Course Readings

All Citizen Clinic currently or previously assigned readings in one place.

Introduction to Public Interest Cybersecurity

Sean Brooks, Center for Long-Term Cybersecurity. “Defending Politically Vulnerable Organizations Online” [https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_PVOs.pdf]

Citizen Lab’s “About Us” Paper. [https://citizenlab.ca/wp-content/uploads/2018/05/18033-Citizen-Lab-booklet-p-E.pdf]

Citizen Lab’s Security Planner. [https://securityplanner.org/]

Sandro Contenta, Toronto Star. “How these Toronto sleuths are exposing the world’s digital spies while risking their own lives” [https://www.thestar.com/news/canada/2019/12/13/from-a-tower-in-toronto-they-watch-the-watchers-how-citizen-lab-sleuths-are-exposing-the-worlds-digital-spies-while-risking-their-own-lives.html]

Havron et al. "Clinical computer security for victims of intimate partner violence." In Proceedings of the 28th USENIX Security Symposium (pp. 105-122). [https://www.nixdell.com/papers/2019-usenix_clinical_security_FULL.pdf]

Deji Olukotun, Access Now. “Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico” [https://www.accessnow.org/spyware-mexico-interview-luis-fernando-garcia-r3d-mexico/]

Tactical Tech's Annual Report [https://cdn.ttc.io/s/tacticaltech.org/Tactical-Tech-2018-Annual-Report.pdf]

Ethics and the Citizen Clinic Code of Conduct

Citizen Clinic. "Student Code of Conduct" [https://www.citizenclinic.io/Clinic_Curriculum/Modules/Ethics/Student_Code_of_Conduct/]

Shannon Vallor, The Markkula Center for Applied Ethics. “An Introduction to Cybersecurity Ethics” [https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf]

Old School INFOSEC: Basic Controls

Le Blond et al. “A look at targeted attacks through the lense of an NGO” [www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf]

Sean Brooks, CLTC, TechSoup Webinar. “Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements.” [https://cltc.berkeley.edu/2019/02/25/cltc-and-citizen-clinic-present-cybersecurity-in-low-risk-organizations-webinar/]

Citizen Lab’s Security Planner. [https://securityplanner.org/]

Electronic Frontier Foundation’s Surveillance Self-Defense guide. [https://ssd.eff.org/]

Alex Gaynor. “What happens when you type google.com into your browser's address box and press enter?” [https://github.com/alex/what-happens-when]

Rus Shuler. “How Does the Internet Work?” [web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm]

Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape

Stephen Arnold. “Telestrategies - An Interview with Dr. Jerry Lucas” [http://www.arnoldit.com/search-wizards-speak/telestrategies-2.html]

Joseph Cox. “I Gave a Bounty Hunter $300. Then He Located Our Phone” [https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile]

Vernon Silver and Ben Elgin. “Torture in Bahrain Becomes Routine With Help From Nokia Siemens” [https://web.archive.org/web/20111006185329/http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html]

John Scott-Railton et al., Citizen Lab. “Bittersweet: Supporters of Mexico’s soda tax targeted with NSO exploit links” [https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/]

Problem Diagnosis and Reframing

Netgain. “Digital Security and Grantcraft Guide” [fordfoundation.org/media/3334/digital-security-grantcraft-guide-v10-final-22317.pdf]

Arthur Turner. “Consulting Is More Than Giving Advice” [https://hbr.org/1982/09/consulting-is-more-than-giving-advice]

Thomas Wedell-Wedellsborg. “Are You Solving the Right Problems?” [https://hbr.org/2017/01/are-you-solving-the-right-problems]

Threat Modeling & Bounding Risk Assessments

Electronic Frontier Foundation, “Surveillance Self-Defense: Your Security Plan” [https://ssd.eff.org/en/playlist/activist-or-protester#your-security-plan]

NIST SP 800-37 “Risk Management Framework for Information Systems and Organizations.” Chapter 2 only. [https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf or Shutdown Mirror]

