By now you should’ve learnt about the key points to analyse before choosing an instant messaging app and those apps we advise against as well as three apps we like a little more, but there are a lot of nuances to add at the end of this series. In this last chapter, we will discuss how to use the applications and how you should analyse what you communicate online.

To start with, let’s quickly talk about threat modelling. Threat modelling is an easy way to understand what level of security you need. Someone who simply uses their phone for trivial things does not have the same threat model as a journalist reporting on human rights or as an activist targeted by the government. Because an increase in privacy and security comes with the tradeoff of less usability, one should understand their threat model and act accordingly.

When we have talked about applications that respect your privacy, they are very good at avoiding big corporations to steal your data, and moderately good at stopping governments from targeting a big majority of people. What we mean with this is that anyone talking to their friends about how good last night’s party was should avoid using Instagram direct or WhatsApp not because they are concerned about their security being compromised, but because those companies make a profit from selling our data, and the more technology self-defence we practice as a community, the less powerful those mega-corporations are.

That does not mean that you should discuss illegal activities on signal. When thinking about what you should or shouldn’t say on a messaging app, ask yourself “do I ever want this message to be read in court?” If the answer is no, DO NOT send it.

No application is safe if there is spyware installed on your devices, which means that if your threat modelling puts you as a vulnerable target to spearfishing attacks by industry or governments, you should take extra steps, like only communicating about specific things face to face in a public space and not messaging anything online, regardless of how encrypted the messaging app is.

If you need to use technology to discuss things that you believe are a concern, you should take a few extra steps. Using a burner device that will be disposed of after the action, or after all the information has been gathered to write an article might be a good solution. Throwaway accounts that are not connected to any identifying information like emails or telephone numbers (using Session could be a great idea for that) is also a useful suggestion.

Within those communication apps, you can also toggle on-screen security, which would stop the application from allowing screenshots. This would help if there is spyware installed on your device that is trying to record your screen.

A quick note on “code” communication. There was a whole ass Cold War going the last century, with many intelligence agencies spying on each other. Your code words to describe situations “There is a lot of lemonade in my shopping trolley” will be easy to decipher by a judge, let alone an intelligence officer. Just don’t.

Ultimately, it is up to you to decide how much information you are putting on your device. Encryption means nothing if someone is directly spying on your phone, and if you wouldn’t say in front of a cop what you’re about to type to your mate, just don’t type it. Meet with them, have a chat whilst you walk around in the woods WITHOUT your phone and agree on your next meet up date face to face.

For everybody else who does not feel the government is a direct threat to their privacy, data companies ARE a direct threat to your privacy. This is a major problem that involves us all, and you should practice community self-defence. Ditch those spying apps from your phone and move over to stuff that respects you and your friends a little more. It only takes about a week to get used to a new application!


UA Tech&Sec support.

PS: We spend a great amount of time and energy learning to teach the public about this kind of stuff. If you appreciate our work, please consider donating to our project. UA is everybody, and within all of us, we can make a platform that will hopefully help in the revolution. Monero and Bitcoin donations are recommended (find our wallet addresses on the website), but if you can’t we also have PayPal and Patreon.

Paypal: unoffensive_animal(aatttt)tutanota(cddddot)com


This post continues from the one before, which you can find HERE.

By now you would’ve understood key components that make or break a messaging app and should’ve read the list of common applications we would advise against. Today, we would like to mention three applications we feel are much better in terms of respecting your privacy and security.

SIGNAL: Signal has, unsurprisingly, become the gold standard for encrypted messaging applications. Its Sealed Sender capabilities have managed to reduce a lot of the metadata sent out to their servers, it has a very simple and easy to use interface, allows for group chats, group phone calls and group video chats and it is of course open-sourced and end to end encrypted by default. There are two drawbacks to signal that are still important and should be considered depending on your own threat model. The first one is that Signal is centralised, which means if a government decided to block Signal servers, Signal would not work in that specific country (Belgium has just said they are thinking about doing exactly that!). It means there is a single point of failure, and although it would be very difficult to decrypt any information, all that data is being funnelled through a single point. The second big problem with Signal is that it requires user data in order to set up an account. That user data is also not some silly, throwaway email, they need your telephone number. In many countries around the world, obtaining a SIM card without an ID is a problem in itself, but even when that SIM is anonymous, leaking a phone number that is continuously attached to your device could mean being targeted via connectivity networks and being geolocated by telephone towers. Telephone numbers tend to be something personal, and sometimes you do not wish to give someone you just met your number. Those are the two main drawbacks in an otherwise very powerful application.


