Digital Security for Journalists

40 %
60 %
Information about Digital Security for Journalists

Published on February 13, 2014

Author: eschnou



A lecture given during a 2 hours workshop with journalism students to introduce them to Digital Security and OPSEC. The goal of this lecture is not to train them in using these tools but simply to raise awareness on the dangers and potential solutions.

Digital Security for Journalists Laurent Eschenauer Creative Commons Attribution-ShareAlike License (CC BY-SA)

#1 Digital security in 2014

« Each time you pick up the phone, dial a number,  write an email, make a purchase, travel on the bus  carrying a cellphone, swipe a card somewhere, you  leave a trace – and the government has decided  that it’s a good idea to collect it all, everything.  Even if you’ve never been suspected of any crime. » Edward Snowden, ARD Interview, 2014 Source :

Unlimited, massive, dragnet surveillance Everything that can be collected IS collected    Phone calls, SMS, geo-location Emails, chats, social messages Online activities, browsing habits, search queries, ... Data is stored for at least five years   Not accessed today.. but ready for when needed Easily searched based on keywords & other selectors Paralell construction  Used by the DEA, FBI to 'wash' classified leads Source : NSA stores metadata of millions of web users for up to a year, secret files show

An example: XKEYSCORE “A top secret National Security Agency program allows analysts  to search with no prior authorization through vast databases  containing emails, online chats and the browsing histories of  millions of individuals.” “One NSA report from 2007 estimated that there were 850bn  "call events" collected and stored in the NSA databases, and close  to 150bn internet records. Each day, the document says, 1­2bn  records were added.” Source : XKeyscore: NSA tool collects 'nearly everything a user does on the internet'

#2 Why would YOU need security ?

What do you need to protect?  A source identity and/or location  Documents  Conversations  Research topic  You, your identity, your family

Protect from who?  Legal actions (leaks investigation)  A government  An organization (your employer ?)  Competitors  Criminals  .....

Different kinds of Security  Confidentiality Only authorized eyes can read/hear the message  Authentication You can verify who you are talking to or who wrote a message  Integrity The message has not been tampered with  Anonymity Your identity and location can't be discovered  Availability The message/information can't be easily destroyed/shut-off

OPSEC Because digital security is not always enough  Build cover identities  Compartment activities  Keep your mouth shut  Use throw-away phones, sims, laptops,..  Plan for the worst “Be proactively paranoid. Paranoia does not work  retroactively.” The Grugq, OPSEC for Freedom Fighters

Do I really need this ???!!??  What you do today in the clear could haunt you later  You may need it someday, practice now  You help other journalists by making it 'the norm'  You make dragnet surveillance more costly  You are journalists, your job to educate others

#3 Digital Security – the basics

Beware of your mobile phone  A real-time geo-location tracking device  A remote listening device  A gateway to your most intimate secrets  Every action you take (call, message, picture,...) can be monitored, collected and archived

If you really need to use a mobile phone...    Basic security (pin code, key lock, disk encryption) Do not store anything valuable (passwords, documents,..) Turn off & remove the battery to:    Protect your location when meeting a source Avoid remote listening Use open source software  E.g. Replicant on Android  Use crypto to communicate securely  TextSecure, RedPhone Don't use 'burner phones' unless you really know what you are doing, they can easily be correlated back to you   Assume it can be stolen/hacked anytime and you are comfortable with this

Secure your laptop  Use disk encryption and shutdown when travelling  Setup a password and a locked screen saver  Keep your system updated and have an antivirus  Have a firewall, block all incoming traffic  Use open source operating system and software  Avoid storing important documents on your laptop  Assume it can be stolen/hacked anytime and you are comfortable with this

Online Security  Use strong & different passwords A local & secure password manager can help   Beware of what you do, click, execute Use HTTPS as much as possible     Install the HTTPS everywhere extension Install the Do Not Track Me extension Don't use cloud services, or assume everything in there is 'public' (e.g. gmail, dropbox, skype, ...) Assume everything you do online could become public and you are comfortable with that

#4 Digital Security – advanced

!! Warning !! Learn to use these tools before trusting them with your life !

