultimately enabling an attacker to figure out a TrueCrypt user's decryption key.

Even though security engineers performed an audit of TrueCrypt which covered the driver code, they missed the following, which were detected by Forshaw:

• A vulnerability (CVE-2015-7358) which enables an attacker to can gain access to a running process and to get full administrative privileges
• A vulnerability (CVE-2015-7359) which enables an attacker to impersonate an authenticated user

Why did we recommend TrueCrypt in the first place?

Up until now, we have recommended TrueCrypt not because it provided perfect security (there's no such thing as “perfect security” anyway), but because it was widely regarded as the best option for file and disk encryption for most users. In particular, TrueCrypt:

• is open source (which enabled its audit from professional engineers around the world)
• implements strong AES encryption
• encrypts whole disks and external disks
• creates encrypted volumes and hidden volumes (which are useful features for many users)

Last year, however, TrueCrypt developers mysteriously announced an end to the development of this software, quoting “unfixed security issues”. The reasons for this remain unknown and have been subject to some debate and speculation.

We nonetheless continued to recommend TrueCrypt because:

• there is a lack of clear alternatives that offer Windows users the same features
• a recent independent audit found no major security flaws in the source code
• there were at least two tools aimed at resurrecting this code and developing it further (CipherShed and VeraCrypt)

However, given that TrueCrypt is no longer maintained, the recently discovered bugs won't be fixed directly in the program's code (but will be in VeraCrypt, see below). Furthermore, the last version of TrueCrypt is now out of date and getting increasingly awkward to install on current operating systems.

What now?

The closest tool to TrueCrypt currently available is one of its forks, VeraCrypt. Like TrueCrypt, VeraCrypt is * open source * and independently audited. VeraCrypt 1.15 was recently released and addresses the TrueCrypt vulnerabilities that were detected by Forshaw. CipherShed is another project that promises to improve on the TrueCrypt source code, but it is still some way off being released.

Another option is to use encryption built in to your device operating system, such as BitLocker on Windows and FileVault on Mac OS X. These are very simple to use as they can be activated in the settings menu of your operating system. However, BitLocker and FileVault are proprietary tools, they haven't been audited and there is no guarantee that either company's tool has not been compromised by government agencies.

The table below shows some of the features for some TrueCrypt alternatives:

Depending on their threat model and/or interest in trying out a different operating system, users can also consider switching to Linux for full disk encryption. The advantage is that - unlike BitLocker or FileVault - Linux's full disk encryption is open source. And as we learned from the latest report on TrueCrypt's vulnerabilities, it's important that the source code of the tools we use is open for review by engineers and researchers around the world.

The Workbook on Security is designed to raise awareness about security issues and to help human rights defenders consider how to mitigate threats. The workbook takes human rights defenders through the steps to producing a security plan - for individuals and for organisations. It follows a systematic approach for assessing their security situation and developing risk and vulnerability reduction strategies and tactics. The workbook is available in English, Arabic, Chinese, Dari, French, Portuguese, Russian, Spanish and Urdu.

Uganda has been in the news headlines around the world since 2009, when it introduced its first Anti-homosexuality Bill and there have been several attempts since then to increase penalties for LGBT people and those who help them. Unsurprisingly, criminalization, physical violence and harassment has led many in the LGBT community to socialize, discuss and organize online. However, many LGBT people are now facing extreme digital threats, including abuse on social media and targeted malware attacks. Activists and trainers are working hard to help people protect themselves online, in one of the most hostile to LGBT people climates in Africa.

Despite the political repression, Uganda has one of the most vibrant and outspoken LGBT movements in Africa, but the repercussions for those choosing to live publicly as LGBT can be severe.

As one human rights defender says:

LGBT persons in Uganda are under threat. Occasionally even their neighbors threaten to report them to the police.

LGBT people suffer arbitrary arrests, physical assaults and are frequently evicted from their homes. And in an atmosphere of concerted political suppression, opportunities for LGBT people to meet and organize are very limited.

As a result, the internet has become hugely important to the Ugandan LGBT community. LGBT organizations have been launching online petitions, running websites and participating in the human rights debate in Uganda, while LGBT individuals use internet platforms - such as dating websites - to network. But this creates further risks. One human rights defender said:

There is a lot of hate speech on discussion forums. Often we find comments with threats, including death threats

Facebook pages harassing and expressing hate speech against LGBT individuals have often been shared in Uganda. Newspapers have repeatedly published the names and addresses of alleged LGBT individuals and in some cases have even used their Facebook pictures.

