The natural human tendency is to share information to build trust and demonstrate competence. In resistance operations, this tendency must be consciously overcome. Information discipline requires constant vigilance and may feel antisocial, but it is essential for operational security.
+Effective compartmentalization requires strict discipline from all participants. The temptation to share information across cell boundaries for efficiency or social reasons must be resisted. Remember: the inconvenience of compartmentalization is far less than the consequences of cascade compromise.
+Zero Trust may seem paranoid, but it reflects the reality of operating in a hostile environment where compromise is not a matter of if, but when. The goal is not to prevent all compromise, but to limit its impact and maintain operational capability even under adverse conditions.
+Effective metadata minimization requires thinking about the digital traces of every action before taking it. This becomes second nature with practice, but initially requires conscious effort and planning. The investment in metadata discipline pays dividends in operational security and longevity.
+Adversary analysis requires ongoing intelligence collection through open sources, operational observation, and network reporting. This information must be systematically collected, analyzed, and updated to maintain accuracy and relevance.
+Threat scenarios should be realistic and based on actual adversary capabilities and historical precedents. Avoid both underestimating threats (leading to inadequate security) and overestimating them (leading to paralysis and ineffective operations).
+Effective risk management is an ongoing process that requires regular review and updates. Risk assessments should be updated whenever significant changes occur in the threat environment, organizational capabilities, or operational requirements.
+OpSec is only as strong as its weakest link. All participants must understand and consistently apply OpSec principles. A single careless action can compromise an entire operation and endanger all participants.
+The four layers are designed to work together, not in isolation. Effective implementation requires clear protocols for when to use each layer and how to coordinate between them while maintaining security.
+Self-hosted infrastructure requires ongoing security maintenance and monitoring. Server compromise can expose all communications and files, making proper security hardening and incident response planning essential.
+Layer 3 methods require advance planning and preparation. Emergency communication channels must be established and tested before they are needed, as crisis situations provide no time for setup and configuration.
+Even with strong technical anonymity, writing style, content knowledge, and publication patterns can potentially identify authors. Careful attention to operational security is essential for maintaining publisher anonymity.
+Communication protocols must evolve as threats change, technology advances, and operational requirements shift. Regular review and updating of protocol selection criteria ensures continued effectiveness and security.
+Session provides excellent security but has limitations: slower message delivery due to onion routing, limited group messaging features, and dependency on network connectivity. Plan accordingly for operational requirements.
+Self-hosted Matrix servers require ongoing maintenance including security updates, monitoring, backup verification, and performance optimization. Plan for dedicated technical resources or consider managed hosting with trusted providers.
+Briar's peer-to-peer architecture provides unique advantages: no central servers to compromise, offline messaging capability, and mesh networking for local communications. These features make it invaluable for high-security scenarios and network disruption situations.
+Signal's phone number requirement and centralized infrastructure make it unsuitable for high-risk resistance communications. Use Signal only for medium-risk scenarios and always in combination with more secure alternatives.
+Voice communications should be used sparingly in resistance operations due to security limitations. Prioritize text-based communications for most coordination, using voice only when real-time interaction is essential and cannot be achieved through other means.
+Group communications are inherently less secure than one-to-one communications due to multiple participants, varied security practices, and increased attack surface. Implement strict security protocols and regular security reviews for all group communications.
+Effective message verification requires developing a culture where verification is routine and expected. All participants must understand the importance of verification and consistently apply verification procedures without exception.
+Communication protocols must evolve continuously as threats change, technology advances, and operational requirements shift. Regular review and updating of protocols ensures continued effectiveness and security.
+While CryptPad provides excellent security for document collaboration, it has limitations: requires JavaScript enabled, limited offline functionality, and potential browser-based attacks. Use in combination with other security measures and maintain offline backups of critical documents.
+OnionShare requires both sender and recipient to use Tor Browser for access. Ensure all participants understand Tor usage and have secure access to Tor network. Monitor for network analysis attacks and use additional encryption for highly sensitive files.
+Encrypted cloud storage provides convenient access and collaboration features while maintaining reasonable security for medium-sensitivity files. Use in combination with other security measures and maintain local encrypted backups of critical files.
+Digital dead drops require careful planning and execution to maintain security. Physical dead drops pose additional risks including discovery, surveillance, and physical compromise. Use multiple redundant systems and maintain strict operational security.
+Secure version control provides accountability, collaboration, and change tracking while maintaining security. Implement appropriate security measures and operational procedures to protect sensitive documents throughout the collaboration lifecycle.
+Effective collaborative security protocols require clear roles, comprehensive procedures, ongoing training, and continuous improvement. Success depends on consistent implementation and participant commitment to security and operational excellence.
+Do not skip Part I to get to "more practical" technical content. The principles covered here determine whether technical measures will be effective or merely provide a false sense of security. Every security failure can be traced back to a violation of these fundamental principles.
+The most sophisticated communication systems are worthless without proper operational discipline. All participants must understand and consistently follow communication protocols, security procedures, and operational security practices.
+Focus first on implementing basic secure messaging (Chapter 4) before attempting to deploy complex multi-layer architectures. Solid implementation of fundamental tools is more valuable than poorly implemented advanced systems.
+This chapter establishes the five fundamental principles that must guide all resistance security decisions. These principles, derived from decades of resistance experience and modern security research, provide the conceptual framework for evaluating threats, designing countermeasures, and making operational decisions under pressure.
+ +Sections in this chapter:
+The Principle of Least Privilege states that every person, process, and system should have access only to the minimum resources necessary to perform their legitimate function. In resistance operations, this means limiting access to information, tools, and capabilities to the smallest set required for operational effectiveness.
+ +Violation: Sharing operational plans with all cell members regardless of their role +Consequence: Compromise of one member leads to exposure of entire operation
+ +Violation: Using shared accounts for multiple purposes +Consequence: Inability to track access or revoke permissions for specific individuals
+ +Violation: Granting administrative access to avoid permission requests +Consequence: Accidental or malicious damage to critical systems
+ +Need-to-Know is an information security principle that restricts access to sensitive information to only those individuals who require it to perform their duties. Unlike Least Privilege, which focuses on access controls, Need-to-Know addresses the content and scope of information sharing.
+ +CRITICAL - Information whose compromise would cause immediate operational failure
+SENSITIVE - Information whose compromise would significantly impact operations
+RESTRICTED - Information whose compromise would cause limited damage
+UNCLASSIFIED - Information that can be shared without operational impact
+Before sharing information in any meeting:
+1. Identify who needs this specific information
+2. Determine the minimum detail level required
+3. Consider whether the information can be compartmentalized
+4. Verify that all attendees have operational need for the information
+5. Document what was shared and with whom
+The natural human tendency is to share information to build trust and demonstrate competence. In resistance operations, this tendency must be consciously overcome. Information discipline requires constant vigilance and may feel antisocial, but it is essential for operational security.
+Compartmentalization is the practice of isolating information, people, and operations into discrete units (cells) that can function independently and have limited knowledge of other units. This structure prevents the compromise of one element from cascading through the entire organization.
+ +Operational Cells
+Support Cells
+Communication Cells
+Leadership Cells
+Standard Communication Flow:
+Operational Cell → Support Cell → Leadership Cell
+
+Emergency Communication Flow:
+Any Cell → Emergency Contact → Leadership Cell
+
+Cross-Cell Coordination:
+Cell A → Leadership Cell → Cell B
+(Direct cell-to-cell communication only for specific authorized operations)
+When a cell is compromised:
+Effective compartmentalization requires strict discipline from all participants. The temptation to share information across cell boundaries for efficiency or social reasons must be resisted. Remember: the inconvenience of compartmentalization is far less than the consequences of cascade compromise.
+Zero Trust is a security model that assumes no user, device, or communication can be trusted by default, even if they are inside the organization’s network or have been previously verified. Every access request must be authenticated, authorized, and continuously validated.
+ +Standard Verification Process:
+1. Something you know (password, passphrase, coded response)
+2. Something you have (device, token, physical key)
+3. Something you are (biometric, behavioral pattern)
+4. Somewhere you are (location verification, network analysis)
+5. Someone you know (trusted introducer, mutual contact)
+Zero Trust may seem paranoid, but it reflects the reality of operating in a hostile environment where compromise is not a matter of if, but when. The goal is not to prevent all compromise, but to limit its impact and maintain operational capability even under adverse conditions.
+Metadata is “data about data” - information that describes the characteristics of communications and activities without revealing their content. In resistance operations, metadata analysis can reveal operational patterns, network structures, and behavioral indicators even when all content is encrypted.
+ +Modern data analysis can identify:
+Metadata can be used to:
+Technical Metadata Reduction:
+1. Use Tor or similar anonymization networks
+2. Employ VPNs with no-logging policies
+3. Use disposable email addresses and accounts
+4. Regularly change device identifiers when possible
+5. Use different devices for different operational purposes
+Effective metadata minimization requires thinking about the digital traces of every action before taking it. This becomes second nature with practice, but initially requires conscious effort and planning. The investment in metadata discipline pays dividends in operational security and longevity.
+The five core security principles covered in this chapter provide the foundation for all resistance security operations:
+ +These principles must be applied consistently across all aspects of resistance operations, from technical tool selection to operational planning to daily security practices. They are not merely guidelines but operational requirements for survival in a hostile environment.
+ +While each principle is important individually, their real power comes from integrated application. Effective resistance security requires balancing these principles against operational requirements and human limitations. Perfect adherence to all principles simultaneously may be impossible, but conscious application of each principle to every security decision will dramatically improve operational security.
+ +Chapter 2 builds on these foundational principles by providing systematic approaches to threat assessment and operational environment analysis. Understanding these principles is essential preparation for the practical threat modeling exercises that follow.
+ +Next: Chapter 2: Threat Assessment and Operational Environment →
+ + + + + + +This chapter provides systematic methodologies for understanding and responding to threats in resistance operations. Effective threat assessment is the foundation of all security planning, enabling resistance practitioners to allocate resources appropriately and design countermeasures that address actual rather than imagined risks.
+ +Sections in this chapter:
+Adversary analysis is the systematic study of hostile forces to understand their capabilities, motivations, limitations, and likely courses of action. In resistance operations, this analysis must encompass both state and non-state actors who pose threats to operational security and participant safety.
+ +Capabilities:
+Motivations:
+Limitations:
+Capabilities:
+Motivations:
+Limitations:
+Capabilities:
+Motivations:
+Limitations:
+Capabilities:
+Motivations:
+Limitations:
+Assessment Matrix:
+1. Surveillance Infrastructure
+ - Mass data collection capabilities
+ - Real-time monitoring systems
+ - Data analysis and correlation tools
+ - International cooperation agreements
+
+2. Cyber Operations
+ - Offensive cyber capabilities
+ - Defensive monitoring systems
+ - Technical expertise and resources
+ - Legal authorities and constraints
+
+3. Human Intelligence
+ - Informant recruitment and management
+ - Infiltration capabilities
+ - Social engineering expertise
+ - Community presence and influence
+Understanding what drives adversary actions helps predict their behavior and identify potential vulnerabilities:
+ +Institutional Interests:
+Individual Motivations:
+Political Factors:
+Adversary analysis requires ongoing intelligence collection through open sources, operational observation, and network reporting. This information must be systematically collected, analyzed, and updated to maintain accuracy and relevance.
+A threat model is a structured representation of potential threats to an organization, operation, or individual, including the assets being protected, potential attackers, attack vectors, and consequences of successful attacks. Threat modeling provides the analytical foundation for security planning and resource allocation.
+ +Information Assets:
+Physical Assets:
+Operational Assets:
+For each asset category, identify potential threat actors:
+ +Threat Actor Analysis Template:
+Actor: [Name/Type]
+Motivation: [Why they would target this asset]
+Capability: [What they can do to compromise it]
+Opportunity: [When/how they could act]
+Impact: [Consequences of successful attack]
+Likelihood: [Probability assessment]
+Technical Attack Vectors:
+Human Attack Vectors:
+Physical Attack Vectors:
+Immediate Impacts:
+Long-term Impacts:
+Spoofing: Impersonating legitimate users or systems +Tampering: Modifying data or systems without authorization +Repudiation: Denying actions or transactions +Information Disclosure: Exposing sensitive information +Denial of Service: Preventing legitimate access to resources +Elevation of Privilege: Gaining unauthorized access or permissions
+ +Threat Scenario: [Descriptive Name]
+
+Background:
+- Current operational context
+- Recent events and triggers
+- Adversary capabilities and motivations
+
+Attack Sequence:
+1. Initial access or opportunity
+2. Escalation and exploitation
+3. Impact and consequences
+4. Potential responses and countermeasures
+
+Indicators:
+- Early warning signs
+- Detection opportunities
+- Confirmation methods
+
+Mitigation:
+- Preventive measures
+- Response procedures
+- Recovery plans
+Scenario 1: Communication Compromise
+Scenario 2: Infiltration Operation
+Scenario 3: Technical Surveillance
+Threat scenarios should be realistic and based on actual adversary capabilities and historical precedents. Avoid both underestimating threats (leading to inadequate security) and overestimating them (leading to paralysis and ineffective operations).
+Risk assessment is the systematic evaluation of potential threats to determine their likelihood and impact, enabling informed decisions about security investments and operational procedures. Risk assessment translates threat models into actionable priorities for security planning.
+ +Risk = Threat × Vulnerability × Impact
+
+Where:
+- Threat = Likelihood of attack occurring
+- Vulnerability = Probability of attack succeeding
+- Impact = Consequences of successful attack
+Likelihood Scale:
+Impact Scale:
+Risk Matrix:
+Impact → VL L M H C
+Likelihood ↓
+Very High M H H C C
+High L M H H C
+Medium L L M H H
+Low VL L L M H
+Very Low VL VL L L M
+
+Legend: VL=Very Low, L=Low, M=Medium, H=High, C=Critical
+Create comprehensive list of identified threats from threat modeling process:
+For each threat, assess organizational vulnerabilities:
+ +Technical Vulnerabilities:
+Procedural Vulnerabilities:
+Human Vulnerabilities:
+Assess potential consequences of successful attacks:
+ +Operational Impact:
+Security Impact:
+Strategic Impact:
+Rank risks based on calculated scores and strategic importance:
+ +Priority Categories:
+Reduce likelihood or impact through security controls:
+Shift risk to other parties or systems:
+Consciously accept certain risks:
+Eliminate risk by avoiding the activity:
+Effective risk management is an ongoing process that requires regular review and updates. Risk assessments should be updated whenever significant changes occur in the threat environment, organizational capabilities, or operational requirements.
