reasonably secure practices in an increasingly unreasonable world

Based on EFF's Surveillance Self-Defense & Security Education Companion

Introduction: Why Security Culture?

Security isn't just about tools—it's a mindset and practice we build together.

"Digital security is as much of a mindset as it is a toolkit, and there are concepts to consider regardless of whether you're first getting started or you're a seasoned veteran. Before you start seeking out solutions, take a minute to step back and consider the whole picture of what you're trying to accomplish. Good security decisions begin with proper knowledge about your own situation." - EFF Surveillance Self-Defense, 7 steps to digital security
Resource:

EFF: Your Security Plan

Why Your Audience Should Care and Act (this one is good from both a teaching and a learning perspective!)

Workshop Goal

Develop practical security habits using the 7 steps to digital security

The 7 steps:
  • Knowledge is Power
  • The Weakest Link
  • Simpler is Safer (& easier = more likely to use)
  • More Expensive Doesn't Mean More Secure
  • Trust if you must, but know who you're trusting
  • There is No One Perfect Security Plan
  • What's Secure Today May Not Be Secure Tomorrow

Knowledge is Power: Threat Modeling

Understanding your threats is the foundation of security.

"To start, ask yourself the following questions:
  • What do I want to protect?
  • Who do I want to protect it from?
  • How likely is it that I'll need to protect it?
  • How bad are the consequences if it doesn't work out?
  • How much trouble am I willing to go through to try to prevent potential consequences?
Once you answer these questions you can better assess your digital security needs and create a security plan (sometimes called a threat model). You already have more power than you think!"
Key Threats to Consider
  • Personal information leaks
  • Targeting based on opinions or affiliations
  • Infiltration of groups
  • Browser fingerprinting
  • Prosecution based on digital evidence

The Weakest Link: Your Devices

Personal devices are often the most vulnerable point in our security.

"The old adage that "a chain is only as strong as its weakest link" applies to security too. For example, the best door lock is worthless if you have cheap window latches. Similarly, using an encrypted chat app to share personal photos won't protect the confidentiality of those photos if you store unencrypted copies on your laptop and your laptop is stolen. Think about every part of your information and computer use and try to identify any weak links in your digital security practices."
Device Vulnerabilities

Your Phone: Constantly connected to cloud services, location tracking, sensor access (mic/camera), insecure backups

Your Computer: Clipboard hijacking, browser fingerprinting, unsecured Wi-Fi connections, malware risks

Websites, default search providers, ad providers, Microsoft, Apple, etc. are all tracking you and farming your data, unless and until you tell them not to or change your default settings.

Simpler is Safer (& easier = more likely to use)

A unified security suite simplifies protection for everyday use. It might even work a lil bit!

Sometimes the safest solution may be the least technical solution. Computers can be great for many things, but sometimes the security issues of a simple pen and paper can be easier to understand, and therefore easier to manage.
Password Security Essentials
  • Use Proton Pass (or a reputable open source password manager) for secure password management. If you want autofill enabled in a browser (especially on desktop devices) you may need the corresponding browser extension as well, if available.
  • Consider KeePassXC for fully offline password management if local storage is preferred
  • Create unique passwords for every account - especially your password manager
  • Generate strong passwords (12+ characters with a variety of lowercase and uppercase letters, numbers and special characters - adjust these settings in Proton Pass's generator, or use a random physical method like dice, etc.)
  • Never reuse passwords across sites - it's better to just write them on paper than to re-use them
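As an added illustration of the two generation methods the list above mentions (a character-mix generator and a dice-based word passphrase), here is a small script that is not part of the original handout or of Proton Pass. The symbol set and the eight-word sample list are constructed for the example; a real diceware list has 7776 words, which is what the passphrase entropy figure assumes.

```python
import math
import secrets
import string

# Character classes the handout asks for: letters, numbers, capitalization,
# special characters. A generated password must contain one of each.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",  # constructed symbol set, 24 chars
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct characters

# Constructed stand-in for a diceware word list (real lists have 6**5 words).
SAMPLE_WORDS = ["acorn", "basil", "cobalt", "dune", "ember", "fjord", "glyph", "harbor"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per roll of five dice


def meets_policy(password: str, min_len: int = 12) -> bool:
    """True if the password is >= min_len and uses every character class."""
    return len(password) >= min_len and all(
        any(c in chars for c in password) for chars in CLASSES.values()
    )


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG (secrets) and retry until the policy is met."""
    if length < 12:
        raise ValueError("handout asks for 12+ characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def roll_dice_word(words, dice: int = 5) -> str:
    """Diceware-style pick: five rolls index one word; secrets stands in for dice."""
    index = 0
    for _ in range(dice):
        index = index * 6 + secrets.randbelow(6)  # each roll yields 0..5
    # 6**5 is a multiple of len(SAMPLE_WORDS), so the modulo stays uniform here.
    return words[index % len(words)]


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(16), round(entropy_bits(len(ALPHABET), 16), 1), "bits")
    phrase = " ".join(roll_dice_word(SAMPLE_WORDS) for _ in range(6))
    print(phrase, round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
```

Six words from a full 7776-word list give about 77.5 bits, and 16 characters from the 86-character alphabet give about 102.8 bits; both are well beyond what a 12-character minimum guarantees, which is why the list above treats either method as acceptable.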
Two-Factor Authentication (2FA)
  • Always enable 2FA when available
  • Use authenticator apps like 2FAS, Aegis (Android) or Raivo (iOS)
  • Avoid SMS-based 2FA when possible
  • Store backup codes securely
Proton Setup Guide
  • Proton VPN: Use "Secure Core" servers when possible
  • Proton Mail: End-to-end encrypted email
  • Proton Drive: Secure file storage
  • Proton Pass: Password manager

Homeserver

Our private communication platform for secure collaboration.

"Matrix is an open standard for interoperable, decentralized, real-time communication with end-to-end encryption." - Matrix.org

Why Matrix?

  • End-to-end encrypted by default
  • Self-hosted for community privacy
  • Open source and transparent
  • Works across all devices

Key Features

  • Secure group chats
  • File sharing with encryption
  • Voice and video calls
  • Community spaces
Getting Started
  1. Download Element from element.io (or your preferred Matrix client)
  2. Select "Sign in with a different server"
  3. Enter: distorted.work or, if that fails, matrix.distorted.work
  4. Create your secure account - if you use an email address, use Proton Pass to generate an alias

More Expensive Doesn't Mean More Secure

Open source software, for example, is often free, well supported and vetted by a large community who have full access to the source code, and often more secure than expensive proprietary solutions.

"Don't assume that the most expensive security solution is the best, especially if it takes away resources needed elsewhere. Low-cost measures like shredding trash before leaving it on the curb can give you lots of bang for your security buck."
Open Source Security Tools
  • Tor Browser: For anonymous browsing
  • Linux: Privacy-focused operating systems, transparency (mostly) - choose a non-corporate-sponsored, security-friendly version if you switch to Linux - and don't be afraid to try several distributions before deciding on your "daily driver" - if you ever do. There are many possibilities here. I usually, but not always, prefer a Debian-based OS myself.
  • uBlock Origin: Open-source ad/tracker blocker
  • Decentralized communications
Note: Tor+VPN configurations require careful consideration. VPN-before-Tor may leak DNS, while Tor-before-VPN defeats Tor's anonymity. See the Tor Project's VPN guidance.

Trust if you must, but know who you're trusting

Free services often come with hidden privacy costs

Computer security advice can end up sounding like you should trust absolutely no one but yourself. In the real world, you almost certainly trust plenty of people with at least some of your information, from your close family or partner to your doctor or lawyer. What's tricky in the digital space is understanding who you are trusting, and with what. You might give a list of passwords to your lawyers, but you should think about what power that might give them or how easily a bad actor could then access your passwords. You might save documents in a cloud service like Dropbox or Google that are only for you, but you're also letting Dropbox and Google access them too.

"Online or offline, the fewer people you share a secret with, the better chance you have to keep it private."
Privacy-First Alternatives

Maps: OsmAnd or Organic Maps (OpenStreetMap-based)

Photos: Encrypted storage (Proton Drive) or an encrypted physical drive, USB drive, or SD card.

Physical Media: Encrypted USB/SD cards should use LUKS (Linux) or BitLocker (Windows) with strong passwords

Communications: Our Matrix server

Settings: Turn off location history, ad tracking, photo geotagging

There is No One Perfect Security Plan - and What's Secure Today May Not Be Secure Tomorrow

Security is an ongoing practice, not a destination.

Make a security plan that works for you, and for the risks you face. A perfect security plan on paper won't work if it's too difficult to follow day-to-day.

"Security is a process, not a product. Real security requires understanding your unique situation and developing practices accordingly." - EFF Surveillance Self-Defense

Trying to protect all your data from everything all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that's best for you. Security isn't just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats. In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This is the process of security planning, often referred to as "threat modeling."

Maintenance Practices
  • Use complex passwords and modern protocols for home Wi-Fi
  • Regularly audit app permissions
  • Share information only when necessary
  • Stay updated with security resources, update apps
  • Check our Matrix server for updates

It is important to continually re-evaluate your security practices. Just because they were secure last year or last week doesn't mean they're still secure. Keep an eye on big security news when you can (most people don't need to overdo this: think "huge data breach of an important piece of software like a password manager" type of news that's so important that it reaches big tech-focused media outlets like Wired or The Verge, or even The New York Times or The Washington Post, not "this specific exploit targets a specific CPU"), and check sites like SSD, because we update our advice to reflect changes in our understanding and the realities of digital security. Remember: effective security is a continual process.

Action Plan & Resources

Putting knowledge into practice.

Security Action Plan
  1. Set up Proton ecosystem - Email, VPN, Drive
  2. Secure phone settings - Disable tracking, location services
  3. Join our Matrix server - Secure communications
  4. Audit high-risk apps - Remove unnecessary apps?
  5. Install privacy tools - uBlock Origin, privacy browsers
Join Our Community

Server: distorted.work or matrix.distorted.work

Web client: element.distorted.work

Download/Install Client: Element, Element X (desktop/mobile)

I must share the authorization token with you before you will be allowed to register!

In encrypted chats, members must verify each other before being able to view messages.

Key Verification: Always verify encryption keys in-person or via secondary channels for sensitive communications

When prompted to set up recovery codes, do it - you will need them. Save them in Proton Pass as a note or something similar.

We'll use this platform to coordinate future meetings, share resources, and provide support.

Extreme Security: When Basic Isn't Enough

For high-risk scenarios, specialized tools provide enhanced protection.

Advanced Security Tools
  • Tails OS: Amnesic live OS that never writes to disk when used as designed (booted from USB in persistent mode)
  • Qubes OS: Security-oriented OS using Xen virtualization to isolate tasks into qubes (Tor not enabled by default)
  • Public/Private Key Encryption: GPG for email and file encryption
  • YubiKey & similar: Physical, hardware based security keys for 2FA and encryption
Important Note: These tools often require some technical expertise, close attention, and lots of patience to use correctly. Only use them if your threat model/personal tolerance requires this level of security, and you are willing to learn how to use them in a safe, helpful way.
When to Use Extreme Measures
  • Journalists in hostile environments
  • Activists facing government surveillance
  • Handling highly sensitive information
  • Protecting against advanced persistent threats
  • When physical safety is at risk

Security Plan Assessment (SWOT)

Strengths: What aspects of your security plan work well?

Weaknesses: Where are you most vulnerable?

Opportunities: What tools or practices could improve your security?

Threats: What specific risks does your threat model include?
