Signal For Beginners

Signal For Beginners

Editor’s note: Signal provides good protection against dragnet surveillance, but the capabilities of state agencies and large corporations probably allow them to bypass the security provided by apps like this in targeted cases. In other words, Signal is not bulletproof. If your device is compromised, your message are compromised. We recommend Signal and other end-to-end encrypted communication methods as a baseline for safer communication, but in cases of serious risk, other measures must be taken.

By Martin Shelton / Originally published as Signal for Beginners at the Freedom of the Press Foundation

For some reason, people have gotten pretty interested in mobile security lately. So let’s talk about a secure messaging app called Signal.

Signal gives you encrypted messages, as well as voice and video calls. It relies on data, so it’s a great option for free calls and texts over wi-fi. This can be a huge advantage for those of us who don’t want to pay for SMS text messages and phone calls, or who want to make free international calls.

It’s not only convenient, but security experts recommend Signal for a few different reasons. Signal is end-to-end encrypted, meaning that no one but your device and conversational partner’s device can read the messages you send. The team behind the software, Open Whisper Systems, is a privacy centered not-for-profit organization, and relies on grants and donations. Perhaps most importantly, Signal is open source, meaning that the code is publicly viewable. It can be examined for potential security holes, and has stood up to auditing. All of these features make Signal one of the best options for boosting your communication security.

Getting started with Signal

First, find Signal for iPhone or Android here, or search for it in the App Store or Google Play store. It only works with other Signal users, so get your friends to use it too.

This is someone else’s device. I would never have 88 updates.

When you first launch the app, it will ask you to verify your phone number.

iPhone users: Type in your number and hit “Activate This Device.” You’ll receive a six-digit code via SMS text message, then type in the code and hit “Submit Verification Code.”

Android users: Type in your phone number, hit “Register” wait for the app to verify your phone number. When it finishes, it will ask if you want to make Signal your default messaging app, which will allow you to receive both SMS messages and Signal messages on the app. That’s up to you, but it’s important to remember that Signal will not encrypt conversations with anyone using regular old SMS text messages.

Your fresh Signal contact page on Android (left) and Signal on iPhone (right)

Click the messaging icon (with the pencil). From here, you can message your contacts who have installed the app. Click on someone who you want to talk to. That’s it — just type in the message and send. From inside the conversation, you can also click the phone icon in the top right corner to start an encrypted call.

Get fancy with messaging

Use group messaging
iPhone users: From the main screen, click the message icon at the top right. Click the group messaging icon in the top right.
Android users: Click the settings icon at the top right and hit “New group.”

From here, you can name your group and add multiple people. You can also change the group icon by clicking on the image to the left. Later, you can always make changes to the group by clicking the conversation settings for the group at the top right.

Signal on desktop
You can use Signal on your desktop as well! Before jumping in, think about whether Signal for desktop works for your situation. If you’re having highly sensitive conversations and think you may have malicious software on your personal computer, you probably don’t want to feed your encrypted messages into that infected machine. For example, if you’re infected with malicious software designed to log your keystrokes or send screenshots to a remote attacker, encryption won’t protect your messages.

If it makes sense for you, try Signal for your desktop. It offers similar messaging features to the mobile app, supporting messages, but not calls.

Attachments
You can send files by clicking the attachment (paperclip) icon at the bottom of a conversation. This is very important: you can send GIFs here.

Get fancy with security

Make messages disappear
If you want to delete a specific message, press and hold the message. When the menu pops up, click “Delete.” Because Signal stores all of your messages locally and not on a remote server, you are only deleting the message on your personal device. Your conversational partner may still have it.

If you and your conversational partner want to get rid of messages after a certain amount of time by default, there’s a way to do that.

iPhone users: Click on your conversational partner’s name at the top of the screen to open the conversations settings menu.
Android users: Click the settings icon (three dots) in the top right corner. Click “Disappearing Messages.”

Use the slider to change the amount of time you’d like to wait before messages disappear after they’ve been viewed — anywhere from 5 seconds to a week. Again, messages will disappear for both you and your conversational partner. If you change your mind later, you can always change your settings from this menu, or remove disappearing messages.

iPhone users: To delete all messages across all of your contacts, click the settings icon in the top left and navigate to Privacy > Clear History Logs.

