Commit

Merge branch 'master' of github.com:OpenNewsLabs/field-guide-security-training-newsroom
Amanda on Mona committed Feb 27, 2018
2 parents 3532ca5 + e5d20bf commit 94344e8
Showing 15 changed files with 215 additions and 284 deletions.
26 changes: 13 additions & 13 deletions docs/Chapter01-04-FramingStrategies.md
@@ -2,49 +2,49 @@

## Overview

Many of the lesson plans in this guide are designed to stand alone, and some of the overview lessons skim a few key topics in a lunch hour. But if you're thinking about launching a series of workshops, it is worth also considering how you want to frame that series.
Many of the lesson plans in this guide are designed to stand alone, and some of the overview lessons can cover a few key topics in a lunch hour. But if you're thinking about launching a series of workshops, it is worth considering how you want to frame that series.

There are a lot of different ways to frame a conversation about digital security. Many trainers like to start with a review of basic digital literacy, to provide a foundation for subsequent trainings. Others start with threat modeling or risk assessment. This document is a great roundup of places to start a training series.

* For some participants, this workshop will be their first opportunity to reflect on a subject that is conventionally framed as the domain of experts. Facilitating means showing that participants, too, have what they need to participate in the process.

* No workshop starts from scratch. Everyone in the room brings some insight and some baggage. Participants will have useful digital security knowledge, but they also bring personal insecurities and myths that take time to debunk.

* Adults usually expect understand the relevance of what we learn. That expectation can be challenging when we don’t have existing mental landscapes that help us make sense of new concepts and tools. Facilitating means providing useful frames of reference.
* Adults usually expect to understand the relevance of what we learn. That expectation can be challenging when we don’t have existing mental landscapes that help us make sense of new concepts and tools. Facilitating means providing useful frames of reference.

The good news is that a lot of great trainers have already done the hard work of articulating foundational concepts for digital security work that then open the conversation up to other specific practice and tools-based topics.
The good news is that a lot of great trainers have already done the hard work of articulating foundational concepts for digital security work that then open the conversation up to other specific practice- and tools-based topics.

Here are examples of lesson plans that different individuals and organizations use to facilitate their first sessions, and a brief explanation of the framing on which they rely.
Here are examples of lesson plans you might use to facilitate a first session with newsroom colleagues, along with brief explanations of when these framings can be most helpful.

## How the Internet Works

Mariel Garcia and Spyros Monastiriotis' [How the Internet Works](https://docs.google.com/document/d/1SmHfpm3Dy2ym9gUJfnA0hA12ytQ3LlW31Y5l_TCJkJo/edit) is a great introductory lesson plan that starts by walking through the basics of how information is stored and flows between devices on the internet. You can then talk about the vulnerable points in the chainand start a conversation about the related good security practices. The lesson plan is intended for sessions lasting between two and four hours.
Mariel Garcia and Spyros Monastiriotis' [How the Internet Works](https://docs.google.com/document/d/1SmHfpm3Dy2ym9gUJfnA0hA12ytQ3LlW31Y5l_TCJkJo/edit) is a great introductory lesson plan that starts by walking through the basics of how information is stored and flows between devices on the internet. You can then talk about the vulnerable points in the chainand start a conversation about the related good security practices. The lesson plan is intended for sessions lasting between two and four hours.

Tactical Technology Collective’s [How the Internet Works](https://gendersec.tacticaltech.org/wiki/index.php/Hands_On_How_the_internet_works), and the "How mobile communications work" module on [My Shadow](https://myshadow.org/train) cover similar material in shorter 30-minute activities.

## Assessing Risk

[Internews’ SaferJourno](https://www.internews.org/sites/default/files/resources/SaferJournoGuide_2014-03-21.pdf) includes a nice module on risk assessment (see page 17), [Frontline Defenders Workbook on Security](https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk), and Tactical Technology Collective’s [visual actor mapping](https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1) session are all good resources for facilitating conversations about risk and risk assessment, which can be a good starting point for discussing concrete steps that are important to take.
[Internews’ SaferJourno](https://www.internews.org/sites/default/files/resources/SaferJournoGuide_2014-03-21.pdf) includes a nice module on risk assessment (see page 17). [Frontline Defenders Workbook on Security](https://www.frontlinedefenders.org/en/resource-publication/workbook-security-practical-steps-human-rights-defenders-risk) and Tactical Technology Collective’s [visual actor mapping](https://holistic-security.tacticaltech.org/exercises/explore/visual-actor-mapping-part-1) session are also good resources for facilitating conversations about risk and risk assessment. These can be good starting points for discussing concrete steps that are important to take.

This framing is most helpful in an environment where participants are working closely together and share common risks.

## Where Your Data Lives

[The Data Backup Matrix](https://level-up.cc/curriculum/protecting-data/data-backup-basics/activity-discussion/data-backup-matrix-creating-information-map/), a Level Up activity, asks participants to reflect on the places where their data is stored by facilitating creation of an "information map". This exercise is based on the idea that understanding what exactly is at stake in a digital security crisis and what the least and most vulnerable points are will enable subsequent risk assessment and tool learning.
[The Data Backup Matrix](https://level-up.cc/curriculum/protecting-data/data-backup-basics/activity-discussion/data-backup-matrix-creating-information-map/), a Level Up activity, asks participants to reflect on the places where their data is stored by facilitating creation of an "information map." This exercise is based on the idea that understanding what exactly is at stake in a digital security crisis and what the least and most vulnerable points are will enable subsequent risk assessment and tool learning.

This framing can be particularly helpful when working with groups that have had other digital security trainings but never really changed any of their practices, as this exercise can help them re-engage with the importance of better practices in their particular cases. This activity is intended for a session lasting 30 to 45 minutes.

## A Day in Your Life

Tactical Technology Collective’s [A day in your life](https://gendersec.tacticaltech.org/wiki/index.php/Holistic_security_-_A_day_in_your_life) asks participants to create of a timeline, or a time-based "information map". The exercise is based on the idea that thinking about the times you are most vulnerable can help participants prioritize changes they want to make as they start building on their digital security skills.
Tactical Technology Collective’s [A day in your life](https://gendersec.tacticaltech.org/wiki/index.php/Holistic_security_-_A_day_in_your_life) asks participants to create a timeline, or a time-based "information map". The exercise is based on the idea that thinking about the times you are most vulnerable can help participants prioritize changes they want to make as they build digital security skills.

This framing is most helpful for groups where individual analysis is most appropriate, and when working with groups that have had other digital security trainings but never really changed any of their practices, as this exercise can help them re-engage with the importance of better practices in their particular cases. The activity is intended for a session lasting an hour.
This framing is helpful for groups where individual analysis is most appropriate, and when working with groups that have had other digital security trainings but never really changed any of their practices, as this exercise can help them re-engage with the importance of better practices in their particular cases. The activity is intended for a session lasting an hour.

## Tracking – Who's collecting our data? How? And why?
## Tracking – Who's Collecting Our Data? How? And Why?

Tactical Technology Collective’s [My Shadow](https://myshadow.org/train) includes a few great activities and workshops crafted around the idea that people can more easily make sense of best practices if they start by talking about services people already use and the data that is being collected.

This framing is particularly useful in newsrooms that cover low-risk topics but are interested in building digital security capacity. The planned activities that are available are divided into 30-minute modules, which you should complement with discussions on the topic.
This framing is particularly useful in newsrooms that cover low-risk topics but are interested in building digital security capacity. The activities are divided into 30-minute modules, which you should complement with discussions on the topic.

## Reflecting on Existing Security Practices

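Review bot: the rewritten "How the Internet Works" paragraph still contains the run-together "chainand" (the old and new line are otherwise identical), so the hunk touches the line without fixing its one typo; change it to "the vulnerable points in the chain and start a conversation". The same hunk moves the period inside the quotes in "information map." for the Data Backup Matrix paragraph but leaves "information map". in the A Day in Your Life paragraph two lines down; pick one convention for both.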
@@ -56,7 +56,7 @@ This exercise isn't meant to be a stand-alone session, and can be a good warmup

Some digital security trainers have used Kvinna till Kvinna’s [integrated security facilitation approach](http://www.integratedsecuritymanual.org/sites/default/files/samplestructure_0.pdf) based on the idea that collective discussions on what security means and the practices we already take to protect ourselves are a good way to continue building our security capacity.

Contexts in which this framing can be helpful: when working in newsrooms where security needs are much broader than what is typically covered in digital security curriculum. The lesson plan is intended for a session lasting between two and four hours.
This framing can be helpful in newsrooms where security needs are much broader than what is typically covered in digital security curriculum. The lesson plan is intended for a session lasting two to four hours.

## This is Awesome

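Review bot: "what is typically covered in digital security curriculum" in the rewritten Kvinna till Kvinna line is missing an article; suggest "a digital security curriculum" (or "curricula"). Replacing "Contexts in which this framing can be helpful:" with a plain sentence is an improvement, but the next hunk's context line in this same file still opens with "Contexts in which this framing can be helpful: when you want to set a tone that", so the sections are now worded inconsistently; apply the same rewrite there.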
@@ -80,7 +80,7 @@ Contexts in which this framing can be helpful: when you want to set a tone that

## Understanding and Honoring Needs and Expectations

DJ and Nicolás Sera-Leyva have written extensively about understanding and managing expectations in digital security trainings over at [Level Up](https://www.level-up.cc/you-the-trainer/setting-expectations-for-participants-organizers-and-yourself/). Communicating with participants, rather than relying entirely on what a trainer *thinks* they need and expect, will make any training more effective.
DJ and Nicolás Sera-Leyva have written extensively about understanding and managing expectations in digital security trainings at [Level Up](https://www.level-up.cc/you-the-trainer/setting-expectations-for-participants-organizers-and-yourself/). Communicating with participants, rather than relying entirely on what a trainer *thinks* they need and expect, will make any training more effective.

The first session is great to help get the whole group in sync, which sometimes means identifying the expectations that should be kindly adjusted so that we do not get caught up in promises we cannot keep. DJ and Nicolás offer the following messages to address some of the most common expectation-reality gaps in digital security trainings:

16 changes: 8 additions & 8 deletions docs/Chapter01-05-PathwaysChoosingLessons.md
@@ -8,16 +8,16 @@ Some users will want to lead a formal series of in-depth workshops, while others

### Just mobile

1. [Mobile Security Settings](docs/Chapter02-01-Mobile-Security-Settings.md)
2. [Backing up Mobile Devices](docs/Chapter02-02-Mobile-Backups.md)
3. [Locking Down Mobile Devices](docs/Chapter02-03-Locking-Down-Mobile.md)
5. [Physical Security](docs/Chapter02-09-Physical-Security.md) -- iPhones are already encrypted but Android users should set up disk encryption.
4. [Setting up Signal](docs/Chapter02-04-Setting-Up-Signal.md)
1. [Mobile Security Settings](Chapter02-01-Mobile-Security-Settings.md)
2. [Backing up Mobile Devices](Chapter02-02-Mobile-Backups.md)
3. [Locking Down Mobile Devices](Chapter02-03-Locking-Down-Mobile.md)
5. [Physical Security](Chapter02-09-Physical-Security.md) -- iPhones are already encrypted but Android users should set up disk encryption.
4. [Setting up Signal](Chapter02-04-Setting-Up-Signal.md)

## Secure email use

2. [Passwords](docs/Chapter02-06-Passwords.md)
3. [Two-factor Authentication](docs/Chapter02-07-Two-Factor-Authentication.md)
4. [Phishing](docs/Chapter02-08-Phishing.md)
2. [Passwords](Chapter02-06-Passwords.md)
3. [Two-factor Authentication](Chapter02-07-Two-Factor-Authentication.md)
4. [Phishing](Chapter02-08-Phishing.md)

Savvy readers will note that this guide doesn't currently include a guide to encrypting email with GPG or PGP. Why? It's hard to use and history has shown that most folks don't use it properly. As Martin Shelton has pointed out, [newsrooms have better options](https://source.opennews.org/articles/how-lose-friends-and-anger-journalists-pgp/).
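Review bot: dropping the docs/ prefix fixes the links for readers already inside docs/, but the "Just mobile" list is still numbered 1, 2, 3, 5, 4 and the "Secure email use" list still starts at 2; since this hunk rewrites every one of those lines, renumber them here rather than in a follow-up. Also "## Secure email use" is an H2 directly under the H3 "### Just mobile", so either both pathways belong at H3 under the same parent heading or the levels need checking.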
2 changes: 1 addition & 1 deletion docs/Chapter02-03-Locking-Down-Mobile.md
@@ -48,7 +48,7 @@ Survey the room:
- How many have encryption set up?
- How many apply updates regularly?

Spend some time on what makes a good passcode (length and randomness are good, birthdays and sequential numbers are bad). The [password](LINK TK) lesson has more great resources on this question.
Spend some time on what makes a good passcode (length and randomness are good, birthdays and sequential numbers are bad). The [password](Chapter02-06-Passwords.md) lesson has more great resources on this question.

**Walkthrough**
Split people into groups by device types - instructions will differ for iOS vs Android. Everyone is going to ...
6 changes: 3 additions & 3 deletions docs/Chapter02-06-Passwords.md
@@ -1,7 +1,7 @@
# Passwords and Password Management

## Overview
Passwords are the bedrock of account security, but hard to get right. This lesson provides a methodology for understanding how to take a harm reduction approach to password management. Participants should have a clear understanding of phishing (LESSON LINK TK) and [two factor authentication](docs/Chapter02-07-Two-Factor-Authentication.md), or you should cover those topics with Password Management.
Passwords are the bedrock of account security, but hard to get right. This lesson provides a methodology for understanding how to take a harm reduction approach to password management. Participants should have a clear understanding of [phishing](Chapter02-08-Phishing.md) and [two factor authentication](Chapter02-07-Two-Factor-Authentication.md), or you should cover those topics with Password Management.

## About This Lesson Plan

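Review bot: good to see "(LESSON LINK TK)" replaced with a real link to Chapter02-08-Phishing.md, and the Locking Down Mobile hunk fixes a similar "(LINK TK)"; worth a grep for any remaining "TK" markers across docs/ before merging. Minor: this line writes "two factor authentication" while the later hunk in the same file writes "two-factor authentication", and the chapter title uses the hyphenated form, so prefer that here too.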
@@ -146,7 +146,7 @@ The strategy we'd recommend is to come up with a short password based on a memor
#### Keeping that Password Secure

If you force yourself to type your email password every time you check your email, you’ll do a much better job of remembering your password. But a strong password isn’t enough to keep your email safe. You also need to enable [two-factor authentication](docs/Chapter02-07-Two-Factor-Authentication.md). If you haven't already covered 2FA, do it now.
If you force yourself to type your email password every time you check your email, you’ll do a much better job of remembering your password. But a strong password isn’t enough to keep your email safe. You also need to enable [two-factor authentication](Chapter02-07-Two-Factor-Authentication.md). If you haven't already covered 2FA, do it now.

Slightly trickier is securing other central services. The same basic rules apply: secure, unique password plus 2FA. Examples of these services include: Apple ID (for participants with iPhones, iPads, or Macs), Google Account (especially for Android, even if not using GMail), Facebook, Twitter, WhatsApp, Signal.

@@ -188,7 +188,7 @@ Remember that we're taking a harm reduction approach here. Some people just won

1. Have everyone strongly secure their primary email account. If you only do one thing, do this.

2. Encourage everyone to use single sign on wherever it is available (This is "Sign In With Google" or "Sign in With Facebook"). If you have secured your single sign on account, this is a good option. Click approve the first time, any subsequent login is automatic but **still secure**. Note: make sure every one knows how to watch for the difference between using Facebook or Google to sign in and giving an app or service permission to access your Facebook or Google data. Sign-in With Google is totally secure and fine, but be very careful about what other access you grant apps that are using Google Sign-In. Don’t just "click okay" and accept whatever access they are asking for. (Note to trainers: consider covering [Mobile Security Settings](docs/Chapter02-01-Mobile-Security-Settings.md) to ensure that participants understand this.)
2. Encourage everyone to use single sign on wherever it is available (This is "Sign In With Google" or "Sign in With Facebook"). If you have secured your single sign on account, this is a good option. Click approve the first time, any subsequent login is automatic but **still secure**. Note: make sure every one knows how to watch for the difference between using Facebook or Google to sign in and giving an app or service permission to access your Facebook or Google data. Sign-in With Google is totally secure and fine, but be very careful about what other access you grant apps that are using Google Sign-In. Don’t just "click okay" and accept whatever access they are asking for. (Note to trainers: consider covering [Mobile Security Settings](Chapter02-01-Mobile-Security-Settings.md) to ensure that participants understand this.)

3. Use the "reset my password by email" link. It’s very secure (almost as secure as single sign-on) and as long as you don’t use a weak or reused password to start, it guarantees that no-one will be able to sign in as you later without access to your account.
a. Use a random password and don’t save it! Especially for sites you don’t visit often, just using a throw-away password can be the most secure thing.
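Review bot: only the link path changes here, but the rewritten line keeps "Sign-in With Google is totally secure and fine", which overstates the case; the line's own earlier sentence makes the option conditional on having secured the single sign-on account, so "as secure as your Google account" would be accurate and consistent with item 1's advice to secure the primary account first. Same line: "every one" should be "everyone", and "single sign on" should be hyphenated as in item 3's "single sign-on".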
