Resources for building further expertise

What follows is a curated list of links to guides, curricula, how-to’s and in-depth resources suitable for those who wish to build further expertise.

COMMUNITIES, LEARNING AND GUIDES

Comprehensive resources addressing digital security in general, and online communities where digital security is discussed.

PEN America’s Online Harassment Field Manual
https://onlineharassmentfieldmanual.pen.org/
Pen America
A resource containing effective strategies and resources that writers, journalists, their allies, and their employers can use to defend against cyber hate and fight online abuse.
Published: April 2018
Added: May 2018

EFF’s Security Education Companion
https://sec.eff.org
Electronic Frontier Foundation
A resource for people teaching digital security to their friends and neighbors.
Published: November 2017
Added: December 2017
Tags: curriculum, train-the-trainer

Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communication
https://ssd.eff.org/
Electronic Frontier Foundation
A guide to protection against surveillance, this guide also includes great material on personal digital security. Organized into overviews, tutorials, briefings, playlists.
Published: October, 2014, updated frequently (timestamp at the bottom of each guide.)
Added: June 2017
Tags: guides, surveillance

A First Look at Digital Security
https://www.accessnow.org/a-first-look-at-digital-security/
Access Now
A primer booklet for those beginning to think about digital security and threat modeling. Based around a series of useful personas. Open on github.
Published: last updated May 2017
Added: June 2017
Tags: guides, beginners

Introduction to Digital Security for Journalists Handout (NICAR 2018)

@mshelton, @geminiimatt, @mtigas, Sequoia McDowell, @camfassett
A thorough roundup of tools and best practices from NICAR 2018
Published: March 2018
Added: March 2018
Tags: guides, intros

11 tips for protecting your privacy and digital security in the age of Trump
https://freedom.press/news/11-tips-protecting-your-privacy-and-digital-security-age-trump/
Olivia Martin, Freedom of the Press Foundation
An introduction to digital security with brief descriptions and links to resources on threat modeling, strong authentication, secure communications, device encryption, browser security. The article also includes guidance on update hygiene, VPNs, and phishing.
Published: January, 2017
Added: June 2017
Tags: intros, lists, beginners

A DIY Guide to Feminist Cybersecurity
https://hackblossom.org/cybersecurity/
Noah Kelley, HACKBLOSSOM
This fairly guide covers basic explainers and links to tools for blocking online tracking, circumvention and anonymity tools, defending against malware, strong authentication practices, privacy on social media, as well as device and communication encryption. It does not include hands-on guides that walk users through use/installation of various tools.
Published: ?
Added: June 2017
Tags: guides

Journalists in Distress: Securing Your Digital Life
http://www.cjfe.org/journalists_in_distress_securing_your_digital_life
Canadian Journalists for Free Expression
The guide includes background information describing how data flows online and in mobile networks, as well as information on browser privacy and security, encrypted communications, social media privacy, internet cafe concerns, strong authentication, and information about technical threats from authorities.
Published: January 2017
Added: June 2017
Tags: guides

Security Training Resources for Security Trainers (Spring 2017 edition)
https://medium.com/cryptofriends/digital-security-training-resources-for-security-trainers-spring-2017-edition-e95d9e50065e
LINKS TO GUIDES/ARTICLES
Rachel Weidinger, Cooper Quintin, Martin Shelton, Matt Mitchell
A “meta-guide” for finding information on the current state of U.S. digital security training.
Published: Spring 2017
Added: June 2017

Digital Security and Source Protection for Journalists
https://susanemcg.gitbooks.io/digital-security-for-journalists/content/index.html
GUIDE (BORDERING ON A TEXTBOOK)
Susan E McGregor
A comprehensive and well-written paper on digital security for Journalists. Written in 2014, most of the content is still relevant.
Published: 2014
Added: June 2017

Committee to Protect Journalists Security Guide: Technological Security
https://cpj.org/reports/2012/04/technology-security.php
GUIDE
CPJ staff
Part of CPJ’s comprehensive Journalism security guide.
Published: 2012, updated since (note: asked for update policy)
Added: June 2017

