(I haven’t known where to begin with this for about a year and have mostly just preferred to run trainings and one-on-one consultations instead, for which I’m still available. So in lieu of perfection I’ve shared something of use. If I’ve missed anything, please let me know! This is a working guide. Also, the field is always changing. There is no perfect solution, just better practices. I ask only that you use this guide responsibly and ethically and be careful where you share it. Security is a weapon. Who do you want to arm?)
Doxxing is releasing people’s personal information and using it to hurt them. This can be a legitimate course of action against well-researched and confirmed nazi targets but it is more often used against activists and minorities by forums such as the chaniverse. Make some time to protect yourself and your friends. Set aside a whole afternoon and do this. Or better yet, set up a crypto party with a group of close friends and do it together… with snacks! We don’t have to do this perfectly, but the more we do the better our chances of getting out safely, and protecting our friends in the process. It’s a really satisfying feeling knowing you’ve done it too. The other part of this is community and self defense but that’s another post.
Power not paranoia security framework (Concept courtesy of LA-NLG)
- Security culture, including technical, is a form of expressing love and solidarity. We all have a sense of it from being marginalized, targeted, activists. It’s about harnessing those good instincts with knowledge and practice.
- Rather than toxic paranoia we can practice a culture of mutual-aid and support around tech security. We can build power instead of paranoia and meet people where they’re at. From there we can have communities of practice that normalize better practices in a way that is resilient in a crisis.
General Information and Communications Security
- InfoSec and ComSec are broad and crucial fields that this guide will not cover in great detail. The basic idea is easy: keep our information only in the hands of those we want to have it. But the implementation is much more complicated. The best place to start, as usual, is with the EFF guide.
What is doxxing?
- Publication of people’s personal information without consent. This is usually done in enemy territory and accompanied by subsequent actions such as trying to get someone fired or even arrested through true or false disclosure of information.
Think like a hacker!
- Imagine you’re trying to hack yourself or someone else. A first step is enumeration, or information gathering, which is most commonly done through OSINT, or Open Source Intelligence. This is just making sense of all the publicly available data someone leaves on the internet.
- Net security: solutions change quickly. Fluid situation. More important to learn how to think about vulnerabilities than to learn rigid tools.
- Protecting identity online: what are the juicy infos and how would they be found
- Some data vulnerabilities are obvious, some are more subtle
- People generally want a handful of nice little solutions to solve all their problems but that’s not real life. Protecting your privacy is hard, especially for activists. It’s a dynamic and ongoing process and the best bet is to start thinking like a hacker… or an identity thief.
- Threat modeling is about honestly identifying who and what are your key risks, what you’re protecting, and what you are willing to do to protect it
- Not only protecting yourself but also your community
- You can be used as leverage against others.
- Metadata: Think of the outside of the envelope: address, paper type, dates, names, locations, fingerprints, etc. You can’t see the content but there’s still a lot of information. Warrants are often not needed. WhatsApp stores and shares metadata. Signal does not.
- Using metadata they can build a social web to identify organizers through analyzing irregular and regular patterns of communication and linking it to major events.
- Threat modeling against the NSA is prohibitively difficult for most people
- Focus on threat actors you can and are willing to model against such as other federal agencies, state police, average hacker, local police, and fash slobs
- Tech security means making yourself a less vulnerable target rather than invulnerable. No one is perfect.
- Social engineering is the conscious manipulation of people’s expectations in order to accomplish a desired goal.
- Think ‘wearing a hi-vis jacket to sneak into Disney World’ but often more sociopathic.
- Phishing and spear phishing are forms of social engineering that usually use an avenue of communication such as text message, phone call, or email to gain access to a person’s critical information, often through trickery.
- The most common forms of this are people calling, texting, or emailing with some general bit of information about you at their disposal so that you trust them and then trying to access more information. The easiest solution is to always go right to the actual organization the person is claiming to work for. So, if your bank is calling and asking for some information (which actually they’d never do), to be safe, call your bank directly and ask them about it. If Google asks you to change your password, don’t click the links in the email; instead go to Google directly and change your password.
- The first step is to make a list (write it down) of all of your social media profiles. This isn’t just twitter and facebook. This is your old ass myspace or livejournal. Your instagram. Etsy. LinkedIn. Couchsurfers. Fetlife. Your old backpages ad. Etc. Of these, facebook and linkedin are probably the most common offenders but you need to check all of them and just delete the ones you don’t need any more. Even if the information is outdated, it could still be used to confirm or sift through other evidence found elsewhere.
- What is made public?
