Activists Toolkit

For a militant digital resistance!
Work in progress!

Passwords

Having weak passwords defeats all encryption - it is obvious that you need to use strong passwords. But at the same time you should never use the same password for different purposes.
We recommend you to have only a couple of strong passwords memorized, for things like disk encryption, password manager and gpg-key. All the other passwords (facebook, mail, ...) can be stored in a password manager like KeePassX. As method for generating strong passwords you can use Diceware.

Examples for bad passwords:

Generating strong passwords using Diceware method

You need a dice and a big wordlist. (This is a new good wordlist by EFF) To create your password stick seven (or more) random words from this list together. For each word you have to roll your dice five times, write down the resulting digits and look them up in the wordlist.

This creates passwords like siblingsurveybullfrogjestercobwebduvettasting.

If you have a Tails stick around you can generate Diceware passwords faster without rolling dices:
  1. Start or restart Tails in non-persistent mode.
  2. Open the Terminal. Then copy and paste the following code into the Terminal. To confirm press Enter.
    curl --socks5-hostname 127.0.0.1:9050 -s https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt | shuf -n 7 -r --random-source /dev/random
  3. Important: Shut down Tails immediately without doing anything else.

Installing KeePassX on Linux Mint

  1. Open the start menu and press the button to start Software Manager. Enter your password.
  2. Type KeePassX into the search box in the top right of the window, then press Enter.
  3. Double click onto Keepassx and click the button Install.
  4. Start KeePassX and click on Database > New Database in the top menu.
  5. Choose a strong master password (Diceware!) and click OK.
  6. Save the new database by clicking Database > Save Database in the top menu.

PC Operating Systems + Encryption

Linux Mint

Linux Mint is an easy to use Linux Distribution based on Ubuntu. [Update setting?]

Tails

Tails is an operating system you always boot from an usb stick. [blabliblup]

Worth Mentioning

Installing Linux Mint

  1. Download Linux Mint from linuxmint.com. If you have a fairly modern computer choose the Cinnamon 64-bit edition. If your computer is older and lags running windows choose the Xfce 32-bit edition.
  2. Verify that nobody has tampered the downloaded iso file. This step is very important, do not skip!
  3. Burn the downloaded iso file to an empty usb stick.
  4. Boot from the USB stick. For instructions on how to do that just search for "boot from usb stick [computer model you use]".
  5. Follow the instructions on the screen to install Linux Mint.

    Important: On the forth page of the installer make sure to choose the option Encrypt the new Linux Mint installation for security

Basic settings for Linux Mint

To get all updates it is important that you choose Always update everything as update policy in the Update Manager. Your system will still be stable, even if this option is "officially" only recommended for experienced users.

Browser

Browsing with the Tor Browser hides your browsers fingerprint and your computers IP address, which authorities could use to get your real address. But you still have to take care to not accidentally reveal your identity by posting personal information on the internet. Searching for a place near to your real location on google maps can in certain circumstances be enough to reveal your identity.

You can get a new anonymous identity by clicking the Tor icon in the address bar and selecting New Identity. We recommend you to do this relativly often, at least each time the subject of your internet research changes.
(From planning a direct action to reading the news for example.)

Tor Browser can only protect your real identity if your computer is safe. Keep all of your software up-to-date!

Installing Tor Browser Launcher on Linux Mint

  1. Open the Terminal (Linux Mint: in the bar on the bottom left). Then type the following statements and press Enter after each one.
    1. sudo add-apt-repository ppa:micahflee/ppa
    2. sudo apt-get update
    3. sudo apt-get install torbrowser-launcher
  2. Click the Tor icon in the address bar and click Security Settings.
  3. Turn the Slider to Medium (for High continue reading).

Using NoScript (with Tor Browser)

JavaScript is a technology most websites use to show dynamic content. But having JavaScript enabled makes your browser more vulnerable to attacks which could reveal your real IP and compromise your computer.
Because of that we recommend that you disable JavaScript in the Tor Browser and only enable it temporarily for websites you trust.

  1. Click the Tor icon in the address bar and click Security Settings.
  2. Turn the Slider to High. This disables JavaScript on all websites.

If you want to enable JavaScript temporarily for the website you are visiting:

Firefox (without Tor)

You should use Firefox without Tor only for logging in to services directly connected to your real identity (facebook, online banking...) or for trivial activities which need a high internet bandwith, like streaming movies.

Install these addons to make Firefox a bit safer to use:

Email + PGP

We recommend Thunderbird as email client available for Linux, Windows and Mac.

To protect your identity it can make sense to have two (or more) different email addresses. One is connected to your name, to your work, family, etc. The other one is created anonymously through Tor Browser. To preserve the anonymity you have to use TorBirdy to run Thunderbird through Tor.

If you are using Thunderbird on Mac or Windows you are endangering yourself and the people you are communicating with. Please think about installing Linux.

Thunderbird Profiles

If you want to use Thunderbird for both your official and your anonymous identity you can create a second Profile in Thunderbird. That way each time you start the application it asks what profile it should use. With profiles you get complete separation of the email accounts, the addressbook and the installed plugins.

  1. To create a second profile you need to open the profile manager:
    • Linux: Open the Terminal (Linux Mint: in the bar on the bottom left). Type thunderbird -P and press Enter .
    • Windows: Select Start > Run... from the Windows Start menu. Enter thunderbird -P and press Ok . [TODO][Not verified!]
    • Mac: Open the Console. Type /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin -profilemanager and press Enter .
  2. Uncheck the checkbox next to Use the selected profile without asking at startup to be able to choose between profiles at startup.
  3. Press Create Profile... and follow the instructions.
  4. Make sure the new created Profile is selected and press Start Thunderbird to begin setting up your new Profile.