SESSION: Session App is the youngest app on our list, but it has made incredible progress and we would go as far as saying that we prefer it over Signal. It is a decentralised, open-source app backed by about 1800 nodes around the globe that routes all your traffic through onion routing, which means there is no IP leak and other identifying metadata is stripped off. The biggest and most important feature that makes Session stand out is that you do not require ANY personal information to sign up. No email address. No telephone number. No name. NOTHING. How fucking cool is that?! The fact that they’ve now implemented voice and video calls, onion routed and in a very user-friendly way, has won all the points needed for us to push it to n1! Let’s not forget about drawbacks tho. Because it is decentralised, it takes a little longer for the message to be received by your friend. This is barely noticeable on text and even photos, but it might take a few extra seconds for a video to send or to download! The second, more important drawback is that Session does not enforce Perfect Forward Secrecy. This is a complicated system where encryption keys get substituted regularly so if someone was to steal the key somehow they would only be able to decrypt some messages and not entire conversations. Session does not implement PFS, but as the encryption key is saved in your device, if your device was compromised the text would already be in plain text. Whilst we understand Session’s mitigation against that attack, they should implement PFS for extra security. Session is the app we would advise for all of you to talk to each other on a regular basis.

Read more here:

BRIAR: Briar is an incredibly interesting application. End to end encryption by default and an open-source application that will only run on Android devices (sorry iPhone users). It runs through P2P connectivity, which means no server or nodes to depend on. When you message someone on Briar, the message travels through the TOR network directly to your friend’s device without depending on any specific centralised systems. Briar is also a very useful tool when the network is down. Police will, during intense riot situations, jam the network in order to stop any form of connectivity. Briar circumvents those problems by allowing users to connect through a Bluetooth mesh or a wifi mesh, without depending on the telephone network. This, of course, has a distance limitation. The drawbacks should be obvious. A P2P connection is not anonymous. The message is encrypted and if someone was sniffing the connection they would not be able to read your texts or see the photos, but the recipient of your text is able to work out the network you connect to and some device identifiers which could be used to de-anonymise you. As mentioned before, it only runs on Android, so compatibility might be a problem. Finally, briar has a usability problem. Because it is P2P and your messages are not stored in a server, they cannot be sent to your friend unless your friend is also connected. Briar is an incredible app and we highly recommend it, but we would advise you to use this app for specific situations and only with people you trust. Briar is without a doubt, the app we would use when the armed revolution starts!

Find Briar here:

Keep an eye for our next instalment of this miniseries, which will be a more practical use and advice on how to talk to each other.

Remember that apps only know what you tell them. We will talk about what to say and what not to say in our last instalment about messaging apps! 


UA Tech&Sec 101 support.

PS: We volunteer our time, but we cannot volunteer all our funds too in order to keep this project alive. If you have the means and like what we do, please consider donating a few coins. Monero is our favourite way, you can find the wallet address on our website, but if you don’t use cryptocurrencies you can donate over Paypal and Patreon too!
PayPal: unoffensive_animal(aaattt)tutanota(ddddot)com


alf cuts a vent to a chicken farm with boltcutters

This post is a continuation of a series, the previous post can be found HERE

We have talked about the different key points that make a good instant messaging app, and it is time to name and shame applications you should never use for any communications (from organising a demo to organising a coffee date, fuck using the apps below!)

SMS (Text) Messages. We’ve already talked about this but your SMS are sent in plain text and literally, everybody can read them. Don’t use text unless necessary.

FACEBOOK, INSTAGRAM AND SOCIAL MEDIA MESSAGING: Facebook Messenger, Instagram Direct and other social media private messaging apps are NEVER safe to use. They work in a centralised network, they are (for the most part) not encrypted and they only serve one purpose: to collect your data. All the big social media names also have no problem complying with governments when requested, so your metadata, text and media will be shared on request. WhatsApp is an incredibly common instant messaging application you should delete from your phone immediately. Since it was acquired by Meta (Facebook) this has become an even more important thing.

