Having weak passwords defeats all encryption - it is obvious that you need to use strong passwords. But at the same time you should never use the same password for different purposes.
We recommend you to have only a couple of strong passwords memorized, for things like disk encryption, password manager and gpg-key. All the other passwords (facebook, mail, ...) can be stored in a password manager like KeePassX. As method for generating strong passwords you can use Diceware.

Examples for bad passwords:

• :LOL1313le
• Coneyisland9/
• momof3g8kids
• 1368555av
• n3xtb1gth1ng
• qeadzcwrsfxv1331
• m27bufford

Generating strong passwords using Diceware method

You need a dice and a big wordlist. (This is a new good wordlist by EFF) To create your password stick seven (or more) random words from this list together. For each word you have to roll your dice five times, write down the resulting digits and look them up in the wordlist.

This creates passwords like siblingsurveybullfrogjestercobwebduvettasting.

Installing KeePassX on Linux Mint

1. Open the start menu and press the button to start Software Manager. Enter your password.
2. Type KeePassX into the search box in the top right of the window, then press Enter.
3. Double click onto Keepassx and click the button Install.
4. Start KeePassX and click on Database > New Database in the top menu.
5. Choose a strong master password (Diceware!) and click OK.
6. Save the new database by clicking Database > Save Database in the top menu.

Worth Mentioning

• Subgraph OS - An operating system built for anonymized and secure communication. Is still being developed, but could replace Linux Mint in the future.
• Qubes OS - A "resonably" secure operating system, but needs a big change in how you use the computer. Recommended for more advanced users.

Installing Linux Mint

1. Download Linux Mint from linuxmint.com. If you have a fairly modern computer choose the Cinnamon 64-bit edition. If your computer is older and lags running windows choose the Xfce 32-bit edition.
2. Verify that nobody has tampered the downloaded iso file. This step is very important, do not skip!
• Windows:
1. Download and install Gpg4win.
2. Download the two files on linuxmint.com/verify.
3. Open Kleopetra, which got installed with Gpg4win.
4. [TODO] Recive key 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
5. [TODO]
3. Burn the downloaded iso file to an empty usb stick.
• Linux:[TODO]
• Windows: Download and use the software Rufus with the default settings.
• Mac: Just right-click on the file and choose Burn Disk Image
4. Boot from the USB stick. For instructions on how to do that just search for "boot from usb stick [computer model you use]".
5. Follow the instructions on the screen to install Linux Mint.

   Important: On the forth page of the installer make sure to choose the option Encrypt the new Linux Mint installation for security

Basic settings for Linux Mint

To get all updates it is important that you choose Always update everything as update policy in the Update Manager. Your system will still be stable, even if this option is "officially" only recommended for experienced users.

Browsing with the Tor Browser hides your browsers fingerprint and your computers IP address, which authorities could use to get your real address. But you still have to take care to not accidentally reveal your identity by posting personal information on the internet. Searching for a place near to your real location on google maps can in certain circumstances be enough to reveal your identity.

You can get a new anonymous identity by clicking the Tor icon in the address bar and selecting New Identity. We recommend you to do this relativly often, at least each time the subject of your internet research changes.
(From planning a direct action to reading the news for example.)

Installing Tor Browser Launcher on Linux Mint

1. Open the Terminal (Linux Mint: in the bar on the bottom left). Then type the following statements and press Enter after each one.
1. sudo add-apt-repository ppa:micahflee/ppa
2. sudo apt-get update
3. sudo apt-get install torbrowser-launcher
2. Click the Tor icon in the address bar and click Security Settings.
3. Turn the Slider to Medium (for High continue reading).

Using NoScript (with Tor Browser)

JavaScript is a technology most websites use to show dynamic content. But having JavaScript enabled makes your browser more vulnerable to attacks which could reveal your real IP and compromise your computer.
Because of that we recommend that you disable JavaScript in the Tor Browser and only enable it temporarily for websites you trust.

1. Click the Tor icon in the address bar and click Security Settings.
2. Turn the Slider to High. This disables JavaScript on all websites.

If you want to enable JavaScript temporarily for the website you are visiting:

• Click the NoScript icon in the address bar and select Temporarily allow all this page.

Firefox (without Tor)

Install these addons to make Firefox a bit safer to use:

• HTTPS Everywhere
• uBlock Origin
• Decentraleyes
• NoScript - NoScript might be overkill if you use this Browser only for the few websites connected to your real identity.

We recommend Thunderbird as email client available for Linux, Windows and Mac.

To protect your identity it can make sense to have two (or more) different email addresses. One is connected to your name, to your work, family, etc. The other one is created anonymously through Tor Browser. To preserve the anonymity you have to use TorBirdy to run Thunderbird through Tor.

Thunderbird Profiles

If you want to use Thunderbird for both your official and your anonymous identity you can create a second Profile in Thunderbird. That way each time you start the application it asks what profile it should use. With profiles you get complete separation of the email accounts, the addressbook and the installed plugins.

1. To create a second profile you need to open the profile manager:
   • Linux: Open the Terminal (Linux Mint: in the bar on the bottom left). Type thunderbird -P and press Enter .
   • Windows: Select Start > Run... from the Windows Start menu. Enter thunderbird -P and press Ok . [TODO][Not verified!]
   • Mac: Open the Console. Type /Applications/Thunderbird.app/Contents/MacOS/thunderbird-bin -profilemanager and press Enter .
2. Uncheck the checkbox next to Use the selected profile without asking at startup to be able to choose between profiles at startup.
3. Press Create Profile... and follow the instructions.
4. Make sure the new created Profile is selected and press Start Thunderbird to begin setting up your new Profile.

