Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Help! I am an Investigative Journalist in 2017

708 views

Published on

Sensible combination of cryptography, privacy tools and OPSEC practices that could help investigative journalists protect their information souces in the age of mass-surveillance and metadata retention

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Help! I am an Investigative Journalist in 2017

  1. 1. Help! I am an Investigative Journalist in 2017 Whistleblowers Australia Annual Conference 2016-11-20
  2. 2. About me Gabor Szathmari @gszathmari • Information security professional • Privacy, free speech and open gov’t advocate • CryptoParty organiser • CryptoAUSTRALIA founder (coming soon)
  3. 3. Agenda Investigative journalism: • Why should we care? • Threats and abuses • Surveillance techniques • What can the reporters do?
  4. 4. Why should we care about investigative journalism?
  5. 5. Investigative journalism • Cornerstone of democracy • Social control over gov’t and private sector • When the formal channels fail to address the problem • Relies on information sources
  6. 6. SnowdenManning
  7. 7. Tyler Shultz
  8. 8. Paul Stevenson
  9. 9. Benjamin Koh
  10. 10. Threats and abuses
 against investigative journalism
  11. 11. Threats • Lack of data (opaque gov’t) • Journalists are imprisoned for doing their jobs • Sources are afraid to speak out
  12. 12. Journalists’ Privilege • Evidence Amendment (Journalists’ Privilege) Act 2011 • Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
  13. 13. Recent Abuses • The Guardian: Federal police admit seeking access to reporter's metadata without warrant ! • The Intercept: Secret Rules Makes it Pretty Easy for the FBI to Spy on Journalists " • CBC News: La Presse columnist says he was put under police surveillance as part of 'attempt to intimidate’ #
  14. 14. Surveillance techniques
  15. 15. Brief History of Interception First cases: • Postal Service - Black Chambers 1700s • Telegraph - American Civil War 1860s • Telephone - 1890s • Short wave radio -1940s / 50s • Satellite (international calls) - ECHELON 1970s
  16. 16. Recent Programs (2000s - ) • Text messages, mobile phone - DISHFIRE, DCSNET, Stingray • Internet - Carnivore, NarusInsight, Tempora • Services (e.g. Google, Yahoo) - PRISM, MUSCULAR • Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW • Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT • End user device exploitation: HAVOK, FOXACID
  17. 17. So how I can defend myself?
  18. 18. Data Protection 101 •Encrypt sensitive data* in transit •Encrypt sensitive data* at rest * Documents, text messages, voice calls etc.
  19. 19. Old Times • Ancient history: Caesar cipher, Polybus square, Scytale cipher • 15th century: Vigenére cipher, Cipher disk, Cipher square • 17th century: Jefferson disk cipher • 20th century: One-time pads, Rotor machines (Enigma, Lorenz)
  20. 20. Lorenz SZ42
  21. 21. Modern Uses • PGP (1991), PGPfone (1995) • HTTPS (1994) • OpenVPN (2001), IPSEC (1995) • Tor (2002) • Skype (2003, early days) • Disk encryption: 
 TrueCrypt (2004), BitLocker • End-to-end encryption (2010s) • Signal, ChatSecure • Messenger, WhatsApp, Google Allo
  22. 22. How all this applies to an investigative journalist?
  23. 23. Data Protection 101 • Encrypt sensitive data* in transit • Encrypt sensitive data* at rest * Documents, text messages, voice calls etc.
  24. 24. Encrypt the Data in Transit • Web: HTTPS, DuckDuckGo • Email: PGP • Text and voice calls (e2ee): 
 Signal, Threema • Group chat (e2ee):
 Semaphor, ClearChat, Crypho • Video calls (e2ee):
 Wire, Tox.im
  25. 25. Encrypt the Data at Rest • Local hard-disks and USB drives • macOS: FileVault, Windows: BitLocker,
 Linux: LUKS • Cloud file storage • Zero-knowledge services:
 Sync.com, TresorIt, SpiderOak
  26. 26. Data Protection 101 •Encrypt sensitive data* in transit •Encrypt sensitive data* at rest * Documents, text messages, voice calls etc.
  27. 27. ???? What did we miss?
  28. 28. Why? • Metadata retention • State sponsored hacking
  29. 29. What about metadata? • Mass collection • Retained for 2 years • Links you to the information source • Easy to apply link analysis
  30. 30. IBM i2 Analyst's Notebook
  31. 31. What about gov’t hacking? Tailored Access Operations (TAO) • Backdooring routers, switches, and firewalls • Backdooring laptops purchased online • Backdooring your laptop by phishing • Backdooring your laptop by exploits (“FOXACID”)
  32. 32. On a Security Conference
  33. 33. How all this applies to an investigative journalist? Round 2
  34. 34. Data Protection 101 (for journalists!) • Encrypt sensitive data in transit • Encrypt sensitive data at rest • Work in a secure environment
 (i.e write articles and communicate with info sources) • Hide the metadata • Compartmentalise your work • Solve the first contact problem
  35. 35. Secure environment Work on a device that is free of backdoors: • Anonymity: Tails operating system • Security: Qubes OS • Security & Anonymity: Qubes OS + Whonix
  36. 36. Hide that metadata Chat: • Ricochet IM File Exchange: • OnionShare
  37. 37. Compartmentalise Limits the damage done when you are hacked
  38. 38. Compartmentalise (cont’d) • Separate laptop for research & comms • One email address per source • One USB drive per source • Unique password on any website
  39. 39. First contact problem • Allow information sources contact you anonymously • SecureDrop • GlobaLeaks
  40. 40. Two actually …
  41. 41. A word on smartphones Your phone is a spying machine: • Doesn’t matter what model it is • Leave your phone at home
  42. 42. The most secure tool •Pen •Paper
  43. 43. Wrapping it up
  44. 44. Security and privacy is hard… • Surveillance is very sophisticated as technology has advanced • Metadata retention practices and data mining technologies will link you to the info source • The Peeping Toms are on your smartphone and laptop
  45. 45. …but not hopeless • Encrypt everything • Use a secure operating system • Use pen and paper • Hide the metadata • Compartmentalise • Leave your smartphone home • Solve the first contact problem
  46. 46. Further info • Tweet me on @gszathmari • CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au • Join a CryptoParty: https://cryptoparty.in/sydney • https://www.privacytools.io • https://prism-break.org • https://privacyforjournalists.org.au
  47. 47. Questions?
  48. 48. Sources • The History of Information Security: A Comprehensive Handbook • https://en.wikipedia.org/wiki/Cabinet_noir • http://blogs.lse.ac.uk/mediapolicyproject/2016/02/15/a-very-brief-history-of-interception/ • https://inforrm.wordpress.com/2016/02/21/a-very-brief-history-of-interception-in-the-britain-bernard-keenan/ • https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects • http://www.computerworld.com/article/2476515/network-security/the-security-flaws-in-tails-linux-are-not-its-only-problem.html • https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked • https://www.theguardian.com/world/2016/apr/14/federal-police-admit-seeking-access-to-reporters-metadata-without-warrant • https://www.techdirt.com/articles/20160829/06300835377/australian-government-using-data-retention-law-to-seek-out-journalists-sources-hunt-down-whistleblowers.shtml • https://theintercept.com/2016/06/30/secret-rules-make-it-pretty-easy-for-the-fbi-to-spy-on-journalists/ • http://www.cbc.ca/news/canada/montreal/journalist-patrick-lagace-police-surveillance-spying-1.3828832 • https://en.wikipedia.org/wiki/Telephone_tapping • http://www.nytimes.com/2015/03/01/nyregion/a-short-history-of-wiretapping.html

×