WHATSAPP: WhatsApp is a closed source application (which means no one can read the code to tell if what WhatsApp says is true) and although they say it has End to End Encryption, Facebook can read any texts that have been marked as abusive, which brings into question the truth about their encryption. They collect heaps of metadata (location, time, date, users involved in the conversation and so on) which is not encrypted and they have an extensive track record of collaborating with the government. Move your family away from WhatsApp and delete the app. Seriously.

iMESSAGE: iMessage is also heavily advised against. For iPhone users only, iMessage was a very useful app when it was first introduced, making texts free for a lot of people! There are many problems with iMessage but here are a few important ones. The app’s code is closed. Their encryption protocol is trash. They collaborate with the NSA and will give information to governments on request. It is not a safe app.

TELEGRAM: Telegram needs to be completely trashed and put in the bin. This will divide many people and might make you feel uncomfy inside, but telegram is NOT a safe app. They have managed to sell themselves as a privacy and security messaging application, but the amount of problems with the application is staggering. To start with, Telegrams encryption is not enabled by default. This is such a massive problem that should make you uninstall the app immediately just because of it, but there are a few other bits to talk about. Telegram collects user information, does not hash it and permanently shares that information with the parent company. They DO NOT encrypt metadata (so the conversation logs are available) and thanks to a not-so-open-sourced code dealing with their bespoke cryptography, the company CAN READ YOUR MESSAGES even when encrypted! Telegram is so not an application to use, not for group chats, not for private chats, not for anything. There are much better alternatives to explore. In the next article, we will give you a few options for better messaging apps to use. Keep an eye out!


UA Tech&Sec Support

PS: If you appreciate the work we do, please send a few coins. We could do with some support.

Crypto addresses are on our website but PayPal and Patreon you can find just below!
PayPal: unoffensive_animal(aattt)tutanota(doottt)com


Let’s talk about instant messaging communication. Since smartphones have become more and more embedded in our lives, instant messaging apps have taken a primary role in how we communicate. They are simple, they are fast, and they allow for photos and videos and even video calls over the internet, taking a huge step forward from the SMS/MMS capabilities of phones in the past.

But technology has more to it than accessibility, and instant messaging apps are not all created equal. In the next instalments of this series, we will talk about the apps we recommend and those that we advise against, but for now, we would like to define a few concepts that are very important for you to choose how you communicate with friends.

SMS/MMS texts are a decades-old protocol to send texts or media. They are reliable, but they are completely visible to telecommunication companies and governments as well as anyone with sufficient knowledge to connect to a telecommunications antenna. Stay away from them!

End to End Encryption BY DEFAULT should be the gold standard. Encryption is a process where the text sent is scrambled and can only be transformed into plain text by the recipient, who possesses a private key able to understand the “language” of the scrambled text. Many apps have encryption features, but only those that are encrypted by default (not as a “private conversation” feature) should be used.

Metadata is the information about the text, image or video you are sending. The metadata of a message could be the time and date it was sent, who the sender is, who the recipient is, the location of the sender and whatever other information an app collects and sends with the actual message. Applications that do not leak metadata are of course preferable when communicating with others.

Centralised, Decentralised and P2P Networks are different ways that your messages travel from your phone to your friend’s phone. 

Centralised networks work as follows: You send a message, it travels (hopefully encrypted) to a centralised server, and the server then sends that message over to your friend. The problem with Centralised networks is that there is one single location that has all the power. It means that the government can enforce censorship by blocking the servers, and even simply by raiding the servers and taking them away. There is a second problem with centralised networks. Even if your message is encrypted, depending on the app you are using the server will have various degrees of metadata knowledge. That means that if someone can access that centralised server, they can tell who is sending and receiving messages, at what time and even locations. Signal app is an example of an Encrypted, Centralised Messaging App.

Decentralised networks solve this problem. They use multiple nodes, so your message travels from you to a node, from that node to another and so on until it arrives in your friend’s app. This fixes a couple of problems. The first one, you cannot simply take down one server to stop someone from communicating with somebody else. In the second one, you can add extra layers of encryption on each node (like a TOR network), rendering any leftover metadata useless). The drawback of decentralised networks is that they are slower than centralised ones (sometimes by nanoseconds, but sometimes it’s a lot more noticeable!). Session App is an example of an encrypted, decentralised instant messaging app.