+Operational Security (OpSec) is the process of protecting critical information and activities from adversary intelligence collection and analysis. OpSec focuses on identifying and controlling information that could be used to compromise operations, rather than just protecting classified information.
+ +Critical Information Categories:
+Critical Information Examples:
+Personnel Information:
+- Real names and personal details
+- Communication addresses and identifiers
+- Role assignments and responsibilities
+- Skill sets and expertise areas
+- Personal vulnerabilities and pressure points
+
+Operational Information:
+- Mission objectives and success criteria
+- Operational timelines and milestones
+- Resource requirements and allocations
+- Coordination mechanisms and protocols
+- Contingency plans and alternatives
+
+Technical Information:
+- Communication methods and frequencies
+- Security procedures and protocols
+- Equipment specifications and capabilities
+- Software configurations and vulnerabilities
+- Network architecture and access points
+Apply threat modeling to identify how adversaries might collect and use critical information:
+ +Collection Methods:
+Analysis Capabilities:
+Identify how critical information might be exposed:
+ +Information Leakage Points:
+Vulnerability Assessment Questions:
+For each piece of critical information:
+1. Who has access to this information?
+2. How is this information stored and transmitted?
+3. What activities might reveal this information?
+4. What patterns might indicate this information?
+5. How could an adversary collect this information?
+6. What would an adversary do with this information?
+Evaluate the likelihood and impact of information compromise:
+ +Risk Factors:
+Implement measures to protect critical information:
+ +Information Control Measures:
+Activity Control Measures:
+1. Mission Overview
+ - Objectives and scope
+ - Timeline and milestones
+ - Success criteria
+
+2. Critical Information List
+ - Information categories
+ - Sensitivity levels
+ - Access requirements
+
+3. Threat Assessment
+ - Adversary capabilities
+ - Collection methods
+ - Analysis capabilities
+
+4. Vulnerability Analysis
+ - Exposure points
+ - Risk factors
+ - Mitigation priorities
+
+5. Countermeasure Plan
+ - Protective measures
+ - Implementation timeline
+ - Responsibility assignments
+
+6. Monitoring and Review
+ - Effectiveness metrics
+ - Review schedule
+ - Update procedures
+Training and Awareness:
+Monitoring and Enforcement:
+Integration with Operations:
+OpSec is only as strong as its weakest link. All participants must understand and consistently apply OpSec principles. A single careless action can compromise an entire operation and endanger all participants.
+Chapter 2 has provided the analytical framework necessary for understanding and responding to threats in resistance operations:
+ +Section 2-1 established methodologies for analyzing adversary capabilities, motivations, and limitations across different threat actor categories.
+ +Section 2-2 introduced systematic threat modeling approaches for identifying and analyzing potential attacks against resistance operations.
+ +Section 2-3 provided risk assessment frameworks for prioritizing threats and allocating security resources effectively.
+ +Section 2-4 covered operational security fundamentals for protecting critical information and activities from adversary intelligence collection.
+ +The threat assessment and OpSec methodologies covered in this chapter provide the analytical foundation for all subsequent security planning and implementation. The communication systems, operational procedures, and advanced techniques covered in later parts of this manual should be selected and configured based on the threat assessment and risk analysis conducted using these frameworks.
+ +Threat assessment and OpSec are not one-time activities but ongoing processes that must be regularly updated as the operational environment changes. New threats emerge, adversary capabilities evolve, and operational requirements shift, requiring continuous monitoring and adaptation of security measures.
+ +This chapter establishes the multi-layer communication architecture that forms the backbone of secure resistance communications. Rather than relying on a single communication method, effective resistance networks employ multiple complementary systems, each optimized for specific security requirements and operational scenarios.
+ +Sections in this chapter:
+The multi-layer communication architecture is based on several key principles derived from both historical resistance experience and modern security research:
+ +No single communication system can address all security requirements and operational scenarios. Multiple layers provide redundancy and ensure that compromise of one system does not eliminate all communication capabilities.
+ +Different communications require different security levels. Using maximum security for all communications is both unnecessary and operationally ineffective, while using insufficient security for critical communications is dangerous.
+ +Communication systems must support actual operational requirements. Systems that are too complex, slow, or unreliable will be abandoned in favor of less secure but more usable alternatives.
+ +Each layer employs different strategies for minimizing metadata exposure, from onion routing to time delays to broadcast methods that eliminate recipient identification.
+ +Security Level Assessment:
+1. Content Sensitivity
+ - Public information (low security)
+ - Internal coordination (medium security)
+ - Operational details (high security)
+ - Critical intelligence (maximum security)
+
+2. Participant Risk
+ - Public supporters (low risk)
+ - Active participants (medium risk)
+ - Cell leaders (high risk)
+ - Key operatives (maximum risk)
+
+3. Adversary Capabilities
+ - Local law enforcement (basic capabilities)
+ - Federal agencies (advanced capabilities)
+ - Intelligence services (sophisticated capabilities)
+ - Authoritarian regimes (comprehensive capabilities)
+Primary Tools: Session Messenger, Briar +Security Features:
+Use Cases:
+Primary Tools: Element/Matrix (self-hosted), CryptPad +Security Features:
+Use Cases:
+Primary Tools: OnionShare, encrypted email, physical methods +Security Features:
+Use Cases:
+Primary Tools: Tor hidden services, distributed platforms +Security Features:
+Use Cases:
+Phase 1: Foundation (Weeks 1-4)
+- Implement basic secure messaging (Signal/Session)
+- Establish fundamental security procedures
+- Train core participants in basic tools
+
+Phase 2: Collaboration (Weeks 5-8)
+- Deploy self-hosted Matrix server
+- Implement CryptPad for document collaboration
+- Establish group communication protocols
+
+Phase 3: Advanced Security (Weeks 9-12)
+- Implement Briar for high-risk scenarios
+- Establish OnionShare for file transfers
+- Deploy emergency communication channels
+
+Phase 4: Full Architecture (Weeks 13-16)
+- Integrate all layers into coherent system
+- Implement advanced security protocols
+- Establish training and support systems
+The four layers are designed to work together, not in isolation. Effective implementation requires clear protocols for when to use each layer and how to coordinate between them while maintaining security.
+Layer 1 provides maximum security for time-sensitive communications during high-risk operations. This layer prioritizes security and anonymity over convenience and features, making it suitable for:
+ +Layer 1 systems use onion routing (similar to Tor) to protect communication metadata:
+ +Communication Path:
+User A → Entry Node → Middle Node → Exit Node → User B
+
+Each hop only knows:
+- Entry Node: User A's identity, Middle Node's identity
+- Middle Node: Entry Node's identity, Exit Node's identity
+- Exit Node: Middle Node's identity, User B's identity
+
+No single node knows both sender and recipient
+Strengths:
+Configuration:
+Security Settings:
+- Enable disappearing messages (shortest duration)
+- Disable read receipts and typing indicators
+- Use random Session ID, not linked to identity
+- Enable onion routing for all communications
+- Disable message notifications and previews
+Operational Procedures:
+Strengths:
+Configuration:
+Network Settings:
+- Enable Tor for internet connections
+- Enable Bluetooth for local mesh networking
+- Enable WiFi for local area networking
+- Disable location services and contact access
+Operational Procedures:
+Standard Communication Protocol:
+1. Verify recipient identity through out-of-band channel
+2. Establish secure session using verified identity
+3. Communicate using coded language even in encrypted channels
+4. Confirm message receipt through separate channel if critical
+5. Delete conversation and rotate identity if compromised
+Layer 2 balances security with collaboration functionality, providing encrypted group communications, file sharing, and document collaboration while maintaining strong security protections. This layer supports:
+ +Layer 2 systems use self-hosted infrastructure to maintain control over security and data:
+ +Infrastructure Components:
+- Matrix Homeserver (Element/Synapse)
+- CryptPad Collaboration Server
+- File Storage Server (Nextcloud/ownCloud)
+- VPN Server for secure access
+- Backup and Recovery Systems
+Capabilities:
+Server Setup:
+Synapse Server Configuration:
+- Deploy on dedicated server with full disk encryption
+- Configure behind VPN with restricted access
+- Enable end-to-end encryption for all rooms
+- Disable federation with public Matrix servers
+- Implement strong authentication and access controls
+Client Configuration:
+Element Security Settings:
+- Enable cross-signing for device verification
+- Verify all room participants and their devices
+- Enable secure backup for encryption keys
+- Disable read receipts and typing notifications
+- Use strong, unique passwords with 2FA
+Capabilities:
+Server Setup:
+CryptPad Configuration:
+- Self-host on secure server infrastructure
+- Configure with strong encryption settings
+- Disable analytics and external connections
+- Implement access controls and user limits
+- Regular security updates and monitoring
+Usage Protocols:
+Document Security Procedures:
+1. Create documents only on self-hosted instance
+2. Use strong passwords for document protection
+3. Share access links only through secure channels
+4. Regularly review and revoke document access
+5. Export and backup important documents securely
+Communication Security Procedures:
+1. Verify participant identities before adding to groups
+2. Use coded language for sensitive topics
+3. Regularly rotate encryption keys and passwords
+4. Monitor for unusual activity or access patterns
+5. Implement incident response procedures for compromise
+Secure Group Creation Process:
+1. Define group purpose and security requirements
+2. Identify necessary participants and their roles
+3. Create encrypted room/channel with appropriate settings
+4. Invite participants through secure out-of-band verification
+5. Establish group communication protocols and procedures
+6. Regular review of membership and access permissions
+Self-hosted infrastructure requires ongoing security maintenance and monitoring. Server compromise can expose all communications and files, making proper security hardening and incident response planning essential.
+Layer 3 provides backup communication channels that function independently of internet infrastructure and resist network disruption, censorship, and surveillance. This layer ensures communication capability when other systems fail and provides:
+ +Layer 3 systems use store-and-forward methods that don’t require simultaneous online presence:
+ +Asynchronous Communication Flow:
+Sender → Intermediate Storage → Recipient
+
+Benefits:
+- No real-time correlation between sender and recipient
+- Resistance to network timing analysis
+- Functionality during partial network outages
+- Time delays that complicate surveillance
+Capabilities:
+Configuration:
+OnionShare Security Settings:
+- Use Tor Browser for all access
+- Enable automatic shutdown after download
+- Set short expiration times for shared files
+- Use strong passwords for protected shares
+- Access only from secure, anonymous devices
+Operational Procedures:
+Secure File Transfer Process:
+1. Create encrypted archive of files to share
+2. Generate OnionShare link with password protection
+3. Share link and password through separate secure channels
+4. Monitor for successful download and automatic shutdown
+5. Verify receipt through separate communication channel
+Recommended Services:
+Security Configuration:
+Email Security Setup:
+- Create accounts using Tor and anonymous information
+- Use strong, unique passwords with 2FA when available
+- Enable PGP encryption for all sensitive communications
+- Configure automatic message deletion
+- Access only through Tor or secure VPN
+Digital Dead Drops:
+Physical Dead Drops:
+Operational Time Delays:
+- Minimum 24-hour delay between message creation and pickup
+- Random additional delays to prevent pattern analysis
+- Staggered access times to avoid correlation
+- Multiple intermediate steps to break timing chains
+Message Verification Process:
+1. Cryptographic signatures to verify sender authenticity
+2. Predetermined code words or phrases for verification
+3. Separate channel confirmation of message receipt
+4. Cross-reference with other intelligence sources
+5. Verification of message integrity and completeness
+Emergency Communication Sequence:
+1. Attempt primary communication channels (Layers 1-2)
+2. If primary channels fail, activate Layer 3 protocols
+3. Use predetermined emergency contact methods
+4. Implement duress codes if under coercion
+5. Activate backup communication networks
+6. Establish new primary channels when possible
+Layer 3 methods require advance planning and preparation. Emergency communication channels must be established and tested before they are needed, as crisis situations provide no time for setup and configuration.
+Layer 4 provides one-to-many communication capabilities with strong sender anonymity and censorship resistance. This layer supports public-facing communications while protecting the identity and location of the sender:
+ +Layer 4 systems use anonymity networks to protect sender identity:
+ +Tor Hidden Services Architecture:
+Publisher → Tor Network → Hidden Service → Public Access
+
+Anonymity Features:
+- Publisher identity hidden from readers
+- Publisher location hidden from network operators
+- Content hosted on distributed network
+- Censorship resistance through multiple access points
+Capabilities:
+Setup Procedures:
+Hidden Service Configuration:
+1. Install and configure Tor on secure server
+2. Generate .onion address and private keys
+3. Configure web server to serve content locally
+4. Test access through Tor Browser
+5. Implement security hardening and monitoring
+IPFS (InterPlanetary File System):
+Blockchain Platforms:
+Multi-Platform Publishing:
+Account Management:
+Anonymous Account Creation:
+1. Use Tor Browser for all account creation
+2. Use temporary email addresses for registration
+3. Provide minimal or false personal information
+4. Use VPN or proxy for additional protection
+5. Maintain separate identities for different purposes
+Content Publication Security:
+1. Remove metadata from all files before publication
+2. Use generic writing style to avoid stylometric analysis
+3. Avoid revealing specific knowledge or experiences
+4. Use stock images or create original graphics
+5. Review content for operational security implications
+Publication Planning Process:
+1. Define target audience and communication objectives
+2. Develop content calendar and publication schedule
+3. Create content following security and anonymity guidelines
+4. Review content for operational security implications
+5. Coordinate publication across multiple platforms
+6. Monitor engagement and adjust strategy as needed
+Even with strong technical anonymity, writing style, content knowledge, and publication patterns can potentially identify authors. Careful attention to operational security is essential for maintaining publisher anonymity.
+Selecting appropriate communication protocols requires systematic evaluation of security requirements, operational needs, and available resources. This section provides frameworks for making these decisions systematically rather than ad hoc.
+ +Threat Level Matrix:
+ Low Medium High Critical
+Content Risk L1-4 L1-3 L1-2 L1 Only
+Participant L2-4 L1-3 L1-2 L1 Only
+Timing Risk L2-4 L1-3 L1-2 L1 Only
+Network Risk L3-4 L2-4 L1-3 L1-2
+
+Legend: L1=Layer 1, L2=Layer 2, etc.