In 2014 several LGBT organizations received emails affected by Zeus malware, which is used as a “backdoor” to access personal online accounts. In early 2015 an organization had one of their email accounts hacked and information about their donors leaked; they were then asked to send part of a donation they had received days before to an organization based in Kenya.

Frequent police raids on HIV/AIDS organization offices and at events also make it extremely risky to store sensitive information on devices. In addition, the 2014 Anti-Pornography Act holds Internet Service Providers (ISP) responsible for allowing pornography downloads through their services: such a provision can give way for surveillance and blocking of LGBT-related content by ISPs.

There is a clear connection between online and offline threats to LGBT people. Online harassment – especially when real names and pictures are involved – can be reproduced in the offline space. Police raids pose not only physical threats but also threats to information stored on devices. Malware and hacking attempts can result into wealth and information loss and so on.

One activist says:

Data- and email-theft are of the greatest digital security risks LGBT communities face in Uganda. And for that reason, strong passwords, whole-drive encryption, anti-viruses and anti-malware are the main tactics we adopt.

Activists in the Ugandan LGBT community have been highly pro-active in raising awareness of digital threats and taking steps to counter them. Digital security trainings have been taking place for some time, particularly with organizations. In these trainings activists learn how to stay secure online and offline and find out about new tools and techniques. But limited digital literacy and low internet penetration make effective digital security training highly challenging.

One trainer in Uganda says:

One of the most outstanding challenges I face as a digital security trainer is the fact that most of our people don't have concrete background in the use of ICTs and computers. They just have a basic knowledge of connecting online to specific pages. As such, we have had to first give these people computer literacy trainings and later introduce them to digital security. […] We have very recently embarked on distributing Tactical Tech's Security in-a-box manuals to community organizations and members.

There is a combination of factors that increases both offline and online risks to LGBT Ugandans. Legal persecution and social prejudice are reproduced in the online space as digital risks. These risks feed then back to the cycle and often have consequences in the offline world. Digital risks are reinforced by an environment characterized by loopholes in the protection of human rights and limited digital literacy. As such, there is an urgent need to increase LGBT Ugandans' awareness of digital risks and of the tools and tactics they can use to deal with these risks.

Tactical Technology Collective has produced a series of toolkits tailored to the needs of LGBT communities in sub-Saharan Africa. They present and describe, in user-friendly way, the tools and tactics LGBT communities can undertake to deal with digital risks. If you are a member of Uganda's LGBT communities and you would like to find out more on how to protect your devices and online communications you can access Tactical Tech's guide here and here, for free. If you are interested in Tactical Tech's work on digital security in general, you can visit our website or the website dedicated to our project Security in-a-box.

You can follow me on twitter.

Many thanks to Geoffrey Wokulira Ssebaggala from Unwanted Witness and Kelly Daniel Mukwano from i freedom Uganda for their comments and support.

The quotes have been picked from research on the digital security needs of African LGBT communities conducted by Tactical Tech staff. For security reasons the quotes have been anonymized.

In light of ongoing revelations about the global surveillance efforts of the US National Security Agency (NSA) and its intelligence allies, you might be wondering if any of this really matters anymore. Much of the recent media coverage appears to suggest that, not only are They recording everything we do and say on the Internet, but now They've defeated our encryption. The sky is falling; all is lost; etc. It is certainly the case that we have learned a great deal from this episode, and that toolkits like Security in-a-Box must be updated to reflect some of those lessons. (Watch this space!) And, of course, it is also true that bombshells remain to be dropped; questions to be answered; suspicions to be confirmed or denied. However, to the best of our knowledge—where "our" knowledge, in this case, is largely that of the security community's best and brightest researchers, cryptologists and tool developers—nothing has come to light that should lead us to abandon hope. While perfect security is (and will remain) unachievable, with the right tools and tactics, we can still protect our digital privacy and security in meaningful ways.

In the words of Edward Snowden himself, "Properly implemented strong crypto systems are one of the few things that you can rely on..." One of the primary goals of Security in-a-Box is to help demystify those two facets of reliability: to identify security tools that the community considers "strong," and to guide you through whichever aspects of "properly implemented" fall on your shoulders, as a user of those tools. Over the coming months, we expect to learn a little about how we've done so far, and we hope to learn a lot about how we can do better.

What has changed?