P2P or Peer2Peer is more of a connection than a network. When you use an instant messaging app with P2P the users will synchronise without the need for a secondary server or multiple nodes. This method makes things a lot safer. There is no risk of a compromised server, or of someone running multiple malicious nodes attempting to either deanonymize you or somehow collect metadata. There is one big problem with this. Both you and your friend need to be connected at the same time for that message to travel from your device to their device. If you send a message when your friend is offline, and then you go offline, even if your friend connects that message will still sit on your phone, as you are no longer attempting to send it. A second problem with encrypted P2P connections is that they do not anonymise you. Your friend could be able to tell information about your device and network as you are both connected.

Now that you know a few of the parameters you should consider before messaging someone, we will be able to talk about which apps we would advise to uninstall and then set on fire, and which apps are recommended to use, but we will do that on future instalments to not bore you to death with technical knowledge!


UA Tech&Sec Department.

PS: UA is a collaborative, not for profit project that never makes enough money to cover costs. If you enjoy our content, please consider donating. We have crypto addresses on our website (for ultimate privacy we advise you send through Monero, not Bitcoin), but there is also Paypal and Patreon.

Please consider sending even if it is a single coin, it all helps!
Paypal: unoffensive_animal(aaaaatttt)tutanota(doooot)com


In past instalments we’ve talked about creating a safe password for your smartphone and how to use a password manager for all other accounts, but something was left behind that needs addressing.

As we mentioned before, data leaks can happen, and even tho the passwords to access an account on any internet platform tend to be stored hashed, it can be unhashed by people with the right tools.

So there is no point having a great password that then gets leaked and cracked, right? We can do something about this too.

Multifactor authentication is a way of ensuring whoever is sending the credentials to an account is actually the person who owns that account. It normally uses two of these three:

  • Something you know (usually, your password!)
  • Something you have (your smartphone, or a hardware key, or some other object)
  • Something you are (fingerprints, biometrics and so on)

We have talked about the dangers of biometrics already and we would highly advise you to not use them. That said, you still can use two factor authentication (2FA) by giving something you know (your password) and something you have (either a hardware key, or an application on your smartphone).

This is how it works; when you log in on Facebook, you are asked for your email and password. You have done your job right and know that the password is complicated and stored in your Bitwarden account. So you select it, then add that little bit of password that only you remember, and hit enter. A second screen appears that asks you for a code. You check your smartphone, introduce your code, and you’re in!

Ideally, that code will be a one time use code and change every time, making things a lot safer.

That means that if someone was to get your password, they still wouldn’t be able to access your account without also having that code, which should be in your pocket!

You have already done this before, normally over telephone number. Amazon asks you for a mobile number, they send you a code over text, and then you introduce it in your log in screen to get in. But texts are sent and stored in plain text, and SIM Swapping (an attack where someone manages to acquire your telephone number without you realising) is a very common vector of attack.

Instead of using your telephone number, you can choose to use a hardware token if you feel you need to go the extra mile with your security (like YubiKey, go read about it!) or you can use a software based 2FA authenticator.

Our recommendation for a software based 2FA authenticator would be the open sourced Aegis Authenticator if you’re using Android, as it offers a few extra features like password access and back up options, or TofuAuth if you’re using iOS, also open sourced and designed for iPhones.

The process is simple, you go to your account, find 2FA and enable it. You then grab your phone, scan the QR code that the website offers and it will automatically add it to the account. Now the app and the website will be able to talk to each other and nod in agreement when you give them the right code!

This is an incredibly easy, yet very effective way of keeping your accounts safe. Please head to your accounts and enable 2FA, connect it to your phone software and stick your middle finger to whoever might try to gain access to your accounts!

UA Tech and Sec department.

If you like what we do, consider donating a few coins, we have very little funds left
Paypal: unoffensive_animal(at)


We have talked in the past about how important a passphrase is to unlock your smartphone, instead of a numerical code, or if you’re still not up to date with how law enforcement abuses their powers, especially don’t use biometrics like your fingerprints or FaceID.

If you have not read about smartphone passphrase, you should start here:

Now that you have read that, we MUST talk about all other passwords you use to log in to every other account you own.