+Content Sensitivity:
+Participant Risk Level:
+Timing Sensitivity:
+Requirement Assessment:
+1. Participants
+ - One-to-one communication
+ - Small group (3-10 participants)
+ - Large group (10+ participants)
+ - Broadcast (one-to-many)
+
+2. Content Type
+ - Text messages only
+ - File sharing required
+ - Voice/video communication
+ - Collaborative editing
+
+3. Timing Requirements
+ - Real-time communication required
+ - Near real-time acceptable (minutes)
+ - Asynchronous acceptable (hours)
+ - Delayed acceptable (days)
+
+4. Reliability Requirements
+ - Mission-critical (must not fail)
+ - Important (failure causes problems)
+ - Useful (failure is inconvenient)
+ - Optional (failure is acceptable)
+Use Layer 1 When:
+Layer 1 Tool Selection:
+Session Messenger:
+- Best for: Routine high-security communications
+- Strengths: Easy to use, good mobile support
+- Limitations: Requires internet connection
+
+Briar:
+- Best for: Offline and mesh networking scenarios
+- Strengths: No servers, offline capability
+- Limitations: More complex setup and usage
+Use Layer 2 When:
+Layer 2 Tool Selection:
+Element/Matrix:
+- Best for: Group communications and coordination
+- Strengths: Rich features, federation capability
+- Limitations: Requires server infrastructure
+
+CryptPad:
+- Best for: Document collaboration and editing
+- Strengths: Real-time collaboration, no accounts required
+- Limitations: Limited to document-based collaboration
+Use Layer 3 When:
+Use Layer 4 When:
+Escalation Procedures:
+Normal Operations → Layer 2 (Collaboration)
+Increased Surveillance → Layer 1 (High Security)
+Network Disruption → Layer 3 (Failsafe)
+Public Communications → Layer 4 (Broadcasting)
+
+De-escalation Procedures:
+Emergency → Layer 3 → Layer 1 → Layer 2
+Crisis → Layer 1 → Layer 2 → Normal Operations
+Communication protocols must evolve as threats change, technology advances, and operational requirements shift. Regular review and updating of protocol selection criteria ensures continued effectiveness and security.
+Chapter 3 has established the multi-layer communication architecture that provides the foundation for secure resistance communications:
+ +Section 3-1 introduced the strategic framework and principles underlying the multi-layer approach to communication security.
+ +Section 3-2 detailed Layer 1 systems for high-risk real-time communication with maximum security and anonymity protection.
+ +Section 3-3 covered Layer 2 systems that balance security with collaboration functionality for ongoing operational coordination.
+ +Section 3-4 described Layer 3 failsafe and offline methods that provide backup communication capabilities independent of internet infrastructure.
+ +Section 3-5 explained Layer 4 anonymous broadcasting systems for public communications with sender anonymity and censorship resistance.
+ +Section 3-6 provided systematic frameworks for selecting appropriate communication protocols based on security requirements and operational needs.
+ +The multi-layer architecture provides a comprehensive framework for resistance communications, but effective implementation requires:
+ +Chapter 4 builds on this architectural foundation by providing detailed configuration and operational guidance for the secure messaging systems that form the core of Layers 1 and 2. Understanding the architectural principles covered in this chapter is essential preparation for the practical implementation guidance that follows.
+ +Next: Chapter 4: Secure Messaging and Voice Communications →
+ + + + + + +This chapter provides detailed configuration and operational guidance for implementing secure messaging systems within the multi-layer communication architecture. Each messaging system covered here serves specific security requirements and operational scenarios, from maximum-security real-time coordination to secure group collaboration.
+ +Sections in this chapter:
+Session Messenger provides maximum security messaging through onion routing and the Signal Protocol, making it ideal for Layer 1 high-risk communications. Session eliminates phone number requirements and metadata collection while providing strong encryption and anonymity protection.
+ +# Download Session from official sources only
+# Desktop: https://getsession.org/download
+# Mobile: Official app stores or F-Droid
+
+# Verify download integrity (desktop)
+gpg --verify session-desktop-linux-x86_64-*.AppImage.sig
+Security Settings Checklist:
+□ Disable read receipts
+□ Disable typing indicators
+□ Enable disappearing messages (shortest duration)
+□ Disable message notifications
+□ Disable message previews
+□ Enable screen security (mobile)
+□ Disable automatic media downloads
+Session ID Best Practices:
+1. Generate new Session ID for each operational role
+2. Use random Session ID, not recovery phrase
+3. Record Session ID securely for sharing with contacts
+4. Never link Session ID to real identity or other accounts
+5. Rotate Session IDs regularly (monthly or per operation)
+Network Configuration:
+- Always use Tor Browser or Tor proxy for desktop access
+- Enable VPN on mobile devices before using Session
+- Disable automatic updates to prevent traffic analysis
+- Use public WiFi from locations unconnected to identity
+- Avoid using Session on home or work networks
+Device Hardening for Session:
+1. Use dedicated device not linked to real identity
+2. Enable full disk encryption
+3. Use strong device lock screen password
+4. Disable biometric authentication
+5. Install minimal additional software
+6. Regular security updates through secure channels
+Session OpSec Procedures:
+1. Create new Session ID for each operation or role
+2. Share Session ID only through secure out-of-band channels
+3. Verify contact identity before sensitive communications
+4. Use coded language even in encrypted messages
+5. Delete conversations regularly
+6. Monitor for unusual behavior or timing
+Secure Contact Addition Process:
+1. Generate Session ID and share through secure channel
+2. Verify recipient received correct Session ID
+3. Send test message with predetermined verification phrase
+4. Confirm identity through separate communication channel
+5. Establish communication protocols and schedules
+Identity Verification Methods:
+- Out-of-band verification through trusted intermediary
+- Predetermined code words or phrases
+- Reference to shared experiences or knowledge
+- Voice verification through separate secure channel
+- Physical meeting for high-value contacts
+Message Retention Settings:
+- Use shortest available timer (5 seconds to 1 week)
+- Adjust based on message sensitivity and operational needs
+- Ensure all participants understand and enable feature
+- Verify messages actually disappear on all devices
+- Use manual deletion for immediate removal
+Secure Messaging Practices:
+1. Use coded language for sensitive topics
+2. Avoid specific names, locations, or times
+3. Break complex information into multiple messages
+4. Use predetermined code words for common concepts
+5. Verify critical information through separate channels
+Emergency Response Protocols:
+1. Duress Codes: Predetermined phrases indicating compromise
+2. Burn Procedures: Rapid deletion of all Session data
+3. Emergency Contacts: Backup communication methods
+4. Fallback Protocols: Alternative communication channels
+5. Recovery Procedures: Re-establishing secure communications
+Session provides excellent security but has limitations: slower message delivery due to onion routing, limited group messaging features, and dependency on network connectivity. Plan accordingly for operational requirements.
+Element/Matrix provides secure group communications and collaboration features through self-hosted infrastructure, making it ideal for Layer 2 secure collaboration systems. Self-hosting ensures complete control over security and data while providing rich communication features.
+ +Minimum Server Specifications:
+- CPU: 2 cores, 2.4 GHz
+- RAM: 4 GB (8 GB recommended)
+- Storage: 50 GB SSD (100 GB+ for larger deployments)
+- Network: Reliable internet connection with static IP
+- OS: Ubuntu 20.04 LTS or Debian 11 (recommended)
+# Update system and install security updates
+sudo apt update && sudo apt upgrade -y
+
+# Install fail2ban for intrusion prevention
+sudo apt install fail2ban ufw -y
+
+# Configure firewall
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow ssh
+sudo ufw allow 80
+sudo ufw allow 443
+sudo ufw enable
+
+# Disable root login and password authentication
+sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
+sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+sudo systemctl restart ssh
+# Install Synapse Matrix server
+sudo apt install matrix-synapse -y
+
+# Generate configuration
+sudo -u matrix-synapse /usr/bin/python3 -m synapse.app.homeserver \
+ --server-name your-domain.com \
+ --config-path /etc/matrix-synapse/homeserver.yaml \
+ --generate-config \
+ --report-stats=no
+# Install PostgreSQL for better performance
+sudo apt install postgresql postgresql-contrib -y
+
+# Create Matrix database and user
+sudo -u postgres createuser --pwprompt synapse_user
+sudo -u postgres createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse_user synapse
+
+# Configure Synapse to use PostgreSQL
+sudo nano /etc/matrix-synapse/homeserver.yaml
+# Database configuration in homeserver.yaml
+database:
+ name: psycopg2
+ args:
+ user: synapse_user
+ password: your_secure_password
+ database: synapse
+ host: localhost
+ cp_min: 5
+ cp_max: 10
+# Enable end-to-end encryption in homeserver.yaml
+encryption_enabled_by_default_for_room_type: all
+trusted_key_servers:
+ - server_name: "matrix.org"
+ verify_keys:
+ "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+# Disable federation for security
+federation_domain_whitelist: []
+# Registration and access control
+enable_registration: false
+registration_shared_secret: "your_very_long_random_string"
+allow_guest_access: false
+enable_registration_captcha: false
+
+# Rate limiting
+rc_message:
+ per_second: 0.2
+ burst_count: 10
+
+rc_registration:
+ per_second: 0.17
+ burst_count: 3
+# Privacy and security settings
+enable_metrics: false
+report_stats: false
+enable_media_repo: true
+max_upload_size: 50M
+
+# Disable unnecessary features
+enable_group_creation: false
+autocreate_auto_join_rooms: false
+# Download and install Element Web
+cd /var/www
+sudo wget https://github.com/vector-im/element-web/releases/download/v1.11.8/element-v1.11.8.tar.gz
+sudo tar -xzf element-v1.11.8.tar.gz
+sudo mv element-v1.11.8 element
+sudo chown -R www-data:www-data element
+{
+ "default_server_config": {
+ "m.homeserver": {
+ "base_url": "https://your-domain.com",
+ "server_name": "your-domain.com"
+ }
+ },
+ "disable_custom_urls": true,
+ "disable_guests": true,
+ "disable_login_language_selector": true,
+ "disable_3pid_login": true,
+ "brand": "Resistance Communications",
+ "integrations_ui_url": "",
+ "integrations_rest_url": "",
+ "bug_report_endpoint_url": "",
+ "features": {
+ "feature_pinning": "disable",
+ "feature_custom_status": "disable",
+ "feature_custom_tags": "disable"
+ }
+}
+# Create admin user
+register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008
+
+# Create regular users (admin only)
+# Use Element admin interface or command line tools
+Secure Room Setup:
+1. Create private, invite-only rooms
+2. Enable end-to-end encryption for all rooms
+3. Set appropriate power levels for participants
+4. Configure message retention policies
+5. Establish room-specific communication protocols
+# Database backup script
+#!/bin/bash
+BACKUP_DIR="/backup/matrix"
+DATE=$(date +%Y%m%d_%H%M%S)
+
+# Create backup directory
+mkdir -p $BACKUP_DIR
+
+# Backup database
+sudo -u postgres pg_dump synapse > $BACKUP_DIR/synapse_$DATE.sql
+
+# Backup media files
+tar -czf $BACKUP_DIR/media_$DATE.tar.gz /var/lib/matrix-synapse/media
+
+# Encrypt backups
+gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
+ --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
+ --output $BACKUP_DIR/synapse_$DATE.sql.gpg $BACKUP_DIR/synapse_$DATE.sql
+
+# Remove unencrypted backup
+rm $BACKUP_DIR/synapse_$DATE.sql
+Self-hosted Matrix servers require ongoing maintenance including security updates, monitoring, backup verification, and performance optimization. Plan for dedicated technical resources or consider managed hosting with trusted providers.
+Briar provides true peer-to-peer messaging without central servers, making it ideal for high-security scenarios and situations where internet infrastructure is unreliable or compromised. Briar supports Bluetooth, WiFi, and Tor connections for maximum flexibility.
+ +Official Sources:
+- F-Droid: https://f-droid.org/packages/org.briarproject.briar.android/
+- Google Play: https://play.google.com/store/apps/details?id=org.briarproject.briar.android
+- Direct APK: https://briarproject.org/download-briar/
+
+Desktop Beta:
+- Available for testing but not recommended for operational use
+- Mobile version provides full functionality
+Setup Checklist:
+□ Create strong password for Briar account
+□ Enable screen lock on device
+□ Configure network settings (Tor, WiFi, Bluetooth)
+□ Disable automatic backups to cloud services
+□ Review and adjust privacy settings
+□ Test connectivity through different network types
+Network Settings:
+1. Tor: Enable for internet connections
+ - Provides anonymity and censorship resistance
+ - Required for remote contact connections
+ - May be slower but more secure
+
+2. WiFi: Enable for local area networking
+ - Direct device-to-device connections
+ - Faster than Tor for local communications
+ - Use only in secure environments
+
+3. Bluetooth: Enable for close-proximity messaging
+ - Works without internet or WiFi
+ - Very short range (10-30 meters)
+ - Useful for covert meetings and mesh networking
+Contact Addition Methods:
+1. QR Code Exchange:
+ - Generate QR code in Briar
+ - Scan contact's QR code in person
+ - Most secure method for initial contact
+
+2. Briar Link Sharing:
+ - Generate Briar link for contact
+ - Share through secure out-of-band channel
+ - Verify identity after connection
+
+3. Introduction by Mutual Contact:
+ - Existing contact introduces new contact
+ - Provides verification through trusted intermediary
+ - Useful for expanding secure networks
+Identity Verification Process:
+1. Exchange contact information through secure channel
+2. Verify identity through predetermined questions or codes
+3. Confirm connection through separate communication method
+4. Establish communication protocols and schedules
+5. Regular re-verification for high-value contacts
+Contact Management Security:
+- Use aliases instead of real names
+- Regularly review and clean contact lists
+- Remove contacts who are no longer active
+- Monitor for unusual behavior or timing
+- Implement contact rotation for high-risk operations
+Briar Message Features:
+1. Private Messages:
+ - One-to-one encrypted messaging
+ - Automatic forward secrecy
+ - Message deletion and retention controls
+
+2. Private Groups:
+ - Small group messaging (recommended <10 people)
+ - Invitation-only membership
+ - Shared group keys and forward secrecy
+
+3. Forums:
+ - Larger group discussions
+ - Topic-based organization
+ - Moderation and access controls
+
+4. Blogs:
+ - One-to-many publishing
+ - RSS-like feed functionality
+ - Comment and discussion features
+Briar Security Procedures:
+1. Use coded language for sensitive topics
+2. Enable message deletion timers when available
+3. Regularly clear message history
+4. Monitor contact online status patterns
+5. Use different devices for different operational roles
+6. Implement emergency deletion procedures
+Mesh Network Configuration:
+1. Enable WiFi and Bluetooth on all devices
+2. Ensure devices are within range (WiFi: 100m, Bluetooth: 30m)
+3. Configure Briar to use local networks
+4. Test message routing through intermediate devices
+5. Establish mesh network protocols and procedures
+Mesh Network Security:
+- Only enable mesh in secure, controlled environments
+- Monitor for unauthorized devices joining network
+- Use temporary mesh networks for specific operations
+- Disable mesh when not needed to reduce attack surface
+- Implement physical security for mesh network areas
+Store-and-Forward Messaging:
+- Messages stored locally when contacts offline
+- Automatic delivery when contacts come online
+- Configurable storage limits and retention
+- Encrypted storage on device
+- Manual message deletion for sensitive content
+Briar Communication Protocols:
+1. Regular Check-ins:
+ - Scheduled online times for message exchange
+ - Staggered schedules to avoid pattern analysis
+ - Emergency contact procedures
+
+2. Message Handling:
+ - Immediate reading and response to urgent messages
+ - Delayed response for routine communications
+ - Message verification for critical information
+
+3. Group Management:
+ - Clear roles and responsibilities
+ - Invitation and removal procedures
+ - Conflict resolution and moderation
+Emergency Response with Briar:
+1. Emergency Contacts:
+ - Predetermined emergency contact procedures
+ - Multiple backup contacts for redundancy
+ - Emergency message formats and codes
+
+2. Compromise Response:
+ - Immediate contact removal if compromise suspected
+ - Message deletion and device sanitization
+ - Alternative contact methods activation
+
+3. Network Disruption:
+ - Mesh networking activation for local communications
+ - Store-and-forward for delayed message delivery
+ - Physical meeting coordination through Briar
+Briar's peer-to-peer architecture provides unique advantages: no central servers to compromise, offline messaging capability, and mesh networking for local communications. These features make it invaluable for high-security scenarios and network disruption situations.
