AD/_XL,DC


DIGITAL SELF-DEFENSE

For everyone, especially persecuted groups


ADVANCED SECURITY & PRIVACY

For everyone, especially journalists, academics, public servants


AI, SECURITY TESTING, WEB DEVELOPMENT

Ethical hacking, web publishing, AI/LLM


OPERATIONAL SECURITY & ANONYMITY

For activists, whistle blowers, freedom fighters


CENSORSHIP EVASION

For anyone under oppressive governments


PERSONAL SECURITY, ANTI-SURVEILLANCE

For activists, whistle blowers, freedom fighters


NEWS, RESOURCES

Technology, freedom, democracy | Tools, education




DIGITAL SELF-DEFENSE

Threats | 1.1
Passwords | 1.2
2FA/MFA | 1.3
Phones, Computers | 1.4
Calls, Messages | 1.5
Email | 1.6
Search | 1.7
Updates | 1.8
VPN | 1.9
AI | 1.10
TL;DR


Intended Reader

This chapter is for everyone, but is extra important for persecuted groups. | 2026.02.06

Booking, Support

Book security testing or workshop. And support the development of Abstrude.





THREATS | 1.1

Basic Threat Assessment

What needs to be protected, from who, and how?

Assets

Passwords, credit cards, bank logins, email and social media accounts, direct messages, browsing and search history, personal notes, contacts, medical data, plans and intellectual property, photos/videos, camera/mic, location data (GPS), and more.

Adversaries

Hackers, scammers, business competitors, ex-partners, politically motivated groups – governments prone to overreach, nation state actors. What sort of organizations or individuals might target you? Use your conclusions to plan your efforts. If unclear, go ahead and implement at least the foundational measures presented in this chapter.





PASSWORDS | 1.2

Managing Passwords

Use a password manager to create, store, and access your passwords. For example Proton Pass – free, Bitwarden – free and open source, KeePassXC – free and open source. Avoid LastPass!

Password Quality

Longs string of random letters, numbers and special characters. Absolute minimum 12 characters, but there's nothing stopping you from having 50-60 characters in each password, since you're simply copying and pasting them from a manager.

Passphrases

Five or six long words put together – that are not easy for someone to simply guess. Use that as your master password – to log into your password manager. Better yet, add a few letters, numbers, and special characters to that.

Never Re-use

Each service and device you log into, should have unique passwords.

15.110.000.000+ Breached Passwords

"A 'breach' is an incident where a site's data has been illegally accessed by hackers and then released publicly. Review these breaches to see what personal information was compromised and take appropriate action, such as changing passwords."Troy Hunt

Check if your passwords have been breached

2FA, Settings

Do not allow web browser/password manager integration, instead – copy/paste passwords. Set manager to automatically clear clipboard and log out.

Use 2FA for login, read more below.

Referral

Sign up for Proton Pass – 14 days free!





2FA/MFA | 1.3

Second Layer of Security

After entering your password, you're prompted to enter a short code, generated by an app on your phone. Even if, or rather when your passwords are leaked – your accounts are still protected, since whoever has gotten hold of your passwords – usually don't have access to your phone.

2FA/MFA Apps

Twilio's Authy and Proton's Authenticator are good examples. More alternatives here. Avoid SMS for 2FA!

Physical Keys

There's also physical USB-keys, which is considered even more secure. Read here!

Password Manager and Email

2FA is very important for a password manager – since it stores all your passwords, and for an email login – since it's usually the single point of access to reset forgotten passwords for other services (which could be abused by a malicious actor).

Referral

Sign up for Proton Authenticator – 14 Days Free!





PHONES, COMPUTERS | 1.4

Basic

This is basic. Full section on smartphones and computers are linked here!

– Set the longest possible PIN-code/password (random, hard to guess; not your kid's birthday)
– Deactivate unlock via facial scan, and fingerprint (at least don't use thumb or index finger)
– Delete sensitive or no longer needed files on device, and cloud
– Activate whole disk encryption

Apps & Permissions

– Delete all apps/programs you don't use
– Limit the permissions each app; e.g. only maps and a few others need access to location/GPS (set to only when using)
– No app needs access to all your photos/videos, give access to specific ones only
– Most apps don't need access to text messages (SMS/MMS)





CALLS, MESSAGES | 1.5

Signal

Signal is encrypted end-to-end by default, messages can be set to disappear automatically, and is very easy to use. Recommended by security experts, incl. the NSA-whistle blower Edward Snowden, and the Swedish Military.