NIST SP 800-39 “Managing Information Security Risk.” Chapter 2 only. [https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf or Shutdown Mirror]

NISTIR 8062 “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” [https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf or Shutdown Mirror]

Contextual & Capacity Research

SAFETAG, Internews. "SAFETAG Guide" Skim to Section 2.2, then read Section 2.2 and Section 2.3. [https://safetag.org/guide/]

Read and Explore Examples About PESTLE. (use an ad-blocker!) [https://pestleanalysis.com/what-is-pestle-analysis/]

Jorge Luis Sierra. “Digital and Mobile Security for Mexican Journalists and Bloggers” [https://freedomhouse.org/sites/default/files/Digital%20and%20Mobile%20Security%20for%20Mexican%20Journalists%20and%20Bloggers.pdf]

Information Gathering

Ruba Abu-Salma et al. “Obstacles to the Adoption of Secure Communication Tools” [https://ieeexplore.ieee.org/abstract/document/7958575/]

Jeanette Blomberg et al. "An Ethnographic Approach to Design" [https://www.researchgate.net/publication/262363851_An_Ethnographic_Approach_to_Design]

Jenna Burrell. "The Field Site as a Network: A Strategy for Locating Ethnographic Research" [https://doi.org/10.1177/1525822X08329699]

Collaboration on International ICT Policy in East and Southern Africa. “Safeguarding Civil Society: Assessing Internet Freedom and the Digital Resilience of Civil Society in East Africa” - Read each chapter, but for one country only. [https://cipesa.org/?wpfb_dl=237]

Lofland and Lofland. Read Chapter 5 (66-98) "Logging Data" in "Analyzing social settings: A guide to qualitative observation and analysis" [https://searchworks.stanford.edu/view/10531063]

Open Source Research Methods, Safety, and Tools

Awesome OSINT [https://github.com/jivoi/awesome-osint]

Ian Barwise. “Open-Source Intelligence (OSINT) Reconnaissance” [https://medium.com/@z3roTrust/open-source-intelligence-osint-reconnaissance-75edd7f7dada]

Conor Fortune, Amnesty International. “Digitally dissecting atrocities – Amnesty International’s open source investigations.” [https://www.amnesty.org/en/latest/news/2018/09/digitally-dissecting-atrocities-amnesty-internationals-open-source-investigations/]

OSINT Framework [https://osintframework.com/]

OSINT.link [https://osint.link]

Travis Lishok, Protective Intelligence. “Part I: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt1]

Travis Lishok, Protective Intelligence. “Part 2: An Introduction To OSINT Research For Protective Intelligence Professionals” [https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt2]

SECALERTS - Automated Security Audit [https://secalerts.co/security-audit]

Security Law and Policy Factors

James C. Scott. “Seeing Like a State” - Chapter 9 [https://libcom.org/files/Seeing%20Like%20a%20State%20-%20James%20C.%20Scott.pdf]

Kim Fong et al. “A CRIMSon Tide of Data: An Assessment of Potential Privacy Problems of the Consolidated Records Information Management System” [http://people.ischool.berkeley.edu/~strush/CRIMS_FongRowlandTrush_Feb2018.pdf]

Adversary Persona Development

Julian Cohen. “Playbook Based Testing.” [https://medium.com/@HockeyInJune/playbook-based-testing-5df4b656113a]

Bill Marczak and John Scott-Railton, Citizen Lab. “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents” [https://citizenlab.ca/2016/05/stealth-falcon/]

Nick Merrill, Daylight Security Research Lab. "Adversary Personas" [https://daylight.berkeley.edu/adversary-personas/]

Microsoft’s STRIDE and related blog posts. [https://cloudblogs.microsoft.com/microsoftsecure/2007/09/11/stride-chart/]

Threat Scenario Development

Mitre’s ATT&CK Wiki. [https://attack.mitre.org/]