+While Signal is not recommended for the highest-security resistance communications due to phone number requirements and centralized infrastructure, it remains widely used and can be secured for medium-risk communications when properly configured and used with appropriate operational security.
+ +Secure Signal Installation:
+1. Download only from official sources:
+ - iOS: Apple App Store
+ - Android: Google Play Store or Signal.org
+ - Desktop: signal.org/download
+
+2. Verify installation integrity:
+ - Check app signatures and certificates
+ - Verify download checksums when available
+ - Use clean device for installation
+Phone Number Considerations:
+1. Use dedicated phone number not linked to real identity:
+ - Prepaid phone with cash purchase
+ - VoIP number from privacy-focused provider
+ - Temporary number for specific operations
+
+2. Registration Process:
+ - Use VPN or Tor during registration
+ - Register from location unconnected to identity
+ - Disable SMS backup and cloud sync
+Signal Security Settings:
+□ Enable registration lock with strong PIN
+□ Disable read receipts
+□ Disable typing indicators
+□ Enable disappearing messages (shortest duration)
+□ Disable message notifications and previews
+□ Enable screen lock and screen security
+□ Disable automatic media downloads
+□ Turn off contact discovery
+□ Disable link previews
+Privacy Configuration:
+1. Profile Settings:
+ - Use pseudonym instead of real name
+ - Avoid identifying profile photos
+ - Disable profile sharing with contacts
+
+2. Contact Management:
+ - Manually add contacts instead of syncing
+ - Use contact names that don't reveal identity
+ - Regularly review and clean contact list
+
+3. Group Settings:
+ - Disable group link sharing
+ - Require admin approval for new members
+ - Use descriptive but non-identifying group names
+Network Protection:
+1. VPN Usage:
+ - Always use VPN when using Signal
+ - Choose VPN provider with no-logging policy
+ - Use different VPN servers for different operations
+
+2. Tor Integration:
+ - Use Signal through Tor proxy when possible
+ - Configure Orbot on Android for Tor routing
+ - Accept slower performance for better anonymity
+
+3. Network Monitoring:
+ - Monitor for unusual network activity
+ - Use network analysis tools to verify Tor routing
+ - Avoid using Signal on monitored networks
+Signal OpSec Procedures:
+1. Contact Verification:
+ - Verify safety numbers for all contacts
+ - Re-verify after app updates or device changes
+ - Use out-of-band verification for critical contacts
+
+2. Message Security:
+ - Use coded language for sensitive topics
+ - Enable disappearing messages for all conversations
+ - Manually delete sensitive messages immediately
+ - Avoid sending identifying information
+
+3. Group Management:
+ - Limit group size to operational necessity
+ - Use separate groups for different purposes
+ - Regularly review group membership
+ - Remove inactive or compromised members
+Device Hardening for Signal:
+1. Physical Security:
+ - Use strong device lock screen
+ - Enable remote wipe capability
+ - Avoid leaving device unattended
+ - Use device encryption
+
+2. App Security:
+ - Keep Signal updated to latest version
+ - Enable app-specific lock if available
+ - Disable Signal in app switcher/recent apps
+ - Clear app cache regularly
+
+3. Backup Security:
+ - Disable automatic cloud backups
+ - Use local encrypted backups only if necessary
+ - Regularly delete old backup files
+ - Secure backup storage and access
+Known Signal Limitations:
+1. Metadata Collection:
+ - Phone numbers linked to accounts
+ - Message timing and frequency data
+ - Contact discovery information
+ - Server connection logs
+
+2. Centralized Infrastructure:
+ - Single point of failure and control
+ - Subject to legal demands and pressure
+ - Potential for service disruption
+ - Limited user control over security
+
+3. Phone Number Requirement:
+ - Links account to identity verification system
+ - Enables contact discovery and correlation
+ - Difficult to maintain anonymity
+ - Vulnerable to SIM swapping attacks
+Signal Risk Mitigation:
+1. Use for medium-risk communications only
+2. Combine with other communication layers
+3. Implement strong operational security
+4. Regular account rotation and cleanup
+5. Monitor for service changes and updates
+6. Prepare alternative communication methods
+Signal's phone number requirement and centralized infrastructure make it unsuitable for high-risk resistance communications. Use Signal only for medium-risk scenarios and always in combination with more secure alternatives.
+Voice communications present unique security challenges due to real-time requirements, voice recognition possibilities, and the difficulty of implementing strong encryption. This section covers secure voice communication methods and operational security procedures.
+ +Secure VoIP Configuration:
+1. Signal Voice Calls:
+ - End-to-end encrypted voice calls
+ - Verify safety numbers before sensitive calls
+ - Use coded language and predetermined phrases
+ - Keep calls brief and focused
+
+2. Element/Matrix Voice:
+ - Encrypted voice calls through Matrix protocol
+ - Self-hosted infrastructure for maximum control
+ - Group voice calls with access controls
+ - Integration with text messaging
+
+3. Briar Voice (Future):
+ - Peer-to-peer voice calls without servers
+ - Currently in development
+ - Will provide maximum security when available
+Landline and Mobile Security:
+1. Operational Phones:
+ - Use dedicated phones not linked to identity
+ - Prepaid phones purchased with cash
+ - Regular phone rotation and disposal
+ - Physical security and access controls
+
+2. Call Security:
+ - Assume all traditional calls are monitored
+ - Use only for non-sensitive communications
+ - Implement coded language and phrases
+ - Keep calls brief and infrequent
+
+3. Location Security:
+ - Disable GPS and location services
+ - Use phones only in secure locations
+ - Avoid patterns in call timing and location
+ - Physical separation from personal devices
+Secure Call Procedures:
+1. Pre-Call Planning:
+ - Determine necessity of voice communication
+ - Prepare coded language and key points
+ - Verify recipient identity and availability
+ - Choose secure location and timing
+
+2. Call Execution:
+ - Verify recipient identity at call start
+ - Use predetermined identification phrases
+ - Speak clearly but avoid identifying characteristics
+ - Keep calls brief and focused on essential information
+
+3. Post-Call Security:
+ - Verify information received through separate channel
+ - Document essential information securely
+ - Clear call logs and temporary data
+ - Monitor for signs of interception or compromise
+Voice Security Techniques:
+1. Voice Modification:
+ - Speak in different pitch or tone
+ - Use accent or speech pattern changes
+ - Employ voice changing software when possible
+ - Practice consistent voice modifications
+
+2. Language Security:
+ - Use coded language for sensitive topics
+ - Avoid names, locations, and specific details
+ - Employ predetermined phrases and responses
+ - Implement duress codes for emergency situations
+
+3. Content Security:
+ - Limit sensitive information in voice calls
+ - Use voice for coordination, text for details
+ - Verify critical information through separate channels
+ - Avoid discussing operational specifics
+Emergency Voice Procedures:
+1. Emergency Identification:
+ - Predetermined emergency phrases
+ - Duress codes indicating compromise
+ - Authentication challenges and responses
+ - Emergency contact escalation procedures
+
+2. Emergency Information:
+ - Essential information only
+ - Predetermined emergency message formats
+ - Location and timing information
+ - Resource and assistance requirements
+
+3. Emergency Response:
+ - Immediate response protocols
+ - Backup communication activation
+ - Security assessment and adjustment
+ - Follow-up verification procedures
+Backup Voice Communication:
+1. Amateur Radio:
+ - Licensed amateur radio operations
+ - Digital modes for text over radio
+ - Mesh networking and repeater systems
+ - Emergency communication networks
+
+2. Satellite Communications:
+ - Satellite phones for remote areas
+ - Satellite internet for VoIP calls
+ - Emergency satellite communication services
+ - Cost and availability considerations
+
+3. Mesh Voice Networks:
+ - Local mesh networking with voice capability
+ - Peer-to-peer voice over WiFi
+ - Offline voice communication systems
+ - Integration with existing mesh networks
+Voice communications should be used sparingly in resistance operations due to security limitations. Prioritize text-based communications for most coordination, using voice only when real-time interaction is essential and cannot be achieved through other means.
+Group communications present amplified security challenges due to multiple participants, varied security practices, and increased metadata exposure. This section provides frameworks for managing group communications securely while maintaining operational effectiveness.
+ +Group Classification:
+1. High-Security Cells (3-7 members):
+ - Operational planning and coordination
+ - Maximum security protocols required
+ - Layer 1 communications (Session, Briar)
+ - Strict access controls and verification
+
+2. Coordination Groups (8-15 members):
+ - Cross-cell coordination and resource sharing
+ - High security with collaboration features
+ - Layer 2 communications (Matrix/Element)
+ - Role-based access and permissions
+
+3. Support Networks (16+ members):
+ - Broader support and resource networks
+ - Medium security with usability focus
+ - Layer 2/3 communications
+ - Moderated access and content controls
+
+4. Public Communications (unlimited):
+ - Public outreach and information sharing
+ - Layer 4 broadcasting systems
+ - Anonymous participation options
+ - Open access with moderation
+Secure Group Creation:
+1. Purpose Definition:
+ - Clear operational purpose and scope
+ - Security requirements assessment
+ - Participant role definitions
+ - Communication protocols establishment
+
+2. Member Selection:
+ - Operational necessity verification
+ - Security clearance and vetting
+ - Role-appropriate access levels
+ - Ongoing membership review
+
+3. Technical Setup:
+ - Appropriate platform selection
+ - Security configuration implementation
+ - Access controls and permissions
+ - Backup and recovery procedures
+
+4. Operational Procedures:
+ - Communication protocols and schedules
+ - Information sharing guidelines
+ - Conflict resolution procedures
+ - Emergency response protocols
+Group Role Structure:
+1. Administrators:
+ - Full group management permissions
+ - Member addition and removal authority
+ - Security configuration control
+ - Emergency response coordination
+
+2. Moderators:
+ - Content moderation and enforcement
+ - Limited member management
+ - Protocol enforcement authority
+ - Conflict resolution responsibility
+
+3. Active Members:
+ - Full participation in group discussions
+ - File sharing and collaboration access
+ - Voice in group decisions
+ - Operational task assignments
+
+4. Observers:
+ - Read-only access to group content
+ - Limited participation in discussions
+ - No access to sensitive materials
+ - Probationary or support role status
+Technical Access Controls:
+1. Matrix/Element Groups:
+ - Power level configuration for different roles
+ - Room encryption and access controls
+ - Invitation-only membership
+ - Message retention and deletion policies
+
+2. Signal Groups:
+ - Admin approval for new members
+ - Disappearing messages for all participants
+ - Group link sharing disabled
+ - Regular membership review and cleanup
+
+3. Briar Groups:
+ - Invitation-only private groups
+ - Peer-to-peer verification required
+ - Local group management
+ - Offline capability maintenance
+Group Information Security:
+1. Classification Levels:
+ - Public: Shareable without restriction
+ - Internal: Group members only
+ - Restricted: Specific roles only
+ - Classified: Administrators only
+
+2. Sharing Protocols:
+ - Clear marking of information sensitivity
+ - Verification of recipient authorization
+ - Secure transmission methods
+ - Access logging and monitoring
+
+3. Content Guidelines:
+ - No personal identifying information
+ - Coded language for sensitive topics
+ - Operational security considerations
+ - Legal and safety implications
+Group Discussion Protocols:
+1. Topic Management:
+ - Separate channels for different topics
+ - Clear topic guidelines and scope
+ - Moderation of off-topic discussions
+ - Archive and retention policies
+
+2. Participation Guidelines:
+ - Respectful and professional communication
+ - Constructive contribution requirements
+ - Conflict resolution procedures
+ - Enforcement and consequences
+
+3. Security Reminders:
+ - Regular security awareness messages
+ - Operational security reminders
+ - Protocol updates and changes
+ - Emergency procedure reviews
+Compromise Indicators:
+1. Technical Indicators:
+ - Unusual login patterns or locations
+ - Unexpected message deletions or modifications
+ - New members without proper authorization
+ - System configuration changes
+
+2. Behavioral Indicators:
+ - Unusual communication patterns
+ - Inappropriate information requests
+ - Violation of established protocols
+ - Suspicious timing or coordination
+
+3. External Indicators:
+ - Law enforcement activity
+ - Media attention or exposure
+ - Adversary knowledge of group activities
+ - Correlation with other security incidents
+Group Compromise Response:
+1. Immediate Actions:
+ - Suspend group communications
+ - Notify all members through backup channels
+ - Assess scope and impact of compromise
+ - Implement emergency security measures
+
+2. Investigation:
+ - Determine source and method of compromise
+ - Assess information exposed or stolen
+ - Identify affected members and operations
+ - Document lessons learned
+
+3. Recovery:
+ - Create new secure group with updated security
+ - Re-verify all member identities
+ - Implement additional security measures
+ - Resume operations with enhanced protocols
+
+4. Prevention:
+ - Update security procedures based on lessons learned
+ - Provide additional training to group members
+ - Implement monitoring and detection improvements
+ - Regular security assessments and reviews
+Group communications are inherently less secure than one-to-one communications due to multiple participants, varied security practices, and increased attack surface. Implement strict security protocols and regular security reviews for all group communications.