Lock screen notification security
Even when your phone is locked, someone with physical access can still read the message and sender name on your lock screen. But we can fix that.

iPhone users: you can find these settings under Settings > Notifications > “Show.” On this page, you can have Signal display sender name and message, sender name only, or no name or message.

Android users: Device > Sound & notification > When device is locked. On this page, you can have Signal show all notifications, “Hide sensitive information content” or don’t show notifications at all. If you still want alerts but don’t want names or messages visible on your lock screen, hit “Hide sensitive information content.”

Now your messages aren’t readable on your lock screen.

Session verification
On most messengers, there is no way to know that your message isn’t intercepted by a third party. With Signal, you can verify that the current conversation is secure for both messages and calls. Consider verifying your session for sensitive conversations.

You can verify your session with safety numbers. Open a conversation with someone. For iPhone, click the person’s name at the top of the screen, and tap “Show Safety Number.” On Android, click the Settings > Conversation settings > Verify safety numbers. From there, you’ll see a QR code and your safety numbers.

If you and your conversational partner are seeing the same numbers, your session is secure. You want to verify that your numbers match on a different channel — for example, over Twitter DMs, Facebook, Google Hangouts, or a regular old phone call.

If you’re in person with someone, one of you can click “Scan code.” Scan the other person’s QR code with your camera.

You won’t need to verify safety numbers again until someone starts a new session (e.g., when someone gets a new phone).

Signal is not bulletproof

Perhaps it goes without saying, but encryption won’t help with someone who has physical access to your unlocked phone. If you haven’t done so, password protect your device. Exit Signal and turn on your passcode.

iPhone users: Settings app > Touch ID & Passcode
Android users: Settings app > Security > Screen lock

Remember that strong encryption won’t help if your device or your partner’s device is compromised with malware. For example, some kinds of malware are designed to send screenshots of your messages to a remote hacker. The best defense is to simply install new software updates for Signal and your device itself. These updates usually contain valuable security patches; get them as soon as possible.

If your phone is ever lost or stolen, thieves can copy and read data off the device, including your encrypted messages. Luckily it’s pretty easy to protect your device with disk encryption. If you use a modern password-protected iPhone, your device is already encrypted. A few Android devices are encrypted by default (the Pixel line, and some phones in the Nexus line). Android users can enable disk encryption in minutes.

Signal retains nearly no metadata — who spoke to whom, when, and the length of a call. Importantly, however, it’s not designed to prevent live eavesdroppers from capturing metadata.

iPhone users: Signal lets you see your Signal call history from your phone app, like any other call. This might be convenient, but may also allow your iPhone to sync this call history with iCloud (including who spoke to whom, when, and the call length). If you use iCloud and don’t want to upload call history on Signal, double check that it’s turned off: Settings > Privacy > Show Calls in Recents > Disabled.

Signal will occasionally drop calls or texts, and because it relies on data, there will be times you’ll prefer to use phone minutes instead. We need regular phone calls and texts sometimes. That’s okay. But we can protect more of our communications and encourage our friends to do the same.

You’re caught up!

That’s nearly everything new users should know about Signal. If it’s a service you value, consider donating to Open Whisper Systems. For technical folks, contribute code. And if you want to learn more about how to get started with digital security, read Securing Your Digital Life Like a Normal Person. Feel free to reach out with thoughts or suggestions.

Edit: I’ve changed the old donation links to newer ones, and I’ve updated information on Signal’s iOS call history and iCloud. I’ve also clarified about what Signal can and can’t protect with respect to metadata.

This article is crossposted with the Freedom of the Press Foundation. Last updated October 21, 2018.

Signal for Beginners is republished here under a Creative Commons Attribution 4.0 International (CC BY 4.0) license. Click here for more on security culture.

How to Browse the Internet Anonymously

How to Browse the Internet Anonymously

Anytime you browse the internet, your ISP (Internet Service Provider), government agencies such as the NSA and GCHQ, and most of the websites you visit are tracking everything you do.