On September 6th, The Guardian, the New York Times and ProPublica jointly reported on a classified NSA program called BULLRUN that is dedicated to subverting various forms of encryption meant protect the privacy of online communications. Crucially, efforts by the NSA to ensure its own ability to bypass these protections has the effect of weakening them against other attackers, as well. It is virtually impossible to install "backdoors" into security devices, protocols, software or standards without compromising those systems more generally. (Nor does the NSA appear to be trying all that hard. One particularly blunt instrument in the $250 million BULLRUN arsenal involved blatant manipulation of standards setting initiatives, with the express goal of weakening any recommendations produced.)

The second half of Snowden's statement, mentioned above, is less optimistic: "Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." Or, as Bruce Schneier puts it, "If the NSA wants in to your computer, it's in. Period." So, what does this mean for users of Security in-a-Box? Admittedly, it means you're better off not being a personal target of the most well-resourced espionage organization in the world. But, even if you are—or if it turns out that other nefarious organizations and individuals have similar capabilities—the advice in this toolkit can make their lives much more difficult.

What remains?

We do not yet have specifics on what systems, standards, services and tools the NSA and its allies have attempted to undermine, but security researchers who have weighed in on the topic remain confident in the core technology behind most of the secure communication software recommended in this toolkit. One example is Pretty Good Privacy (also known as PGP or GPG), the encryption scheme implemented by gpg4usb, by the Enigmail add-on to the Thunderbird email client and by the APG application for Android. Another good example is Off the Record (OTR), the instant messaging (IM) encryption used by Pidgin and Adium, and by TextSecure for text messaging (SMS). Along with zRTP—the Voice over IP (VoIP) encryption used by a number of tools that do not yet appear in Security in-a-Box—these technologies have several things in common:

• They are Free and Open Source Software (FOSS), and they are based on open standards.

• They rely on end-to-end encryption, which means your content is scrambled when it leaves your computer or smartphone, and it stays that way until it reaches the person with whom you are communicating. Unlike other forms of encryption (HTTPS-protected webmail, for example), the tools listed above prevent your service provider from understanding the data you send and receive. This, in turn, protects you from anyone who might be monitoring or pressuring that provider.

• They have been around for a while, and are well-respected by the digital security community.

• Unfortunately, they are not as common as they should be, nor as easy to use as they could be. And, they do not work unless the person with whom you wish to communicate also uses them.

What does that mean for me?

At risk of getting a bit too technical a bit too soon, the following is a brief list of recommendations in light of what we have learned over the past few months. This will make more sense if you've already read through Security in-a-Box (or another guide like it), but even if you are new to this material, you might want to keep these suggestions handy as you begin to learn more about digital security.

1) At least one organization out there probably is recording everything you do or say on the Internet. But, that doesn't mean they can read and understand all of it! Use FOSS, end-to-end encryption tools to protect the content of your sensitive communications. You can read more about this below.

2) Even though attackers probably won't be able to read your end-to-end encrypted communication, we now know that at least one organization is trying really hard. To ensure that they, and others like them, are not successful, you should use strong keys. (For GPG, use at least a 2048 bit RSA key.) If you have an older, weaker (1024 bit and/or DSA) GPG key, now is probably a good time to create a new one. And, in general, ask around or search the the Web for information about other "details" you might not understand at first. As mentioned in the toolkit, for example, "authenticating" your encrypted email and instant messaging contacts is no less important than installing the software itself and exchanging keys. As cryptologists like to say, "the math works," but you have to do your part, as well.

3) Against a truly determined attacker with significant resources, the OTR-based messaging tools described in this resource—Pidgin and TextSecure—are in some ways safer than GPG-encrypted email. Specifically, this is because every message you send or receive using OTR is automatically encrypted with a new key. So, even if somebody records all of your (unreadable) messages over the course of several years, and then somehow gets their hands on your secret key, they still won't be able to decrypt all of that content. This is not true with GPG. In case you're curious, this property is called "perfect forward secrecy" (PFS), and it holds true for zRTP-encrypted VoIP tools, as well, including Jitsi used with the ostel.co service.

4) Be aware that hiding basic data about your Internet and mobile phone "traffic" (also called "meta-data") is much more difficult than hiding the actual content of your communications. Examples of meta-data include: who you talk to, from where, when, for how long and through what channels. If you need to protect this sort of information from a well-connected adversary, use the Tor Browser anonymity tool (in addition to the other software recommended here), and make sure you study up on how to use it properly. Or, better yet, restart your PC with the Tails operating system (and learn how to use the Linux versions of those same tools). This will increase the likelihood that your Internet traffic is successfully anonymized by the Tor network.

