Online Security for Internet Media Serving Severely Censored Countries

A white paper for SIDA’s October 2010 “Exile Media” conference

Eric S Johnson (updated January 2012)

For activists who make it a priority to deliver news to citizens of countries which try to control the information to which their citizens have access, the internet has provided massive new opportunities. But those countries’ governments also realise ICTs’ potential and, to various extents, implement countermeasures against the delivery of independent news via the internet. This paper covers what exile media can or should do to protect itself, addressing three categories of issues:  common computer security precautions,  defense against targeted attacks, and  circumventing cybercensorship, with a final note about overkill. For each of the issues mentioned below, specific examples from within the human rights or freedom of expression world can be provided where non-observance was catastrophic, but most of those who suffered problems would rather not be named.

Common computer security: The best defense is a good … The main threats to exile media’s successful use of ICTs—and ways to deal with those threats—are the same as for any other computer user: 1) Ensure all software regularly and automatically patches itself against newly-discovered security flaws (and e.g. to maintain up-to-date SSL certificate revocation lists). As with antivirus software, this may cost something; e.g. with Microsoft (Windows and Office), it may require your software be legally purchased (or you can use the WSUS Of- fline Update tool, which can help in low-bandwidth environments). Firefox, Chrome, Adobe Acrobat Reader and Flash player, iTunes, Skype (and other IM clients), and Java VM should update themselves (or at least prompt you to install newly-available updates), but it’s worth verifying from time to time. MBSA’s scan is more complete than Windows Update. The free (Windows-only) Secunia PSI vulnerability scanner / patch manager can help inform you about needed updates; other solutions, like IBM’s BigFix, are for-fee. Don’t forget to update your smartphone’s Android OS or iOS (on an iPhone). (~USD100/computer/yr to license Microsoft products) 2) Use a good antivirus on all workstations—one which constantly (at least daily) automatically updates its virus- fighting capabilities (e.g. TMIS, McAfee, NIS, AVG, Avira, Kaspersky, Avast, CA, Immunet, F-Secure, Microsoft Security Essentials; but use only one). When acquired as part of a “security suite,” an antivirus pro- gram will come with more-detailed firewall (although the one built in to Windows 7 or Mac OS 10.7 is just fine), anti-spam, and some level of malware protection. If you feel that more is better, consider adding Anti- malware, ThreatFire, and/or Ad-Aware (all free). Ensuring data execution prevention is on provides an additional security boost. (MSE, AVG, Avast free; others ~USD40/computer/year) 3) Avoid falling for phishing lures and malware (can’t say it too often!): a. Don’t open attachments to, or click on links in, e-mail messages from unknown senders—they might result in stolen documents, giving botnets (such as those tracked by ShadowServer) control over your computer, or allowing government law enforcement agencies remote access to your files (using e.g. offensive security products such as FinFisher, HackingTeam, and Vupen). If you must open an unknown attachment, consider scanning it with Jotti first. b. Never enter your password into a site accessed from a link in an e-mail, e.g. when your bank sends you a note saying “your statement’s ready to view” or Facebook says someone “wants to be friends,” type the URL into your browser (or use a shortcut from your “favourites” menu). (The URL in the hyperlink might be fake, in which case you’ll be clickjacked; you can’t tell the difference!) c. Never provide your online account login credentials to third parties such as that site which says “please enter your [for example, Gmail] account login and password so we can provide you with service X.” Some are legitimate, but many aren’t. If you log in, then at best someone will use your account to spam everyone in your address book; at worst, someone will stealthily monitor your account and/or use it to trick your friends into revealing important information. Check your e-mail accounts’ settings/options monthly to ensure there’s no unexplained forwarding. Deploy the free Simple Phishing Toolkit to test your employees; train the 15% who “fell for it” how to avoid being phished. 