+Message verification and authentication ensure that communications are genuine, unmodified, and from verified senders. This is critical in resistance operations where disinformation, impersonation, and message manipulation are common adversary tactics.
+ +Message Signing Process:
+1. PGP/GPG Signatures:
+ - Generate PGP key pair for signing
+ - Sign all sensitive messages with private key
+ - Recipients verify with public key
+ - Maintain secure key management practices
+
+2. Signal Protocol Verification:
+ - Automatic cryptographic signatures
+ - Safety number verification between contacts
+ - Forward secrecy and message authentication
+ - Regular verification of contact keys
+
+3. Matrix/Element Verification:
+ - Cross-signing device verification
+ - Message authentication codes
+ - Key verification through multiple channels
+ - Regular key rotation and verification
+Cryptographic Key Security:
+1. Key Generation:
+ - Use secure random number generation
+ - Generate keys on secure, offline systems
+ - Use strong key lengths (RSA 4096, ECC 384)
+ - Implement proper key backup and recovery
+
+2. Key Distribution:
+ - Verify key fingerprints through out-of-band channels
+ - Use key signing parties for verification
+ - Implement web of trust for key validation
+ - Regular key rotation and update procedures
+
+3. Key Storage:
+ - Encrypt private keys with strong passphrases
+ - Store keys on secure, encrypted devices
+ - Implement key escrow for critical operations
+ - Regular backup and recovery testing
+Contact Authentication Methods:
+1. Out-of-Band Verification:
+ - Phone calls to verify identity
+ - In-person meetings for key exchange
+ - Trusted intermediary introductions
+ - Physical document verification
+
+2. Challenge-Response Authentication:
+ - Predetermined questions and answers
+ - Shared secret verification
+ - Historical knowledge verification
+ - Behavioral pattern recognition
+
+3. Multi-Factor Authentication:
+ - Something you know (password/passphrase)
+ - Something you have (device/token)
+ - Something you are (biometric/behavioral)
+ - Somewhere you are (location verification)
+Message Verification Procedures:
+1. Content Verification:
+ - Cryptographic signature verification
+ - Message integrity checking
+ - Timestamp validation
+ - Source authentication
+
+2. Context Verification:
+ - Message content consistency
+ - Timing and sequence verification
+ - Cross-reference with other sources
+ - Operational context validation
+
+3. Behavioral Verification:
+ - Writing style and pattern analysis
+ - Communication timing patterns
+ - Operational knowledge verification
+ - Relationship context validation
+Impersonation Prevention:
+1. Technical Measures:
+ - Strong cryptographic authentication
+ - Device fingerprinting and verification
+ - Network analysis and monitoring
+ - Automated anomaly detection
+
+2. Procedural Measures:
+ - Regular identity verification
+ - Predetermined authentication protocols
+ - Suspicious activity reporting
+ - Cross-verification through multiple channels
+
+3. Human Factors:
+ - Training in impersonation detection
+ - Awareness of social engineering tactics
+ - Verification of unusual requests
+ - Reporting of suspicious communications
+Integrity Verification:
+1. Cryptographic Protection:
+ - Message authentication codes (MAC)
+ - Digital signatures for non-repudiation
+ - Hash verification for content integrity
+ - Timestamp verification for freshness
+
+2. Operational Protection:
+ - Message sequence numbering
+ - Duplicate message detection
+ - Replay attack prevention
+ - Message correlation and validation
+
+3. Recovery Procedures:
+ - Integrity failure response protocols
+ - Message re-transmission procedures
+ - Alternative verification methods
+ - Incident reporting and investigation
+Regular Verification Procedures:
+1. Daily Operations:
+ - Verify sender identity for all sensitive messages
+ - Check message signatures and authentication
+ - Cross-reference with expected communications
+ - Report anomalies and suspicious activity
+
+2. Weekly Reviews:
+ - Review all contact verifications
+ - Update authentication credentials
+ - Assess verification procedure effectiveness
+ - Train participants in verification techniques
+
+3. Monthly Audits:
+ - Comprehensive verification system review
+ - Update verification procedures and protocols
+ - Assess and address verification failures
+ - Implement improvements and enhancements
+Emergency Authentication:
+1. Duress Codes:
+ - Predetermined phrases indicating compromise
+ - Subtle indicators of coercion
+ - Emergency authentication procedures
+ - Backup verification methods
+
+2. Emergency Contacts:
+ - Alternative contact methods for verification
+ - Trusted intermediaries for authentication
+ - Emergency communication protocols
+ - Rapid response verification procedures
+
+3. Crisis Response:
+ - Immediate verification of emergency communications
+ - Rapid authentication of crisis information
+ - Emergency decision-making protocols
+ - Post-crisis verification and assessment
+Effective message verification requires developing a culture where verification is routine and expected. All participants must understand the importance of verification and consistently apply verification procedures without exception.
+Communication scheduling and protocols provide the operational framework for secure communications, defining when, how, and under what circumstances different communication methods should be used. Proper scheduling minimizes metadata exposure while ensuring operational effectiveness.
+ +Temporal Security Principles:
+1. Pattern Avoidance:
+ - Avoid regular communication schedules
+ - Randomize communication timing
+ - Use predetermined time windows
+ - Implement communication blackout periods
+
+2. Time Delays:
+ - Introduce random delays between messages
+ - Use store-and-forward for non-urgent communications
+ - Implement minimum delay periods
+ - Coordinate timing across multiple participants
+
+3. Operational Timing:
+ - Align communications with operational requirements
+ - Avoid communications during high-risk periods
+ - Coordinate timing with other operational activities
+ - Plan for emergency communication needs
+Communication Schedule Planning:
+1. Operational Requirements:
+ - Identify communication needs and timing
+ - Assess urgency and priority levels
+ - Determine participant availability
+ - Plan for contingencies and emergencies
+
+2. Security Considerations:
+ - Assess surveillance and monitoring risks
+ - Implement timing randomization
+ - Plan for communication security measures
+ - Coordinate with other security protocols
+
+3. Resource Allocation:
+ - Assign communication responsibilities
+ - Allocate technical resources and infrastructure
+ - Plan for backup and redundancy
+ - Implement monitoring and maintenance
+Protocol Framework:
+1. Purpose and Scope:
+ - Define communication objectives
+ - Identify participants and roles
+ - Establish security requirements
+ - Determine success criteria
+
+2. Technical Specifications:
+ - Select appropriate communication tools
+ - Configure security settings
+ - Implement access controls
+ - Establish backup procedures
+
+3. Operational Procedures:
+ - Define communication workflows
+ - Establish authentication procedures
+ - Implement verification protocols
+ - Plan for emergency situations
+
+4. Monitoring and Review:
+ - Implement effectiveness monitoring
+ - Regular protocol review and updates
+ - Incident response and improvement
+ - Training and compliance enforcement
+Implementation Process:
+1. Planning Phase:
+ - Develop detailed implementation plan
+ - Identify required resources and training
+ - Assess risks and mitigation strategies
+ - Establish timeline and milestones
+
+2. Testing Phase:
+ - Test protocols in safe environments
+ - Verify technical functionality
+ - Train participants in procedures
+ - Identify and address issues
+
+3. Deployment Phase:
+ - Gradual rollout of new protocols
+ - Monitor implementation effectiveness
+ - Provide ongoing support and training
+ - Adjust protocols based on experience
+
+4. Maintenance Phase:
+ - Regular protocol review and updates
+ - Ongoing training and compliance monitoring
+ - Incident response and improvement
+ - Long-term effectiveness assessment
+Emergency Communication Framework:
+1. Emergency Classification:
+ - Immediate threat to personnel safety
+ - Operational compromise or exposure
+ - Communication system failure
+ - External crisis or disruption
+
+2. Emergency Response:
+ - Immediate notification procedures
+ - Emergency contact activation
+ - Backup communication system deployment
+ - Crisis coordination and management
+
+3. Emergency Recovery:
+ - Damage assessment and analysis
+ - System restoration and recovery
+ - Lessons learned and improvement
+ - Return to normal operations
+Contingency Communication Plans:
+1. System Failure:
+ - Primary system backup procedures
+ - Alternative communication methods
+ - Emergency contact protocols
+ - Service restoration procedures
+
+2. Compromise Response:
+ - Immediate isolation and containment
+ - Alternative system activation
+ - Participant notification and protection
+ - Investigation and recovery
+
+3. External Disruption:
+ - Network outage response
+ - Censorship and blocking countermeasures
+ - Physical security threats
+ - Legal and regulatory challenges
+Protocol Compliance Framework:
+1. Monitoring Systems:
+ - Automated compliance checking
+ - Regular audit and review procedures
+ - Participant self-assessment
+ - Peer review and feedback
+
+2. Compliance Metrics:
+ - Protocol adherence rates
+ - Security incident frequency
+ - Communication effectiveness measures
+ - Participant satisfaction and feedback
+
+3. Improvement Process:
+ - Regular protocol review and updates
+ - Training and education programs
+ - Incentive and recognition systems
+ - Corrective action procedures
+Protocol Enforcement:
+1. Education and Training:
+ - Initial protocol training for all participants
+ - Regular refresher training and updates
+ - Specialized training for specific roles
+ - Ongoing education and awareness
+
+2. Monitoring and Feedback:
+ - Regular compliance monitoring
+ - Constructive feedback and guidance
+ - Recognition of good practices
+ - Early intervention for issues
+
+3. Corrective Action:
+ - Progressive discipline for violations
+ - Additional training and support
+ - Temporary restriction of access
+ - Removal from communication systems
+
+4. Continuous Improvement:
+ - Regular protocol effectiveness review
+ - Participant feedback integration
+ - Best practice identification and sharing
+ - Protocol updates and enhancements
+Communication protocols must evolve continuously as threats change, technology advances, and operational requirements shift. Regular review and updating of protocols ensures continued effectiveness and security.
+Chapter 4 has provided comprehensive guidance for implementing secure messaging and voice communications within the multi-layer communication architecture:
+ +Section 4-1 covered Session Messenger configuration for maximum-security real-time communications with onion routing and metadata protection.
+ +Section 4-2 detailed Element/Matrix self-hosted setup for secure collaboration systems with end-to-end encryption and rich features.
+ +Section 4-3 explained Briar peer-to-peer messaging for decentralized communications without central servers.
+ +Section 4-4 provided Signal security best practices for medium-risk communications with proper operational security.
+ +Section 4-5 addressed voice communication security challenges and secure voice communication methods.
+ +Section 4-6 covered group communication management with appropriate security controls and access management.
+ +Section 4-7 detailed message verification and authentication procedures to ensure communication integrity and authenticity.
+ +Section 4-8 established communication scheduling and protocols for operational effectiveness while maintaining security.
+ +For new resistance networks, implement secure messaging capabilities in this order:
+ +The messaging systems covered in this chapter provide the foundation for secure communications, but many resistance operations also require secure file sharing and collaboration capabilities. Chapter 5 builds on these messaging foundations to provide comprehensive file sharing and collaboration security.
+ +This chapter provides comprehensive guidance for implementing secure file sharing and collaboration systems that support resistance operations while maintaining strong security protections. Effective collaboration requires balancing accessibility and usability with security requirements, ensuring that sensitive documents and information remain protected throughout the collaboration lifecycle.
+ +Sections in this chapter:
+CryptPad provides real-time collaborative document editing with client-side encryption, making it ideal for secure document collaboration in resistance operations. Unlike traditional cloud office suites, CryptPad encrypts all content in the browser before transmission, ensuring that even the server operators cannot access document contents.