5) Be careful with commercial software and services. Some of these resources, like Gmail, almost certainly offer strong privacy protections against outside attackers, but many of the companies who develop and operate them have shown a willingness to install monitoring code, backdoors and other "features" that weaken the security of their own software. Naturally, this is most relevant if you believe that these companies—or governments with direct influence over them—are likely to cooperate with those who oppose your online and offline activities. Keep in mind, however, that built-in surveillance mechanisms like this also represent fundamentally bad security design. (This warning applies to commercial operating systems, as well, by the way, including Microsoft Windows, Apple's Mac OS X and all major smartphone platforms.)

6) Make sure you are using the latest stable version of all security tools. And, while you're at it, learn how to "verify" the software you download (using checksums or digital signatures) to ensure that it's authentic. This won't protect you from a backdoor installed by the developer—voluntarily or under pressure from an organization like the NSA—but it will keep you safe from many other attacks.

Troubles all the way down?

At this point, you might be looking back at what we said about the NSA's BULLRUN program and thinking, "But even if I use trusted, open-source, end-to-end encryption software based on open, transparent standards—and even if I use it properly—how does that help me if the standards themselves have been poisoned by the NSA?" First of all, if it comes to light that the NSA has somehow compromised the most fundamental building-blocks upon which these particular encryption tools were built, and nobody has noticed, then yes; that will be a sad day. Lucky for us, that does not appear to be the case.

Encryption schemes like GPG, OTR and zRTP are themselves open standards, as are the underlying protocols and algorithms from which they were constructed: AES symmetric encryption, RSA asymmetric encryption and signing, DSA signing, Diffie-Hellman key agreement and SHA hash algorithms, among others. These building blocks—which are also used in secure data storage tools like VeraCrypt and KeePassXC—have all been around for quite some time. And, unlike some other standards, none have yet shown evidence of NSA sabotage.

That could change, of course, as the NSA was certainly involved at one level or another in the selection of many cryptographic standards, including several of those listed above. Regardless, the openness of these standards appears to be serving its intended purpose, and is clearly preferable to the alternative. Trusted cryptologists can at least dig the specifications, searching for intentional flaws as well as the accidental ones they've been watching out for all along, rather than just crossing their fingers and hoping for the best. Furthermore, the NSA's credibility as a defender of Internet security is pretty much shot these days, and one can hope that their role in the establishment of future standards will be severely curtailed for a good long while.

On 17th December 2014, the Government of India's Ministry of Communications and Information Technology issued an order to all licensed Internet Service Providers (ISPs) in the country to block access to 32 websites, effective immediately. Not only did the ban affect access to popular cultural sites such as archive.org, vimeo.com, dailymotion.com, but the order also blocked access to sites like github.com, pastebin.com, which are useful for all sorts of people but are especially popular with software developers.

A copy of the order that the MCIT's Department of Telecommunications sent to ISPs by email can be found here (356kB, compressed PDF) or here (2MB).

The Ministry's order was issued following a request from the Mumbai police's Anti-Terrorism Squad on 15th November 2014. The police request argued that the targeted web services were being used for "Jihadi Propaganda" by "Anti-National groups", and were encouraging youth in the country to join organisations like the Islamic State (ISIS/ISIL).

However, many of the blocked sites are large resources for general use by diverse communities which have no links to terrorism. Tools which are important in the daily work of India-based software developers are included in the banned sites, whose work in the IT sector is penalised by broad bans with the excuse of anti-terrorism measures.

As IT professionals in India attempt to continue to do their jobs, there has been a lack of information about the nature of the site bans. We thought it would be a good idea to do some research using free and accessible tools and to look at how censorship has been implemented, as well as the various circumvention techniques people are using.

A summary of our key findings

Between January 1st and 3rd 2015, we conducted censorship measurements from various Internet connections using seven different ISPs in India. These include TATA Communications and the state-run Mahanagar Telecom Nigam Limited (MTNL). The understanding we currently have is preliminary and draws on the browsing experience of several customers of different ISPs around India as well as information gained through the use of the open source censorship measurement toolkit provided by Open Observatory of Network Interference (OONI) and other manual tests we conducted.

The censorship order issued by the Ministry specifies what to block, but not how. Unsurprisingly, this has led to a situation where different ISPs are blocking sites using different techniques. Users of some ISPs may be able to circumvent the censorship by simply changing their DNS settings, while others will need to configure proxies or install circumvention software. In all cases we have observed, censorship can be bypassed using standard circumvention tools such as the Tor Browser.

We saw a variety of different block pages across multiple ISPs. Here are screenshots of the six we captured.