4) Never lose physical control/possession of your computer. A rootkit or keylogger can be installed in seconds; then you’re compromised. Make sure your computer is set to always require a password upon boot; then, ensure your screensaver automatically locks your computer after a minute of inactivity, and if you walk away from your computer while it’s on, lock it (flag-L in Windows, ctrl-shift-eject under Mac OS). 5) Back up your data at least once every other week. This protects against potential loss due not only to attack, but also to (much more likely, and in fact inevitable) technical failure (e.g. of a hard drive). The simplest way is to set your computer to (overnight) copy your data (e.g. in Windows 7, c:\users\[your-name]\) to your backup medium; or, most OSes have simple backup programs built in (e.g. Windows Backup or Mac OS’s Time Machine). Or, there are third-party specialised backup programs used to automate the process (e.g. the open-source Cobian, AllwaySync or Acro- nis for Windows, Retrospect for the Mac). Be sure your backup media are fully encrypted (see below). Be sure to at least occasionally put a copy of your data “offsite” so that if your house burns, you don’t lose both your computer and your backup. Alternatively, use a secure online (“cloud”) service such as Dropbox, Wuala, or egnyte. Don’t forget to back up your site as well (it will eventually be hacked and erased, and you’ll want/need to restore it)—and when you do, include your CMS database (not just static pages). Finally, don’t forget to back up your mobile’s contact list too! (USD50/user for a high-capacity USB thumbdrive; Dropbox and Wuala are free; egnyte has a small fee) 6) Use strong passwords; set password recovery mechanisms. Passwords must be reasonably long (at least 20 characters) and relatively random (e.g. 3HorsesCapitalize.AnchorageBetter). Never use passwords consisting only of a name or anything in a dictionary—otherwise Cain & Abel (or its more sophisticated brute-force-cracking cousins) can guess it. When signing up for an online service, provide backup e-mail addresses, phone numbers, and/or security questions which can be used to authenticate you in case control of your account is lost. If you do lose control (or it’s shut), use personal contacts through RSF, HRW, or Internews (all affiliated with the Global Network Intiative, and therefore plugged in to large online service providers) to try to recover it. Don’t reuse identical passwords across services. If you consider your computer secure (e.g. you’re using whole-hard-disk encryption), use LastPass or Keepass to to make unique, strong passwords and remember them. Don’t share a password with co-workers or paste it on a PostIt on your monitor! 7) Secure your office and home wi-fi access points (APs). Set a new password for your AP’s control panel (the manufacturer-set default one is public knowledge). Then, make sure it’s using WPA (WPA2-AES is the best) for encryption, since the older WEP is highly insecure: sniffing open wi-fi is one of the simplest ways for snoops to get access to your entire digital life. Turn off WPS, since it provides attackers a “hole” through which to enter. 8) Don’t use public networks (e.g. wi-fi hotspots) except encryptedly. Use Firefox’s HTTPS Everywhere or (better) a virtual private network (VPN). Otherwise, the person sitting next to you in Starbucks could use DriftNet to see what you’re downloading, or FireSheep to sidejack access to your Facebook account to social- engineer her way into the confidence of your friends (unless you use the non- default encrypted access to Facebook, Twitter, and Google; the former two can be set, in your login preferences, to be “HTTPS only”), or Wireshark to see everything. 9) Encrypt your instant-messaging (IM) and VoIP communications by ensuring both ends of the conversation use either the real Skype (not the Chinese version, TOM Skype, which has cybercensorship and cybersurveillance built in), Gchat (IM via your Gmail webmail interface) or an encrypted IM client such as Pidgin+OTR, Miranda+OTR, or Jitsi+OTR for otherwise-unencrypted IM networks such as ICQ, Gtalk, AIM, MSN, and Y!, but both ends must use it. (VoIP via Zfone (using ZRTP) and Blink (using SIP/SRTP), like Skype, are completely encrypted—but also source-code-published so peer-reviewed and therefore more trustworthy.)