+ +CryptPad Security Architecture:
+1. Client-Side Encryption:
+ - All encryption/decryption occurs in browser
+ - Server never sees unencrypted content
+ - Zero-knowledge architecture
+ - User controls all cryptographic keys
+
+2. Document Access Control:
+ - Cryptographic access control
+ - Share links contain encryption keys
+ - No server-side access management
+ - Perfect forward secrecy for documents
+
+3. Anonymous Usage:
+ - No account required for basic usage
+ - Optional accounts for additional features
+ - No personal information collection
+ - IP address protection through Tor
+CryptPad Server Specifications:
+- CPU: 2+ cores, 2.4 GHz minimum
+- RAM: 4 GB minimum, 8 GB recommended
+- Storage: 50 GB SSD minimum
+- Network: Reliable internet with static IP
+- OS: Ubuntu 20.04 LTS or Debian 11
+# Install Node.js and dependencies
+curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -
+sudo apt-get install -y nodejs git
+
+# Clone CryptPad repository
+git clone https://github.com/xwiki-labs/cryptpad.git
+cd cryptpad
+
+# Install dependencies
+npm install --production
+
+# Copy and configure settings
+cp config/config.example.js config/config.js
+// config/config.js security settings
+module.exports = {
+ httpUnsafeOrigin: 'https://your-domain.com',
+ httpSafeOrigin: 'https://your-sandbox-domain.com',
+
+ // Disable analytics and external connections
+ logToStdout: false,
+ logLevel: 'error',
+ logFeedback: false,
+
+ // Security headers
+ httpHeaders: {
+ "X-XSS-Protection": "1; mode=block",
+ "X-Content-Type-Options": "nosniff",
+ "Access-Control-Allow-Origin": "*"
+ },
+
+ // Disable registration for private instances
+ disableEmbedding: true,
+ restrictRegistration: true,
+
+ // File upload limits
+ maxUploadSize: 20 * 1024 * 1024, // 20 MB
+
+ // Disable external services
+ adminEmail: false,
+ supportMailbox: false
+};
+Secure Document Workflow:
+1. Document Creation:
+ - Access CryptPad through Tor Browser
+ - Create document without account registration
+ - Use strong password for document protection
+ - Configure appropriate access permissions
+
+2. Collaboration Setup:
+ - Generate secure sharing link
+ - Share link through secure communication channel
+ - Verify collaborator identity before sharing
+ - Establish collaboration protocols and guidelines
+
+3. Access Management:
+ - Use view-only links for read-only access
+ - Implement edit permissions carefully
+ - Regular review of document access
+ - Revoke access when no longer needed
+CryptPad Security Practices:
+1. Password Protection:
+ - Use strong, unique passwords for sensitive documents
+ - Share passwords through separate secure channels
+ - Regular password rotation for long-term documents
+ - Document password management procedures
+
+2. Access Control:
+ - Limit sharing to necessary participants only
+ - Use appropriate permission levels (view/edit/own)
+ - Regular review and cleanup of shared documents
+ - Monitor document access and activity
+
+3. Content Security:
+ - Avoid including identifying information
+ - Use coded language for sensitive topics
+ - Regular content review and sanitization
+ - Secure deletion of obsolete documents
+Secure Collaboration Procedures:
+1. Document Standards:
+ - Consistent naming conventions
+ - Clear version identification
+ - Standardized formatting and structure
+ - Security classification markings
+
+2. Editing Protocols:
+ - Coordinated editing schedules
+ - Change tracking and documentation
+ - Conflict resolution procedures
+ - Review and approval processes
+
+3. Communication Integration:
+ - Coordinate document work through secure messaging
+ - Use separate channels for document discussion
+ - Verify changes through multiple channels
+ - Document decision-making processes
+CryptPad Document Types:
+1. Rich Text Documents:
+ - Collaborative word processing
+ - Real-time editing and comments
+ - Export to various formats
+ - Version history and restoration
+
+2. Spreadsheets:
+ - Collaborative data analysis
+ - Formula and calculation support
+ - Chart and graph creation
+ - Data import and export
+
+3. Presentations:
+ - Collaborative slide creation
+ - Real-time presentation mode
+ - Media embedding and formatting
+ - Export and sharing options
+
+4. Code Editor:
+ - Collaborative code development
+ - Syntax highlighting and formatting
+ - Multiple programming language support
+ - Version control integration
+
+5. Kanban Boards:
+ - Project management and task tracking
+ - Collaborative workflow management
+ - Progress monitoring and reporting
+ - Team coordination and communication
+CryptPad Integration:
+1. Communication Integration:
+ - Link CryptPad with secure messaging
+ - Coordinate document work through Matrix/Element
+ - Use OnionShare for large file transfers
+ - Integrate with project management workflows
+
+2. Backup and Export:
+ - Regular document backup procedures
+ - Export to encrypted archives
+ - Offline document storage
+ - Recovery and restoration procedures
+
+3. Workflow Automation:
+ - Document templates and standards
+ - Automated backup and archiving
+ - Integration with other collaboration tools
+ - Workflow monitoring and optimization
+While CryptPad provides excellent security for document collaboration, it has limitations: requires JavaScript enabled, limited offline functionality, and potential browser-based attacks. Use in combination with other security measures and maintain offline backups of critical documents.
+OnionShare provides anonymous file sharing over the Tor network without requiring central servers or user accounts. This makes it ideal for secure file transfers where sender anonymity is critical and traditional file sharing services pose security risks.
+ +OnionShare Security Features:
+1. Tor Hidden Services:
+ - Anonymous file sharing over Tor network
+ - No central servers or intermediaries
+ - Sender location and identity protection
+ - Censorship resistance and availability
+
+2. Ephemeral Sharing:
+ - Automatic shutdown after download
+ - Time-limited sharing windows
+ - One-time download capability
+ - No persistent file storage
+
+3. Access Control:
+ - Password protection for shared files
+ - Custom URLs for additional security
+ - Download monitoring and logging
+ - Automatic security measures
+# Install OnionShare on Ubuntu/Debian
+sudo apt update
+sudo apt install onionshare
+
+# Install from Flatpak (alternative)
+flatpak install flathub org.onionshare.OnionShare
+
+# Verify Tor installation and configuration
+sudo apt install tor
+sudo systemctl enable tor
+sudo systemctl start tor
+OnionShare File Sharing Process:
+1. File Preparation:
+ - Create encrypted archive of files to share
+ - Remove metadata from files
+ - Verify file integrity and content
+ - Organize files for efficient sharing
+
+2. OnionShare Configuration:
+ - Launch OnionShare application
+ - Add files or folders to share
+ - Configure security settings
+ - Generate sharing URL and password
+
+3. Secure Distribution:
+ - Share URL through secure communication channel
+ - Share password through separate secure channel
+ - Provide download instructions and verification
+ - Monitor for successful download completion
+
+4. Post-Sharing Security:
+ - Verify automatic shutdown after download
+ - Clear OnionShare logs and temporary files
+ - Confirm recipient received files successfully
+ - Document transfer for operational records
+OnionShare Advanced Features:
+1. Website Hosting:
+ - Host static websites anonymously
+ - Share information without file downloads
+ - Temporary website deployment
+ - Anonymous content distribution
+
+2. Receive Mode:
+ - Anonymous file upload capability
+ - Secure submission systems
+ - Whistleblower and leak platforms
+ - Anonymous feedback collection
+
+3. Chat Mode:
+ - Anonymous chat rooms
+ - Temporary communication channels
+ - Group coordination without accounts
+ - Emergency communication systems
+Security Configuration Checklist:
+□ Enable password protection for all shares
+□ Set automatic shutdown after download
+□ Configure short expiration times
+□ Disable public mode for sensitive files
+□ Enable stealth mode for additional security
+□ Use custom titles and descriptions carefully
+□ Monitor download activity and logs
+□ Clear temporary files after sharing
+OnionShare OpSec Procedures:
+1. File Preparation:
+ - Encrypt files before adding to OnionShare
+ - Remove all metadata and identifying information
+ - Use generic filenames and folder structures
+ - Verify file content for security implications
+
+2. Sharing Security:
+ - Generate strong passwords for file protection
+ - Use secure channels for URL and password distribution
+ - Verify recipient identity before sharing
+ - Monitor sharing activity for anomalies
+
+3. Post-Sharing Cleanup:
+ - Verify automatic shutdown and file deletion
+ - Clear OnionShare application logs
+ - Remove temporary files and caches
+ - Document successful transfer completion
+OnionShare Integration Strategies:
+1. Communication Integration:
+ - Coordinate file sharing through secure messaging
+ - Use Matrix/Element for sharing coordination
+ - Integrate with CryptPad for document collaboration
+ - Link with project management workflows
+
+2. Backup and Archiving:
+ - Use OnionShare for secure backup distribution
+ - Anonymous archival and storage systems
+ - Emergency document distribution
+ - Disaster recovery file sharing
+
+3. Operational Integration:
+ - Intelligence sharing and distribution
+ - Resource and material distribution
+ - Training material and documentation sharing
+ - Emergency communication and coordination
+# OnionShare command-line automation
+#!/bin/bash
+
+# Prepare files for sharing
+SHARE_DIR="/tmp/secure_share"
+mkdir -p "$SHARE_DIR"
+
+# Copy and encrypt files
+cp sensitive_files/* "$SHARE_DIR/"
+gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
+ --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
+ --output "$SHARE_DIR/encrypted_files.gpg" "$SHARE_DIR/*"
+
+# Remove unencrypted files
+rm "$SHARE_DIR"/*.txt "$SHARE_DIR"/*.pdf
+
+# Start OnionShare with security settings
+onionshare-cli --receive --public --auto-stop-timer 3600 \
+ --password "$(openssl rand -base64 32)" "$SHARE_DIR"
+OnionShare requires both sender and recipient to use Tor Browser for access. Ensure all participants understand Tor usage and have secure access to Tor network. Monitor for network analysis attacks and use additional encryption for highly sensitive files.
+Encrypted cloud storage services provide convenient file storage and sharing with client-side encryption, making them suitable for medium-security file storage and collaboration when properly configured and used with appropriate operational security measures.
+ +Encrypted Cloud Storage Options:
+1. Mega:
+ - Client-side encryption with user-controlled keys
+ - 20 GB free storage, paid plans available
+ - File sharing with password protection
+ - Browser and mobile app access
+
+2. Proton Drive:
+ - Zero-access encryption architecture
+ - Integration with ProtonMail ecosystem
+ - Swiss privacy laws and jurisdiction
+ - End-to-end encrypted file sharing
+
+3. Tresorit:
+ - Business-focused encrypted storage
+ - Advanced access controls and permissions
+ - Compliance with privacy regulations
+ - Enterprise security features
+
+4. SpiderOak:
+ - Zero-knowledge architecture
+ - Cross-platform synchronization
+ - Version history and backup features
+ - Business and enterprise plans
+Cloud Storage Security Assessment:
+1. Encryption Implementation:
+ - Client-side encryption with user-controlled keys
+ - Zero-knowledge architecture
+ - Strong encryption algorithms and key lengths
+ - Secure key management and storage
+
+2. Privacy and Jurisdiction:
+ - Privacy-friendly legal jurisdiction
+ - No data retention or sharing requirements
+ - Transparent privacy policies
+ - Independent security audits
+
+3. Access Controls:
+ - Strong authentication and access controls
+ - Two-factor authentication support
+ - Granular sharing permissions
+ - Activity monitoring and logging
+
+4. Operational Security:
+ - Secure account creation and management
+ - Anonymous payment options
+ - Tor and VPN compatibility
+ - Data portability and export options
+Anonymous Account Setup:
+1. Network Security:
+ - Use Tor Browser for account creation
+ - Connect through VPN for additional protection
+ - Use public WiFi unconnected to identity
+ - Avoid home or work network connections
+
+2. Account Information:
+ - Use temporary email address for registration
+ - Provide minimal or false personal information
+ - Use strong, unique passwords
+ - Enable two-factor authentication
+
+3. Payment Security:
+ - Use anonymous payment methods when possible
+ - Cryptocurrency payments for anonymity
+ - Prepaid cards purchased with cash
+ - Avoid linking to personal financial accounts
+Cloud Storage Security Settings:
+□ Enable two-factor authentication
+□ Use strong, unique passwords
+□ Configure secure recovery options
+□ Enable login notifications and monitoring
+□ Review and configure sharing permissions
+□ Set up secure backup and recovery
+□ Configure automatic logout and session timeouts
+□ Review privacy and security settings regularly
+Secure File Preparation:
+1. Encryption:
+ - Encrypt sensitive files before upload
+ - Use strong encryption algorithms (AES-256)
+ - Implement secure key management
+ - Regular key rotation for long-term storage
+
+2. Metadata Removal:
+ - Strip metadata from all files
+ - Use generic filenames and folder structures
+ - Remove identifying information and traces
+ - Sanitize file content for security implications
+
+3. Organization:
+ - Use consistent naming conventions
+ - Implement logical folder structures
+ - Apply security classifications
+ - Document file organization and access
+Secure Sharing Procedures:
+1. Permission Management:
+ - Use minimum necessary permissions
+ - Implement time-limited access when possible
+ - Regular review and cleanup of shared files
+ - Monitor file access and download activity
+
+2. Sharing Security:
+ - Use password protection for shared files
+ - Share access credentials through secure channels
+ - Verify recipient identity before sharing
+ - Monitor sharing activity for anomalies
+
+3. Collaboration Protocols:
+ - Establish clear collaboration guidelines
+ - Coordinate file access and editing
+ - Implement version control procedures
+ - Document collaboration activities
+Cloud Storage Backup Strategy:
+1. Local Backups:
+ - Maintain encrypted local copies of critical files
+ - Regular backup verification and testing
+ - Secure backup storage and access controls
+ - Offline backup for maximum security
+
+2. Multi-Provider Strategy:
+ - Use multiple cloud storage providers
+ - Distribute files across different services
+ - Implement redundancy for critical files
+ - Regular synchronization and consistency checks
+
+3. Recovery Procedures:
+ - Document recovery procedures and access
+ - Test recovery procedures regularly
+ - Maintain secure access to recovery credentials
+ - Plan for provider service disruption
+Cloud Storage Monitoring:
+1. Access Monitoring:
+ - Regular review of account activity logs
+ - Monitor for unauthorized access attempts
+ - Track file access and sharing activity
+ - Investigate anomalies and suspicious activity
+
+2. Security Maintenance:
+ - Regular password and credential updates
+ - Security setting review and updates
+ - Software and application updates
+ - Provider security update monitoring
+
+3. Compliance and Cleanup:
+ - Regular file review and cleanup
+ - Remove obsolete and unnecessary files
+ - Update access permissions and sharing
+ - Document retention and disposal procedures
+Encrypted cloud storage provides convenient access and collaboration features while maintaining reasonable security for medium-sensitivity files. Use in combination with other security measures and maintain local encrypted backups of critical files.
+Digital dead drops provide asynchronous file sharing without direct contact between sender and recipient, using various online and offline methods to transfer files while minimizing metadata exposure and maintaining operational security.