Tinfoil Press
https://mshelt.onl/tinfoil.press/
COMMUNITY
An online community space founded by Martin Shelton
A tinfoil-hat free zone to discuss digital security and Journalism with others in the field. Now inactive, but available as an archive.
Published: ?
Added: May 2018

LevelUP
https://level-up.cc/
CURRICULUM/GENERAL TRAINING GUIDANCE
A pedagogical resource for those providing digital safety and security training.
Published: June 2016
Added: June 2017

Digital Security Resources for Media Trainers
http://saferjourno.internews.org/pdf/SaferJourno_Guide.pdf
CURRICULUM/GENERAL TRAINING GUIDANCE
Manisha Aryal, Dylan Jones, Internews
An in-depth and still relevant guide to digital security for Journalists.
Published: 2014
Added: June 2017

Rory Peck Trust Digital Security Resources
https://rorypecktrust.org/resources/digital-security
GUIDE
Links to videos and other resources on secure communication and digital security. (Includes a well-developed risk assessment series for journalists.)
Published: various
Added: June 2017

Information Security for Journalists
http://www.tcij.org/node/1016
Silkie Carlo & Arjen Kamphuis, the Center for Investigative Journalism
GUIDE (Advanced)
12/2017: This resource is not currently available. Reached out to TCIJ for more info. – abh
This guide focuses on security concerns for investigative journalists, particularly those with sophisticated attackers. This guide examines threat modeling, hardware security, enhancing operating system security (e.g., with TAILS), disk and communications encryption (e.g., PGP and OTR), file data and metadata, browser privacy tools, circumvention software, and strong password practices. (Great advanced guide,but probably not the best guide to give to users who are new to digital security, since they are likely to be overwhelmed and decide that digital security is not for them.)
Published: 2016
Added: June 2017

How to Lead a Digital Security Workshop
https://motherboard.vice.com/en_us/article/how-to-give-a-digital-security-training
ARTICLE/101 TRAINING ADVICE
Rachel Weidinger, Cooper Quintin, Martin Shelton, Matt Mitchell via Motherboard
How to get started on digital security training for first-timers. The short guide encourages new and would-be security trainers with some considerations for effective training. These considerations include how to think about practical security advice, planning and logistics, building knowledge, focusing on teaching narrowly-scoped mastery, as well as self-presentation and audience engagement in security trainings.
Published: February 2017
Added: June 2017

My Shadow Training Curriculum (Tactical Tech)
https://myshadow.org/train and https://gitlab.com/ttc/data-privacy-training/tree/master/content for easier access to .md content
CURRICULUM
Tactical Tech
Tactical Tech’s training curriculum for their “My Shadow” project focused on privacy. It focuses on privacy and digital security awareness-raising, and includes some easy recommendations for general audiences. You can select lesson modules, workshop information, and print out corresponding PDF handouts. (The gitlab link is currently most accessible than the main website, with the a
Published: late 2016
Updated: June 2017

SAFETAG
https://safetag.org/#audit
Internews, Multiple Human Rights International Training Organizations
These are resources on security support for different types of collectives (usually organizations, but also networks of varying complexities). Includes conducting pentesting audits, training, incident response processes, persuading organizations and leadership to adopt security tool, practices and policies, etc. (When groups and industries fully commit to safe practices and behaviors for staff and users, this is the next step beyond ad hoc “trainings” and peer recommendations, since doing security at a collective level is vastly more effective than doing it in a scattershot manner.)
**Published: **2016, new edition to be published late 2017
Added: June 2017
Tags: Security for Groups, Security for Networks, Organizational Security

Organizational Security Wiki
https://orgsec.community/display/OS
Internews, Multiple Human Rights International Training Organizations
These are resources on security support for different types of collectives (usually organizations, but also networks of varying complexities). Includes conducting pentesting audits, training, incident response processes, persuading organizations and leadership to adopt security tool, practices and policies, etc. (When groups and industries fully commit to safe practices and behaviors for staff and users, this is the next step beyond ad hoc “trainings” and peer recommendations, since doing security at a collective level is vastly more effective than doing it in a scattershot manner.)
Published: early 2016, intermittent additions
Added: June 2017
Tags: Security for Groups, Security for Networks, Organizational Security