This data is often used to generate profiles of individuals preferences, purchasing behavior, travel, habits, etc, then packaged and sold to marketing companies, political advertisers, and other bidders. Politically, internet surveillance is used to suppress resistance movements, identify dissidents, and encourage self-censorship.

Threat Models

Most technological infrastructure globally is controlled by corporations and the government. That means that online security will always be risky. We don’t recommend using the internet for any particularly dangerous purposes. This is not a guide for advanced users, underground activists, or anyone with a high-level threat model.

However, using this method can be useful for any organizer concerned with security and privacy. If you are still considering whether to go underground or stay aboveground, you should take steps to remain anonymous.

What is Tor?

Tor is a volunteer-run service that provides both privacy and anonymity online by masking who you are and where you are connecting. The service also protects you from the Tor network itself—you can have good assurance that you’ll remain anonymous to other Tor users.

For people who might need occasional anonymity and privacy when accessing websites, Tor Browser provides a quick and easy way to use the Tor network.

The Tor Browser works just like a regular web browser. Web browsers are programs you use to view web sites. Examples include Chrome, Firefox, and Safari. Unlike other web browsers, though, the Tor Browser sends your communications through Tor, making it harder for people who are monitoring you to know exactly what you’re doing online, and harder for people monitoring the sites you use to know where you’re connecting from.

Keep in mind that only activities you do inside of Tor Browser itself will be anonymized. Having Tor Browser installed on your computer does not make things you do on the same computer using other software (such as your regular web browser) anonymous.

How to Install Tor

  1. Visit https://torproject.org
  2. Download the appropriate software for your operating system
  3. Follow the instructions to install the software

How to Use Tor

The first time Tor Browser starts, you’ll get a window that allows you to modify some settings if necessary. You might have to come back and change some configuration settings, but go ahead and try to connect to the Tor network by clicking the Connect button.

A new window will open with an orange bar that illustrates Tor Browser connecting to the Tor network.

The first time Tor Browser starts, it might take a long time; but be patient, within a minute or two Tor Browser will open and congratulate you.

You will be greeted by a welcome screen.

Some features of a normal web browser can make you vulnerable to man-in-the-middle attacks. Other features have previously had bugs in them that revealed users’ identities. Turning the security slider to a high setting disables these features. This will make you safer from well-funded adversaries who can interfere with your Internet connection or use new unknown bugs in these features. Unfortunately, turning off these features can make some websites unusable. The default low setting is fine for everyday privacy protection, but you can set it to high if you are worried about sophisticated attackers, or if you don’t mind if some websites do not display correctly.

Finally, browsing with Tor is different in some ways from the normal browsing experience. We recommended reading these tips for properly browsing with the Tor Browser and retaining your anonymity.

Advanced Option: TAILS

A more advanced security option is to use TAILS. TAILS is a live operating system that you can start on almost any computer from a USB stick or a DVD.

It aims at preserving your privacy and anonymity, and helps you to:

  • use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

You can learn more about using TAILS on their website: https://tails.boum.org/


Portions of this material have been adapted from EFF’s SSD project under the CC BY 3.0 license.

Weaponising Europe’s General Data Protection Regulations

Weaponising Europe’s General Data Protection Regulations

by Liam Campbell

What Is GDPR?

GDPR is a European legal framework intended to protect personal data, provide greater data transparency, and give people greater control over their data. It requires any group that stores or processes data to follow strict policies to ensure security. It also entitles individuals to request personal data reports and deletion, both of which must be completed within 30 days by any group holding the data.

Who does GDPR apply to?

At minimum, GDPR applies to any group or company which stores the data of EU citizens or residents, in practice it applies primarily to data processing entities based in the EU. This can include corporations, political parties, activist groups, and even individuals.

What are the consequences of negligence?

Violation reports are investigated, a warning is usually issued, data may be deleted, data processing may be restricted, and continued violations can result in fines up to €20,000,000 or 4% of revenue, whichever is greater. The consequences are significant enough to even warrant serious concern among large corporations.

What is a personal data request?

