The document provides an overview of digital security best practices for activists in Sri Lanka. It discusses that absolute security does not exist and security is a shared responsibility. It then covers creating strong passwords, using private browsing, encrypting emails, using Tor to access blocked sites, and securing mobile phones. Basic guidelines are given around being mindful of sensitive data on mobile phones and using encryption apps like Skype to chat securely. Network surveillance capabilities are also outlined. The document aims to educate on digital safety measures for at-risk groups.

1. Primer: Digital security for Sri
Lankan activists
Sanjana Hattotuwa
TED Fellow
Architect and Curator, Groundviews

3. State of play?

6. There is no absolute
security

7. Security is a shared
responsibility

8. Security is only as
good as weakest link

9. How the Internet works

10. Layers of the internet

11. Compromise on every level
Spyware, malware,
keyloggers
Man in the middle
attacks
ISPs, GSM location info

12. Passwords

13. Creating a strong password
• I was born on 9th April 1977 in Colombo
• Iwbo9A1977iC
• Why are you sad today?
• WrU:-(2d?
• My advice – at least 10 alpha-numeric and ASCII
characters
• If on public PC, try to copy and paste passwords online.
NEVER type them in.

14. Remembering passwords
https://lastpass.com

15. Posting content online

16. Common-sense posting
• Know the laws in your country pertaining to liability, libel
etc.
• When signing up for a blog account where you will be
publishing sensitive content, do not use you personal email
address or information
• In your blog posts and profile page, do not post pictures of
yourself or friends
• Do not use your real name and do not give personal details
• Schedule posts: Blog platforms like Wordpress allow uses to
automatically publish a post on a designated date and time.

17. Common-sense posting
• On social networks, create one account for activism
under a false but real-sounding name (so your account
won’t be deleted) but don’t tell your friends about it.
• Information on Facebook, stays on Facebook. Be
careful what you upload and say.
• Never join a sensitive group with your real account.
Use your fake account to join activism groups.
• Don’t use paid services. Your credit card can be linked
back to you.

18. Choosing a web browser

19. Internet Explorer 9
www.beautyoftheweb.com

20. Firefox 16

21. Firefox Mobile

22. Google Chrome

23. Google Chrome Mobile

24. Browsing without trails

25. Private browsing in IE

26. Private browsing in Firefox

27. Incognito browsing in Chrome

28. EFF’s HTTPS Everywhere
https://www.eff.org/https-everywhere

29. DNSCrypt
http://www.opendns.com/technology/dnscrypt

30. Email

31. Safe & best email practices
• Use a signature
• If email security is REALLY a need, go for GPG
encrypted emails
• Stick to plain text / Do not use fancy email templates
• Do not click on unknown attachments (esp. from
unknown senders)

32. • http://www.mozilla.com/en-US/thunderbird
• Spam and phishing protection
• Built for Gmail and easy to set up
• Thunderbird warns you when you click on a link which appears to be taking you to a
different Web site than the one indicated by the URL in the message.

33. GPG for Mac / OS X

34. GPG for Windows

35. Online, quick encryption

36. Safe & best email practices
• Use phonetics to convey meaning: “Ooman writes” “whoman rites”
“see I d” “ma hinder” “go tub a yaar”
• Use words instead of human rights – say food, heat or supplies. E.g.
“the heat is bad”, “the food is poor”, “supplies are bleak”.
• Use BCC for group emails
• Never use the same email for advocacy, professional emails, personal
correspondence
• Subject lines are NEVER encrypted
• Caution and prevention more than remedy

37. 2 step authentication for Gmail
http://support.google.com/accounts/bin/topic.py?
hl=en&topic=14118&parent=TopLevel&ctx=topic

38. Securely chatting

39. Skype chat [Compromised?]
http://skype.com

40. Pidgin
http://pidgin.im

41. Off The Record (OTR)
http://www.cypherpunks.ca/otr

42. Off The Record (OTR)
http://www.youtube.com/watch?v=aV6-s9o9bVw

43. Getting to blocked pages

44. TOR

45. Google Good to Know

46. Google Good to Know

47. Google Good to Know

48. Mobile phone security

49. What do you have on your mobile?
• Contact names
• Phone numbers
• Emails
• SMS history
• Call logs
• Photos
• Video
• Audio
• Calendar information
• Maybe even files
• In short, not too different from data on your PC, and perhaps even more
sensitive

50. Basic guidelines
• Security on mobiles is still not as advanced as computers
• Be mindful of data stored on mobile
• Is it secured via a password?
• Are there messages, call logs, emails or other data that can compromise
security for self, colleagues and partners?
• Invest in smartphone that can run Skype mobile for secure conversations
• Do NOT share confidential information over SMS

51. Surveillance
• For every phone currently on the network (receiving a signal, regardless of
whether the phone has been used to call or send messages) the network
operator has the following information:
– The IMEI number – a number that uniquely identifies the phone hardware
– The IMSI number – a number that uniquely identifies the SIM card
– The TMSI number, a temporary number that is re-assigned regularly according to
location or coverage changes but can be tracked by commercially available
eavesdropping systems
– The network cell in which the phone is currently located. Cells can cover any
area from a few meters to several kilometers, with much smaller cells in urban
areas and even small cells in buildings that use a repeater aerial to improve signal
indoors.
– The location of the subscriber within that cell, determined by
triangulating the signal from nearby masts. Again, location accuracy depends on the
size of the cell - the more masts in the area, the more accurate the positioning.

52. Mobile phone security primer
http://www.mobileactive.org/howtos/mobile-security-risks

53. Security in a box
https://security.ngoinabox.org

54. Thank you
sanjanah@gmail.com