Privacy   Use TrueCrypt or LUKS to encrypt USB sticks Use OTR to encrypt chat conversations     Use PGP to encrypt emails   Same remarks as for OTR, it protects the content of the email, not the meta-data, not the identity Use a VPN to protect your traffic     Only the content is protected, not who you are talking to Don't have logs in clear text on your disk :-) The recipient could well keep logs in the clear E.g. when on public/client/conference wi-fi You must trust your VPN provider VPN provides privacy not anonymity ! Use HTTPS and POP3/IMAP over SSL

Anonymity   Scrub metadata of your documents Use Tor to keep your internet traffic anonymous  Assume all nodes are listening to you (use HTTPS) Note: even with HTTPS, you could be victim of Man-in-the-middle attacks (PKI/CA is broken). For added security, use 'certificate pinning' and TOFU (Trust on First Use).    Be carefull not to contaminate a session Use Tails if you are not sure of what you are doing Use CryptoCat for anonymous & encrypted chat Note: this is a young project which has some issues, keep updated and verify latest news before using

“if you are a journalist and you are not using  Tails, you should probably be using Tails,  unless you really know what you're doing” Jacob Appelbaum (@ioerror)

#5 Paranoia in practice

“Since I started working with the Snowden  documents, I bought a new computer that has never  been connected to the internet. If I want to transfer a  file, I encrypt the file on the secure computer and  walk it over to my internet computer, using a USB  stick. To decrypt something, I reverse the process.  This might not be bulletproof, but it's pretty good.” Bruce Schneier Source : NSA Surveillance: a Guide to Staying Secure

“If you go and look at my inbox from July, probably 3­ 5% of the emails I received were composed of PGP .  That percentage is definitely above 50% today, and  probably well above 50%.  When we talked about forming our new media  company, we barely spent any time on the question. It  was simply assumed that we were all going to use the  most sophisticated encryption that was available to  communicate with one another. “ Source : Glenn Greenwald 30C3 Keynote Glenn Greenwald

#6 What now ?

Let's install this today...  Web browser security  GPG (OSX) (Linux)  Encrypt your documents  Use OTR when Chating    (OSX) (Linux) Download Tails, verify it and burn a CD

References  Computer Security for Journalists, Jennifer Valentino-DeVries, Wall Street Journal  Opsec for Hackers, the Grugq  Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Digital Security | Global Investigative Journalism Network

Global Investigative Journalism Network ... a digital security expert at the ... The Committee to Protect Journalists addresses cyber security as part of ...
Read more

Digital Security | IJNet

Court rules news expires after two years, the worst digital security guide on the web and more in this week's Digital Media Mash Up, produced by the Center ...
Read more

Digital Security for Freelance Journalists | Rory Peck Trust

The Rory Peck Trust maintains this section of our site for freelancers to learn more about protecting their safety by controlling their digital footprint.
Read more

Digital Security For Journalists - GitBook

Digital Security & Source Protection for Journalists. Acknowledgements This paper is the product of countless conversations, encounters, recommendations ...
Read more

Digital Security for Journalists | Ten Tools for Privacy

Journalists today are facing ever-increasing security challenges. With more and more sensitive information being stored or transmitted digitally, the ...
Read more

Digital Security for Journalists -

Title: Digital Security for Journalists Type: Webinar Cost: $24.95 Originally Broadcast On: February 06, 2014 Time Estimate: One hour for the main ...
Read more

Technology Security - Committee to Protect Journalists

Digital attacks on journalists continue to increase in both quantity and sophistication. In China, ... Technology security has some distinct foibles.
Read more

Global Journalist Security

Global Journalist Security is a forward-looking, technology-oriented Hostile Environments training and consulting firm for journalist security & NGO safety.
Read more