Anyone can submit a request for a comprehensive report on any data which relates to them, and these reports must include all data and a list of systems which store or process that data. Requests must be fulfilled in under 30 days. This is relatively easy for big businesses who have invested in compliance software, but intermediate businesses have much more difficulty, and small groups or individuals struggle the most. Processing a data request manually can take 30+ minutes per request because all systems must be checked.

What is a deletion request?

Anyone in the EU can request that their data be deleted from some or all systems. The data must be permanently deleted and all systems must be checked for data. This can also take 30+ minutes to complete per request, depending on the systems.

How do you weaponise GDPR?

Opposition groups and companies which perpetuate ecocide can be easily flooded with GDPR requests. Each individual email address warrants a separate request. If someone has 3 email addresses and a request template, they can consume 1-3 hours of a company, group, or individual’s time and resources by investing a few minutes. If the request is not completed in 30 days, or if the report is incomplete, they can report the offense for investigation. Additionally, any company, group, or individual that does not have GDPR compliant opt-in features and privacy statements can also be reported, even without a 30 day waiting period.

Strategic mass reporting can consume significant resources among medium sized targets, and can be devastating for smaller targets. This is a tactic which requires minimal training, is highly asymmetric, and can be very disruptive when targets are selected intelligently. I recommend identifying candidates like: climate science denial groups, fossil fuel lobbyists, regional oil and gas distributors, politicians, logging companies, and opposition movements.

 

Extinction Rebellion: Security Analysis of Ireland’s Movement

Extinction Rebellion: Security Analysis of Ireland’s Movement

Editor’s note: DGR acknowledges that Extinction Rebellion and Extinction Rebellion Ireland are valuable and necessary contributors to a broader ecosystem of activism. The analysis in this article is relevant for many movements and it’s republished from Medium with permission from the author.

Image credit: Truthout.org on Flickr

by Roderick Campbell

Extinction Rebellion Ireland (XRI) is growing at a decent speed and has already hosted a number of public marches and street art performances. The movement currently follows the Extinction Rebellion International principles and policies, which make it a fully decentralised and non-hierarchical movement which is open to anyone who wants to participate. In Ireland they are currently opting for a consensus based approach to decisionmaking rather than a democratic process, and they are experimenting with using “circles” to organise around key issues like finance, tactics, and policies. The community is somewhat divided on the details, especially regarding the ambiguity of some of Extinction Rebellion’s principles and how they should be interpreted. There is also contention around the details of decisionmaking processes and key financial decisions.

This is very much a social experiment, and you can tell the movement is young and raw. Individual participants run the gamut from brand-new activists to seasoned community organisers, from upper class people to significantly underpriveleged people, and from those living in intensely rural settings to those living in the big cities. The diversity of participants is staggering. There seems to be a central division between those who espouse fundamentally capitalist beliefs and call for incremental progress through government lobbying and public relations stunts, to outright socialists who are calling for the abolition of capitalism and profound restructuring of government institions. Likewise, there is a division between those who believe that climate change is a serious concern but a vaguely distant threat, to those who believe climate collapse is actively occurring and poses a risk of near-term extinction. These divisions are obviously exploitable, and will inevitably identified by opposition forces (e.g. fossil fuel industry propaganda teams).

Below I outline some of my most immediate security concerns. Please note that I’m highlighting these concerns in order to help XRI identify and address them before they fall victim to malicious parties. I will approach these concerns from the perspective of an oppositional force in order to highlight the seriousness of these vulnerabilities.

Crippling Through Consensus

Perhaps the most easily exploitable aspect of Extinction Rebellion Ireland (XRI) is that they’re currently using consensus rather than democracy, which means that they only progress on a tactic or solution if everyone agrees. If one participant wishes to block the decision they can grind everything to a halt. There is no process for dealing with people who consistently obstruct decisions, so it would be easy for a member of the opposition to join XRI meetings and simply blockade all decisions while pretending to do so in good faith — though even if they blockaded XRI without pretending to be sincere, there are no existing procedures for dealing with them. A small handful of malicious individuals could easily cripple XRI and prevent most progress.