• “The page you have requested has been blocked, because the URL is banned”
• “This site has been blocked as per the instruction of Competent Authority”
• “<!–This is a comment. Comments are not displayed in the browser–>”
• “The requested url is blocked, based on the blocking Instruction order received from the Department of Telecommunications, Ministry of Communications & IT, Government of India”
• “HTTP Error 404 — File or Directory not found”
• The page you have requested has been blocked, because the URL is banned.”

Besides finding that different ISPs use different methods of blocking, we also found that the same sites might be blocked with different methods even from the same ISP. The "not found" and "this is a comment" error pages appeared across multiple ISPs, which could indicate that there are multiple layers of blocking so that if the first one "fails open" another layer catches it. Even so, the blocking is unreliable--when requesting the same site many times, it sometimes loads and sometimes yields a censorship message or error page.

TATA appears to be using a proxy server to inspect and modify traffic to certain IP addresses. If the request is for one of the censored sites, a block page is returned instead. We can tell that the filtering is only being applied to certain IP addresses by sending HTTP requests for censored hostnames to the IP addresses of unrelated websites. Using some TATA connections, requests to some IP addresses are blocked based on the content of the request, while requests for those same hostnames sent to other IPs are not blocked. In particular, requests to google.com IPs containing host headers requesting blocked hostnames return the block page for those hostnames, while requests to yahoo.com IP addresses do not.

Instead of Deep Packet Inspection, MTNL appears to be using a combination of DNS-based and IP-based blocking approaches. Their DNS resolvers gives an incorrect answer (59.185.3.14) for the censored hostnames. It is possible to see the block page that MTNL users experience by browsing to http://59.185.3.14/ from anywhere in the world. Some MTNL customers were still able to connect to github's correct IP, while others were not.

Most of the reports collected using OONI are available here. These reports contain evidence of other sites being blocked in addition to the 32 websites specified in the December 17th order. The other sites are apparently being blocked using the same infrastructure, but we have not been able to determine under what authority their blocking has been ordered.

Other domains which appeared blocked on MTNL during testing included adult websites featuring Indian people although other adult websites listed in the alexa-top-1000 were not observed to be blocked. Censorship of advertisement, music sharing, and file hosting websites was also observed.

How can one circumvent this censorship?

In some cases, as ISPs are only blocking HTTP connections, while allowing access to sites over HTTPS, one could try to manually access the site using https:// instead of http:// in the URL. Regardless of whether the webpages you access are being censored or not, we recommend using the HTTPS Everywhere plugin in your web browser to automatically use the HTTPS version of many sites.

When the censorship is DNS-based, it can usually be circumvented by changing the DNS configuration on your device to use nameservers hosted outside of India. Two popular public DNS services are offered by OpenDNS and Google's public DNS.

We were also able to access the blocked websites using Tor Browser at all times.

Another option is to use a Virtual Private Network (VPN) hosted outside the country and a couple of services which offer this are The RiseUp Collective (Free) and iVPN (Paid). Mobile users using Android devices can also use Psiphon.

Additional resources

If you would like to understand more about censorship techniques or help collect more data, here are some useful resources that you might want to refer to:

• Open Observatory of Network Interference provides a set of open source tools that can be used to test and collect technical data about censorship and network tampering. We have made the reports generated from the data we collected using OONI here.

• URL lists provided by CitizenLab were also used during testing.

• Tor Browser is a free and open source software tool, which lets you securely circumvent censorship and surveillance and allows you to access resources on the Internet anonymously.

• For other resources about circumvention tools and tactics, and general digital security advice, please see Tactical Techology Collective's Security-in-a-box project.

• The Center for Internet and Society is an organisation based in Bangalore, India, which is actively working on policy for Internet governance, censorship and surveillance in India.

Current state of things

Following a new order issued on 31st December 2014, 4 of the 32 websites have subsequently been unblocked. The unblocked sites are github.com, vimeo.com, dailymotion.com and weebly.com

We will keep monitoring this censorship and publish any other relevant findings over the next few days. If you are a software developer or an IT professional who wants to help us collect more data from multiple ISPs in India, please contact us at censorship-in@chaoslab.in. Please use this PGP key if you would like to send us an encrypted email.

To read the larger dialogue on Twitter about this blocking of websites, please follow the hashtag #GOIblocks.

This blog post was co-authored by Kaustubh Srikanth, Leif Ryge, Aaron Gibson and Claudio Guarnieri and originally appeared in Huffingtonpost.in on 6th January, 2015