digital security for journalists
Post on 08-May-2015
7.908 Views
Preview:
DESCRIPTION
TRANSCRIPT
Digital Securityfor Journalists
Laurent Eschenauerlaurent@eschenauer.behttps://eschnou.com
Creative Commons Attribution-ShareAlike License (CC BY-SA)http://creativecommons.org/licenses/by-sa/2.5/
#1
Digital security in 2014
« Each time you pick up the phone, dial a number, write an email, make a purchase, travel on the bus carrying a cellphone, swipe a card somewhere, you leave a trace – and the government has decided that it’s a good idea to collect it all, everything. Even if you’ve never been suspected of any crime. »
Edward Snowden, ARD Interview, 2014
Source :http://www.freesnowden.is/2014/01/27/video-ard-interview-with-edward-snowden/index.html
Everything that can be collected IS collected Phone calls, SMS, geo-location Emails, chats, social messages Online activities, browsing habits, search queries, ...
Data is stored for at least five years Not accessed today.. but ready for when needed Easily searched based on keywords & other selectors
Paralell construction Used by the DEA, FBI to 'wash' classified leads
Source :NSA stores metadata of millions of web users for up to a year, secret files showhttp://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents
Unlimited, massive, dragnet surveillance
An example: XKEYSCORE
“A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals.”
“One NSA report from 2007 estimated that there were 850bn "call events" collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 12bn records were added.”
Source :XKeyscore: NSA tool collects 'nearly everything a user does on the internet'http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
#2
Why would YOU need security ?
What do you need to protect?
A source identity and/or location Documents Conversations Research topic You, your identity, your family
Protect from who?
Legal actions (leaks investigation) A government An organization (your employer ?) Competitors Criminals .....
Different kinds of Security
ConfidentialityOnly authorized eyes can read/hear the message
AuthenticationYou can verify who you are talking to or who wrote a message
IntegrityThe message has not been tampered with
AnonymityYour identity and location can't be discovered
AvailabilityThe message/information can't be easily destroyed/shut-off
OPSECBecause digital security is not always enough
Build cover identities Compartment activities Keep your mouth shut Use throw-away phones, sims, laptops,.. Plan for the worst
“Be proactively paranoid. Paranoia does not work retroactively.”
The Grugq, OPSEC for Freedom Fighters
Do I really need this ???!!??
What you do today in the clear could haunt you later You may need it someday, practice now You help other journalists by making it 'the norm' You make dragnet surveillance more costly You are journalists, your job to educate others
#3
Digital Security – the basics
Beware of your mobile phone
A real-time geo-location tracking device A remote listening device A gateway to your most intimate secrets Every action you take (call, message, picture,...) can be
monitored, collected and archived
If you really need to use a mobile phone...
Basic security (pin code, key lock, disk encryption) Do not store anything valuable (passwords, documents,..) Turn off & remove the battery to:
Protect your location when meeting a source Avoid remote listening
Use open source software E.g. Replicant on Android
Use crypto to communicate securely TextSecure, RedPhone
Don't use 'burner phones' unless you really know what you are doing, they can easily be correlated back to you
Assume it can be stolen/hacked anytime and you are comfortable with this
Secure your laptop
Use disk encryption and shutdown when travelling Setup a password and a locked screen saver Keep your system updated and have an antivirus Have a firewall, block all incoming traffic Use open source operating system and software Avoid storing important documents on your laptop Assume it can be stolen/hacked anytime and you are
comfortable with this
Online Security
Use strong & different passwordsA local & secure password manager can help
Beware of what you do, click, execute Use HTTPS as much as possible
Install the HTTPS everywhere extension Install the Do Not Track Me extension
Don't use cloud services, or assume everything in there is 'public' (e.g. gmail, dropbox, skype, ...)
Assume everything you do online could become public and you are comfortable with that
#4
Digital Security – advanced
!! Warning !!
Learn to use these tools before trusting them
with your life !
Privacy Use TrueCrypt or LUKS to encrypt USB sticks Use OTR to encrypt chat conversations
Only the content is protected, not who you are talking to Don't have logs in clear text on your disk :-) The recipient could well keep logs in the clear
Use PGP to encrypt emails Same remarks as for OTR, it protects the content of the
email, not the meta-data, not the identity Use a VPN to protect your traffic
E.g. when on public/client/conference wi-fi You must trust your VPN provider VPN provides privacy not anonymity !
Use HTTPS and POP3/IMAP over SSL
Anonymity
Scrub metadata of your documents Use Tor to keep your internet traffic anonymous
Assume all nodes are listening to you (use HTTPS)Note: even with HTTPS, you could be victim of Man-in-the-middle attacks (PKI/CA is broken). For added security, use 'certificate pinning' and TOFU (Trust on First Use).
Be carefull not to contaminate a session Use Tails if you are not sure of what you are doing Use CryptoCat for anonymous & encrypted chat
Note: this is a young project which has some issues, keep updated and verify latest news before using
“if you are a journalist and you are not using Tails, you should probably be using Tails, unless you really know what you're doing”
Jacob Appelbaum (@ioerror)
#5
Paranoia in practice
“Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.”
Bruce SchneierSource :NSA Surveillance: a Guide to Staying Securehttps://www.schneier.com/essay-450.html
“If you go and look at my inbox from July, probably 35% of the emails I received were composed of PGP . That percentage is definitely above 50% today, and probably well above 50%.
When we talked about forming our new media company, we barely spent any time on the question. It was simply assumed that we were all going to use the most sophisticated encryption that was available to communicate with one another. “
Glenn GreenwaldSource :Glenn Greenwald 30C3 Keynotehttps://archive.org/details/Greenwald30C3
#6
What now ?
Web browser securityhttp://fixtracking.com/
GPGhttps://gpgtools.org/ (OSX)https://enigmail.net/ (Linux)
Encrypt your documentshttp://www.truecrypt.org/
Use OTR when Chating https://adium.im/ (OSX) https://pidgin.im/ (Linux)
Download Tails, verify it and burn a CD
Let's install this today...
References
Computer Security for Journalists, Jennifer Valentino-DeVries, Wall Street Journal
https://docs.google.com/file/d/0B2HGtAJEbG8PdzVPdHcwekI2V2M/edit?pli=1 Opsec for Hackers, the Grugq
http://www.slideshare.net/grugq/opsec-for-hackers Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance
https://pressfreedomfoundation.org/encryption-works
top related