Seeking Feedback: ActivistChecklist.org - digital security guides

No kings baby!

1 Like

The checklist is weak. Like for protection against advanced spyware, the recommendation is like update your computer, remove apps you don’t need. Everyone knows this and it’s basic.

The lockdown mode is the relevant bit, but you want more of that kind of protection.

Open to suggestions if you have any specific things you think should be included!

We’ll have a GrapheneOS guide in a few weeks for the hardcore folks.

2 Likes

Thank you for creating this list!

It was important to me that the protest participant checklist included physical checkpoints (clothing and tattoos, etc.). I often participate in protests, and police are increasingly trying to track more physical traces through cameras and such. So a physical checklist that goes beyond digital aspects is very helpful.

2 Likes

In your spyware protection checklist, you can do device recommendations. The latest iPhone with Apple’s Marketing Term for Memory Tagging and latest Pixels have a ton of security hardware for non-persistence, breaking exploitation chains, and reducing attack surface by having their own modems, chipsets, etc.

In the same checklist, you can recommend Molly.im as a client for Signal since it allows blocking messages from unknown contacts and not use WhatsApp at all, since almost all latest spyware delivery involved some previously infected unknown sending an attachment or message that auto executed.

In the same checklist you should ask them to disable MMS/other fancy text features like iMessage reactions and use plain text SMS. They should also use their cell provider’s features to lock SIM and portability if available, since SIM swaps are also a nice way to get identity and/or deliver malware to leaders of a cause through their own supporters.

On desktops, if possible, they should open their attachments in the browser using Gmail/GDrive instead of downloading them to their own computer. If they have to download it, they should use something like VirusTotal to scan, and then open it in some software like Dangerzone, a separate VM, etc.

They should also be advised to take SHA-256 hashes of their own filesystems regularly and publish them on something like Twitter to have some credible defense against digital evidence planting like how CP is often used to convict activists. Ideally they should use Tails and their mobile devices only and not use regular computers at all to prevent evidence planting and forensics. These are only surface level measures though, since if the State wishes to convict, it can do it as easily on a traffic ticket as it can on a graver crime. As Stalinist Vyshinsky said: Give me the man and I will give you the case against him - Wikipedia


There have been some previous attempts at this by security researchers. One I saw on HN a lot was: Basic Security Guide (Tech Solidarity) by tptacek, but I disagree on some recommendations like:

Don’t use your fingerprint to lock/unlock devices.

GrapheneOS has a 2-factor unlock with fingerprint+pin to use along with a strong password, which is better than any other option available right now. For other devices, this is still good advice.

Don’t use an Android phone, use an iPhone instead.

Again, GrapheneOS exists.

Do install HTTPS everywhere

Redundant with strict https check in all modern browsers.

Rest of the list is excellent advice for security.

5 Likes
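One way to take the filesystem hash snapshots suggested in the post above, as an added example that is not part of any post in this thread: it builds a per-file SHA-256 manifest, reduces it to a single digest short enough to publish, and diffs two snapshots to list files that appeared or changed. The sample tree, file names and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256; symlinks are recorded by target."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = ("link:" + os.readlink(full)) if os.path.islink(full) else hash_file(full)
            except OSError as exc:  # unreadable files are noted, not silently skipped
                manifest[rel] = "unreadable:" + type(exc).__name__
    return manifest

def root_digest(manifest):
    """The one value to publish: SHA-256 over sorted 'digest  path' lines."""
    lines = "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items()))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()

def diff_manifests(old, new):
    """Return (added, removed, changed) relative paths between two snapshots."""
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed

def demo():  # constructed sample tree: snapshot, add one file, alter another, snapshot again
    with tempfile.TemporaryDirectory() as root:
        Path(root, "docs").mkdir()
        for rel, data in (("docs/notes.txt", b"meeting at 6\n"), ("todo.txt", b"buy tape\n")):
            Path(root, rel).write_bytes(data)
        before = build_manifest(root)
        Path(root, "docs", "added.bin").write_bytes(b"appeared after the snapshot")
        Path(root, "todo.txt").write_bytes(b"buy tape\nextra line\n")
        after = build_manifest(root)
        return root_digest(before), root_digest(after), diff_manifests(before, after)

if __name__ == "__main__":
    print(demo())
```

Only the root digest needs to be published; the full manifest has to be kept somewhere safe offline, because it is what shows later which paths were not present when the digest was posted.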

Ah brilliant. Hadn’t even thought to make device recommendations. Yes, we should definitely add that. I’ll make a note (might not get to it for a few weeks).

I think suggesting Molly is also a good idea.

I also think SIM locking is an obvious addition somewhere on the site. Though I’m not sure I’ve ever heard of SIM swapping being used as part of a spyware attack. Do you have any reference on that?

As far as disabling iMessage, that’s a tough one. You’re gaining spyware protection but you’re losing a ton of privacy benefits. SMS texts are much easier to surveil. My current assessment is that Lockdown Mode or Advanced Protection Program is a decent trade-off between privacy (end to end encryption) and security (not getting spyware). Open to hearing counter-points on this!

Thanks for sharing your thoughts!

1 Like

I think the FBI issued an advisory for SIM swaps: Internet Crime Complaint Center (IC3) | Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from US Public

Overall, it is hard to find “proof” of a method used in an exploit, since the incentive is to hide it for as long as possible.

In the ideal world, they would only use Signal, and text would only be spam, bank messages, and the like. No personal communication on SMS should be the standard, but I understand that sounds foreign in US social circles.


On the other hand, I also want to thank you for doing this. It is a thankless job trying to create resources for the people not literate about tech, where everyone has criticism and few have initiative.

1 Like

Yeah I really wouldn’t, it’s basically just opportunistic E2EE. The vulnerabilities are going to be in the messages app itself mostly, which has a lot of internal hardening against exploits.

3 Likes

Famous last words.

We’ve had a few major updates since last posting here.

  • Doxxing Defense Guide - To help reduce your attack surface for anyone who is using OSINT techniques to try to find you online, expose your private information, and harass you.
  • ICE Watch Digital Security Checklist - For anyone doing rapid response or constitutional observing of ICE activities. This has quickly become the most popular page on the site.
  • Surveillance News - A place we started to collect all the surveillance news we encounter.

We also started a Bluesky account: ActivistChecklist.org

As always, feedback welcome.

3 Likes