Security Quick Reference Card

Security Quick Reference Card - Print this. Laminate it. Keep it in your bag.

Emergency Contacts

\! Organization \!\! Contact \!\! Use For

Freedom of the Press Foundation	Digital Security Team	Technical help, training, SecureDrop
Committee to Protect Journalists	Emergency Response	Threats, detention, legal emergencies
Reporters Committee (RCFP)	1-800-336-4243	Legal hotline (24/7 for urgent)
EFF	Legal Assistance	Digital rights, subpoena defense
Your Lawyer	(add your contact)	First call if detained

If Device Is Seized/Stolen

First 5 minutes:

Do NOT try to remote wipe yet (may alert adversary)
Get to a clean device (friend's phone, library computer)
Assess: Was device locked? Encrypted? What was on it?

Next 15 minutes (from clean device):

Change email password FIRST (it's the recovery for everything)
Change passwords: Signal, cloud storage, banking
Enable lockout/logout all sessions on critical accounts
THEN remote wipe if available (Find My, Google, etc.)

Source protection:

If source names/contacts were on device → warn them via backup channel
Assume all unencrypted content is compromised
Activate pre-arranged emergency protocols with sources

Burn It All Checklist

If you need to nuke everything fast:

\! Priority \!\! Action \!\! How

1	Revoke all sessions	Google/Apple account → Security → Sign out all devices
2	Change master passwords	Email, password manager, cloud storage
3	Revoke app passwords	Check Google/Apple for "App passwords" and OAuth grants
4	Rotate API keys	GitHub, cloud providers, any dev credentials
5	Remote wipe devices	Find My iPhone, Google Find My Device
6	Notify critical contacts	Editor, lawyer, trusted colleagues

Signal Safety Numbers

Always verify safety numbers with sources:

Open Signal conversation
Tap contact name → "View Safety Number"
Compare numbers in person or via separate channel
If numbers change unexpectedly → DO NOT COMMUNICATE until verified

Quick Signal hardening:

Settings → Privacy → Screen Lock ON
Settings → Privacy → Disappearing Messages → Set default
Settings → Privacy → Screen Security ON (blocks screenshots)
Settings → Chats → Backups → OFF (or encrypted only)

Device Seized at Border

Your rights (US):

You can refuse to unlock (5th Amendment) but device may be seized
Citizens cannot be denied entry for refusing
Non-citizens: more complex, consult lawyer before travel

Preparation:

Travel with clean/burner device when possible
Cloud-only workflow: nothing sensitive stored locally
Log out of all accounts before crossing
Know your lawyer's number by heart

If they take your device:

Get a property receipt
Note officer names/badge numbers
Do not consent to searches (but don't physically resist)
Contact lawyer immediately after

Encryption Reminders

\! What \!\! Check

Phone	Settings → Face ID/Touch ID → Data Protection enabled
Mac	System Preferences → Security → FileVault ON
External drives	Must be separately encrypted (VeraCrypt, APFS encrypted)
Cloud	Assume NOT encrypted for law enforcement (they can subpoena)

Remember: Encryption only works if device is OFF. Locked ≠ encrypted.

Quick Threat Assessment

Before starting sensitive work, ask:

What am I protecting? (sources, story, location, etc.)
Who wants it? (subject of story, government, competitor)
What can they do? (subpoena, hack, surveil, threaten)
What's proportionate? (match protection to actual threat)

Muscle Memory Habits

Practice until automatic:

Lock device when leaving it (even for 30 seconds)
Verify links before clicking (hover, check domain)
Pause before posting (does this reveal patterns/location?)
Signal for sources (never SMS, never regular calls)
Disappearing messages (default on for sensitive contacts)

References

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security