Scenario: I am the head of a PR (propaganda) agency for the fossil fuel industry and I’ve identified this weakness. I hire a small team of individuals to join XRI Facebook groups, join the XRI Slack, and participate in all key meetings both in person and via Zoom. These individuals do not need to be skilled at all, so I would select them based on their cover stories. I would give preference to older individuals, since they are perceived to be more trustworthy, and I would favour anyone who has a background in “feel good” activism so that they seem credible. Their entire job will be to bring up “legitimate” concerns about every issue and to trade off on blocking decisions, that way it’s not too obvious.

Outcome: XRI decisionmaking is ground to a halt, effectively the only actions which become possible are those which the fossil fuel industry has authorised because all others are blocked by the small team of paid trolls. These blockade participants may arouse some degree of suspicion, but it is impossible to definitively accuse them of maliciousness. This tactic will continue to work so long as consensus decisionmaking is in effect and/or so long as participation is open to the general public.

Consistent, Controlled Conflict

Groups like XRI are highly diverse, and they always include big personalities. There are a handful of especially divisive issues which are guaranteed to generate conflict and endless argument. Some of the prominent issues include:

  • Urgently dismantling capitalist systems (“capitalism relies on infinite growth on a finite planet, which is irrational”).
  • Emotional violence as violence (“if we hurt someone’s feelings it constitutes violence and is against the XRI policies”)
  • Property destruction as nonviolence (“if we sabotage a pipeline it does not directly harm anyone and is therefore nonviolent”)
  • Quantifiability of tactics (“we should not pursue tactics which have no quantifiable outcomes”)
  • Naming and shaming (“we cannot mention any names” & “no naming and shaming only applies to XR participants and the general public”)

Leveraging these key issues to generate internal conflict would be effective because they all address valid, but generally unresolveable issues. They divide people along key lines: capitalism/socialism, idealist/pragmatist, and analytical/emotional. Each of these groups constitute a large ratio of XRI’s participants and can therefore generate substantial conflict with very little prompting. Most of these debates occur on Facebook and Slack, and can therefore be instigated and sustained by fake accounts.

Scenario: I am a member of a prominent opposition party and my objective is to cause enough sustained dissent within XRI to cripple an upcoming national strike. I coordinate a dozen party volunteers via Facebook. Each volunteer sets up 2–3 fake Facebook accounts and email addresses, primarily using images of attractive young women to ensure they are inundated with incoming friend requests, which significantly reduces the amount of work needed to create a realistic looking account. Once the accounts have several dozen friends the volunteers are prompted to add them to prominent XRI groups on Facebook, where each fake account regularly initiates arguments about one of the key issues outlined above. The volunteer trolls also engage with each others’ content in order to make the arguments appear authentic and lively. Once the accounts have become regonisable in the community they request to be added to the XRI Slack where they continue baiting arguments.

Outcome: XRI participants end up wasting time and energy on divisive arguments rather than working on actions or making progress toward resolving organisational gaps. Moreover, individuals who engage in arguments will be likely to form cliques and grudges until active members leave out of frustration and emotional exhaustion. XRI currently has no process for resolving these disputes or making critical interpretive decisions, so this tactic would work indefinitely.

Daylight Robbery

Extinction Rebellion and XRI have significant access to funding. The International account generally holds between €500,000 and €1,000,000 in cash and they are beginning to allocate relatively large amounts of funding to individual Extinction Rebellion groups. For example, XRI has been offered €10,000 without strings attached, and an additional €40,000 with minimal strings attached.

The biggest financial obstacle facing XRI and other regional XR groups is accessing funds, because they are often used for illegal activities. Under normal circumstances, XRI members would join forces and create a legal entity (e.g. limited company) to receive and process the funds; this approach requires individual XRI members to sign their name to the company and take on significant legal liabilities. Conversely, individual XR members could be directly paid out the funds as wages, which carries slightly less legal liability but lacks transparency, creates infighting, and makes resource purchases difficult. Another option is to set up an out-of-country legal entity, which provides significant legal protection but requires a trustworthy foreign national. The last option is to receive payment in bitcoin and withdraw cash from bitcoin ATMs, which provides the most legal protection but lacks transparency and requires several trustworthy individuals.

