Be Safe, Be Secure

If you are a journalist or activist operating in an area where you feel at risk, contact us. We can offer you resources, such as web hosting, servers, or DDoS protection, as well as technical support.

You can reach us at info gladsheimr [at] protonmail [dot] com.

Secure Messaging

The most important thing to consider is to use end to end encrypted channels. The second most important thing is to avoid having the metadata of your conversations stored and used by a company you do not trust.

The best choice for this is Signal. All communication is end to end encrypted: the one-on-one chats, the group chats and even the audio and video calls. The company does not store any metadata.

The Signal application has a very familiar interface for anyone who has used WhatsApp or Messenger before.Signal also allows users to send documents, pictures and videos, and to forward messages.

Signal allows users to send photographs that can only be viewed once, for very sensitive content. It also allows the users to set a timer after which their messages will be deleted from the chat (and, automatically, from the recipient as well).

The news about Signal being breached is not true. The news about Signal being under attack is also not true. The Signal team reassured its users of this (on Twitter).

Signal is tied to your real phone number, so the people that you chat with can see if. If you are concerned about this, you can learn about how you can get around this problem by using a secondary phone number with Signal.

If you do not want your phone number associated with your chats at all, and you can not use any of the methods listed above to register a secondary phone number with Signal, use Threema. It allows you to skip linking your phone number to your account so that your contacts can never see it.

If the people you need to stay in touch with can not or will not install Signal, the second best option is WhatsApp, which is end to end encrypted as well. However, WhatsApp is owned by Facebook and part of your metadata is stored and used by them. Both one-on-one chats and group chats are end to end encrypted.If you want to take an extra step to ensure your conversations on WhatsApp are never stored in the long term, make sure to never enable back-ups.

Instagram, which is also owned by Facebook, has implemented end to end encrypted chats for their users in Russia and Ukraine only.

Facebook Messenger also had end to end encrypted chats, but only for one-on-one conversations. These encrypted chats need to be enabled manually from the Messenger app, by tapping the profile of a person and then tapping “Go to secret conversation”. You can also enable messages that are deleted after a certain time by tapping on the timer icon in the chat box at the bottom.

The same is true for Telegram: it offers end to end encrypted chats, but only if you enable them manually. In the end to end encrypted chats, you can enable messages that are deleted after a certain time. If you take a screenshot in an end to end encrypted chat on Telegram, your chat partner is notified of this fact, so taking screenshots of sensitive media is discouraged.

Securing your online accounts

For every online account you have, check whether you can enable two-factor authentication. Without two-factor authentication, a person who can guess or reveal your password can take over your account. With two-factor authentication, that person will also need access to your second factor: your phone or your password app.

The most important online accounts that you must have two-factor authentication for is your email account and your banking account. Next, set two-factor authentication on any online account that has your card stored, as well as for your social media accounts.

Back up your files

Store your most important files (documents, pictures, work related files) on a hard drive or USB stick. This way, even if your laptop or computer gets a virus, it will never reach these very important files.

After you have backed up your most important files, try to keep the hard drive or USB safe and try not to connect it to any device that has access to the Internet (unless you need to restore the files). The biggest threat to these files are ransomware or wiper viruses, that either encrypt or delete all your data.

Beware of suspicious emails

There are many phishing campaigns that aim to either infect users with a virus or to fool a user into handing over sensitive data.

Beware of any emails that ask you to introduce your password into a field to check whether you have been hacked. This is not a method to check whether you have been hacked. Your password should never be used for anything other than logging in.

The same is true if you are asked to enter your bank account details or your personal identification details into any form that you do not know the origin of. If the bank itself did not contact you, then any email that seems to ask you for banking details is fake.

If you receive emails with attachments and you are not sure if the emails are legitimate, try to contact the sender through another channel. If they are a person you know, send them a message or call them, asking whether they send you an email with an attachment. If they are a company, try to reach their call center or send them a message through a form on their site.

If you are not sure whether the email is legitimate and you can not verify this, but the attachments seem important, download them and do not open them. Instead, upload them to Google Drive and open them inside Google Drive. You can view any kind of common file here: a document, an excel sheet, a photo, a video. If you don’t even recognize the file type of an attachment, ignore the email completely.

Use Tor

Access to certain websites on the Internet may be blocked for you, or you may not feel comfortable having your browsing history associated with your identity. The Tor network can help you in this case.

You can download the Tor Browser from the official website and you can find installation instructions to install it here.

You can also install the Tor Browser on Android Phones, and use it instead of your browser. The browser is called Onion Browser for iOS.

Some people use the Tor Browser instead of a browser like Firefox or Chrome, for all of their Internet traffic.

If you would like all Internet traffic that your phone generates to go through Tor, and be uncensored and untraceable, then you can use Orbot on Android or iOS. This application redirects all the Internet traffic that the other applications on your phone initiate through Tor.

The way the Tor network works is that every time you visit a website, your traffic goes through three different points (called Tor nodes - you can think of them as three more computers). This means that, for someone monitoring your traffic, you seem to only connect to the first node (called an Entry Tor Node), whereas the website you are talking to can only see your traffic coming out of the last node (the Exit Node).

This huge advantage of using the Tor Browser is you can access websites which may be censored in your area, and you can do all your work without fearing that someone can see your traffic. Use the Tor Browser when you need to access websites which are blocked, or when you don’t want your network traffic associated with your identity.

However, there is one important thing to keep in mind: the IP addresses on Entry Nodes and Exit Nodes are public. The two main consequences of this are:

1. Some websites will not work as they normally do, when you visit them through Tor. The best example is banking websites. If you try to do bank transactions by accessing your bank website through the Tor Browser, the bank may react to this and give you a call, or it may block your access. Paypal may suspend your account if you access it through the Tor Browser.
2. The Entry Nodes are sometimes blocked as well, in some areas. This makes it harder for people to browse the Internet safely.

However, there is a good solution to the second point. If you know that you are working in an area that blocks access to Tor Entry Nodes (you get an error that you can not connect), then you can use Tor Bridges or Snowflake. These two work as an extra “node” in front of the Entry Node, with IP addresses that are either not very public (in the case of Bridges) or entirely dynamic (in the case of Snowflake).

You can learn how to use Tor Bridges here.

And you can learn to use Snowflake here.

If the Tor-related websites are blocked or unavailable for you, it might mean that these websites are censored in your area. The Tor team recommends the following:

Another way to get bridges is to send an email to bridges@torproject.org. Leave the email subject empty and write “get transport obfs4” in the email’s message body. Please note that you must send the email using an address from one of the following email providers: Riseup or Gmail.