
Commit

Merge branch 'master' of github.com:OpenNewsLabs/field-guide-security…
…-training-newsroom
Amanda on Mona committed Mar 14, 2018
2 parents 293ab35 + 0117078 commit ba310b4
Showing 34 changed files with 895 additions and 654 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -0,0 +1,2 @@
#Sphinx docs
docs/_build
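Review bot: `docs/_build` is the right path to ignore for Sphinx output that lands under docs/; writing it as `docs/_build/` would make explicit that only a directory is meant, and a space after `#` in the comment matches the usual .gitignore style.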
4 changes: 2 additions & 2 deletions docs/Chapter01-01-BeingABetterTrainer.md
Expand Up @@ -12,7 +12,7 @@ The time and effort that goes into preparing for a workshop can make a big diffe
+ Should participants do any pre-reading? A couple of recent news stories that give context to the material are always helpful.
+ Do participants need to download or install anything? Avoid a bandwidth fiasco by having everyone at least complete any downloads before you gather.
+ If your plans call for participants to install software in the session, make sure they all have the ability to actually do so -- check with the organization's IT department beforehand if necessary.
+ Every email reminder should include everything that participants need, even if you've sent it all before. Don't make folks dredge up an old email to remember where to go or how to prepare.
+ Every email reminder should include everything that participants need, even if you've sent it all before. Don't make folks dredge up an old email to remember where to go or how to prepare.<br />
+ Consider offering office hours ahead of time, especially if you need folks to complete an installation.
+ If you’re planning a software walk-through, even if you’ve done 100 times, do it one more time on the machine you’ll be presenting from. You’d be surprised how often a new version of something thoroughly scrambles your plans.
+ Don't be afraid of a slide deck. Powerpoint probably deserves its [bad rap](https://duckduckgo.com/?q=powerpoint+makes+you+stupid&t=canonical&ia=web), but that doesn't mean you can't create a slide deck that adds context and visual aids.
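Review bot: the trailing `<br />` on the "Every email reminder" line sits inside a `+`-marked Markdown list item, where each item already starts on its own line, so it adds nothing in most renderers, and some Markdown-to-Sphinx converters drop or escape raw HTML. If the goal is a blank line before the next bullet, a blank line in the source is the portable way to get it. While here, the context line "even if you’ve done 100 times" is missing "it".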
Expand Down Expand Up @@ -44,7 +44,7 @@ Follow up on any questions you promised to come back to.

+ Review and revise your session plan within a day or two of the session. Look back over your plan and update it to reflect what actually worked in the session. Make any notes you wish you'd had handy this time, while those thoughts are still fresh in your mind.

+ Mark your calendar: if you gave participants any next steps, or even if you didn't, follow up with everyone a week or two later to check in about whether they took any action, how it went, where they got stuck.
+ Mark your calendar: if you gave participants any next steps, or even if you didn't, follow up with everyone a week or two later to check in about whether they took any action, how it went, where they got stuck.<br />

## Getting Better

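Review bot: same pattern as the hunk above: this `<br />` is on the last list item and is followed by a blank line and the "## Getting Better" heading, so the paragraph break already exists and the tag is redundant; suggest dropping it.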
48 changes: 23 additions & 25 deletions docs/Chapter01-02-TrainingGames.md

Large diffs are not rendered by default.

23 changes: 12 additions & 11 deletions docs/Chapter01-03-OrganizationalSelfAssessment.md
@@ -1,8 +1,15 @@
## Organizational Self-Assessment
# Organizational Self-Assessment

These questions should help you build a better understanding of how your organization approaches security already. They also make a good starting point for a best practices list.
These questions should help you build a better understanding of how your organization approaches security already. They also make a good starting point for a best practices list.<br />

### Questions for IT
## How to use the information you collect

* Tailor your recommendations for best practices (especially as they relate to newsroom-wide policies or changes to infrastructure). In many news organizations, you’ll find that the IT side and the newsroom side aren’t communicating with each other on these topics. This training and these conversations are a great way to help an organization get started.
* Help select lessons and training modules to use from this curriculum.
* Share a summary of your findings with the key stakeholders (both on the IT side and the newsroom leadership) so they can create benchmarks and track progress over time.


## Questions for IT

As a general rule, you want to work with, not against, internal IT policies. So if the newsroom enforces password updates every six months, that’s cool.

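Review bot: promoting the page title to `#` and the sections to `##` gives this file the same heading structure as the other chapters, which the Sphinx toctree depends on; good. Two small things: the `<br />` after the intro paragraph is followed by a blank line, so it is redundant, and there are two blank lines before "## Questions for IT" where one would do.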
Expand All @@ -25,7 +32,7 @@ As a general rule, you want to work with, not against, internal IT policies. So
* Have you communicated that plan to newsroom management?
* Does that plan include post-mortem review?

### Questions for newsroom leadership
## Questions for newsroom leadership

* Do you use collaborative document editing and storage services (eg. Google Drive, Dropbox, Trello, Evernote)?
* Do you have a policy about whether or not to store "sensitive" information in these services?
Expand All @@ -38,15 +45,9 @@ As a general rule, you want to work with, not against, internal IT policies. So
* Does your newsroom and technology team have a workflow for incident response (hacking, doxxing, etc)
* What are your policies with regard to anonymous sourcing and have those policies been updated to include technological concerns?

### Questions for reporters and editors
## Questions for reporters and editors

* What tools and techniques have you already tried?
* What have you been meaning to try? And what has stopped you?
* Are there tools or techniques you’d like to use but can’t because of internal editorial policies or internal IT policies?
* Have specific incidents prompted you to seek out additional tools and/or training?

### How to use the information you’ve collected

* Tailor your recommendations for best practices (especially as they relate to newsroom-wide policies or changes to infrastructure). In many news organizations, you’ll find that the IT side and the newsroom side aren’t communicating with each other on these topics. This training and these conversations are a great way to help an organization get started.
* Help select lessons and training modules to use from this curriculum.
* Share a summary of your findings with the key stakeholders (both on the IT side and the newsroom leadership) so they can create benchmarks and track progress over time.
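Review bot: the removed block matches the section the first hunk inserts after the introduction, except that the heading changes from "How to use the information you’ve collected" to "How to use the information you collect"; confirm that rewording is intended. The context line "Does your newsroom and technology team have a workflow for incident response (hacking, doxxing, etc)" is also missing its closing question mark.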
6 changes: 3 additions & 3 deletions docs/Chapter02-01-Mobile-Security-Settings.md
Expand Up @@ -5,9 +5,9 @@ This is the first short training module in a series of three trainings dedicated

## About this lesson plan

**Review date:** June 5, 2017
**Lesson duration:** 20-30 minutes
**Level:** Introductory.
**Review date:** June 5, 2017<br />
**Lesson duration:** 20-30 minutes<br />
**Level:** Introductory.<br />
This session is for journalists who may not realize how many permissions they have given to the third-party apps on their phone, and for those who are not regularly doing good security hygiene on their devices.

### What will participants learn?
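Review bot: here the `<br />` tags fix a real rendering problem: the three metadata lines have no blank line between them, so Markdown merges them into one paragraph, and the same happens to the "This session is for journalists..." sentence that follows. Two trailing spaces would do the same in CommonMark but are invisible in review, so the explicit tag is the more maintainable choice. Consider a blank line before "This session is for journalists" so it becomes a paragraph of its own rather than a line break inside the metadata block.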
12 changes: 6 additions & 6 deletions docs/Chapter02-02-Locking-Down-Mobile.md
Expand Up @@ -6,9 +6,9 @@ secure mobile communications.

## About This Lesson Plan

**Review date:** June 6 2017
**Lesson duration:** 30 mins (estimated), longer if some Android phones need to be encrypted.
**Level:** Intermediate. This session assumes participants are able to make a reliable backup of the key data on their phones and have done so very recently. If they haven't, you *should not* proceed.
**Review date:** June 6 2017<br />
**Lesson duration:** 30 mins (estimated), longer if some Android phones need to be encrypted.<br />
**Level:** Intermediate. This session assumes participants are able to make a reliable backup of the key data on their phones and have done so very recently. If they haven't, you *should not* proceed.<br />

**Gotcha:** Consider how much time you have available before choosing to do this session. Are all your participants’ devices either brand new or recently [backed up](Chapter02-04-Mobile-Backups.md)? Do you have 30+ minutes and a low participant to trainer ratio? If not, you may want to either do this session in two parts on subsequent days (cover mobile device backups where you cover encrypted backups on one day, then actual encryption on the second day), *or* you share a link on backups and require participants to complete (or verify cloud backups) *before* this session.

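Review bot: "June 6 2017" is missing the comma the other chapters use ("June 6, 2017"), and the final `<br />` on the Level line is followed by a blank line, so it is redundant. The remaining line-break changes are consistent with the Chapter02-01 hunk.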
Expand Down Expand Up @@ -39,7 +39,7 @@ Consider setting a calendar appointment for a week after the training, to remind

## Lesson plan

**Introduction**
**Introduction**<br />
Survey the room:

- Who’s lost their phone before? (Bonus points for the best story! If anybody lost theirs and got it back, might be a good time to ask if they were worried about the time it spent out of their control)
Expand All @@ -50,7 +50,7 @@ Survey the room:

Spend some time on what makes a good passcode (length and randomness are good, birthdays and sequential numbers are bad). The [password](Chapter02-06-Passwords.md) lesson has more great resources on this question.

**Walkthrough**
**Walkthrough**<br />
Split people into groups by device types - instructions will differ for iOS vs Android. Everyone is going to ...

+ set a password or passcode,
Expand All @@ -63,7 +63,7 @@ For *lock screens,* a strong password is always recommended. A PIN or passcode i

Biometric locking (eg. face or fingerprint recognition) is not recommended, as both are fakeable and do not offer the same degree of legal protection. For example, in the US you can be legally compelled to provide your biometrics to unlock a device by a court.

Android phones offer pattern locking, which is also problematic and not as secure as a pas
Android phones offer pattern locking, which is also problematic. It's not as secure as a passphrase, and weak to shoulder-surfing.

When you tackle *lockscreen notifications* keep in mind that some users may opt to keep convenient but insecure notifications coming for day to day use and change the settings when they're in more vulnerable situations or traveling.

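Review bot: good fix for the truncated "not as secure as a pas" line. "weak to shoulder-surfing" reads awkwardly; "vulnerable to shoulder-surfing" is the usual phrasing. In the context lines, "eg." should be "e.g.".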
17 changes: 8 additions & 9 deletions docs/Chapter02-03-Setting-Up-Signal.md
Expand Up @@ -10,9 +10,9 @@ This lesson plan is intended to be taught as the third in a series, following [m

## About This Lesson Plan

**Review date:** June 6, 2017
**Lesson duration:** 15-30 minutes
**Level:** Beginner
**Review date:** June 6, 2017<br />
**Lesson duration:** 15-30 minutes <br />
**Level:** Beginner<br />

### Preconditions

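Review bot: the "Lesson duration" line has a stray space before `<br />` ("15-30 minutes <br />") that the other lines do not; trim it for consistency. Otherwise this matches the metadata formatting used in the other Chapter02 files.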
Expand All @@ -31,7 +31,7 @@ Smartphone: iPhone or Android
Two excellent resources on how and why journalists are moving to Signal:

+ [Martin Shelton on Signal for Beginners](https://medium.com/@mshelton/signal-for-beginners-c6b44f76a1f0) 
+ [Security Tips Every Signal User Should Know (The Intercept)](https://theintercept.com/2016/07/02/security-tips-every-signal-user-should-know/).
+ [Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal (The Intercept)](https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/).
This lesson draws from both.

Review the Verification process for [Android](https://ssd.eff.org/en/module/how-use-signal-android) and [iOS](https://ssd.eff.org/en/module/how-use-signal-iOS).
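Review bot: swapping the 2016 Intercept link for the 2017 guide is fine, but the new bullet ends with a period while the previous one does not (and carries a trailing space), and "This lesson draws from both." directly follows the list without a blank line, so Markdown treats it as a continuation of the last bullet. Add a blank line after the list.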
Expand Down Expand Up @@ -67,13 +67,13 @@ These screenshots reflect the iOS install process.

1. Start by downloading and installing Signal. Visit <https://signal.org> for quick access to the most current download links.

1. You will be prompted to confirm your device and phone number. ![Phone confirmation screen](img/ch2-4/image6.png)
1. You will be prompted to confirm your device and phone number. ![Phone confirmation screen](img/ch2-4/small-image6.png)

1. Next, Signal/Open Whisper Systems will send you a six-digit verification code. Add it. ![Verification Code Example](img/ch2-4/image4.png) ![Submit the verification code.](img/ch2-4/image7.png)
1. Next, Signal/Open Whisper Systems will send you a six-digit verification code. Add it. ![Verification Code Example](img/ch2-4/small-image4.png) ![Submit the verification code.](img/ch2-4/small-image7.png)

1. Android users: Signal will offer to become your default messaging app. Say yes! You can still use Signal to send cleartext messages to contacts who don't use the app, and you won't miss messages.

1. You'll know that you've set Signal up correctly when you see the Welcome! popup. You can allow the system to access your contacts and send you notifications. *(NOTE: in the newest version of iOS, it is possible to continue without giving access to your contacts)* ![Welcome!](img/ch2-4/image5.png)![Notifications](img/ch2-4/image3.png)
1. You'll know that you've set Signal up correctly when you see the Welcome! popup. You can allow the system to access your contacts and send you notifications. *(NOTE: in the newest version of iOS, it is possible to continue without giving access to your contacts)* ![Welcome!](img/ch2-4/small-image5.png)![Notifications](img/ch2-4/small-image3.png)

### For Android:

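Review bot: the image paths now point at `img/ch2-4/small-image*.png`, but the visible part of this merge shows no binary additions for those files; confirm they are committed (the summary lists 34 changed files, most of which are not shown here) or these screenshots will be broken in the rendered docs. The directory is also `ch2-4` while the file is Chapter02-03, which is harmless but worth a note if it is deliberate.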
Expand Down Expand Up @@ -133,8 +133,7 @@ Similarly, the journalist should take as many steps and precautions a possible t

+ [How To Keep Your Chats Truly Private With Signal](https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/)
+ [Martin Shelton on Signal for Beginners](https://medium.com/@mshelton/signal-for-beginners-c6b44f76a1f0) 
+ [Security Tips Every Signal User Should Know (The Intercept)](https://theintercept.com/2016/07/02/security-tips-every-signal-user-should-know/)

+ [Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal (The Intercept)](https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/).

**More great lesson plans**

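Review bot: the added bullet duplicates the first item in this list: "How To Keep Your Chats Truly Private With Signal" two lines above already links the same 2017 Intercept URL. Keep one of the two; the removal of the 2016 "Security Tips" link itself is consistent with the earlier hunk.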
6 changes: 3 additions & 3 deletions docs/Chapter02-04-Mobile-Backups.md
Expand Up @@ -7,9 +7,9 @@ Getting everyone started backing up their phones is a great way to make sure eve

## About This Lesson Plan

**Review date:** Dec 5, 2017
**Lesson duration:** This should take under an hour.
**Level:** Introductory
**Review date:** Dec 5, 2017<br />
**Lesson duration:** This should take under an hour.<br />
**Level:** Introductory<br />

**What materials will participants need?**

8 changes: 4 additions & 4 deletions docs/Chapter02-05-Good-Hygiene-For-Apps.md
Expand Up @@ -4,8 +4,8 @@
Overview: Don't let orphaned apps degenerate into an unlocked back door to your account.

## About This Lesson Plan
**Review date:** October 9, 2017
**Lesson duration:** 30 minutes
**Review date:** October 9, 2017<br />
**Lesson duration:** 30 minutes<br />

### Level
Introductory. This is a great exercise to do as a group. Sometimes people need to convene and be reminded together to do this little bit of homework. This could also be a great icebreaker to a longer and more challenging lesson -- everyone will leave knowing that they got something done! Think of it as an install party, for uninstalling.
Expand All @@ -19,7 +19,7 @@ You want some way to share links with folks. <https://etherpad.opennews.org/> is
### How should the instructor prepare?
Review the recommended reading.

Take stock of any social networks that your own office is active in that aren't on this list and find the privacy settings and connected apps for that network. Consider [filing an issue](https://github.com/OpenNewsLabs/newsroom-security-curricula/issues) or pull request if those instructions should be part of this lesson plan.
Take stock of any social networks that your own office is active in that aren't on this list and find the privacy settings and connected apps for that network. Consider [filing an issue](https://github.com/OpenNewsLabs/newsroom-security-curricula/issues) or pull request if those instructions should be part of this lesson plan.<br />


## Lesson Plan
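Review bot: the `<br />` added after "...part of this lesson plan." is followed by two blank lines, so the paragraph break already exists and the tag does nothing; one of the two blank lines can go as well.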
Expand Down Expand Up @@ -50,7 +50,7 @@ It is worth taking a moment to take a look at any additional social networks tha

### Bonus: Recognized Devices, Cookies, Keys
This is also a good opportunity to explore the "recognized logins" section of each platform. Even though old logins and expired keys are less likely to serve as a vector for an outsider,
it's a great opportunity to spot any suspicious logins or behavior.
it's a great opportunity to spot any suspicious logins or behavior.<br />

#### Github
* Active sessions: <https://github.com/settings/security>
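Review bot: the `<br />` on "it's a great opportunity to spot any suspicious logins or behavior." precedes a blank line and the "#### Github" heading, so it is redundant. The sentence is also split across two source lines at "vector for an outsider,"; Markdown joins them into one paragraph anyway, so no break is needed there either.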

0 comments on commit ba310b4
