You may be brave. You may be willing to take your life into your own hands. But your co-workers, contacts, and especially your sources may not feel that way. You can make an informed decision about the risks you’re taking, but you cannot ethically make that decision on behalf of your sources. As a journalist, you have a moral obligation to protect your sources, and that means protecting your data, because once you are compromised, your entire web of trust is compromised. Privacy and security do not work retroactively. You have to take precautions ahead of time. Failure to do so will put your sources at risk.
So, now that we know that the stakes are high and that inadvertent mistakes can get journalists and their sources into trouble, what do you do about it? Security and privacy are a series of tradeoffs, and usually what you trade away is convenience. In short, trying to protect yourself from everyone all the time is a pain in the ass. This is why it’s important to work out a threat model: know what you want to protect and who you want to protect it from. Threat modeling is a term activists have stolen shamelessly from the tech industry, where it usually entails working out what assets are worth protecting, determining their vulnerabilities, identifying the internal or external threats that may exploit these vulnerabilities in order to cause damage to the assets, and determining what appropriate security countermeasures exist that mitigate the threats.
Now that we’ve talked about threat modeling, I’m going to recommend some tools and practices with which it is probably a good idea for most people to familiarize themselves.
If, for example, you are a Syrian activist living in Damascus trying to decide on an appropriate webmail provider, using Gmail with the Chrome browser might be a good choice for you. You want something that is fast, simple, and easy to use. You want it to be secure from Syrian government spying. The Assad regime controls all of the ISPs in Syria and engages in active surveillance of Internet traffic using Blue Coat devices built right here in Silicon Valley. Gmail uses HTTPS by default (which we will discuss later) to encrypt your webmail traffic at the transport layer so that the ISP can’t read it. You might be worried about the Syrian government using a man-in-the-middle attack and issuing a fake SSL certificate in order to read your encrypted web traffic (they tried this against Facebook in 2011), but the Chrome browser has certificate pinning for Gmail and all Google products in order to protect against MITM.
Google will have full access to your email. Google’s bots will read it in order to determine what ads to serve you on your Gmail page. If Google receives a valid court order or subpoena, it will hand over metadata about your email (the IP addresses you’ve logged in from, your contact list, who you’re sending mail to and when) or even the contents of your email to law enforcement. But if you take a look at Google’s transparency report, which shows all of the user data requests Google receives over a given six-month period, sorted by country, you will see that Syria is not on that list. It’s never been on that list. Google does not have an office in Syria and is not bound by Syrian law enforcement, which is probably why Syria does not bother to make requests and prefers the more proactive surveillance approach. The chances that Google will give up your email to the Syrian government over the course of the uprising are very, very low. While there are many things that this solution does not protect you from, it does protect your asset (your email) from the threat you have identified (the Assad regime).
We’ve talked a little bit about HTTPS already, and now we’re going to get down into it. If you look at the URL bar at the top of your browser, you’ll notice that the URL begins with the letters HTTP. This stands for Hypertext Transfer Protocol, an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. A web browser, for example, may be the client and an application running on a computer hosting a web site may be the server. The client submits an HTTP request message to the server. The server, which provides resources such as HTML files and other content, or performs other functions on behalf of the client, returns a response message to the client. The response contains completion status information about the request and may also contain the requested content in its message body.
When the web was young, all of this data was sent over the network in cleartext, meaning that anyone on the network could intercept your HTTP traffic and see what web pages you were going to, what data you had entered into them, and what those pages looked like. Then people wanted to be able to buy things online using credit cards, and they did not want their credit card numbers going out over the network where anyone could read them, so the powers that be invented HTTPS, which encrypts your web traffic while it goes out over the network. For a long time, web pages only used HTTPS to protect credit card transactions. Anyone listening in on your network, like the US government or your employer or your ISP or that guy on the other side of the café, could see the rest of your web traffic, including the websites you go to, the photos you’re looking at, and the emails you’re reading and writing. Sensitive stuff.
In 2010, EFF put out a browser extension called HTTPS Everywhere, which makes sure that if you are using a website that offers HTTPS as an option, you are always using it. Encrypting the web is an ongoing process. Who here uses a Yahoo! webmail account? My condolences. Yahoo! just announced last week that it had made HTTPS available as an option for its webmail users. You can enable it by selecting the option in your privacy settings, or it is automatically enabled if you are using HTTPS Everywhere in your browser, but as recently as two weeks ago, all that anyone needed to do in order to read your email was sit on your network with a packet sniffer.
How many people here have passwords on their computers? How about your phone? How many people here have a PIN that they use to access an ATM? A password for your email account? A password for your Twitter account? A password for your Facebook account? Now raise your hand if any two of those passwords are the same. Password safes make sure your passwords are strong and protect you from the dangers of password reuse, because they let you keep a different random password for every account without having to remember any of them. You don’t want to lose all of your accounts just because your username and password wound up in some hacker’s data dump from Yahoo or LinkedIn or Gawker. In August of 2012, Wired/Gizmodo journalist Mat Honan had all of the content wiped from his iPhone, MacBook, and iPad by hackers in an attack whose effects were magnified by the fact that his Amazon, Apple, Gmail, and Twitter accounts were chained together, so that breaking into one gave the attackers a way into the next. Some companies, such as Facebook and Google, offer two-factor authentication: if you log in from a new device, they will send a message to your cell phone with an additional code you must enter for access. Beware of password recovery questions such as “What city were you born in?” and “What is your mother’s maiden name?” These facts are available in public databases, so treat the answers as passwords too: make them up and store them in your password safe.
This is terrible if you care about privacy, but it’s great if you’re the US government. Just in case you think that government surveillance is something that only happens elsewhere, in authoritarian regimes, here’s a story. The US government, with assistance from major telecommunications carriers including AT&T, has engaged in a massive program of illegal dragnet surveillance of the domestic communications and communications records of millions of ordinary Americans since at least 2001. News reports in December 2005 first revealed that the National Security Agency (NSA) has been intercepting Americans’ phone calls and Internet communications. Those news reports, combined with a USA Today story in May 2006 and the statements of several members of Congress, revealed that the NSA is also receiving wholesale copies of Americans’ telephone and other communications records. All of these surveillance activities are in violation of the privacy safeguards established by Congress and the US Constitution. The evidence also shows that the government did not act alone. EFF has obtained whistleblower evidence from former AT&T technician Mark Klein showing that AT&T is cooperating with the illegal surveillance. The undisputed documents show that AT&T installed a fiber-optic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails, web browsing, and other Internet traffic to and from AT&T customers and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, “this isn’t a wiretap, it’s a country-tap.” EFF is fighting these illegal activities in the courts. Currently, EFF is representing victims of the illegal surveillance program in Jewel v. NSA, a lawsuit filed in September 2008 seeking to stop the warrantless wiretapping and hold the government and the government officials behind the program accountable.
So the US government is spying on all of our Internet traffic and collecting it in secret rooms. That was not enough to get people to change the way they think about Internet security. What convinced them? Firesheep. Firesheep is an extension for the Firefox web browser, written by software developer Eric Butler, that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. As cookies are transmitted over the network, the packet sniffer picks them up, displays the identities it finds in a sidebar in the browser, and lets the user instantly take over a victim’s logged-in session by double-clicking on the victim’s name. The extension was created as a demonstration of the security risk of session hijacking to users of web sites that only encrypt the login process and not the cookie(s) created during the login process. So now you could sit in a café and (if they’re not using a VPN) take over people’s Facebook and Twitter sessions. The threat of easily hijackable accounts caused Twitter and Facebook to make their services available over HTTPS. And in the last year or so, both of them have gone over to HTTPS by default, so that you no longer have to make a proactive decision to go into your privacy settings and turn HTTPS on to get this basic level of security. By 2010, Google had already made Gmail HTTPS by default. Microsoft Hotmail followed suit. The last two years have seen an unprecedented effort to encrypt the web.
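Here is what Firesheep’s sniffing step boils down to, as an added example written for this page (it is not Firesheep’s code). It parses plaintext HTTP requests captured on a shared network, pulls out the session cookies a hijacker would replay, and shows the server-side check that makes the attack stop working: session cookies marked Secure (and HttpOnly) on a site that is HTTPS everywhere. The captured requests, host names and cookie names are all constructed for the demo.

```python
"""Firesheep-style session hijacking, reduced to its parsing step.

Added example, not Firesheep's code. The captured requests and the cookie
names below are constructed for the demo.
"""

# Cookie names a sniffer would treat as "this is the login session"
# (hypothetical; Firesheep shipped a per-site handler with the real names).
SESSION_COOKIE_NAMES = {"sid", "session", "auth_token"}


def parse_http_request(raw):
    """Split one plaintext HTTP/1.1 request into method, target and headers.
    Everything here was readable to anyone on the same network segment."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def session_cookies(request):
    """Return just the cookies that log a user in, keyed by name."""
    jar = {}
    for part in request["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SESSION_COOKIE_NAMES:
            jar[name] = value
    return jar


def hijackable_sessions(captured):
    """What Firesheep's sidebar amounted to: for each sniffed request that
    carried a session cookie, the host and the cookie to replay."""
    found = []
    for raw in captured:
        req = parse_http_request(raw)
        cookies = session_cookies(req)
        if cookies:
            found.append({"host": req["headers"].get("host"), "cookies": cookies})
    return found


def cookie_is_hardened(set_cookie_header):
    """The server-side fix that shut Firesheep out: the session cookie must
    carry the Secure attribute (the browser only ever sends it over HTTPS)
    and, while we are at it, HttpOnly (page scripts cannot read it). Both
    are pointless unless the whole site is served over HTTPS."""
    attrs = {a.strip().lower() for a in set_cookie_header.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


# Constructed capture: three requests seen on an open cafe Wi-Fi network.
CAPTURED = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sid=abc123; theme=dark\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: news.example\r\nCookie: theme=dark\r\n\r\n",
    b"POST /update HTTP/1.1\r\nHost: micro.example\r\n"
    b"Cookie: auth_token=9f8e7d\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for victim in hijackable_sessions(CAPTURED):
        print(victim["host"], victim["cookies"])
    print(cookie_is_hardened("sid=abc123; Path=/"))                    # False
    print(cookie_is_hardened("sid=abc123; Path=/; Secure; HttpOnly"))  # True
```

The second request carries only a theme preference, so it never shows up in the sidebar; the other two hand an attacker a logged-in session without ever touching a password, which is exactly why encrypting only the login page was never enough.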
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM or MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi access point can insert himself as a man in the middle). A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other; it is an attack on mutual authentication (or the lack thereof). Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL can authenticate one or both parties using a mutually trusted certificate authority. There have been some instances in which certificate authorities have been compromised and issued fake certificates, such as the Dutch CA DigiNotar in September of 2011. Some governments have also tried man-in-the-middle attacks against the HTTPS versions of websites, such as Syria’s attempt to MITM Facebook in May 2011 and Iran’s attempt to MITM Google in August 2011. The Iranian attack was reportedly caught by a user running the Google Chrome browser in Iran, who noticed a warning produced by the “public key pinning” feature that Google had introduced in May of that year. Basically, Google hard-coded the fingerprints of its own sites’ encryption keys into Chrome and told the browser to simply ignore contrary information from certificate authorities.
That meant that even if an attacker got hold of a fake certificate for a Google site, as this attacker did, newer versions of the Chrome browser would not be fooled. Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past four years, and EFF has voiced concerns that the problem may be even more widespread. But this was the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th, 2011, almost two months before it was noticed, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates: any CA your browser trusts can issue a certificate for any site. Going back to our discussion of threat modeling, if you are concerned about protecting your web traffic from an attacker with this kind of capability, you should probably use a VPN.
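To make the pinning idea concrete, here is an added example (written for this page, not Chrome’s code) of the decision a pinning browser makes. Certificates are stood in for by their public-key bytes, every key is a constructed placeholder string rather than a real key, and the pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) is the HPKP one, chosen here for familiarity. The point it shows: a chain that validates perfectly through a trusted CA is still rejected for a pinned host when none of its keys is on the hard-coded list, which is exactly what tripped up the fraudulent Google certificate in Iran.

```python
"""Public-key pinning as the text describes it for Chrome and Google sites.

Added example, not Chrome's code. Each "certificate" is represented only by
its SubjectPublicKeyInfo bytes, and every key here is a constructed
placeholder, not a real key.
"""
import base64
import hashlib


def spki_pin(spki_der):
    """A pin is a hash of the public key, not of the certificate, so the
    site can re-issue certificates for the same key without breaking pins."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain_spkis, pins):
    """Pinning passes if ANY certificate in the validated chain (leaf,
    intermediate or root) carries a pinned key. Pinning the intermediate
    lets the site rotate leaf certificates without shipping a new browser."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def accept_connection(host, chain_spkis, ca_valid, pin_sets):
    """The browser's decision. Normal CA validation runs first; for hosts
    with hard-coded pins, a CA-valid chain is still rejected unless it
    contains a pinned key. That is what "ignore contrary information from
    certificate authorities" means in practice. Returns (accepted, reason)."""
    if not ca_valid:
        return False, "chain does not validate to a trusted CA"
    pins = pin_sets.get(host)
    if pins is None:
        return True, "no pins for this host; CA validation is the only check"
    if chain_matches_pins(chain_spkis, pins):
        return True, "chain contains a pinned key"
    return False, "CA-valid chain with no pinned key: treat as fraudulent"


# Constructed placeholder keys.
GOOGLE_LEAF = b"spki:mail.google.com leaf (constructed)"
GOOGLE_CA = b"spki:Google's own intermediate CA (constructed)"
GOOGLE_BACKUP = b"spki:Google backup key (constructed)"
PUBLIC_ROOT = b"spki:public root CA (constructed)"
FRAUD_LEAF = b"spki:*.google.com fraudulent leaf (constructed)"
COMPROMISED_CA = b"spki:compromised CA such as DigiNotar (constructed)"

# What the browser ships: per-host pin sets, including a backup pin so a
# planned key rotation does not lock users out.
PIN_SETS = {
    "mail.google.com": {spki_pin(GOOGLE_CA), spki_pin(GOOGLE_BACKUP)},
}

# Legitimate chain: leaf issued by Google's own intermediate, which is pinned.
LEGIT_CHAIN = [GOOGLE_LEAF, GOOGLE_CA, PUBLIC_ROOT]
# Fraudulent chain: CA-valid, because the compromised CA is in the trust
# store, but none of its keys is pinned.
FRAUD_CHAIN = [FRAUD_LEAF, COMPROMISED_CA]

if __name__ == "__main__":
    print(accept_connection("mail.google.com", LEGIT_CHAIN, True, PIN_SETS))
    print(accept_connection("mail.google.com", FRAUD_CHAIN, True, PIN_SETS))
    print(accept_connection("example.org", FRAUD_CHAIN, True, PIN_SETS))
```

Note the third call: for a host without pins, the same fraudulent chain sails through, which is why pinning only ever protected the handful of sites whose keys were baked into the browser.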
A virtual private network (VPN) extends a private network and the resources contained in the network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if it were on a private network, with all the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. VPNs can be either remote-access (connecting an individual computer to a network) or site-to-site (connecting two networks together). In a corporate setting, remote-access VPNs allow employees to access their company’s intranet from home or while traveling outside the office, and site-to-site VPNs allow employees in geographically separated offices to share one cohesive virtual network. In most cases, you may want to use a free VPN service such as Hotspot Shield to secure your Internet connection. Hotspot Shield creates a virtual private network (a secure connection, usually abbreviated to VPN) between your computer and the servers of its developer, AnchorFree, based in the USA. This tunnel encrypts all of your traffic between your computer and AnchorFree’s servers, meaning that anyone sitting on your local network or at your ISP can’t read it. Additionally, this connection makes websites think that you are based in the US, which is useful for censorship circumvention in some countries. Your VPN provider will see all of your traffic, and so will everyone between the VPN’s exit and the websites you visit unless you are also using HTTPS, so the two most important questions when you’re choosing a VPN are: 1. Where are they located? 2. How much do you trust them?
Sometimes it’s not enough to protect the content of your message from surveillance. If you need anonymity on the Internet, your best option is Tor. If you need to prevent eavesdroppers from seeing what sites you are going to, or if you need the people running the websites not to be able to deduce your identity or location from your IP address, I recommend Tor. Tor is free software and an open network that helps you defend against a form of network surveillance known as traffic analysis, which threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol. The Tor Project’s most popular tool is the Tor Browser Bundle, which comes with HTTPS Everywhere, so your traffic will be both anonymous and, wherever the site supports HTTPS, encrypted all the way to the website; without HTTPS, the exit relay that hands your traffic to the website can read it. The most common complaint about Tor is that it is sometimes slow. This is fine for most web browsing, but highly frustrating if you are watching streaming video or if you are in a low-bandwidth environment. Because of its usefulness in censorship circumvention, Tor is blocked in some countries, such as China and Iran. Tor developers and the Chinese and Iranian governments are engaged in an ongoing cat-and-mouse game in which the countries try to block Tor and Tor finds new ways to get around it.
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name and/or an e-mail address. PGP is useful when you need your email message to be readable only by yourself and your intended recipient. Your mail service provider may still store your mail, but all that they have is the ciphertext. Getting PGP to work with webmail is a complicated problem outside the scope of this talk.
Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie-Hellman key exchange, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides perfect forward secrecy and malleable encryption. The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or “off the record” in journalism sourcing. This is in contrast with other cryptography tools that produce output which can later be used as a verifiable record of the communication event and the identities of the participants. In most cases, people using such cryptography software are not aware of this and might be better served by OTR tools instead. Many chat clients support OTR out of the box: Adium, Jitsi, Gibberbot. Pidgin (Windows) supports it as a plug-in. Do not confuse OTR with the “Off the record” mode in AIM or Gchat, which just stops keeping logs of your chat. Authenticate fingerprints when using OTR: transmit the fingerprints over some other channel, such as email, Twitter, or a phone call, and compare them with what your client displays. This is known as “out-of-band authentication.”
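Why does the fingerprint step matter so much? The following added example (written for this page; it is not OTR’s code and also illustrates the man-in-the-middle attack described earlier) runs a toy Diffie-Hellman handshake three ways: directly between two honest parties, through an active attacker who swaps in her own keys, and then with the out-of-band fingerprint comparison that catches her. Real OTR signs the Diffie-Hellman values with a long-term DSA key; to stay inside the standard library this toy instead binds the session key to the long-term keys with a second, static Diffie-Hellman (the construction used in “triple DH” designs). The group, the Mersenne prime 2**127 - 1 with generator 3, is constructed for the demo and far too small for real use; OTR uses a 1536-bit MODP group.

```python
"""Why OTR users compare fingerprints out of band.

Added example, not OTR's code. OTR signs its Diffie-Hellman values with a
long-term DSA key; this toy binds the session key to the long-term keys with
a static Diffie-Hellman instead. The group below is constructed for the demo
and is far too small for real use.
"""
import hashlib
import secrets

P = 2**127 - 1
G = 3


def fingerprint(identity_pub):
    """OTR-style fingerprint of a long-term public key: SHA-1, displayed as
    five groups of eight hex digits that two people can read to each other."""
    digest = hashlib.sha1(identity_pub.to_bytes(16, "big")).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


class Party:
    """One chat participant: a long-term identity key plus, per session,
    a fresh ephemeral key that is thrown away afterwards (forward secrecy)."""

    def __init__(self, name):
        self.name = name
        self.id_priv = secrets.randbelow(P - 2) + 1
        self.id_pub = pow(G, self.id_priv, P)
        self.eph_priv = None
        self.session_key = None
        self.peer_fingerprint = None

    def hello(self):
        """First message: my identity key and a fresh ephemeral key."""
        self.eph_priv = secrets.randbelow(P - 2) + 1
        return self.id_pub, pow(G, self.eph_priv, P)

    def finish(self, peer_id_pub, peer_eph_pub):
        """Derive the session key from the ephemeral-ephemeral AND the
        static-static shared secrets, so the key only works if the peer
        really holds the identity key whose fingerprint we display."""
        ephemeral_ss = pow(peer_eph_pub, self.eph_priv, P)
        static_ss = pow(peer_id_pub, self.id_priv, P)
        self.session_key = hashlib.sha256(
            ephemeral_ss.to_bytes(16, "big") + static_ss.to_bytes(16, "big")
        ).hexdigest()
        self.peer_fingerprint = fingerprint(peer_id_pub)
        self.eph_priv = None  # forget it: past sessions stay unreadable


def exchange(alice, bob, mallory=None):
    """Run the handshake directly, or through an active attacker who replaces
    the keys in both directions with her own (one session facing each side)."""
    a_id, a_eph = alice.hello()
    b_id, b_eph = bob.hello()
    if mallory is None:
        alice.finish(b_id, b_eph)
        bob.finish(a_id, a_eph)
        return
    facing_alice, facing_bob = mallory
    ma_id, ma_eph = facing_alice.hello()
    mb_id, mb_eph = facing_bob.hello()
    alice.finish(ma_id, ma_eph)        # Alice thinks this is Bob
    facing_alice.finish(a_id, a_eph)   # Mallory now shares Alice's key
    bob.finish(mb_id, mb_eph)          # Bob thinks this is Alice
    facing_bob.finish(b_id, b_eph)     # Mallory now shares Bob's key


def make_mallory():
    """An attacker with one identity key and a session toward each victim."""
    facing_alice = Party("mallory")
    facing_bob = Party("mallory")
    facing_bob.id_priv, facing_bob.id_pub = facing_alice.id_priv, facing_alice.id_pub
    return facing_alice, facing_bob


def verify_out_of_band(party, real_peer):
    """The step OTR leaves to humans: compare the fingerprint the client shows
    with the one the real peer reads out over another channel (phone, email,
    Twitter). A mismatch means somebody else's key was substituted."""
    return party.peer_fingerprint == fingerprint(real_peer.id_pub)


if __name__ == "__main__":
    alice, bob = Party("alice"), Party("bob")
    exchange(alice, bob)
    print("honest: shared key", alice.session_key == bob.session_key,
          "| fingerprints verify", verify_out_of_band(alice, bob))
    alice, bob = Party("alice"), Party("bob")
    mallory = make_mallory()
    exchange(alice, bob, mallory)
    print("MITM: Alice and Bob share a key", alice.session_key == bob.session_key,
          "| Mallory reads Alice", mallory[0].session_key == alice.session_key,
          "| fingerprints verify", verify_out_of_band(alice, bob))
```

In the attacked run both victims end up with a working encrypted session, just not with each other, and nothing in the protocol itself can tell them so: the only thing that exposes Mallory is that the fingerprint Alice’s client shows is Mallory’s, not Bob’s, which is why the comparison has to happen over a channel Mallory does not control.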
Special topics, if we have time. And thank you.
Security and privacy for journalists
A Brief Overview of Security for Journalists
Created by: Eva Galperin and Jillian C. York
Electronic Frontier Foundation
Why is security important?
• Once you are compromised, you’ve compromised your entire web of trust
• Privacy and security do not work retroactively. You have to take precautions ahead of time.
Threat Modeling
• What assets are worth protecting?
• What are their vulnerabilities?
• What internal or external threats might exploit those vulnerabilities?
• What appropriate security countermeasures exist?