Thunderbird Addons

Along with Thunderbird you should install several Addons. (If you created a second Profile you have to install this Addons only in that new Profile.)

1. To open the addon manager press the toolbar entry and press Add-ons.
2. To install each of the following Addons enter the addon's name into the search box and click on Install
• Enigmail - PGP message encryption.
• TorBirdy - Run Thunderbird over the Tor anonymity network.
3. Restart Thunderbird for the changes to take effect.

Thunderbird Account Settings

[TODO]

Privacy-Conscious Email Providers

Jabber + OTR (Off-the-record encryption) is the equivalent to Email + PGP for chatting. You can choose between different applications on your computer and smartphone to use it. OTR similar to PGP provides End-to-End encryption. This means, that even the server you use to communicate with others can not read your messages. Different to Email both parties have to be online and (with Tor Messenger) per default no chat history is saved.

Installing Tor Messenger on Linux

1. Open this link to the website of Tor Messenger. Download and save the Linux (64-bit) version of Tor Messenger and both files starting with sha256sums to your Downloads directory.
2. Open the Terminal (Linux Mint: in the bar on the bottom left). Then type the following statements and press Enter after each one.
   (Hint: If you feel lazy you can complete filenames by pressing Tab.)
1. cd Downloads
2. gpg --keyserver keys.gnupg.net --recv 6DA77FAA
3. gpg --verify sha256sums-signed-build.txt.asc
   The output should contain the line gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>"
   The fingerprint in the last line should match E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA
4. sha256sum -c sha256sums-signed-build.txt 2>/dev/null | grep OK
   The output should end with OK



You have now verified that your download of Tor Messenger has not been manipulated. If some of the commands produced not the expected output it might be possible that you are being attacked.

In that case delete all downloaded files by typing the commands:

1. rm tor-messenger*
2. gpg --delete-keys --yes --batch 6DA77FAA

Then try everything again from a different location or internet access point.

5. tar -xvaf tor-messenger* -C ~
6. cd ~/tor-messenger
7. ./start-tor-messenger.desktop --register-app
8. Press the button in the start menu to logout. After you have logged in again, you should be able to start Tor Messenger from the start menu.
   The software checks for updates every time it is run and installs updates automatically. Congrats, now it is time to create a jabber account and start messaging!

Configuration of Tor Messenger

1. Start Tor Messenger and connect to the Tor Network.
2. In the Account Wizard window choose XMPP as protocol.
3. Open the Tor Browser to create a new Jabber account. We recommend systemli as provider, but they are by far not the only ones. In the Tor Browser open the address https://jabber.systemli.org:5281/register_web and fill out the form.
4. Back in the Tor Messenger application enter your chosen username into the username field and jabber.systemli.org into the domain field. (If you choose to register with systemli.)
5. In the next window just enter your password and click Next.
6. Click onto XMPP Options to show the advanced options. When you scroll the window down a bit you should see a field with the name Server. Here you can enter the address of a hidden server, if your Jabber provider supports this. For systemli accounts enter x5tno6mwkncu5m3h.onion and press Next and finish the account wizard.
7. Tor Messenger does never autoconnect, click on Connect.
8. If you did input a hidden server and connect for the first time: There will be a security warning: requested domain name does not match the server's certificate. This time and only this time press Add Exception and click Confirm Security Exception.


Never do this under any other circumstance! It is only safe in case you connect the first time to a hidden server.
9. As last thing we recommend you to right-click into the empty Tor Messenger window (not the accounts window) and select Show Offline Contacts.

Chatting with Tor Messenger

To start chatting with a contact over jabber you need to add them to your contact list. For that you need their jabber address. It looks like an email adress, for example: username@jabber.systemli.org

1. In the top menu click on File > Add Contact...
2. Type your contacts address into the username field and click Ok
3. Your contact gets a message where they have to allow your contact request. If they accept, the contact should not be greyed out in your contact list anymore.
4. To start a chat double-click onto the new contact and send a message.
5. You could start chatting now, but wait. To be sure that you are not being eavesdropped it is critical that you verifiy your contacts identity. Click on Verify in the chat window and follow the instructions on the screen.
   Only if the small lock symbol in the upper right corner of the chat window is green can you be sure that the chat is properly secured.

Small hint: If you are the one getting a contact request there is one more thing you should do after you clicked on Allow and your contact texted you. In the chat window right-click on your contacts jabber address and click Add Contact... > Contacts. Only then can you see your contacts online status.

Mobile clients

Guides

• Surveillance Self-Defense by EFF - Guide to defending yourself from surveillance by using secure technology and developing careful practices.
• Email Self-Defense by FSF - A guide to fighting surveillance with GnuPG encryption.

OpSec (Operational Security)

• Clandestine Mobile Phone Use (1)
• Clandestine Mobile Phone Use (2)
• Tools to evade stylometrics
• Using Codes

Information

• Surveillance Industry Index - Database of surveillance products.
• Freedom of the Press Foundation - Supporting and defending journalism dedicated to transparency and accountability since 2012.

Tools

• Fake Name Generator - Generate a random identity, with full address, phone number and more.
• ipleak.net - IP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites.
• PRISM Break - We all have a right to privacy, which you can exercise today by encrypting your communications and ending your reliance on proprietary services.
• Security in-a-Box - A guide to digital security for activists and human rights defenders throughout the world.
• AlternativeTo.net - Great collection of open source online and self-hosted software sorted by likes.
• SecureDrop - An open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. It was originally created by the late Aaron Swartz and is currently managed by Freedom of the Press Foundation.
• Reset The Net - Privacy Pack - Help fight to end mass surveillance. Get these tools to protect yourself and your friends.
• Security First - Umbrella is an Android app that provides all the advice needed to operate safely in a hostile environment.