10

In the last months I have seen some operational security mistakes from people on our side that cost us dear, but could have been easily avoided with a little bit of technical knowledge. So I decided to write a basic digital security guide that might come in handy for more non-technical people.

Who is this guide for? This guide is aimed at the average Joe that wants to get active, at people who audit votes, organize peaceful demonstrations, local politicians or even parents fighting Critical Race Theory. It recommends tools that are either free or cheap, are easy to use and require little technical knowledge.

Who is this guide NOT for? Any kind of illegal activity or people who need military grade protection (e.g. high ranking politicians). If you plan to go full 1776, leave your phone at home.

A few general security tips

Nothing that is transmitted digitally is ever 100% private. Even if it is encrypted in transmission, the receiving device might be backdoored, your conversation may be uploaded in plain text to a backup service or your contact might screenshot your messages and sell you out a few weeks later. If you need to communicate safely, meet in person, have a walk in the park, and leave your phone at the office.

When you send an unencrypted e-mail or a text message, government agencies can read the content of your communication the second you send it. Each and every mail and text you ever send is stored in gigantic databases, often for years, sometimes forever, depending on how high ranking of a target you are. Your phone calls are easily accesible and are recorded and automatically transcribed as well. The same goes for data stored in cloud services like Dropbox, OneDrive or iCloud. If your data is not end-to-end encrypted, assume that every low ranking FBI agent and up can access it.

You might ask yourself, if the feds can get to your data anyways, why even bother with security? Because using secure means of communication buys you time, reduces the attack vector they have against you and potentially exposes people and companies collaborating with the enemy.

Security for your data consists of many layers, from physical access to your devices to using non-guessable passwords. First step is to make sure that only you can use your devices. Secure the laptop with a password, put it into a lockable drawer and lock the room where it is in.

If you are active on internet forums like this there are additional threats. There are a few ways the enemy could try to get your true identity, even if they don't have access to server logs. That's why you should open as little third party content as possible that gets linked on patriotic sites. PDFs can be an infection vector, Google Docs leak your Google account, even simple images can hide malicious code. Do not take offers to "collaborate" if you get them on patriotic forums that are under close scrutiny by the powers that be.

What you can do to improve your privacy and security

Signal app for mobile messaging: Signal is a classic for secure messaging, it was developed after the Snowden leaks and uses state of the art end-to-end encryption. Use this app to send messages, organize a group, and make phone calls. All patriots should have Signal installed on their phone.

ProtonMail for e-mail communication: ProtonMail has come under attack lately for some dubious decisions they made, like logging the IP address of their users, but they are still the best privacy focused mail service out there. The company's original goal was to protect Swiss scientists and EU parliamentarians from foreign intelligence services. Based in Switzerland, it enjoys their solid privacy laws and the encryption they use has never been broken. Note that you only get encrypted communication if you send from your ProtonMail to another ProtonMail user.

A Virtual Private Network (VPN) for posting information on the web: A VPN hides the actual IP address of your device behind an IP address of the VPN company. It protects you from being identified when you surf the web, post a comment on social media, YouTube or any other place. Note that the company that provides the VPN can obviously see everything you do, therefore use only privacy focused VPNs with a good reputation. I recommend Mulvad, Windscribe or AirVPN, but the reliability and ownership of these companies may change at any time.

Avoid Google Chrome: Replace Chrome with an alternative browser that isn't collecting your data 24/7. Safari, Firefox, Brave browser are all better options. I recommend Firefox with the uBlock Origin addon. Firefox has the advantage of encrypting your bookmarks if you sync them via your Firefox account with other devices.

iPhone over Androids: In general I would recommend iPhones over Androids, since Apple is pretty privacy focused and Google basically lives off collecting and selling your data. There is a reason why there is a lot of talk about law enforcement hacking into iPhones but you never hear them having any problems with Android phones. Disk encryption with the secure enclave on modern Apple SOCs is top notch. But you need to be aware that both phone operating systems can be backdoored by three letter companies quite easily. The picture changes if you start to install custom ROMs on your Android phone, but this is out of reach for most people.

Avoid cloud storage like iCloud or Dropbox: All the major cloud storage providers have full access to the data you upload there and liberally give access to this data to federal agencies. It is hard to find a free and secure cloud storage but MEGA checks the most important boxes. It was founded by Kim Dotcom, the German entrepeneur that got swatted by police because Hollywood demanded so. All data is end-to-end encrypted which is very rare among cloud storage providers.

Use full disk encryption on your laptop and your phone: For Windows this means you need to activate BitLocker which comes with Windows 10 pro and up. All iPhones and many modern Android phones come with full disk encryption already enabled. If you lock your device by biometric means, e.g. your fingerprint or your face you can be forced to unlock it on the spot. If you use a passcode you can claim to not remember it. Note that a judge can put you in prison indefinitely until you agree to unlock your device.

Feel free to point out better alternatives to my suggestions or where I got it wrong. This topic is quite complex and I plan to improve this guide and keep it up-to-date.