+ +Online Dead Drop Methods:
+1. Temporary File Hosting:
+ - Anonymous file upload services
+ - Time-limited file availability
+ - Password protection and encryption
+ - No registration or account requirements
+
+2. Public File Sharing:
+ - Anonymous uploads to public platforms
+ - Steganography in public images
+ - Hidden data in public documents
+ - Coded filenames and locations
+
+3. Email Dead Drops:
+ - Shared email accounts with draft messages
+ - Temporary email services
+ - Encrypted email with delayed delivery
+ - Anonymous email forwarding services
+
+4. Social Media Dead Drops:
+ - Hidden data in social media posts
+ - Steganography in public images
+ - Coded messages in public forums
+ - Anonymous file sharing through platforms
+Offline Dead Drop Methods:
+1. Physical Media:
+ - USB drives in predetermined locations
+ - SD cards hidden in public spaces
+ - Encrypted data on physical media
+ - QR codes with encrypted data
+
+2. Network Dead Drops:
+ - WiFi networks with shared files
+ - Bluetooth file sharing in public spaces
+ - Local network file sharing
+ - Mesh network file distribution
+
+3. Hybrid Systems:
+ - Combination of online and offline methods
+ - Multiple redundant channels
+ - Backup and verification systems
+ - Emergency fallback procedures
+Dead Drop Establishment:
+1. Location Selection:
+ - Choose publicly accessible locations
+ - Avoid surveillance and monitoring
+ - Ensure reliable access for all parties
+ - Plan for multiple backup locations
+
+2. Security Configuration:
+ - Implement strong encryption for all data
+ - Use secure authentication and verification
+ - Establish access protocols and timing
+ - Plan for compromise detection and response
+
+3. Communication Protocols:
+ - Establish signaling systems for availability
+ - Coordinate access timing and procedures
+ - Implement verification and confirmation
+ - Plan for emergency communication
+Dead Drop OpSec Procedures:
+1. Access Security:
+ - Use different identities for different drops
+ - Vary access timing and patterns
+ - Monitor for surveillance and compromise
+ - Implement counter-surveillance measures
+
+2. Data Security:
+ - Encrypt all data before placement
+ - Use strong authentication and verification
+ - Implement data integrity checking
+ - Plan for secure data destruction
+
+3. Communication Security:
+ - Use coded language for coordination
+ - Separate channels for different purposes
+ - Verify all communications and instructions
+ - Monitor for interception and compromise
+Data Hiding Methods:
+1. Image Steganography:
+ - Hide data in image files
+ - Use steganography tools (steghide, outguess)
+ - Embed in publicly posted images
+ - Maintain image quality and appearance
+
+2. Document Steganography:
+ - Hide data in document metadata
+ - Use invisible text and formatting
+ - Embed in publicly available documents
+ - Maintain document functionality
+
+3. Audio/Video Steganography:
+ - Hide data in multimedia files
+ - Use least significant bit encoding
+ - Embed in publicly shared media
+ - Maintain media quality and playback
+# Steganography automation script
+#!/bin/bash
+
+# Hide encrypted file in image
+steghide embed -cf cover_image.jpg -ef secret_file.gpg -sf output_image.jpg -p "password"
+
+# Extract hidden file from image
+steghide extract -sf output_image.jpg -xf extracted_file.gpg -p "password"
+
+# Verify file integrity
+sha256sum secret_file.gpg extracted_file.gpg
+Dead Drop Management:
+1. Regular Monitoring:
+ - Check dead drop status and availability
+ - Monitor for compromise or interference
+ - Verify data integrity and accessibility
+ - Update security measures as needed
+
+2. Maintenance Procedures:
+ - Regular cleanup and sanitization
+ - Update encryption and security measures
+ - Refresh locations and access methods
+ - Test backup and recovery procedures
+
+3. Incident Response:
+ - Detect and respond to compromise
+ - Implement emergency procedures
+ - Activate backup systems and locations
+ - Investigate and document incidents
+Dead Drop Lifecycle:
+1. Establishment:
+ - Plan and configure dead drop systems
+ - Test functionality and security
+ - Train participants in procedures
+ - Document access and protocols
+
+2. Operation:
+ - Regular use and monitoring
+ - Maintenance and security updates
+ - Incident response and recovery
+ - Performance optimization
+
+3. Retirement:
+ - Secure decommissioning procedures
+ - Data sanitization and destruction
+ - Location cleanup and restoration
+ - Documentation and lessons learned
+Digital dead drops require careful planning and execution to maintain security. Physical dead drops pose additional risks including discovery, surveillance, and physical compromise. Use multiple redundant systems and maintain strict operational security.
+Version control systems track changes to documents over time, enabling collaboration while maintaining security and accountability. For resistance operations, version control must balance collaboration needs with security requirements, ensuring that document history and changes remain protected.
+ +Secure Version Control Requirements:
+1. Encryption:
+ - All document versions encrypted at rest
+ - Secure transmission of changes and updates
+ - Client-side encryption when possible
+ - Strong key management and protection
+
+2. Access Control:
+ - Role-based access to documents and versions
+ - Granular permissions for different operations
+ - Authentication and authorization controls
+ - Audit logging and monitoring
+
+3. Anonymity and Privacy:
+ - Anonymous or pseudonymous contributions
+ - Metadata protection and minimization
+ - Location and timing privacy
+ - Identity separation and compartmentalization
+
+4. Integrity and Authenticity:
+ - Cryptographic verification of changes
+ - Digital signatures for accountability
+ - Tamper detection and prevention
+ - Change attribution and verification
+Version Control Approaches:
+1. Centralized Model:
+ - Single authoritative repository
+ - Centralized access control and management
+ - Simplified coordination and synchronization
+ - Single point of failure and control
+
+2. Distributed Model:
+ - Multiple repository copies
+ - Decentralized collaboration and synchronization
+ - Resilience and redundancy
+ - Complex coordination and conflict resolution
+
+3. Hybrid Model:
+ - Combination of centralized and distributed features
+ - Flexible access and collaboration options
+ - Balanced security and usability
+ - Adaptable to different operational requirements
+# Initialize secure Git repository
+git init --bare secure-docs.git
+cd secure-docs.git
+
+# Configure security settings
+git config core.sharedRepository group
+git config receive.denyNonFastForwards true
+git config receive.denyDeletes true
+
+# Set up encryption with git-crypt
+git-crypt init
+git-crypt add-gpg-user user@example.com
+
+# Configure .gitattributes for encryption
+echo "*.txt filter=git-crypt diff=git-crypt" >> .gitattributes
+echo "*.md filter=git-crypt diff=git-crypt" >> .gitattributes
+Secure Document Workflow:
+1. Document Creation:
+ - Create documents in secure environment
+ - Apply appropriate security classifications
+ - Remove metadata and identifying information
+ - Initialize version control tracking
+
+2. Collaboration:
+ - Clone repository to secure local environment
+ - Make changes using secure editing tools
+ - Commit changes with descriptive messages
+ - Push changes through secure channels
+
+3. Review and Approval:
+ - Review changes through secure communication
+ - Approve changes through established procedures
+ - Merge approved changes to main branch
+ - Document approval and decision-making
+
+4. Distribution:
+ - Export approved versions for distribution
+ - Apply final security measures and encryption
+ - Distribute through secure channels
+ - Monitor access and usage
+Document Change Management:
+1. Change Proposal:
+ - Identify need for document changes
+ - Propose changes through secure channels
+ - Review and approve change proposals
+ - Assign responsibility for implementation
+
+2. Change Implementation:
+ - Create feature branch for changes
+ - Implement changes following security guidelines
+ - Test and verify changes
+ - Submit changes for review and approval
+
+3. Change Review:
+ - Review changes for content and security
+ - Verify compliance with guidelines and standards
+ - Approve or request modifications
+ - Merge approved changes to main branch
+
+4. Change Documentation:
+ - Document changes and rationale
+ - Update version numbers and metadata
+ - Communicate changes to stakeholders
+ - Archive change documentation
+Document Conflict Resolution:
+1. Conflict Detection:
+ - Identify conflicting changes and versions
+ - Assess impact and implications
+ - Notify affected parties and stakeholders
+ - Initiate resolution procedures
+
+2. Conflict Analysis:
+ - Analyze conflicting changes and requirements
+ - Identify root causes and contributing factors
+ - Assess options and alternatives
+ - Develop resolution strategy
+
+3. Conflict Resolution:
+ - Implement agreed-upon resolution
+ - Update documents and version control
+ - Communicate resolution to stakeholders
+ - Document lessons learned and improvements
+
+4. Prevention:
+ - Improve coordination and communication
+ - Update procedures and guidelines
+ - Provide additional training and support
+ - Monitor for recurring issues
+Version Control Security:
+1. Repository Protection:
+ - Encrypt repository data at rest
+ - Secure transmission and access protocols
+ - Strong authentication and access controls
+ - Regular security audits and monitoring
+
+2. Access Management:
+ - Role-based access controls
+ - Principle of least privilege
+ - Regular access review and cleanup
+ - Secure credential management
+
+3. Backup and Recovery:
+ - Regular encrypted backups
+ - Secure backup storage and access
+ - Tested recovery procedures
+ - Disaster recovery planning
+
+4. Monitoring and Auditing:
+ - Access logging and monitoring
+ - Change tracking and attribution
+ - Security incident detection and response
+ - Compliance monitoring and reporting
+Version Control OpSec:
+1. Identity Management:
+ - Use pseudonyms for version control
+ - Separate identities for different projects
+ - Avoid linking to real identities
+ - Regular identity rotation and cleanup
+
+2. Communication Security:
+ - Coordinate version control through secure channels
+ - Separate communication for different purposes
+ - Verify all communications and instructions
+ - Monitor for interception and compromise
+
+3. Device Security:
+ - Use dedicated devices for version control
+ - Secure device configuration and management
+ - Regular security updates and maintenance
+ - Secure disposal and sanitization
+Secure version control provides accountability, collaboration, and change tracking while maintaining security. Implement appropriate security measures and operational procedures to protect sensitive documents throughout the collaboration lifecycle.
+Collaborative security protocols provide the operational framework for secure file sharing and collaboration, defining roles, responsibilities, procedures, and security measures that ensure effective collaboration while maintaining security and operational security requirements.
+ +Collaborative Security Framework:
+1. Roles and Responsibilities:
+ - Document owners and administrators
+ - Content contributors and editors
+ - Reviewers and approvers
+ - Security officers and monitors
+
+2. Access Controls:
+ - Role-based access permissions
+ - Document classification and handling
+ - Time-limited and conditional access
+ - Regular access review and cleanup
+
+3. Security Procedures:
+ - Document creation and classification
+ - Secure sharing and distribution
+ - Change management and approval
+ - Incident response and recovery
+
+4. Monitoring and Compliance:
+ - Activity monitoring and logging
+ - Compliance verification and auditing
+ - Security incident detection and response
+ - Continuous improvement and optimization
+Protocol Development Process:
+1. Requirements Analysis:
+ - Identify collaboration needs and objectives
+ - Assess security requirements and constraints
+ - Analyze stakeholder roles and responsibilities
+ - Define success criteria and metrics
+
+2. Protocol Design:
+ - Develop security architecture and controls
+ - Design operational procedures and workflows
+ - Create training and documentation materials
+ - Plan implementation and deployment
+
+3. Testing and Validation:
+ - Test protocols in safe environments
+ - Validate security and operational effectiveness
+ - Identify and address issues and gaps
+ - Refine protocols based on testing results
+
+4. Implementation and Monitoring:
+ - Deploy protocols in operational environment
+ - Monitor effectiveness and compliance
+ - Provide ongoing training and support
+ - Continuously improve and optimize
+Document Classification Framework:
+1. Classification Levels:
+ - Public: No restrictions on distribution
+ - Internal: Organization members only
+ - Restricted: Specific roles and need-to-know
+ - Classified: Highest security, minimal access
+
+2. Handling Requirements:
+ - Storage and transmission security
+ - Access controls and permissions
+ - Sharing and distribution procedures
+ - Retention and disposal requirements
+
+3. Marking and Labeling:
+ - Clear classification markings
+ - Handling instruction labels
+ - Distribution and access restrictions
+ - Review and declassification dates
+Document Lifecycle Security:
+1. Creation:
+ - Security classification assignment
+ - Initial access control configuration
+ - Metadata and content security review
+ - Version control initialization
+
+2. Collaboration:
+ - Secure sharing and access procedures
+ - Change management and approval
+ - Version control and tracking
+ - Security monitoring and compliance
+
+3. Review and Approval:
+ - Content review and verification
+ - Security assessment and clearance
+ - Approval and authorization procedures
+ - Final version preparation and distribution
+
+4. Archival and Disposal:
+ - Long-term storage and preservation
+ - Access control maintenance
+ - Secure disposal and destruction
+ - Documentation and record keeping
+Collaboration Workflow:
+1. Project Initiation:
+ - Define collaboration objectives and scope
+ - Identify participants and roles
+ - Establish security requirements and procedures
+ - Set up collaboration infrastructure and tools
+
+2. Document Development:
+ - Create initial documents and structure
+ - Assign roles and responsibilities
+ - Implement security controls and procedures
+ - Begin collaborative development process
+
+3. Review and Revision:
+ - Regular review and feedback cycles
+ - Change management and approval
+ - Version control and tracking
+ - Quality assurance and verification
+
+4. Finalization and Distribution:
+ - Final review and approval
+ - Security clearance and classification
+ - Distribution and access management
+ - Monitoring and maintenance
+Collaboration Quality Assurance:
+1. Content Quality:
+ - Accuracy and completeness verification
+ - Consistency and standardization
+ - Clarity and readability assessment
+ - Technical and factual review
+
+2. Security Quality:
+ - Security classification verification
+ - Access control validation
+ - Operational security compliance
+ - Risk assessment and mitigation
+
+3. Process Quality:
+ - Procedure compliance verification
+ - Workflow efficiency assessment
+ - Participant satisfaction evaluation
+ - Continuous improvement identification
+Training Program Components:
+1. Security Awareness:
+ - Document classification and handling
+ - Operational security procedures
+ - Threat awareness and mitigation
+ - Incident reporting and response
+
+2. Technical Training:
+ - Collaboration tool usage and configuration
+ - Security feature implementation
+ - Troubleshooting and support
+ - Best practices and optimization
+
+3. Procedural Training:
+ - Workflow and process procedures
+ - Role responsibilities and expectations
+ - Quality assurance and compliance
+ - Communication and coordination
+
+4. Ongoing Support:
+ - Regular training updates and refreshers
+ - Technical support and assistance
+ - Procedure clarification and guidance
+ - Performance feedback and improvement
+Collaboration Support System:
+1. Technical Support:
+ - Help desk and troubleshooting
+ - System administration and maintenance
+ - Security monitoring and response
+ - Performance optimization and tuning
+
+2. Procedural Support:
+ - Process guidance and clarification
+ - Workflow optimization and improvement
+ - Compliance monitoring and enforcement
+ - Training and development support
+
+3. Security Support:
+ - Security incident response and investigation
+ - Risk assessment and mitigation
+ - Security awareness and education
+ - Compliance auditing and verification
+Effective collaborative security protocols require clear roles, comprehensive procedures, ongoing training, and continuous improvement. Success depends on consistent implementation and participant commitment to security and operational excellence.
+Chapter 5 has provided comprehensive guidance for implementing secure file sharing and collaboration systems that support resistance operations while maintaining strong security protections:
+ +Section 5-1 covered CryptPad secure document collaboration with client-side encryption and real-time collaborative editing capabilities.