Targeted attacks: Higher—or hire—technology Attacks can come in many forms; defending against all of them is impossible, but there are steps to take—some easier, some more sophisticated. 10) Globally, internet traffic is massive and dispersed; surveilling you online isn’t always easy for your attacker. A hostile party is more likely to try to get your hard drive. Ensure all workstations—especially portable ones which are more likely to be lost or stolen—are using whole-hard-disk encryption (WDE). (The “Windows login password” without WDE can be circumvented by a USD20 USB-to-SATA bridge.) Windows’ top version, Ultimate (and its more-often-pirated corporate version, Enterprise) includes WDE (Bitlocker; most 2010-or-later notebooks (except in Russia and China, where TPM’s theoretically not allowed) are TPM 1.2-compliant, but otherwise you’d have to carry a USB “key”); so does the newest version of Mac OS X, Lion (10.7; FileVault 2); for Linix users, LUKS is built in to the Ubuntu distro. There are also free (if harder-to-use) WDE solutions: the multi-platform TrueCrypt and Windows-only Compusec. And there are a number of for-fee programs (e.g. PGP WDE or Check Point FDE for Windows, SecureDoc or SafeGuard for Mac OS X). (In all cases, disable your Firewire port, since it can be used by Passware to crack your disk’s encryption if your computer’s not entirely off.) Any of the above can also be used to encrypt removable media such as thumbdrives, although the optimal thumbdrive solution is an IronKey, which has encryption built-in. (Simply creating an encrypted vault for your data files (e.g. Windows’ EFS, Apple’s FileVault) is better than nothing, but substandard: when you use your computer, you leave traces all over the hard drive, so unless everything’s encrypted, an experienced forensics specialist can discover a great deal about you, even without access to your core data.) (Built-in-to-your-hard-drive encryption like Digisafe DiskCrypt would be as good as any of the above.) If you encrypt your drive, you have less need for programs like CCleaner or AShampoo’s WinOptimizer which empty temporary data caches and more thoroughly erase files. (~USD90 to upgrade Windows; USD59 for a 1G IronKey D200) 11) To defend against online snooping, encrypt your computer’s communication with your mail server. Gmail is the only major free webmail provider which encrypts (using HTTPS) all access (so do some smaller services such as Hushmail, Riseup, SAFe-mail, and the German GMX); Hotmail (and the Russian Yandex) allow HTTPS webmail access but you need to turn it on; if you use Yahoo (or most others, e.g. Mail.ru, 163.com, qq.com, rediff.com), assume your communications aren’t secure. (All of the Big Three webmail providers allow encrypted access via POP3/IMAP, although with Yahoo it requires upgrading to its USD2/mo Plus.) To encrypt the transmission of mail from within a mail client, you need to dig into its settings: a. in Outlook 2010, “file -> account settings -> account settings -> [select your account] -> change -> more settings -> advanced,” both enable SSL and enter in your mail server’s SSL port (usually 465 for sending (SMTP) and 995 for receiving (POP3/IMAP)). You will usually also need to indicate (on the “outgoing server” tab) that “my outgoing server requires authentication: use the same settings as my incoming mail server.” b. Thunderbird is more likely to automatically configure SSL use, but if it doesn’t, the “tools -> account settings -> server settings / outgoing server -> edit” allows manual configuration; in addition to setting server name and port, don’t forget to click “use name and password.” Some hosting companies will also require you to use a different server name (than your usual one) and/or a non-standard port (e.g. 587/993) for sending and/or receiving encryptedly. (No cost.) 12) Defend against attempts by cybersnoops to listen to even your encrypted (HTTPS) web traffic. a. Be sure all of your computers in “hostile” countries are using an OS which originated outside that country (ideally, one from a relatively free country)—most easily, by buying your notebook (with pre-installed OS) abroad. Otherwise, the OS may have had inserted into it (at install time) a new “trusted root certificate” which would enable the government’s gateway devices (e.g. from Blue Coat, Palo Alto, Packet Forensics, Narus, or Cisco) to successfully conduct “man-in- the-middle” (MITM) interception of your SSL traffic (e.g. communications with Gmail). If you live in China, tell your browser not to trust the CNNIC CA (or, use a Firefox add-in such as CertPatrol or CertLock); otherwise, the Chinese government might be listening in to your encrypted web sessions. b. When your browser warns you about a “bad certificate” (which is what would be created by a simple MITM attack using Burp Suite), assume communication with that site isn’t secure. 