- Go through the privacy settings. Under settings. Then Privacy. Tighten them all up. I also really suggest the “limit past posts” feature. It sets all of yr past posts to friends only which I think is best. I don’t think people actually need public posts unless they’re celebs. ppl can just copy paste or whatever. Another important and lesser known thing is changing your username which is actually yr url handle. That’s under General. Make it anything but for the love of god not yr real name. I suggest changing your last name as well to a fake one or an abbreviation of yr name and then if you get zucced you can change it back or photoshop something up. Just that full names are verrrry useful for identifying people.
- Another weird little thing is go to your profile, click friends, then click friends privacy, and then make your friends list and things you follow private. They’re public by default.
- What is made public?
- Once you’ve gone through all of that (you may also want to set up 2FA in the sign-on features) navigate to your profile and then edit your about me section. IMO you shouldn’t have anything here. No jobs, education, birthdate, city, etc. If you must have them make double triple sure that they’re only set to friends and not public or friends of friends. These may seem trivial but they’re the number one way to doxx someone. If you enjoy the birthday wishes or whatever then at least make yr year visible to “only me”. Another thing is that I suggest not having family or relatives on that section or if your family insists have it set to visible to “only me” bc as activists, the alt-right will always target our families. Once you’ve gone through and thought about all of those side menus, go back to your profile. Here’s a little known one that is nonetheless suppperrr helpful in doxx defense. On the horizontal menu that says timeline, about, friends… click the drop down menu on more and go to manage sections. Make literally like all of that shit not visible. It’s really easy to figure out where people live and go regularly from their likes and groups especially and those don’t really need to be public. But even the music can do it if for example you like a local band or something. Make sure you scroll down that list and get all of them though. That shit’s often public too! :(
- So do this to all of your social media accounts and think in terms of vulnerabilities and what you would use to doxx yrself if you wanted to.
- The linkedin settings are particularly nuts. They’re a major databroker and it’s just such a huge vulnerability to list yr workplaces and schools on a public forum. I encourage ppl to ask whether they actually ever get jobs from linkedin or just feel like they should have it. If you can’t delete it tho, at least set it to friends only and shut off all of that data broker shit. Delete old shit that you don’t need and tighten up other things like couchsurfing (no name). Also remember that you can do reverse image searches so use distinct images or none at all if possible.
- Google yourself!
- Google dorking is just a big extension of Boolean logic that allows you to do custom tailored deep searches on Google which you can use to find stuff about you. Just try lots of different types of Google searches of yourself. Some sites you can ask to take down old things about you but some you can’t. Your YouTube favorites and comments can even be revealing.
- Use Pipl.com to see what sources of information there are about you
- Finding uncommon social medias like your old livejournal or a resume that you put online randomly somewhere
- A strong password is a major part of defense against malicious hacking. The best way to have strong passwords is a password manager such as LastPass or, for more secure and local storage, KeePassX.
- Two-factor authentication (2FA): a thing you have and a thing you know. So like you know your password and you have a phone. It sends a code to your phone to confirm your identity.
- Recognizes devices.
- Sends out a thing with a new device: never recognizes you with a VPN, which can be tedious
- Protests are a major privacy risk for many activists. If you’re going here are some tips to prevent doxxing:
- Cover your face and anything identifiable like tattoos.
- Wear contacts instead of glasses or like a dollar store pair that you can get rid of.
- Cops and fascists have even been known to use photos of people’s backpacks or shoes as identifiers so really try to be as unidentifiable as possible.
- FOR THE LOVE OF GOD DO NOT RSVP ON THE EVENT PAGE OR MAKE PUBLIC POSTS ABOUT GOING! Imagine you’re a cop or fascist, those are the first places you’d go.
- Several times lately people have gotten screwed because they said things like “I’m gonna go fight some nazis in X” with the hashtag of the event. Don’t be that person. Don’t fight nazis to be cool. Fight them because they’re fucking nazis.
- As unfortunate as this is, having identifiable body types (such as bigger folk) or identifiable skin tones (such as the only PoC in a white people black bloc) can be a big vulnerability. Just be mindful of best practices and your personal risk level when trying to bloc up.
- A honeypot is a fake site or server designed to draw the victim to it and trap them or steal their information in some way. Both fascists and the state use this tactic. An ordinary VPN such as TunnelBear, NordVPN, or the Riseup/Calyx VPN thwarts this though. A VPN or Tor disguises your IP address, or the name of your computer on a given network. In general, just be careful. Your IP address is also linked to your geographic location without the use of these tools.
- Google Activity
- Make sure to delete everything by ALL TIME and turn off all of the data trackers including the maps and youtube ones. This is scary stuff just a heads up.
- Data indexers
- These are the a-holes that post all of your addresses and phone numbers and family etc. in one place. Opt-out of as many of these as is possible for you.
- There are more under the additional resources section
- Data brokers
- These are the guys that sell all your stuff to big companies. They’re responsible for tons of random spam and malware attempts that you get hit with including contributing to big surveillance from the government.
- Add’l resources