WMC Speech Project - Tools and Resources
http://www.womensmediacenter.com/speech-project/tools-resources/
Women’s Media Center - multiple authors
These are resources and tools to support the The WMC Speech Project, which is dedicated to expanding women’s freedom of expression and curbing online harassment and abuse. Included are resources to assist with immediate and ongoing harassment, guides to digital security from the perspective of preventing doxxing and online harassment, and links to organizations with similar goals
Published: late 2016, ongoing additions
Added: January 2018
Tags: Security for Groups, Online Harassment, Organizational Security, Personal Security

The Holistic Security Manual - Tactical Tech
https://holistic-security.tacticaltech.org/
Tactical Tech - multiple authors
This manual takes a holistic approach to security, treating physical, psycho-social, and digital security as part of a greater whole rather than addressing them separately. It describes a process with Prepare-Explore-Strategize-Act phases to produce security recommendations tailored to specific circumstances.
Published: September 2016
Added: January 2018
Tags: Security for Groups, Organizational Security, Personal Security

CPJ - Emergency Response Team
https://cpj.org/emergency-response/
CPJ staff
This team provides safety and security tools and information for journalists, in addition to rapid response assictance for journalists at risk.
Published: undated
Added: January 2018
Tags: Security For Groups, Personal Security, Emergency Support

Global Journalist Security
https://www.journalistsecurity.net/
Global Journalist Security staff
This organization provides hostile environment training for journalists and other at-risk groups. Their main focus seems to be physical security, but they also have a Digital Security For Newsrooms course.
Published: undated
Added: January 2018
Tags: Physical Security, Security for Groups, Personal Security

Global Investigative Journalism Network - Helpdesk
https://helpdesk.gijn.org/support/solutions/articles/14000036509-safety-and-security
Multiple authors
Guides covering physical and digital security for journalists, along with a helpdesk to provide support with queries related to the covered topics.
Published: undated
Added: January 2018
Tags: Physical Security, Security for Groups, Personal Security

Dart Center for Journalism and Trauma
https://dartcenter.org/
Multiple authors
Guides and teaching resources to support journalists reporting on traumatic topics and events.
Published: undated
Added: January 2018
Tags: Physical Security, Security for Groups, Psychological Support

International SOS
https://www.internationalsos.com/
International SOS staff
Risk management consulting and support for organizations operating in hostile environments.
Published: undated
Added: January 2018
Tags: Physical Security, Security for Groups, Risk Management

Control Risks https://www.controlrisks.com// Control Risks staff Risk management consulting and support for organizations operating in hostile environments. Published: undated Added: January 2018 Tags: Physical Security, Security for Groups, Risk Management

On Call International
http://www.oncallinternational.com/
On Call International staff
Risk management consulting and support for travelers and organizations operating in hostile environments.
Published: undated
Added: January 2018
Tags: Physical Security, Security for Groups, Risk Management

PERSONAL DIGITAL SECURITY

Resources for securing accounts and personal digital integrity.

Security Planner
https://securityplanner.org/
Citizen Lab staff
A resource that provides digital security recommendations based on responses to a few simple questions. It’s a good starting-point for basic digital security policies for journalists in low-risk situations.
Published: December 2017
Added: January 2018 Tags: Personal Digital Security

Security for Journalists: Part 1: the Basics
https://source.opennews.org/articles/security-journalists-part-one-basics/
Jonathan Stray
A beginner-friendly introduction to threat modeling, strengthening authentication, identifying phishing attacks, as well as device encryption. While this resource came out in 2014, its lessons are still applicable today.
Published: 2014
Added: June 2017

Defending Accounts Against Common Attacks
https://source.opennews.org/guides/defending-accounts/
MIX: LINKS TO GUIDES, ARTICLES, TOOLS.
Martin Shelton/OpenNews
A curated list of account security resources and articles from Martin Shelton – a really good overview.
Published: 2014-2017
Added: June 2017