Thunderbird Addons

Along with Thunderbird you should install several Addons. (If you created a second Profile you have to install this Addons only in that new Profile.)

  1. To open the addon manager press the toolbar entry menu and press Add-ons.
  2. To install each of the following Addons enter the addon's name into the search box and click on Install
  3. Restart Thunderbird for the changes to take effect.

Thunderbird Account Settings

[TODO]

Privacy-Conscious Email Providers

Systemli

Systemli provides you not only with an email address but with a personal owncloud, too.

You need an invitation code to register.

Riseup

Riseup recently had to comply with two warrants. Since then they have changed their system to an encrypted email storage, which gives you a bit more security against these types of warrants. But it does not replace the need for End-to-End encryption.

You need an invitation code to register.

Jabber + OTR

Jabber + OTR (Off-the-record encryption) is the equivalent to Email + PGP for chatting. You can choose between different applications on your computer and smartphone to use it. OTR similar to PGP provides End-to-End encryption. This means, that even the server you use to communicate with others can not read your messages. Different to Email both parties have to be online and (with Tor Messenger) per default no chat history is saved.

Installing Tor Messenger on Linux

  1. Open this link to the website of Tor Messenger. Download and save the Linux (64-bit) version of Tor Messenger and both files starting with sha256sums to your Downloads directory.
  2. Open the Terminal (Linux Mint: in the bar on the bottom left). Then type the following statements and press Enter after each one.
    (Hint: If you feel lazy you can complete filenames by pressing Tab.)
    1. cd Downloads
    2. gpg --keyserver keys.gnupg.net --recv 6DA77FAA
    3. gpg --verify sha256sums-signed-build.txt.asc
      The output should contain the line gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>"
      The fingerprint in the last line should match E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA
    4. sha256sum -c sha256sums-signed-build.txt 2>/dev/null | grep OK
      The output should end with OK

      5. You have now verified that your download of Tor Messenger has not been manipulated. If some of the commands produced not the expected output it might be possible that you are being attacked.

      In that case delete all downloaded files by typing the commands:

      1. rm tor-messenger*
      2. gpg --delete-keys --yes --batch 6DA77FAA

      Then try everything again from a different location or internet access point.

    5. tar -xvaf tor-messenger* -C ~
    6. cd ~/tor-messenger
    7. ./start-tor-messenger.desktop --register-app
    8. Press the button in the start menu to logout. After you have logged in again, you should be able to start Tor Messenger from the start menu.
      The software checks for updates every time it is run and installs updates automatically. Congrats, now it is time to create a jabber account and start messaging!

Configuration of Tor Messenger

  1. Start Tor Messenger and connect to the Tor Network.
  2. In the Account Wizard window choose XMPP as protocol.
  3. Open the Tor Browser to create a new Jabber account. We recommend systemli as provider, but they are by far not the only ones. In the Tor Browser open the address https://jabber.systemli.org:5281/register_web and fill out the form.
  4. Back in the Tor Messenger application enter your chosen username into the username field and jabber.systemli.org into the domain field. (If you choose to register with systemli.)
  5. In the next window just enter your password and click Next.
  6. Click onto XMPP Options to show the advanced options. When you scroll the window down a bit you should see a field with the name Server. Here you can enter the address of a hidden server, if your Jabber provider supports this. For systemli accounts enter x5tno6mwkncu5m3h.onion and press Next and finish the account wizard.
  7. Tor Messenger does never autoconnect, click on Connect.
  8. If you did input a hidden server and connect for the first time: There will be a security warning: requested domain name does not match the server's certificate. This time and only this time press Add Exception and click Confirm Security Exception.

    9. Never do this under any other circumstance! It is only safe in case you connect the first time to a hidden server.
  9. As last thing we recommend you to right-click into the empty Tor Messenger window (not the accounts window) and select Show Offline Contacts.

Chatting with Tor Messenger

To start chatting with a contact over jabber you need to add them to your contact list. For that you need their jabber address. It looks like an email adress, for example: username@jabber.systemli.org

  1. In the top menu click on File > Add Contact...
  2. Type your contacts address into the username field and click Ok
  3. Your contact gets a message where they have to allow your contact request. If they accept, the contact should not be greyed out in your contact list anymore.
  4. To start a chat double-click onto the new contact and send a message.
  5. You could start chatting now, but wait. To be sure that you are not being eavesdropped it is critical that you verifiy your contacts identity. Click on Verify in the chat window and follow the instructions on the screen.
    Only if the small lock symbol in the upper right corner of the chat window is green can you be sure that the chat is properly secured.

Small hint: If you are the one getting a contact request there is one more thing you should do after you clicked on Allow and your contact texted you. In the chat window right-click on your contacts jabber address and click Add Contact... > Contacts. Only then can you see your contacts online status.

Mobile clients

Conversations

Conversations supports not only OTR encryption but the supperior OMEMO encryption. The problem is only, that right now there is no Desktop application capable of OMEMO in a safe way.

Download conversations in the F-Droid appstore if you can not pay for the software. (But please support the developers if possible!)

Available for: Android

ChatSecure

ChatSecure is the recommended alternative to Conversations for iOS.

Available for: iOS

Secure Deletion

It is currently not possible to delete files on USB-Sticks, SD-Cards or Solid State Disks (SSD).
Therefore it is super important to only store encrypted data on these storage devices.

Recommended Reading

Guides

OpSec (Operational Security)

Information

Tools