13) Create backup Windows, Gmail, and Facebook accounts and populate them with some legitimate data so you can “give away” access to them when you’re arrested and threatened. 14) Establish a relationship with the management of the company(s) hosting your domain and your site (and ensure your technical and administrative contact information for both of them is up-to-date) for three reasons: a. In a social engineering scenario, an attacker impersonates you, convinces your hosting company to provide access to your domain or site, gains control, and alters or deletes your content. You would like to ensure that your hosting company has a personal relationship with you, so that they will verify third-party attempts to be given access your site’s control panel before allowing them to proceed. b. In a hacking scenario, an attacker takes advantage of vulnerabilities in the software on the server used to host and deliver your content to visitors. You would like to be able to ensure your hosting company keeps its software—most importantly, your CMS (SPIP, WordPress, Joomla, Drupal)— up-to-date with whatever patches fix the most-recently-discovered bugs (although it’s more likely you’ll have to do this updating yourself). c. In a betrayal scenario, your hosting company has a commercial presence in many countries and may cave to pressure from one of those countries’ governments to impede your site’s operation or provide information to security services. Use a hosting company which is less vulnerable because it operates only in the US or Europe. In any of these cases, if something happens, you want to be prepared to quickly find someone at your hosting provider with whom to talk, to provoke quick miti- gation action. ISPs known to have been friendly in the past include Shinjiru in Malaysia and OVH in France. (~USD50/month instead of USD10/mo for hosting) 15) Secure your server. Keep your server software up-to-date. Use a vulnerability scanning service like the free Cy- berSpark (or regularly run pen-testing software such as free Metaspolit, Nmap, Arachni or for-fee Tenable Nessus, Acunetix) to monitor your site’s performance and security, so you can quickly act upon easily-detected weakness- es. Ensure any databases of your users (e.g. credentials for logging in to your site, or your mailing list’s e-mail addresses) are encrypted and/or hash-salted. Don’t keep logfiles with IP addresses (if they’re hacked, bad guys could identify your visitors). Consider setting your site’s default to provide services by HTTPS (using e.g. a free server cert from StartSSL). Consider implementing DNSSEC; verify it with Verisign’s testing tool. 16) Acquire hardened hosting, to fend off distributed denial-of-service (DDoS) attacks which would prevent your constituency’s access to your site. (DDoS results when your opponent hires—for as little as USD50/day—the services of a botnet (thousands of PCs) to create an excessive amount of access to your content, thus overwhelming your site’s ability to respond and making your site inaccessible to legitimate visitors.) There are several approaches you can take, either individually or in combination: a. Use a hosting service (e.g. blogger.com) located on an ISP which is well-provisioned with bandwidth (at least two upstream providers, at least 1 gbps each), which increases the likelihood that the resources to deal with DDoS attacks are available. b. Buy DDoS protection from a third party which specialises in repulsing online attacks. VirtualRoad (set up by the Danish media support organisation IMS), PRQ, RIMU, and ServerOrigin make available services starting at as low as USD150/mo (although the onboarding fee can be more); Arbor Networks, Nexusguard, Staminus, or Prolexic offer higher-end commercial-grade on- and off-site protection, but their prices are higher (~USD500/mo per 1-gbps/100K-pps of protection). c. Mirror your site in several locations around the world, and implement anycast in BGP to differentially adver- tise your IP address depending on who’s visiting your site. This way, visitors from different parts of the world will “see” different mirrors of your site. At a minimum, this allows you to distribute a DDoS attacker’s fire- power across more than one site; ideally, if the DDoS attacks are originating from a limited subnet, your mirror “closest” to the attack source may be rendered inoperable, but would function as a sort of magnet or sink for the DDoS attack, enabling the rest of your mirrors (or, at least, the mirror