Securing Your Digital Life Like a Normal Person
https://medium.com/@mshelton/securing-your-digital-life-like-a-normal-person-a-hasty-and-incomplete-guide-56437f127425
GUIDE (101)
Martin Shelton
A very approachable guide to better security practices for the average user of the internet.
Published: December 2015, regularly updated
Added: June 2017

The Motherboard Guide to Not Getting Hacked
https://motherboard.vice.com/en_us/article/the-motherboard-guide-to-not-getting-hacked
GUIDE (101)
Vice, Joseph Cox and Lorenzo Franceschi-Bicchierai
A basic guide to personal digital security from Motherboard.
Published: August, 2016
Added: June 2017

Umbrella from Security First
https://secfirst.org/index.html
MULTIPLE GUIDES (ANDROID, TEXT FILES) Umbrella is a huge conglomeration of numerous other guides, including EFF’s SSD, Security-in-a-Box, humanitarian physical safety guides, and many more – complete list of guides here.
Security First
An open source (github) app with checklists and details about online and physical security.
Published: 2015, actively updated
Added: June 2017

Digital Privacy at the U.S. Border
https://www.eff.org/wp/digital-privacy-us-border-2017
GUIDE
Sophia Cope, Amul Kalia, Seth Schoen, Adam Schwartz, Electronic Frontier Foundation
In light of the looming U.S. travel ban targeted at individuals traveling to and from primarily Muslim countries, the Electronic Frontier Foundation Part released this whitepaper to examine travelers’ security options at the U.S. border. The paper examines the basics of risk assessment, as well as legal, technical, and practical concerns when you are preparing to leave, arriving at the border, and what to do afterwards. The guide also examines your rights, U.S. border policy, a wide range tools you can use to protect yourself, and their constraints.
Published: March 2017
Added: June 2017

Anti-phishing and Email Hygiene
https://freedom.press/training/email-security-tips/
TOOL-SPECIFIC GUIDE
Harlo Holmes, Freedom of the Press Foundation
This guide covers threat modeling, authentication practices, as well as common phishing tactics and how to avoid them.
Published: December 2016
Added: June 2017

Password Managers for Beginners
https://medium.com/@mshelton/password-managers-for-beginners-d1f49866f80f
TOOL-SPECIFIC GUIDE
Martin Shelton
A beginner-friendly guide describing why password managers are useful, branching into three step-by-step guides for getting started with 1Password, LastPass, and KeePass.
Published: November 2016
Added: June 2017

Two Factor Auth
https://twofactorauth.org/
TOOL-SPECIFIC GUIDE
Josh Davis, et. al.
Two Factor Auth is a list of popular websites, and information on whether they support two-factor authentication. It offers links with instructions for setting up two-factor authentication on each web service. On github here.
Published: June 2017
Added: June 2017

Two-Factor Authentication for Newsrooms
https://medium.com/@mshelton/two-factor-authentication-for-newsrooms-a873060ea405
TOOL-SPECIFIC GUIDE
Martin Shelton
This guide examines how to use two-factor authentication by breaking it down into multiple methods, and walking through how to set it up, using Gmail as one example. It also describes some considerations for its use in a team setting.
Updated: May 2017
Added: June 2017

The Impossible Task of Creating a “Best VPNs” List Today
https://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/
TOOL-SPECIFIC GUIDE
Yael Grauer
This article lays out the many, many issues with choosing a VPN, including logging, using preshared keys, and outdated encryption protocols.
Published: June 2016
Added: June 2017

The Motherboard Guide to VPNs
https://motherboard.vice.com/en_us/article/the-best-vpns-ranked
TOOL-SPECIFIC GUIDE
Lorenzo Franceschi-Bicchierai via Vice/Motherboard
The basics of choosing a VPN, and a few practical recommendations for specific VPNs.
Published: March 2017
Added: June 2017

Encrypting your laptop like you mean it
https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/
TOOL-SPECIFIC GUIDE
Micah Lee
A detailed resource on disk encryption for Mac devices with FileVault, Windows PCs with BitLocker, and Linux machines at the time of installation. The guide covers several attacks for stealing data from an unencrypted device.
Published: May 2015
Added: June 2017

SECURE COMMUNICATION

Resources and tools for secure digital communication.

