SSD ChangeLog
We're happy to share that Surveillance Self-Defense is now available in 10 languages, including recently released Portuguese. We are grateful to all who have worked to make these translations available. SSD's other recent updates and changes include:
Keeping Your Data Safe
We've added a warning to our Keeping Your Data Safe guide about trusting Microsoft's BitLocker in order to capture various threat models.
BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you to trust that Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of attackers who might know of or benefit from a back door in either Windows or BitLocker, you may wish to consider an alternative open source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such as Tails or Qubes OS.
How to: Encrypt Your Windows Device
Our How to: Encrypt Your Windows Device guide outlines how to use the open-source encryption suite DiskCryptor to encrypt your device. Please note that users have reported serious problems with DiskCryptor on Windows 8 with UEFI boot. We suggest you create a bootable disk image before attempting full disk encryption on these machines.
Surveillance Self-Defense Video Animations
As we mentioned before, EFF collaborated with AJ+ to create four video animations that have now been incorporated into SSD as standalone overviews.
- Protecting Your Devices From Hackers
- Using Password Managers To Stay Safe Online
- How to Make a Super-Secure Password Using Dice
- How Strong Encryption Can Help Avoid Online Surveillance
Why Metadata Matters
Those who collect or demand access to metadata, such as governments or telecommunications companies, argue that the disclosure (and collection) of metadata is no big deal. Unfortunately, these claims are just not true. Even a tiny sample of metadata can provide an intimate lens into a person’s life. Find out why metadata matters, who can access the metadata you transmit when you communicate, and how it might be used by checking out our new guide.
How to: Use OTR for Linux
We've added a new, step-by-step guide that explains how to use OTR for Linux. If you're a Mac or Windows user, please reference our other guides, How to: Use OTR for Mac and How to: Use OTR for Windows.
In the News
- A recent Citizen Lab report reveals a sophisticated phishing campaign targeting the Iranian diaspora.
- A fake EFF site has been used as bait to distribute malware whose use has been connected to the Russian state.
- Peru’s executive branch adopted a legislative decree (DL 1182) dubbed "Ley Acosadora," or in English, "the Stalker Law," that allows warrantless access to Peruvians' location data.
- The German domestic intelligence agency has been accused of trading its own data about German citizens for access to the NSA's XKEYSCORE spying program.
- The UK government is looking to introduce an investigatory powers bill—a revival of the Snoopers' Charter with even more spying powers for the police and GCHQ.
SSD ChangeLog
We continue to update Surveillance Self-Defense thanks to our readers' great feedback. Most recently, we published SSD in Russian, Turkish, Vietnamese, French, and Urdu and are happy to share that SSD is now available in nine languages.
Here are a few other changes and additions we've recently made:
Surveillance Self-Defense Video Animations
EFF collaborated with AJ+, a global news community tailored to a younger generation, to create four video animations that will be incorporated into SSD as standalone guides in the future. In the meantime, you can find the collection of animations on the Internet Archive or individually linked below:
- Protect Your Devices From Hackers – Don't Get '0wned'
- Using Password Managers To Stay Safe Online
- How to Make a Super-Secure Password
- Tips to Help Avoid Online Surveillance
Creating Strong Passwords
In the "Syncing Your Passwords Across Multiple Devices" section of this guide, we clarified some matters pertaining to password storage options and highlighted what you should consider when syncing passwords across devices and/or storing passwords.
The updated text reads as follows: “Password managers that use their own servers to store or help synchronize your passwords are more convenient, but the trade-off is that they are slightly more vulnerable to attack. If you just keep your passwords on your computer, then someone who can take over your computer may be able to get hold of them. If you keep them in the cloud, your attacker may target that also. It's not usually a compromise you need to worry about unless your attacker has legal powers over the password manager company or is known for targeting companies or internet traffic. If you use a cloud service, the password manager company may also know what services you use, when, and where from.”
How to: Use Tor on Mac OS X
Check out our new, step-by-step guide that explains how to use Tor on Mac OS X. Windows users, please reference our Tor for Windows guide.
LGBTQ Youth?
Even today, LGBTQ youth face threats accessing online information and resources. This new SSD playlist can help.
In the News
- Hacking Team, an Italian company that sells surveillance software to governments, was itself hacked. The company's internal documents confirmed that its products are used by a host of authoritarian regimes.
- The UK government admitted that its signals intelligence wing, GCHQ, spied on the human rights organization Amnesty International.
- Vietnamese blogger Le Quoc Quan is being released from prison after serving the full term of his 30-month sentence related to politically motivated charges of tax evasion.
- Iran is still imprisoning netizens and blocking sites after two years of "reform."
SSD ChangeLog
In Surveillance Self-Defense news, we've revamped the home page to make navigating the site a bit easier. Now you can access all of the SSD guides directly from the home page by hovering over "Overviews," "Tutorials," or "Briefings." You can still access the full list of guides by clicking on the Index. We're also excited to announce that this week we launched SSD in Thai.