serving your target population) to remain operational. Mirror hosting can be cheap, but you need some technical proficiency to enable mirrors to automatically keep up-to-date and to set up anycast. d. Outsource the mirroring to a content delivery network (CDN) such as the free/low-cost CloudFlare and Incap- sula or for-fee Akamai, Limelight, or EdgeCast. A stopgap measure to mitigate an attack is to simplify your site’s home page so it doesn’t load elements from a CMS (which places a heavy load a server). The simplest landing page would start with a CAPTCHA challenge; only humans will be able to pass through to your (presumably much more content-heavy, and therefore demanding of server resources) home page. Team Cymru and eQuality (at no cost) help rights defenders protect themselves against—or recover from—a DDoS attack. For a more-detailed look the DDoS problems activists face, see Berk- man’s study on the topic. For a more-detailed look at how to defend against a DDOS attack, see Access’s guide. 17) Split access to your site and/or blog into two: a public one for visitors and a private one (secret domain; encrypted-only access) to make it impossible for attackers to even try to break in to your cPanel / CMS; even more secure, constrain cPanel access to via an SSH tunnel (requiring you to have a pre-authorised cert instead of (or in addition to) the more-usual login/password combination); yet more secure, use a Tor hidden service. 18) Expect all use of telephones (landline, mobile, SMS) to communicate with people in “hostile” countries to be under surveillance on the level of the phone company, where intercepting calls and/or tracking who’s in touch with whom is trivial. Most phones can be remotely turned by the phone company (an emergency warning feature), which makes it easy to be geolocated. If specialised software has been installed in advance, a mobile phone’s mi- crophone could be turned on remotely, regardless of whether the phone looks on. Even without telco assistance, nearby mobile phone use can be intercepted by virtually anyone with an IMSI catcher. Any time a mobile phone’s on, its location is being recorded its telco’s SIM and, possibly, by the phone itself (for location-dependent services’ use)—regardless of whether the phone is GPS-capable and/or GPS is enabled. 19) Satellite phones (Thuraya, Iridium, Inmarsat (R)BGAN) have GPS technology built in and periodically tell their “mother satellite service” where they are; to preserve confidentiality of your location, turn off your satphone’s GPS (or GPS sending), or hack it to provide false information. With the right technology (such as that provided by Shoghi), hostile governments can even intercept satphone communications, including reading whatever self- locating data the phones are sending. 20) With its location cache, call log, and contact list, your mobile phone is a primary target of security services. If possible, use a phone which requires the entry of a strong password before every use—a newer BlackBerry or An- droid phone is ideal; an iPhone is a poor substitute (passcodes are only four digits); unfortunately most ordinary mobile phones (and even most smartphones) do not offer this feature. Even if they did, a police forensics expert would have no problem using a special card reader to get the data off your SIM, since it’s difficult to securely encrypt it. If you use voicemail, make sure to change your password so that it’s not left at the default one set by the phone company (otherwise it can easily be guessed, and monitored by literally anyone). Only BlackBerry OS 4.2 (and up), a Droid Pro, or a Samsung Galaxy S II comes with the built-in “whole hard disk encryption” that is much more secure. Users of older (but not newer) Google Nexus phones can encrypt their data with WhisperCore. 21) Use caution with social network sites (SNSs) such as Facebook, LinkedIn, Renren, Kaixin001, Odnoklassniki, Vkontakte, or Orkut. There are multiple ways in which users’ presumption of confidentiality regarding the data posted on SNSs is not justified, ranging from auxiliary applications with which SNS users share information about friends to the SNSs’ own changing privacy policies. Ensure you’re okay with your SNS’s privacy settings’ permis- siveness (e.g. you can choose to opt out of LinkedIn’s social advertising). Assume everything on an SNS is public: lists of friends, postings, profile data, even IM content (e.g. Facebook chat). Remember that online data is persis- tent, e.g. once you’ve posted it, it’ll likely remain there (or somewhere, i.e. the Wayback Machine) forever. At the very least, ensure your SNS access is encrypted (e.g. turn on Facebook’s “use SSL” option).