Passwords are normally stored in the servers of those accounts (let’s say Facebook for example), as hashes. That means that people cannot simply access your password as plain text. But many tools are able to unhash and find your passwords. 

So how do we protect ourselves from a major data leak, that would release into the internet the key to open every account you own? 

Firstly, we need to visit a few rules: 

  • You should NEVER reuse your password. It doesn’t matter if it is for an account you don’t care about. Just DO NOT reuse your password. If it leaks for one account, it will leak for all accounts!
  • Your passwords should be complicated and should be lengthy. There are many ways of “creating” passwords, but we will explain a very simple one later on in this article.

So once we have learnt those two rules, how can we create, manage and memorise very long, complicated passwords, that are single-use so you do not repeat them in every single account? 

The answer is using a password manager.

A password manager is a vault that keeps all those passwords safe and away from prying eyes. For most of our readers, whose threat level is probably low, we will recommend a cloud-based password manager due to its ease of use, but if you believe you should go a step further, once you’ve read about password managers check KeePass, a completely off-cloud alternative.

Our recommendation for a cloud-based password manager is Bitwarden. Bitwarden is an open-sourced password manager capable of storing all the information you need, but also able to generate new passwords on demand and synchronising within all your devices if so you wish. 

Storing all your passwords in a single drawer sounds like a huge, scary thing doesn’t it? This is why you should think before you even create a new account with Bitwarden.

1- Create a new, never-used-before email address. Only use it to create that password manager account, so it doesn’t leak. That means it is more difficult to try to brut force the password manager credentials if the attacker doesn’t even know what email address you could’ve used.

2- Create a MASTERPHRASSE. Remember how we talked about a passphrase for your smartphone? Follow those rules, but double it, or even triple it in size. Write it down for a few weeks until you are 100% sure you will not forget, and practise using it. Make it the longest, most complicated password you can create whilst being able to remember it because it is the password that will rule all the passwords. 

Now, you can log in to Bitwarden, and start storing all your account’s passwords. And because we know what your like, this is the moment we prompt you to CHANGE THE 6-YEAR-OLD PASSWORD YOU’VE NEVER IN YOUR LIFE CHANGED. Seriously, go on Facebook, change your password. Go on your proton mail, and change your password. Go on your amazon account and CHANGE-YOUR-PASSWORD.

You will find this a very good little tool within Bitwarden. When you’re changing a password in whatever account, you can click on “generate password”, choose the length and how complicated you need it to be, and the software will create the password for you. You copy it, change the password in the account, then save the new credentials in your Bitwarden and voila! You are done! 

But I can imagine more than one person complaining about putting all the vegan eggs in a single, steel basket, and hoping that that does not fuck things up. 

And you people are right. That master passphrase could be broken. All your accounts, compromised. And we also have remedies for those problems.

In a future instalment, we will talk about 2FA and how to use it (not the one where google sends you a text with a code mind you!). but for now, this is a cool little trick you can use to secure your accounts a step beyond the password manager. 

Let’s imagine that the FBI has decided to check out all the nudes you send over Instagram DMs. They try to enter your IG, but they are unsuccessful. Sadly, they find a plaintext of your password manager master passphrase, and they learn that your Instagram login credentials are: 

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&[email protected] *(a very nice password created by the PW generator within Bitwarden!)

When they try to log in, “username and/or password are invalid” prompts the screen! 

Why? Because you did not put all the vegan eggs in one steel basket. You kept half an egg to yourself.

That metaphorical egg is “something you remember”, an add on to your password, something extra that you don’t forget. 

For example, let’s say that you really like plants, and your favourite plant is a pothos. Maybe that something you remember can be {p0th0%s}, and when you are creating new passwords to all your accounts, you keep adding “{p0th0%s} at the end of the randomly generated password that Bitwarden is giving you.

When you save your passwords, you are not saving {p0th0%s} alongside it, but you simply remember it, so when you need to log in to IG for example, Bitwarden gives you this: 

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&[email protected]

But you remember that the actual password is:

Password: z3JtBqGT$ZRjWY!cf&[email protected]+{p0th0%s}

And tada! You made your life a little safer by spending a couple of days learning a new tool that will really, really help you in the long run. 

Enjoy, and for the love of bunnies, stop using “password123” as your password, please. 