Here are a few other changes and additions we've recently made:
How to: Use Signal - Private Messenger
Open Whisper Systems recently released its newest version of Signal. Signal is an app for iPhone that, prior to its newest update, allowed users to make end-to-end encrypted phone calls to other Signal users. The 2.0 version allows users to send end-to-end encrypted group, text, picture, and video messages between Signal on iPhone and TextSecure and RedPhone on Android. We've updated our How to: Use Signal - Private Messenger guide accordingly.
How to: Delete Your Data Securely
Our original How to: Delete Your Data Securely guide was an all-in-one guide, including tips for secure deletion on Mac OS X, Windows, and *nix operating systems. We've since written separate guides for each of Mac OS X, Windows, and Linux so readers don't have to sift through unnecessary content. Additionally, we originally gave instructions on using Eraser to delete data from Windows and *nix operating systems; our new guides teach readers how to delete their data using BleachBit.
New Glossary Terms
Below are new terms that have been added to the SSD glossary.
Seven Steps to Digital Security
We've added a new module, Seven Steps to Digital Security, that outlines some basic tips to consider when thinking about your own digital security.
In the News
- Be wary of new "secure" messaging tools. Joseph Bonneau talks about why Zendo's one-time pad technology may not be the "game changer" the company's founder says it is.
- New trends in online sex extortion include this Android app.
- The FBI has been ordered to reveal its surveillance tactics on communities thanks to the ACLU.
- Think your iPhone password is secure? This IP Box that costs less than $300 bypasses Apple's 10-guess lockout, and can guess all possible 4-digit passwords in 111 hours.
- Belarus has banned Tor and other anonymizing software.
- The UN Human Rights Council has established a special rapporteur on the right to privacy.
SSD ChangeLog
We continue to receive great, constructive feedback from readers. Many of your suggestions have sparked more in-depth edits which we'll share with you in the coming months. We're also working on an SSD homepage revamp, which will allow for a more user-friendly navigating experience to our guides. Meanwhile, we're answering some FAQs from users and addressing a couple of content tweaks:
You don't mention keyloggers...any reason why?
Keyloggers are tools which record everything you type on a computer keyboard, and covertly send that data to an attacker. Keylogging software has been around since at least the 1970s, when Russian spies placed physical bugs into the Selectric typewriters used at American embassies. We include keyloggers in the general discussion of the risks of malware, but don't specifically mention them as a separate class of tracking device. While physical keyloggers still exist, keylogging itself is mostly implemented using software these days. Any malicious software that conducts keylogging will also generally have many more functions (such as monitoring audio or recording screen activity) than just keylogging.
We felt that by concentrating on keylogging, we'd mislead people about the ways in which malware can do far more, including bypassing some of the strategies that one might intuitively think could dodge tools that record keystrokes (i.e. using onscreen keyboards, or moving the mouse and typing extra keystrokes outside the password entry box when typing passwords). Given that you don't know what malware may be used against you, it's better to defend yourself against all malware, rather than take steps that may only work on a small subset of malware.
What's the difference between KeePass and KeePassX?
KeePassX is a cross-platform version of the Windows-only KeePass program. KeePassX works on Windows, OS X, and Linux. We always try to recommend software that works across different operating systems, both for simplicity's sake and because it allows people the freedom to move more easily between computer platforms.
Computerization of health records raises many security and privacy issues - any plans to address these in SSD?
EFF keeps a close eye on the digitization of health records and the privacy issues this raises, but SSD concentrates on securing individuals against surveillance, rather than what happens to your private data when it's taken out of your hands. We don't have any plans to cover health records in particular, but we do plan to cover strategies for securing your data when it's held by third parties (like cloud services), where that's possible.
Attending Protests (United States and International)
We've elaborated on a statement originally published in our Attending Protests guides. We initially suggested that if you attend a protest and are concerned about being identified, you might cover your face so as not to be identified in photos. Runa Sandvik pointed out that while this is sound advice in some U.S. states and countries, masks may get you into trouble in other locations due to anti-mask laws. We've updated the text to reflect this.
In the News
- A Spanish judge believes using secure email services is a dangerous sign of terrorist tendencies.
- The British Prime Minister takes this one step further: if only we made all legal Internet communications insecure, we'd all be safer from terrorists.
- Verizon and its advertising partner, Turn, have been caught using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking.
- Surveillance technologies such as drones and CCTVs are a growing security concern, particularly in Latin America.
- President Obama's cybersecurity legislative proposal that was released last week lacks substantive protections and enhancements for computer security.
SSD ChangeLog
One of our aims in creating Surveillance Self-Defense (SSD) is to provide a resource for combatting online spying that is quickly and consistently updated to keep track of current events and the changing capabilities of both protective tools and the attackers they defend against. We'll be blogging regularly here to catalog the clarifications, corrections and new information we've added to the site.