Telegram

Telegram is less secure, and less private than Signal, but still better than most main-stream options (WhatsApp, Messenger, Instagram, TikTok, X/Twitter). Messages are not end-to-end encrypted by default (meaning encryption keys and message contents are in the hands of Telegram, which effectively is an attack surface), but the feature is available in the application (called Secret Chats). Messages can be set to disappear automatically.





EMAIL | 1.6

Layered Security

Proton Mail – used by journalists, security experts, and millions of people around the world, has multiple layers of security. All applications are open source and independently audited.

Always* Encrypted

The easiest way to send end-to-end encrypted emails is when both the sender and recipient use Proton Mail. *An email sent to or from a non-Proton Mail user – will not be encrypted, while in transit. However, you can use the Password-Protected Emails feature to send emails securely to people who don’t use Proton Mail. Select a password in the composer before clicking send – that email will be inaccessible to both Proton's staff – and staff at your recipient’s email provider.

Proton Mail’s zero-access architecture means they can never access your emails. Emails from other service providers are instantly encrypted on Proton Mail's servers using your public key, therefor Proton Mail do not have the technical ability to decrypt your messages. They cannot hand your emails over to anyone. This all happens automatically, no need for specific skills, methods, or tools.

Proton Sentinel

Accounts enrolled in the Sentinel program are monitored 24-7-365 by a threat detection platform, and teams of security analysts equiped with AI, specialized in detecting infiltration and takeover attempts.

2FA/MFA

Use an app, or a hardware USB/NFC-key to verify your identity. YubiKey and other U2F/FIDO2-compliant keys are supported. Due to their physical nature, physical keys are one of the best ways to protect an account.

Tracking Protection

Proton lets you read emails without advertisers watching you, building a profile on you, or serving you ads based on your online activity and email contents. The web app automatically blocks tracking pixels and hides your IP address.

Avoid Webmail

Use installed application, avoid email in web browsers.

Referral

Sign up for Proton Mail – 14 Days Free!




SEARCH | 1.7

Avoid Google

Boycott Google, Bing, and other really big names. Switch to a more private engine, such as:

startpage.com/en/about-us
duckduckgo.com/compare-privacy
search.brave.com (AI optional)





UPDATES | 1.8

Automatic

Keeping everything up-to-date. Most apps, software, plugins, operating systems, and device firmware can be set to search for and install updates automatically. This protects against a lot of malware/virus and other threats.





VPN | 1.9

Virtual Private Network

An application on your device, makes your data unreadable (encrypted) before it leaves your device to travel through WiFi and the internet, via a tunnel. Your data travels to a computer/server on the internet. On this server, your data is made readable (decrypted). From this point, your data travels just like normal internet traffic, to it's end goal – such as a news site, or forum.

This way, your Internet Service Provider – ISP, can't track what you're doing on the internet. This is crucial if you're using some WiFi at a café, airport, or your maybe employer.

Also, when your traffic exits the VPN-node, to travel that last distance to for example a forum, the forum-server wont know who you are – only that your traffic came from a specific VPN-server. Still, well resourced actors (APTs) – such as nation states, can and do easily de-anonymize you. Read more here!

VPN Providers' Reputation

Ultimately a VPN provider is just someone elses computer, and they can read all your traffic – as if it was just regular internet traffic without VPN. Therefor, essentially, you choose to trust a reputable VPN provider more than you trust some network (that you don't own or control), for example that random café or airport WiFi. Well known VPNs are - in theory, generally, a lot more trustworthy than that "FREE AIRPORT WIFI" - which could actually be set up and/or surveilled by any bad actor - in other words, it might have nothing to do woth the airport, hotel, or café that's mentioned in the WiFi-name.

Two providers with very good reputation are:

protonvpn.com
mullvad.net

Configuration

In it's settings, configure the VPN-app to:

– Choose a specific country's exit node (not your current country)
– Activate the killswitch

Ideally also:

– Disable WebRTC
– Disable IPv6
– Don't change any DNS settings on your device (the VPN-app will handle DNS)

Checks & Verifications

Verify VPN connection: whatismyip.com | whatismyipaddress.com – IPv4 must be different with/without VPN
Check for DNS leaks: dnsleaktest.com | controld.com – All IPs must be from the same service provider
– Check for WebRTC leaks: browserleaks.com | dnsleaktest.com/webrtc
– Check for IPv6 leaks: whatismyip.com | whatismyipaddress.com – Verify that IPv6 is different with/without VPN (or not detected/none). If using a terminal (Linux, Windows, macOS, Android, iOS):

curl -4 -v icanhazip.com

Warning – "israeli" Companies

ExpressVPN
CyberGhost (VPN)
Private Internet Access (VPN)
ZenMate (VPN)
Intego (VPN, antivirus)