Cybercensorship: Help the mouse frustrate the cat China’s “great firewall” is only the best-known cybercensorship effort. A dozen countries seriously filter their domestic internet in order to limit access to content of a politically sensitive nature: Bahrain, China, Cuba, Eritrea, Ethiopia, Iran, Saudi Arabia, Syria, Turkmeni- stan, Uzbekistan, Vietnam, and Yemen. (Another 25 countries’ ‘net censorship is relatively symbolic and/or is targeted at other content: sex, hate speech, religion, gaming, piracy; North Korea has no pub- licly-available internet to censor.) All cybercensorship starts with blocking domains, e.g. browsers’ requests to return any content from facebook.com (or its underlying IP address(es)) are prevented from being satisfied. Some countries also conduct keyword searches in the URLs, blocking web requests containing words or phrases on the (secret) blacklist; China is an example. A very few firewalls (ex. Tunisia’s until January 2011) implement “deep packet inspection,” looking at the contents of incoming web traffic and blocking (or altering) it if certain words are found. Some countries admit their cybercensorship by presenting, in lieu of a blocked site, an explanation; others simply hope users will attribute “page not found” errors to the internet’s general flakiness. (Possibly more insidious (e.g. in Belarus) is “shaping,” when a government slows access to certain sites, thus making netizens think the problem is at the provider’s end, or punishing (e.g. in China), where an attempt to view blocked content results in your international internet access being cut for about ten minutes.) There is no one-stop solution to figure out what’s cybercensored; most countries’ firewalls don’t publish lists of filtered URLs. The crowdsourced Herdict and RespectMyNet offer users the opportunity to report content they believe blocked or throttled. The cybercircumvention tool Alkasir uses a similar method but actually verifies all reports, then split-tunnels its users’ traffic (proxying only what’s known to be blocked) based on its lists. The VPN Astrill does the same, but only for China (and doesn’t make public its whitelist); the FireFox add-on AutoProxy does something similar, but only as a “simple web proxy” rather than a VPN. The Open Internet Project has created a series of pages listing the blocked content it believes is most popular for each country (e.g. Iran), and GreatFirewall.biz tracks what’s blocked in China, in real time. Citizen Lab’s (private) rTurtle and Astrubal’s (public) 403 Checker are tools which can be deployed by a user inside a cybercensoring country to verify whether a predefined list of URLs are blocked. All cybercensorship-busting solutions work in more or less the same way: they “proxy” blocked content through an intermediate server which isn’t blocked (until, of course, it is). A cottage industry has grown up to help cybercensored internet users be able to find and use proxies. A censored netizen’s most reliable and complete solution is the purchase and use of a PPTP-, L2TP-, or OpenVPN-based VPN subscription for about USD5/mo; a recent report cata- logued over 100 VPN providers, of which WiTopia, SmartVPN, StrongVPN, and 12vpn are among the larger ones (most are multi-platform). But internauts without a Western credit card or PayPal account must find other options. The simplest are the thousands of (HTTP, SOCKS; PHP, CGI, Glype, Zelune) free browser proxies which can be found via a Google search; most are ad-supported. But browser proxies often operate unencryptedly, are sometimes unable to handle sophisticated JavаScript (of which many of the more-popular often-blocked sites such as Facebook and YouTube make liberal use), and are themselves easily blocked by censors. Psiphon is one such browser proxy with several twists: it’s written to accommodate the most-blocked sites’ content, and it’s harder to block since its servers’ addresses are not public (new users must be invited in by existing users). Downloadable, free proxy clients are also popular: Hotspot Shield, Freegate, UltraSurf, Tor, and Puff (aka Simurgh) dominate the field (some can even be run off a thumbdrive); smaller ones include Your Freedom, Alkasir, JonDonym, and Gpass. (Freegate serves only China-source users.) 22) Increase your anonymity by using any of the above cybercircumvention solutions—they will prevent your ISP from logging what sites you’re visiting (helping defend against Palantir’s data mining, but also preventing governments from tracking who posted what, on which blog, when). From among them, Tor’s design offers the maximum guarantee of anonymity, but somewhat slows down internet usage. For maximum protection (and to foil DNS poisoning, yet another cybercensorship mechanism used by e.g. Kazakhstan) use an alternative DNS service such Google DNS, OpenDNS, OpenNIC, or DNS Advantage. Also, when masking the ownership of a site, “privacy-guard” the domain name registration, hosting plan ownership, and server IP information, and beware using third-party embed systems such as Google Analytics which can be traced to you. 23) Help provide consumers with cybercircumvention information they need to access your (blocked) content as well as to more generally render their governments’ filtration attempts unsuccessful. Determine what sources of advice and software are not blocked from within your target population’s country and publish URLs of services such as Sesawe, Technical ways to get around censorship, the 12 pm Tutorials, or