Mitre’s PRE-ATT&CK Techniques. [https://attack.mitre.org/techniques/pre/]

Mitre’s Common Vulnerabilities and Exposures search. [https://cve.mitre.org/cve/]

Changing Security Behaviors

The Engine Room. “Ties That Bind: Organisational Security for Civil Society” [https://www.theengineroom.org/civil-society-digital-security-new-research/]

Adrienne Porter Felt et al. “Improving SSL Warnings: Comprehension and Adherence” [https://dl.acm.org/citation.cfm?id=2702442]

Francesca Musiani and Ksenia Ermoshina. “What is a Good Secure Messaging Tool? The EFF Secure Messaging Scorecard and the Shaping of Digital (Usable) Security” [https://www.westminsterpapers.org/articles/10.16997/wpcc.265/]

Alma Whitten and Doug Tygar. “Why Johnny Can’t Encrypt” [https://www.usenix.org/legacy/publications/library/proceedings/sec99/full_papers/whitten/whitten_html/index.html]

Social Engineering and Phishing

Citizen Clinic. "Phishing Simulation Policy" [https://www.citizenclinic.io/Clinic_Infrastructure/Phishing_Simulation/]

Masashi Crete-Nishihata et al., Citizen Lab. "Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community" [https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/]

Micah Lee, The Intercept. “It’s Impossible To Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.” [https://theintercept.com/2018/04/28/computer-malware-tampering/]

Rachel Tobac. Social Proof Security. “How I would Hack You: Social Engineering Step-by-Step” [https://www.youtube.com/watch?v=L5J2PgGOLtE]

Designing Security Training

Electronic Frontier Foundation. “Am I the Right Person?” [https://sec.eff.org/articles/right-person-to-train]

Electronic Frontier Foundation. “How to Teach Adults” [https://sec.eff.org/articles/how-to-teach-adults]

Browse the rest of EFF’s Security Education Companion. [https://sec.eff.org/]

Rachel Weidinger et al. “How To Give A Digital Security Training” [https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40]

Rachel Weidinger et al. “Digital Security Training Resources for Security Trainers, Fall 2019 Edition” [https://medium.com/cryptofriends/digital-security-training-resources-for-security-trainers-spring-2017-edition-e95d9e50065e]

Psychosocial Resilience

Angela Chen. The Verge. “Moderating content doesn’t have to be so traumatic” [https://www.theverge.com/2019/2/27/18243359/content-moderation-mental-health-ptsd-psychology-science-facebook]

Sam Dubberley and Michele Grant. First Draft. “Journalism and Vicarious Trauma” [https://firstdraftnews.org/wp-content/uploads/2017/04/vicarioustrauma.pdf]

Sarah Jeong, Charlie Warzel, Brianna Wu, Joan Donovan. New York Times. “Everything is GamerGate” [https://www.nytimes.com/interactive/2019/08/15/opinion/gamergate-twitter.html] - Read all of the four essays.

Beyond Hacking: Harmful Information (Misinformation and Harassment)

Tahmina Ansari, First Draft. “This Muslim journalist embraced social media until it ‘ruined’ his life” [https://firstdraftnews.org/this-muslim-journalist-embraced-social-media-until-it-ruined-his-life/]

Nicholas Monaco and Carly Nyst. Institute For The Future. “State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns”. Read pages 3 to 21 & 45 to 51. [http://www.iftf.org/statesponsoredtrolling]

Sarah Oh and Travis L. Adkins. InterAction. “Disinformation Toolkit.” [https://staging.interaction.org/documents/disinformation-toolkit/]

Cindy Otis. USA Today. “Americans could be a bigger fake news threat than Russians in the 2020 presidential campaign” [https://www.usatoday.com/story/opinion/2019/07/19/disinformation-attacks-americans-threaten-2020-election-column/1756092001/]

Reply All podcast. “#112 The Prophet” Listen to or read transcript. [https://www.gimletmedia.com/reply-all/112-the-prophet]


Last update: July 27, 2020