XRI is open to anyone and operates on a consensus model, which means that a dedicated group of thieves could potentially steal tens of thousands of euro by infiltrating the XRI community, driving financial decisions toward methods they can control, and working as a group to mask their actions and mitigate any risk of being caught.

Scenario: A group of 10 friends hear that XRI will soon receive €40,000 in funding. They join XRI groups, the Slack platform, and begin attending all meetings in order to build rapport. These individuals understand the logistical challenges facing XRI and they advise XRI to leverage bitcoin to receive the funds in order to take advantage of its many benefits, namely its anonymity and significantly reduced legal liability. XRI participants express concern about ensuring the funds are safely handled and can be transparently accounted. The group of thieves suggest a best practice: a “circle” of designated people should all have access to the bitcoin wallet in order to monitor the funds and keep each other honest. All 10 of the friends join the circle and insist that many people should have access in order to avoid centralisation and hierarchy. Once the funds are in the bitcoin wallet, they almost immediately disappear into another wallet and are then laundered through one of many services. The funds are eventually divided among the friends and nobody can identify who took the bitcoins.

Outcome: XRI loses €40,000 in funding and has a reduced likelihood of receiving additional funds. The Extinction Rebellion brand is tarnished and media coverage is diverted away from actions and toward the robbery. Extinction Rebellion funders are globally disenfranchised and become less likely to provide financial resources in the future.

Summary

By compiling this analysis I hope to highlight several significant security risks, which can be exploited by malicious third parties with minimal resources or expertise to cripple the Extinction Rebellion movement in Ireland. These approaches are not new, they have been used before to undermine movements, but they have not yet been used against Extinction Rebellion. My hope is that, by highlighting them, Extinction Rebellion can resolve the issues before oppositional parties exploit them or, at the very least, Extinction Rebellion participants will be more likely to identify them before they cause critical damage to the movement.

All of these weaknesses can be effectively counteracted, but only if we’re aware of them before we fall victim to them.

Lessons from the Irish Republican Army’s Green Book

Lessons from the Irish Republican Army’s Green Book

Editor’s note: this article contains extensive excerpts from the Irish Republican Army’s Green Book, one of their key training documents during their 20th-century struggle against British occupation.

Written by Liam Campbell

“Don’t be seen in public marches, demonstrations or protests. Don’t be seen in the company of known Republicans, don’t frequent known Republican houses. Your prime duty is to remain unknown to the enemy forces and the public at large.”

Like all successful underground organisations, the Irish Republican Army maintained a strict firewall between their aboveground and underground movements, this ensured that publicly identifiable individuals could not be pressured into revealing underground militants, providing a certain level of safety for both groups. The Irish Republican Army also emphasized the importance of abstaining from alcohol or other drugs, which they identified as the single greatest threat to any guerilla organisation.

“Many in the past have joined the Army out of romantic notions, or sheer adventure, but when captured and jailed they had after-thoughts about their allegiance to the Army. They realised at too late a stage that they had no real interest in being volunteers. This causes splits and dissension inside prisons and divided families and neighbours outside.”

When recruiting, the Irish Republican Army recognised that successful underground members had certain characteristics; they were intelligent, reliable, and they were capable of giving their total allegiance to the cause. These characteristics ensured that they would consistently obey often difficult orders from the chain of command, regardless of the personal cost, and despite any personal issues they may have with their superior officers. Certain qualities could disqualify a person as a candidate: emotionalism, sensationalism, and adventurism were among them.

“The enemy, generally speaking, are all those opposed to our short-term or long-term objectives. But having said that, we must realise that all our enemies are not the same and therefore there is no common cure for their enmity. The conclusion then is that we must categorise and then suggest cures for each category. Some examples: We have enemies through ignorance, through our own fault or default and of course the main enemy is the establishment.”

One of the most essential features of the Green Book was the precision with which it defined enemies. You cannot wage a successful war if your targets are poorly defined. The Irish Republican Army identified three categories of enemy:

Enemies through ignorance are those individuals who can be cured through education. Tactics included marches, demonstrations, wall slogans, press statements, publications, and person-to-person communication. The Green Book stressed that self education was essential, which included ideological understanding and also tactical knowledge about how to organise large groups of people and how to successfully execute different actions.