Everyone’s Guide to Bypassing Internet Censorship. Publish the e-mail address (appropriate to your constituency’s language) of Sesawe’s global cybercircumvention technical support desk. Distribute to your cybercensored friends a private Psiphon server, or set up a private CGIProxy proxy server of your own. Recommend particular software based on field tests (since the cyber- censors in e.g. China and Iran successfully block the use of some proxy clients—until the proxy clients change servers). No one’s ever been punished for per se circumventing their country’s internet censorship. (No cost) 24) If you secure additional funding to support the battle against cybercensorship, consider financing the provisioning of additional free-for-the-user circumvention capabilities (more bandwidth, or even a branded circumvention solution) targeting your users. Any of the above proxy client providers would be glad to help. (~USD1/user/mo) 25) Explore alternative ways to deliver your content to netizens behind firewalls. For instance, make it possible to subscribe to receive news by e-mail via a mailing list. Use a professional mailing list management service such as iContact, Constant Contact, GetResponse, or MailChimp to preserve total control over your list’s confidentiality, maximise delivery rates, and ease list maintenance. Make sure users can subscribe by e-mail, to avoid a potential web censorship choke-point. (~USD10/mo)

Too-serious security All of the above advice is directed at people with a moderate level of security concern. If your demands are high—for instance, you’re a diplomat with state secrets, or a businessman with trade secrets—then your needs are different, perhaps even bulletproof. For instance, you would need a laptop screen privacy protector to protect against a (in this case literal) side-channel attack, and ought to store at least your most secret data using steganography or in hidden encrypted TrueCrypt volumes (for plausible deniability), and you and everyone you know should have end-to-end PKI encryption (under either S/MIME (built in to Outlook and Thunderbird) or OpenPGP (GnuPG, netpgp, PGP Desktop, Enigmail, AGP, GPG4Browsers)) for your e-mail (or an equivalent web-based solution such as SecureComs or StrongWebmail), and you should probably avoid using mobile phones at all (even if you’re running end-to-end encryption on all of them, e.g. Whisper’s RedPhone and TextSecure apps for Android phones, or for J2ME phones Cryp- toSMS or Secure SMS for SMSes, and PhoneCrypt or CryptoPhone for voice) (and you should have InTheClear ready to wipe your phone when in danger of being taken). You should know something about sweeping for conventional surveillance (bugs) and about self-defence, and you should be armed (and wear armor). And your organisation should have GPS-disabled end-to-end-encrypted satellite phones and should perhaps be experimenting with blackout-resistant technologies like mesh networks, e.g. NAF’s Commotion (in case your government shuts down the national internet). These are all answers to real issues, but they’re overkill for the simpler field of promoting freedom of access to information, and unless/until you’ve taken care of all the basics described in this paper, you shouldn’t allow yourself to be distracted by them.

The fields of online security, and of internet censorship and circumvention, are fast-moving. Additional sources of advice (in addition to those mentioned above) from organisations investing ongoing effort in providing ICT support to activists working in dangerous situations include: Counterpart International’s Information Security Coalition Front Line Defenders’ Digital Security and Privacy for Human Rights Defenders Tactical Technology Collective (TTC)’s NGO-in-a-Box, Security Edition EFF’s Surveillance Self-Defense and Defending Privacy at the US Border Access Now’s Protecting your Security Online IT46’s Making the right choices: Recommendations for secure and sustainable hosting of independent media websites Global Voices’ Anonymous Blogging with WordPress & Tor Movements.org’s How to Organize on Facebook Securely Freerk Ohling’s Internet Censorship Wiki ONI’s Access Denied Freedom House (FH)’s Freedom on the Net FrontLineSMS’s User Guide to Data Integrity FIDH’s Les Bases de la Sécurité Informatique CPJ’s 10 Tools of Online Oppressors Greenhost’s Basic Internet Security IT-Political Association of Denmark’s Polippix Jens Kubieziel’s Techniken der digitalen Bewegungsfreiheit International News Safety Institute (INSI)’s Safety Resources InfoSec Without Borders IT help for NGOs Small World News’ Guide to Safely Using Satellite Phones Privacy International’s Human Rights Defenders’ Privacy Workshop Curriculum TTC, FH, IFJ, the IMS, the DRC, Internews, Civil Rights Defenders, Videre, Digital Democracy, and others regularly hold courses throughout the world on cybersecurity for developing-country activists and journalists.

Postscript Additional suggestions—from policy advocacy to activists’ physical safety—are available from a wide variety of sources. Examples include ICNL’s civil society survival tip-sheet, communications support from Advocacy Interna- tional, hostile environment trainings from Centurion, technology support from Witness, journalist safety guides from INSI, and others. This guide is dedicated to the many extraordinarily brave individuals who stand up to defend their own and others’ rights in less-free countries—and to their family members who too often also pay the price.