"...quietly operated by an 'israeli'-owned company [Kape Technologies] with close connections to that country’s 'national security state', including /.../ Unit 8200 and Duvdevan Units of the 'israeli' [Occupation] Forces [iOF aka. 'iDF'] /.../ involved in many of 'israel’s' most outrageous hacking, surveillance and assassination programs, acting as spies and death squads. Unit 8200, for example, has been the source of much of the world’s most infamous spying software, including Cellebrite and Pegasus, the program used to snoop on tens of thousands of the world’s top politicians and journalists, including by Saudi Arabia, who used it to help track down and kill Washington Post columnist Jamal Khashoggi."Mint Press

LastPass

This password manager has been revealed to be not only very insecure, but also owned by "israeli"-connected malware investors, same as behind the NSO Group. – Addie Lamarr

Referral

Sign up for Proton VPN – 14 Days Free!





AI – LLM | 1.10

Lumo

Proton Lumo – no need to create a user account or log in. No logs, open source, ad-free, high-privacy jurisdiction. "We keep no logs of what you ask, or what I reply. Your chats can’t be seen, shared, or used to profile you." Read more here and here.

Ask

Ask Brave – a single interface that consolidates search and AI chat. "We don’t collect personal information about you, your device or your searches. We also don’t transmit information to the web that could be used to profile you or track you..." Read more here.

Offline

Better yet – run models offline, locally – in Ollama. Learn here!





TL;DR

Assessment

– What to protect, from who, how

Passwords

Bitwarden, Proton Pass; Unique, long, complex, 2FA

2FA

Authy, Proton Auth; For password manager, email, etc.

Phones

– Limit permissions, delete apps/files, encrypt, disable biometric, long PIN

Computers

– Advertising IDs, delete files, encrypt, disable biometric, Linux

Calls & Messages

Signal; Auto-delete messages

Email

Proton Mail; 2FA, Sentinel

Search

DuckDuckGo, Startpage, Brave Search

Updates

– Automatic for everything, everywhere

VPN

Mullvad, Proton; killswitch, Stealth, Shadowsocks

AI

Brave AI, Proton Lumo (guest), or offline





BOYCOTT, DIVESTMENT, SANCTIONS AGAINST "israel"

The global Boycott, Divestment and Sanctions (BDS) movement, firmly believes that ending the complicity of states, corporations, and institutions in “israel’s” ongoing, live-streamed genocide against 2.3+ million Palestinians in Gaza [and the West Bank] is the most effective form of solidarity with the Palestinian struggle to end the genocide and dismantle “israel’s” 78-year-old regime of settler-colonialism and apartheid.bdsmovement.net


BOYCAT – ETHICAL SHOPPING

Search brands and scan products, to see if it’s being boycotted and why. Make ethical shopping choices with confidence!boycat.io


JMAIL, JEFFTUBE – THE "israel"/TRUMP/EPSTEIN FILES

Read the PDF-file emails! [SFW, redacted]jmail.world Watch the videos! [SFW, censored]jmail.world/jefftube




WEAPONS OF MASS EDUCATION℠

AD/_XL,DC

Abstrude

From Latin abstrūdō; to conceal, hide, push or thrust away. Evolved to abstruse; difficult to comprehend or understand, obscure. Synonyms; cryptic, covert, secret.

Privacy

No tracking, no cookies. Only HTML and CSS, plus one JavaScript function for color inversion – sessionStorage, deleted when closing browser.

Technical

Optimized for Brave – a privacy and security oriented browser.

Legal

All information is provided in a best effort, beginner friendly manner. Intended for educational purposes only – how anyone make use of it, is their own responsibility. By choosing to utilize any of the mentioned tools or methods – in part or in whole, You confirm Your agreement with the aforementioned statement.

Booking

Book security testing or workshop.

Support

The continued efforts of developing Abstrude can be supported via:

Buy Me a Coffee (Stripe)
– BTC bc1qxtfks0vy3x6w9p7t9cvxkxsx56ptmfm0wydwld
– ETH 0xa1AEbebe632D8170D7a4d716B44Ef93F64Ed62c6
– Referrals Proton | Starlink | Simply

Contact

hind.rajab@abstru.de | Instagram | UpScrolled | Substack | Twitter/X | GitHub

[A]bstrude © 2025 – 2026


"Fascism, in itself, is less 'ideological' in so far as it openly proclaims the principle of domination, that is elsewhere concealed." ― Theodor Adorno