January 19, 2018

HOWTO: Protect your small organization against electronic adversaries

October is “cyber security awareness month“. Among other notable announcements, Google just rolled out “advanced protection” — free for any Google account. So, in the spirit of offering pragmatic advice to real users, I wrote a short document that’s meant not for the usual Tinker audience but rather for the sort of person running a small non-profit, a political campaign, or even a small company.

If there’s one thing we learned from the leaks of the DNC emails during the 2016 presidential campaign it’s this: cyber-security matters. Whether or not you believe that the release of private campaign emails cost Clinton the election, they certainly influenced the process to the extent that any political campaign, any small non-profit, and any advocacy group has to now consider the possible impacts of cyber-attacks against their organizations. These could involve espionage (i.e., internal secrets being leaked) or sabotage (i.e., internal data being corrupted or destroyed). And your adversaries might be criminal hackers or foreign nation-state governments.

If you were a large multinational corporation, you’d have a dedicated team of security specialists to manage your organization. Unfortunately, you’re not and you can’t afford such a team. To help out, I’ve written a short document summarizing low-cost tactics you can take to reduce your vulnerabilities using simple techniques like two-factor authentication, so a stolen password isn’t enough for an attacker to log into your account. This document also recommends particular software and hardware configurations that move your organization “into the cloud” where providers like Google or Microsoft have security professionals who do much of the hard work on your behalf.




  1. Trying to visit https://www.cs.rice.edu/~dwallach/howto-electronic-adversaries.pdf in Firefox is giving a Error code: SEC_ERROR_UNKNOWN_ISSUER.

  2. Lawrence D’Oliveiro says:

    ldo@theon:security> wget https://www.cs.rice.edu/~dwallach/howto-electronic-adversaries.pdf
    –2017-10-26 11:21:34– https://www.cs.rice.edu/~dwallach/howto-electronic-adversaries.pdf
    Resolving http://www.cs.rice.edu (www.cs.rice.edu)…
    Connecting to http://www.cs.rice.edu (www.cs.rice.edu)||:443… connected.
    ERROR: The certificate of ‘www.cs.rice.edu’ is not trusted.
    ERROR: The certificate of ‘www.cs.rice.edu’ hasn’t got a known issuer.
    ERROR: The certificate of ‘www.cs.rice.edu’ was signed using an insecure algorithm.

    • Dan Wallach says:

      With Chrome on Mac or PC, everything works. Please try that, or please try dropping from https to http and see if that makes a difference.

      Also, I’ve heard reports that the PDF renderer in Firefox doesn’t work properly. If you use Adobe Acrobat, Chrome, or Apple Preview, everything should work.

  3. Trying to fetch as “http://” just redirects to “https://”.

    I was able to download the PDF file using “wget –no-check-certificate”, but it sure seems ironic to have to do that for a document about electronic security.

    • Dan Wallach says:

      Please let me know (either here or via private email) what your computer’s configuration is (OS version, browser version, etc.) so I can help my university’s IT group debug the problem. Thanks!