+ +Section 5-2 detailed OnionShare anonymous file transfer over Tor network for secure, ephemeral file sharing without central servers.
+ +Section 5-3 explained encrypted cloud storage services (Mega/Proton) for convenient file storage and sharing with appropriate security measures.
+ +Section 5-4 described digital dead drop systems for asynchronous file sharing without direct contact between participants.
+ +Section 5-5 covered version control systems for sensitive documents, enabling collaboration while maintaining security and accountability.
+ +Section 5-6 established collaborative security protocols that provide the operational framework for secure file sharing and collaboration.
+ +For resistance networks implementing secure file sharing and collaboration:
+ +The file sharing and collaboration systems covered in this chapter work in conjunction with the secure messaging systems from Chapter 4 to provide comprehensive communication and collaboration capabilities. Together, these systems form the foundation for secure resistance operations covered in Part III.
+ +This manual contains sensitive information about resistance operations and security practices. Ensure you are accessing this content through secure channels (Tails OS, Tor Browser, or other anonymizing tools) and following proper operational security protocols.
+If you are new to resistance operations, start with the Preface and Introduction, then proceed through Part I: Foundations before advancing to more technical sections. Each chapter builds upon previous knowledge.
+Distribution: This manual is designed for decentralized distribution through secure channels. Share responsibly and only with trusted individuals who have a legitimate need for this information.
+ +Updates: This manual will be updated regularly as new threats emerge and technologies evolve. Check the source repository for the latest version.
+ +Support: For questions or contributions, contact the Bureau of Decentralized Resistance through secure channels only.
+ + + + +Resistance movements in the 21st century face unprecedented challenges. Unlike historical resistance operations that primarily contended with human intelligence networks and physical surveillance, modern movements must operate within a digital panopticon of mass surveillance, algorithmic analysis, and predictive policing.
+ +The scenario addressed in this manual—resistance against a technologically advanced authoritarian regime—represents the ultimate stress test for operational security. The adversary possesses:
+ +Every digital action creates metadata that can be analyzed to reveal:
+The most dangerous misconception in modern resistance is believing that encryption alone provides security. While encryption protects content, metadata analysis can reveal operational structures, timing, and relationships even when communications are encrypted.
+No single security measure is sufficient. Effective resistance security requires multiple overlapping layers:
+ +Before implementing any security measures, you must understand:
+ +Assets - What are you protecting?
+Adversaries - Who are you protecting against?
+Capabilities - What can your adversaries do?
+Consequences - What happens if security fails?
+Perfect security is incompatible with operational effectiveness. Every security measure introduces complexity, reduces convenience, and creates potential failure points. The art of resistance security lies in finding the optimal balance between:
+ +Operate under the assumption that some level of compromise is inevitable:
+Reduce the number of ways you can be compromised:
+Organize information and access on a need-to-know basis:
+Maintain consistent security practices:
+Security is not a destination but an ongoing process:
+Technology can only provide the foundation for security—human behavior determines whether that foundation holds. The most sophisticated technical measures are worthless if participants:
+ +Effective resistance security requires developing a culture where:
+This manual provides practical guidance for implementing the security concepts outlined above. It is organized to support both learning and reference use:
+ +Part I: Foundations establishes the theoretical framework and threat assessment methodologies that inform all subsequent technical recommendations.
+ +Part II: Communication Systems provides detailed guidance for implementing secure communication networks using proven tools and techniques.
+ +Part III: Operational Security covers the human and procedural elements necessary to maintain security in practice.
+ +Part IV: Advanced Operations addresses specialized topics for mature resistance networks operating under extreme threat conditions.
+ +Appendices provide quick reference materials, detailed configuration guides, and external resources for continued learning.
+ +The journey from security novice to competent resistance operator requires patience, practice, and mentorship. This manual provides the roadmap, but you must walk the path:
+ +New practitioners should follow this sequence:
+Resistance requires courage—not the absence of fear, but action in spite of fear. The security measures in this manual cannot eliminate risk; they can only manage it. Every person who chooses resistance accepts some level of danger in service of a greater cause.
+ +This manual honors that courage by providing the best possible guidance for staying safe while fighting for justice. Use it wisely, share it responsibly, and remember that your security protects not just yourself, but everyone who depends on you.
+ +The stakes are high. The tools are available. The choice is yours.
+ + + + + + + + +Part I establishes the theoretical and practical foundations necessary for all resistance security operations. Before implementing any technical measures or operational procedures, resistance practitioners must understand the fundamental principles that govern security in hostile environments and develop the analytical skills necessary to assess threats and design appropriate countermeasures.
+ +This part addresses the most critical question in resistance security: How do you think about security in a way that leads to effective protection?
+ +Upon completing Part I, you will be able to:
+ +The five fundamental principles that must guide all resistance security decisions:
+ +1-1: Principle of Least Privilege - Limiting access to the minimum necessary for operational effectiveness
+ +1-2: Need-to-Know Basis - Compartmentalizing information to prevent cascade failures
+ +1-3: Compartmentalization and Cell Structure - Organizing resistance networks to contain compromise
+ +1-4: Zero Trust Verification - Assuming compromise and requiring continuous authentication
+ +1-5: Metadata Minimization - Reducing the digital traces that reveal operational patterns
+ +Systematic approaches to understanding and responding to threats:
+ +2-1: Understanding Your Adversary - Analyzing capabilities, motivations, and limitations of hostile forces
+ +2-2: Threat Model Development - Creating structured assessments of risks and vulnerabilities
+ +2-3: Risk Assessment Framework - Quantifying and prioritizing security investments
+ +2-4: Operational Security (OpSec) Fundamentals - Translating threat assessments into practical procedures
+ +Before diving into specific principles and procedures, it’s essential to understand the fundamental shift in thinking required for effective resistance security. This shift involves:
+ +In normal life, we optimize for convenience, efficiency, and ease of use. In resistance operations, security becomes the primary consideration, with convenience secondary. This doesn’t mean making things unnecessarily difficult, but rather accepting that some inconvenience is the price of safety.
+ +Normal social and professional relationships operate on trust and good faith. Resistance operations must assume that trust can be compromised, either through infiltration or coercion, and build verification mechanisms into all critical processes.
+ +Most people respond to security threats after they become apparent. Resistance operations must anticipate threats and implement countermeasures before they’re needed, because by the time a threat is obvious, it may be too late to respond effectively.
+ +Personal security practices focus on protecting yourself. Resistance security must consider how your actions affect the safety of others in your network, and how their actions affect your safety.
+ +While encryption is essential, it only protects the content of communications, not the metadata that reveals who is talking to whom, when, and from where. Metadata analysis can reveal network structures and operational patterns even when all communications are encrypted.
+ +This argument fundamentally misunderstands the nature of authoritarian surveillance. The goal is not just to find evidence of wrongdoing, but to map networks, predict behavior, and suppress dissent before it becomes effective.
+ +While authoritarian regimes have significant advantages, they also have limitations and vulnerabilities. Understanding both their capabilities and their constraints is essential for developing effective resistance strategies.
+ +No security system is perfect, and pursuing perfect security often leads to systems so complex and restrictive that they cannot be used effectively. The goal is appropriate security for your specific threat environment and operational requirements.
+ +The principles and methodologies covered in Part I provide the foundation for all subsequent technical and operational guidance:
+ +Each technical recommendation and operational procedure in later parts derives from the fundamental principles established here. Understanding these foundations is essential for adapting the manual’s guidance to your specific circumstances and for making sound security decisions when facing novel situations.
+ +Do not skip Part I to get to "more practical" technical content. The principles covered here determine whether technical measures will be effective or merely provide a false sense of security. Every security failure can be traced back to a violation of these fundamental principles.
+Ready to begin? Start with Chapter 1: Core Security Principles →
+ + + + + + +Part II addresses the critical challenge of maintaining secure communications within resistance networks operating under advanced surveillance. This part provides comprehensive guidance for implementing multi-layer communication architectures that balance security requirements with operational effectiveness.
+ +Communication security is the backbone of resistance operations. Without secure communications, resistance networks cannot coordinate activities, share intelligence, or maintain operational security. However, communication also represents the greatest vulnerability, as every communication creates metadata that can be analyzed to reveal network structures, operational patterns, and individual behaviors.
+ +Upon completing Part II, you will be able to:
+ +Modern surveillance systems focus less on communication content (which can be encrypted) and more on communication metadata (which reveals patterns even when content is protected). Every digital communication generates metadata including:
+ +This metadata can be analyzed to:
+Perfect communication security would require:
+Perfect operational effectiveness would require:
+Practical resistance communications must balance these competing requirements through carefully designed architectures that provide appropriate security for specific use cases while maintaining operational effectiveness.
+ +Part II is organized around a four-layer communication architecture that provides different security levels for different operational requirements:
+ +Use Case: Time-sensitive coordination during active operations +Security Level: Maximum security, minimal metadata +Tools: Session Messenger, Briar mesh networking +Characteristics:
+Use Case: Planning, document sharing, and ongoing coordination +Security Level: High security with collaboration features +Tools: Element/Matrix (self-hosted), CryptPad +Characteristics:
+Use Case: Emergency communications and backup channels +Security Level: Maximum reliability and availability +Tools: OnionShare, encrypted email, physical dead drops +Characteristics:
+Use Case: Public communications and propaganda distribution +Security Level: Sender anonymity and censorship resistance +Tools: Tor hidden services, distributed publishing platforms +Characteristics:
+Establishes the theoretical framework and practical implementation of multi-layer communication systems:
+ +3-1: Multi-Layer Communication Strategy - Overall architecture and layer selection criteria
+ +3-2: High-Risk Real-Time Communication (Layer 1) - Maximum security for time-sensitive operations
+ +3-3: Secure Collaboration Systems (Layer 2) - Balancing security with collaboration needs
+ +3-4: Failsafe and Offline Methods (Layer 3) - Backup and emergency communication channels
+ +3-5: Anonymous Broadcasting (Layer 4) - Public communications and information distribution
+ +3-6: Communication Protocol Selection - Choosing appropriate tools and methods for specific scenarios
+ +Provides detailed configuration and operational guidance for secure messaging systems:
+ +4-1: Session Messenger Configuration - Maximum security messaging with onion routing
+ +4-2: Element/Matrix Self-Hosted Setup - Secure collaboration platform implementation
+ +4-3: Briar Peer-to-Peer Messaging - Decentralized messaging without servers
+ +4-4: Signal Security Best Practices - Operational security for mainstream secure messaging
+ +4-5: Voice Communication Security - Secure voice calls and audio communications
+ +4-6: Group Communication Management - Security protocols for multi-participant communications
+ +4-7: Message Verification and Authentication - Ensuring message integrity and sender verification
+ +4-8: Communication Scheduling and Protocols - Operational procedures for secure communications
+ +Covers secure systems for document collaboration and file sharing:
+ +5-1: CryptPad Secure Document Collaboration - Real-time collaborative editing with encryption
+ +5-2: OnionShare Anonymous File Transfer - Secure file sharing over Tor network
+ +5-3: Encrypted Cloud Storage (Mega/Proton) - Secure cloud storage for resistance operations
+ +5-4: Digital Dead Drops - Asynchronous file sharing without direct contact
+ +5-5: Version Control for Sensitive Documents - Managing document versions and changes securely
+ +5-6: Collaborative Security Protocols - Operational procedures for secure collaboration
+ +Part II is designed for progressive implementation, allowing resistance networks to start with basic secure communications and gradually add more sophisticated capabilities:
+ +Phase 1: Basic Secure Messaging
+Phase 2: Collaboration Infrastructure
+Phase 3: Advanced Architecture
+Phase 4: Operational Integration
+Each communication system and protocol covered in Part II includes specific security considerations:
+ +Technical Security:
+Operational Security:
+Strategic Security:
+The most sophisticated communication systems are worthless without proper operational discipline. All participants must understand and consistently follow communication protocols, security procedures, and operational security practices.
+Part II builds directly on the foundational principles and threat assessment methodologies covered in Part I:
+ +Part II also provides the foundation for the operational security procedures covered in Part III and the advanced techniques covered in Part IV.
+ +Focus first on implementing basic secure messaging (Chapter 4) before attempting to deploy complex multi-layer architectures. Solid implementation of fundamental tools is more valuable than poorly implemented advanced systems.
+Ready to begin? Start with Chapter 3: Communication Layer Architecture →
+ + + + + + +This Field Manual (FM-R1) provides comprehensive guidance for establishing and maintaining secure communication networks within decentralized resistance movements. It is specifically designed for individuals and groups operating under the threat of an authoritarian regime with advanced surveillance capabilities.
+ +The manual synthesizes proven operational security practices, modern cryptographic tools, and time-tested resistance strategies into a coherent framework that can be implemented by newcomers to resistance operations while remaining valuable to experienced practitioners.
+ +This manual covers:
+ +This manual does not cover:
+ +Accessing, storing, or distributing this manual may be considered suspicious activity by hostile authorities. Take appropriate precautions:
+This manual builds upon decades of resistance experience and the work of countless individuals who have risked their freedom and lives for justice. Special recognition goes to:
+ +This manual is a living document that must evolve with changing threats and technologies. Feedback is essential for maintaining its effectiveness and accuracy.
+ +This manual is provided for educational purposes only. The authors and distributors:
+ +Users are solely responsible for understanding and complying with applicable laws in their jurisdiction and for assessing the risks of their activities.
+ +Ready to begin? Proceed to the Introduction to understand the threat landscape and fundamental security concepts that underpin all resistance operations.
+Next: Introduction →
+ + + + + + +This manual contains sensitive information about resistance operations and security practices. Ensure you are accessing this content through secure channels (Tails OS, Tor Browser, or other anonymizing tools) and following proper operational security protocols.
+If you are new to resistance operations, start with the Preface and Introduction, then proceed through Part I: Foundations before advancing to more technical sections. Each chapter builds upon previous knowledge.
+The most dangerous misconception in modern resistance is believing that encryption alone provides security. While encryption protects content, metadata analysis can reveal operational structures, timing, and relationships even when communications are encrypted.
+New practitioners should follow this sequence:
+Accessing, storing, or distributing this manual may be considered suspicious activity by hostile authorities. Take appropriate precautions:
+Ready to begin? Proceed to the Introduction to understand the threat landscape and fundamental security concepts that underpin all resistance operations.
+