UA Tech and Sec department.


Most of us have one, most of us benefit from them, we put our lives all over them but should in reality fear them. Smartphones are a tool of the modern world, being able to share data to anybody instantly; a mindblowing concept.

Each year, new devices are released, with new and possibly beneficial features, Authenticating yourself only by looking at the screen, Storing Photos in the cloud, Managing banking transactions with minimal effort. Smartphones are convenient. Yes. They can also be VERY damaging for activists.

A device that knows where you are, where you’re going, when you’re there, the journey you took, and whether you drove, walked or cycled. They know who’s with you, they hold the messages you’ve sent to each other and the pictures and videos you took while you were there.

One small mistake and the device you hold so dearly can get you into some serious ‘legal’ issues. The biggest mistake that you may already be making? Unlocking your phone.

Various reports show that most devices are secured with a 4 Number Passcode, Are you currently doing this? If you are, this should be the first step you take to securing your device. Longer passwords are harder to enter, yes, but are also relatively harder for Law enforcement to break.

Knowing the difference between an Insecure and ‘Secure’ Smartphone can be difficult. With the next few posts, we’ll try to recommend easy to implement changes and tips that ANYBODY can follow, irrelevant to your knowledge of technology.

There’s a constant battle in the tech world with Security vs Convenience, With Smartphones, typically benefit from convenience. As mentioned above, Face, fingerprint, and iris unlocking for your device are very ‘cool’ and convenient methods of authentication but take it from us, there’s nothing stopping Law enforcement from forcing your eyes open, your phone to your face, or by pressing each finger onto your fingerprint scanner. – the only thing they currently cannot do is force you to provide a password to a device. 1*

Most Operating Systems on Phones use the screen lock as a method of Encryption; It’s good to assume that if you’re using a 4 number password or similar, the data on your device is easily recoverable by anybody with very little effort.

Bringing us to the first change for a more secure device.

Your Device password.
If you’re currently using a ‘PIN Code’ or Numerical password, Change it.
If you’re using a Pattern lock, Change it.
If you’re using Biometrics, Fingerprint, FaceID, Iris… Stop… Seriously. Stop it. Stop reading, go disable it now…
If your password is the name of your ‘pet’, child, spouse, town, date of birth, Spring2016, AnimalLiberation, or FuckTheCops, Change it.

Change it to what? Good Question!
How do we as Human beings, Generate a Secure, complex password that’s difficult for a highly-intelligent computer to guess? It’s not difficult, there’s a general rule in the password-cracking industry that longer passwords aren’t typically the most secure.

As the person writing this post, I can suggest the following formula for ‘Secure’ Passwords.

Multiple, DIFFERENT Symbols, Multiple Words in different languages if you’re so lucky to know them and numbers, no phone numbers, bank pins or dates and 1312, 161, etc are also not secure :). It may be easier for you to remember a complex password if it flows easily when you recall it in your head, maybe something that rhymes.

For Example, Looking around me right now, I will try to make a ‘secure’ password, 1 x Aloe Vera Plant… 1 x Bottle of Water… 2 x Skylights… 8 steps to some Stairs…

My Password could be:
!128/[email protected]

Easier to remember, but less Secure:

Now… I understand that you might be thinking “There’s no way I’m going to remember something like that…” This is why it’s important to personalize your password with rules and patterns that make sense to you. Assuming you use your Smartphone every day, That’s a repetitive task for your brain and you will learn to type the password easily, without thought very quickly. It’s just adjusting to it that may take a few days. Sadly, Security is not convenient and will take effort to introduce.

If you’re worried about forgetting the password, I suggest keeping a written copy or reminder of the password until you don’t need it anymore and then destroy it with fire :), it’s better to use a slightly insecure method of security temporarily than it is to only use insecure methods permanently.

This change is possibly the most mentally demanding. It will take time and effort to introduce properly but once you’ve laid the groundwork here, the effectiveness of the other changes will be greatly increased; Banks aren’t made from Cardboard for a reason ;).


Change your Password!
Unoffensive Animal.


1* – Depending on where you are in the world, the Police can press Legal charges for individuals who do not provide access to personal devices. What we mean is they can’t force their way into your brain.

We now accept Bitcoin and Monero as donation methods! Please visit "Support Us" page to find out how.