Enemies through our own fault are the ones created by the Irish Republican Army’s actions, which includes personal conduct and the collective conduct of the movement. These enemies vary greatly. The elderly woman whose door was pulled off its hinges by an IRA member evading capture who doesn’t receive an immediate apology and recompense, the family and friends of an informer who has been punished without their being notified of the reason, and also the collateral victims of violence.

Members of the establishment who consciously take actions to maintain the status quo in politics, media, policing, and business. Although some of these enemies are clearly identifiable, most of them operate with various degrees of anonymity as bureaucratic cogs in a vast machine of oppression; this means that one of the greatest challenges is accurately identifying establishment members. Surprisingly, execution is not always the best way to make a member of the establishment ineffective, often it is better to expose them as liars, hypocrites, collaborators, or subjects of public ridicule.

“Many figures of speech have been used to describe Guerrilla Warfare, one of the most apt being ‘The War of the Flea’ which conjured up the image of a flea harrying a creature of by comparison elephantine size into fleeing (forgive the pun). Thus it is with a Guerrilla Army such as the I.R.A. which employs hit and run tactics against the Brits while at the same time striking at the soft economic underbelly of the enemy, not with the hope of physically driving them into the sea but nevertheless expecting to effect their withdrawal by an effective campaign of continuing harassment contained in a fivefold guerrilla strategy.”

The Irish Republican Army’s strategy included a war of attrition, the destruction of high-value assets, to make large regions ungovernable, to sustain a propaganda campaign, and to protect the movement against criminals, collaborators, and informers. The Green Book emphasized that volunteers need to achieve more than just killing enemy personnel, they must also create and maintain support systems that would not only carry the movement through the war, but would also facilitate a smooth transition after military victory had been achieved.

“Most volunteers are arrested on or as a result of a military operation. This causes an initial shock resulting in tension and anxiety. All volunteers feel that they have failed, resulting in a deep sense of disappointment. The police are aware of this feeling of disappointment and act upon this weakness by insults such as “you did not do very well: you are only an amateur: you are only second-class or worse”. While being arrested the police use heavy-handed `shock` tactics in order to frighten the prisoner and break down his resistance. The prisoner is usually dragged along the road to the waiting police wagon, flung into it, followed by the arresting personnel, e.g., police or Army. On the journey to the detention centre the prisoner is kicked, punched and the insults start. On arrival he is dragged from the police wagon through a gauntlet of kicks, punches and insults and flung into a cell.”

Capture was one of the greatest fears that volunteers lived with on a daily basis, so the Green Book addressed these concerns in detail and prepared volunteers for that possibility. This section was broken down into the actual arrest, the interrogation, and the legal process. There were three categories of torture that volunteers could face: physical, subtle psychological, and humiliation. Physical torture often took the form of beatings, kicking, punching, and cigarette burns. Psychological torture could include threats to family, friends, and self, or threats of assassination and disfigurement. Humiliation included being stripped naked, remarks about the prisoner’s sexual organs, and removing symbolic defense mechanisms.

One of the ways the Green Book prepared volunteers was by reminding them that they could only be held and tortured for a maximum of 7 days. Although the experience would likely be horrific, it could only last for a relatively brief duration; if they confessed or capitulated during their interrogation they could easily face a lifetime in prison where they would experience much of the same torture. One of the coping strategies they employed was to form images in their minds or on the surrounding walls, directing their concentration away from the interrogators and diverting it toward positive or neutral ideas, even something as simple as a flickering candle or a leaf.

Overall, what the Green Book does is it clearly lays out the ideological foundations of the movement, the requirements of its volunteers, the methodology for identifying and categorising enemies, the tactics that should be employed, and it also addresses the greatest fears of volunteers and teaches them how to cope in the event that they must face them. These are the foundational psychological requirements that are needed to recruit and retain effective underground guerillas. They must know why they are taking action, what their actions will achieve, how to behave, who they are targeting, and they need to know that they will be able to overcome their fears should they need to face them.