Surveillance Self-Defence Against the Trump Administration
https://theintercept.com/2016/11/12/surveillance-self-defense-against-the-trump-administration/
INTRO ARTICLE/SHORT LIST OF STEPS
Micah Lee, The Intercept
Framed for “activists and other concerned citizens.” Some steps are basic (encrypt your phone), some are more advanced (use Qubes).
Published: November 2016
Added: June 2017

Surveillance Self-Defence for Journalists
https://medium.com/the-intercept/surveillance-self-defense-for-journalists-ce627e332db6
INTRO ARTICLE/SHORT 101 CHECKLIST OF STEPS
The Intercept
Checklists for secure digital communications.
Published: January 2017
Added: June 2017

Edward Snowden on how to Reclaim your Privacy
https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/
INTRO ARTICLE/SHORT 101 LIST OF STEPS
Micah Lee, The Intercept
Snowden himself on how to regain as much of that sweet sweet privacy as possible.
Published: November, 2015
Added: June 2017

Signal for Beginners
https://medium.com/@mshelton/signal-for-beginners-c6b44f76a1f0
TOOL GUIDE
Martin Shelton
A primer for using Signal for newcomers. Covers setup, using the app, and potential risks.
Published: November 2016
Added: June 2016

How to Keep Your Chats Truly Private with Signal
https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/
Micah Lee, The Intercept
A thorough, step-by-step guide on using Signal as securely as possible. The guide includes a short video overview, and information on securing your mobile device, hiding lock screen messages, deleting old messages, exchanging video and photos, group chat, voice and video, adding contacts, verification, and using the desktop app.
Published: May 2017
Added: June 2017

Off the Record Messaging
https://otr.im/
Various
For those who want to dive deeper, this is the home of OTR, the encrypted, authenticated and deniable messaging protocol (very similar to what is used by Signal.)
Published: Unknown (updated continuously)
Added: June 2017

Signals, Intelligence
https://medium.com/@thegrugq/signal-intelligence-free-for-all-5993c2f72f90
Thegrugq
A useful resource for understanding how Signal’s encryption works and the various forms of metadata it exposes in routine use.
Published: November 2015
Added: June 2017

Upgrading WhatsApp Security
https://medium.com/@mshelton/upgrading-whatsapp-security-386c8ce496d3
Martin Shelton
A short guide that walks through improving WhatsApp’s security by turning off and removing cloud backups, adjusting privacy settings, encryption key change notifications, and using session verification, as well as information on securing the device itself (e.g., with device encryption).
Published: February 2017
Added: June 2017

Opening Secure Channels for Confidential Tips
https://source.opennews.org/articles/opening-secure-channels-confidential-tips/
Martin Shelton
An overview of securing communications with confidential sources.
Published: February 2017
Added: June 2017

SecureDrop
https://docs.securedrop.org/en/stable/index.html
Various
SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.
Published: updated regularly
Added: June 2017

EVENTS

RightsCon
https://www.rightscon.org/
n/a
Yearly conference focused on human rights and digital technology.
Published: n/a
Added: January 2018

Global Investigative Journalism Conference
https://gijc2017.org/
n/a
Yearly conference hosted by the GIJN and various other institutions. Focuses on issues related to investigative journalism, with some digital security content.
Published: n/a
Added: January 2018

Contributing

To contribute a link, please open a pull request. This is a community-curated list, so we welcome additions, edits, deletions (in the case of content that no longer exists) and other helpful changes. We attempt to maintain a standard format to make this list more readable by both robots and humans, so please follow the format below when submitting or editing links.

To add a link please follow this format:

**<title>**<br />
<url><br />
*<authors> (csv)*<br />
<description> (single paragraph, or sentence)<br />
**Published:** <date> (date known to be published or updated)  format:  [month] [yyyy]
**Added:** <added> (date added to this list) [month] [yyyy]
**Tags:** <tags> (keywords, csv)