Many of these changes are based on reader feedback. We'd like to thank everyone for all the messages you've sent and encourage you to continue providing your notes and suggestions, which help us preserve SSD as a reliable resource for people all over the world. Please keep in mind that some feedback may take longer to incorporate than others, so if you've made a substantive suggestion, we may still be working on it!
How to: Delete Your Data Securely
On a *nix operating system, we recommend using sfill to securely delete anything left in the free space of your drive. Secure-delete is available for Debian, Mint, and Ubuntu but is not installed by default, so you’ll probably need to install it using your distribution’s package management software (sometimes known as a “Software Manager”). (If you use RedHat, Fedora, OpenSUSE, or Mandriva, and know how to use alien to convert packages from deb format to rpm, you can find the deb for secure-delete here.) The article explains what to do once it's installed.
How to: Use OTR for Mac
An issue was found with Adium notifications on OS X; they are logged by default, meaning there is a record of Adium chats even if logging is turned off. The article now explains how to disable Adium notifications so they will not be logged by the underlying operating system.
How to: Use OTR for Windows
While Pidgin's download page uses "HTTPS" and is therefore relatively safe from tampering, the website it directs you to for downloading the Windows version of Pidgin is currently Sourceforge, which uses unencrypted "HTTP," and therefore offers no protection. That means that the software you download could potentially be tampered with before you download it. The article expands on the level of this risk, based on your threat model.
How to: Use PGP for Linux, How to: Use PGP for Mac OS X, How to: Use PGP for Windows PC
If you use two-factor authentication with Google (and depending on your threat model you probably should!) you cannot use your standard Gmail password with Thunderbird. Instead, you will need to create a new application-specific password for Thunderbird to access your Gmail account. See Google's own guide for doing this.
Additionally, we flagged that in October 2014, the GPG Tools team, who package GPG for the Mac OS X platform, announced that they would soon be charging for GPGMail, the part of their package that lets you use GPG with Apple's Mail application. Because our PGP guide for Mac explains how to use GPG with Thunderbird, it doesn't require that component. You can just use the zero-cost part of the GPG Suite. In addition, all of these tools are "free software" in the FLOSS sense that you are still allowed to freely examine, edit and redistribute GPG Mail's underlying source code. For more information, see GPG Tools' own FAQ on their decision.
How to: Use RedPhone (Android), How to: Use TextSecure (Android)
Several of you asked why RedPhone and TextSecure cannot be downloaded without signing up for Google Play. In the guide, we explain that to prevent tampering or data collection by third parties, it would be better if this software was downloadable outside of Google's "Google Play" app store. Unfortunately, for now, these programs use some of Google's infrastructure for software updates and for "push" notifications, which requires using their store ecosystem. You can read more about the creators' reasoning for this decision here.
Structural Changes
Dates that indicate when articles were last updated are now present at the bottom of each guide.
In the News
- Open Whisper Systems (makers of RedPhone and TextSecure) recently announced an agreement with Facebook's WhatsApp to include compatible encryption in its proprietary Android client; we hope to document this alternative shortly.
- Detekt is a new malware detection tool, aimed at protecting activists and others targeted by illicit state surveillance.
- EFF examines what security protections popular messaging services provide.
- We're also working to ensure that websites will be able to offer their users encrypted connections much more easily.
- The Tor Browser will soon be unavailable for older (Mac OS X 10.6) Macs.
Welcome to Surveillance Self-Defense
We’re thrilled to announce the relaunch of Surveillance Self-Defense (SSD), our guide to defending yourself and your friends from digital surveillance by using encryption tools and developing appropriate privacy and security practices. The site launches today in English, Arabic, and Spanish, with more languages coming soon.
SSD was first launched in 2009, to “educate Americans about the law and technology of communications surveillance…” and to provide information on how to use technology more safely. Not long after, in the midst of the 2009 Iranian uprising, we launched an international version that focused on the concerns of individuals struggling to preserve their right to free expression in authoritarian regimes.
In the time since the Snowden revelations, we’ve learned a lot about the threats faced by individuals and organizations all over the world—threats to privacy, security, and free expression. And there is still plenty that we don’t know. In creating the new SSD, we seek to help users of technology understand for themselves the threats they face and use technology to fight back against them. These resources are intended to inspire better-informed conversations and decision-making about digital security and privacy, resulting in a stronger uptake of best practices, and the spread of vital awareness among our many constituents.
We invite you to take a look at SSD, and to provide us with feedback (we’ve made it easy: there’s a feedback dropdown on every page). Right now, the site is available in just three languages, but we soon plan to expand, with Vietnamese, Russian, Persian, and several other languages in our sights. And if you think we’ve missed something, please let us know. The threats are always changing, so our advice should change to keep up.