Digital Security

for Journalists
(and Activists, Govt. Officials, etc.)

Pranesh Prakash

Policy Director (and Resident Geek)

Centre for Internet & Society

 

 

 

 

CC-BY-SA 4.0
(copy, share, adapt: sharing is caring)

no proprietary software or standards were used in the making of this slideshow

Journalists & Activists

Source Confidentiality Matters.

 

Sources trust you: you owe them a duty

So you need to protect information on who you're communicating with.

Often, no legal protection.

Journalists & Activists

Confidentiality of internal communications matters.

 

Investigative journalism is impossible otherwise.

Your communications with your editor, with colleagues.

(Imagine the Panama Paper leaks)

Journalists & Activists

Confidentiality of Research Matters.

 

Again, investigative journalism is impossible otherwise.

But sometimes the information is already public, so this may not be true in your case.

 

Your requirements may vary with time, with project, with story.

Digital Security (OPSEC)

"Threat Model"

(i.e., why asking "Is Gmail/Facebook/WhatsApp secure?" is not a sensible question.)

 

What are you protecting?

Whom are you protecting yourself against?

What capabilities does the adversary have?

What do you hope to achieve?

(e.g., preventing the snooping, or simply making it tougher?)
(e.g., confidentiality of communications, or anonymity?)

To what lengths are you willing to go?

Trade-offs: Convenience vs. Privacy/Security

Threats

Data in Transit vs. Data at Rest
(most of this workshop will focus on former)
 

Casual vs. Employers vs. Police vs. Intelligence Agency vs. NSA/GCHQ
 

Access to device vs. Access to network vs.
Access to intermediaries
 

To what lengths are you willing to go?

At Stake

Identities

 

 

Communicated Information

 

 

Secondary Research + Stored Data

It depends. But potentially:

Location + IP Address + E-mail address (& Subject) + Phone number + MAC ID + IMEI, etc. + URLs (DNS + HTTP) + Timestamps + correlation

 

cleartexts

 

(from Telco, ISPs, WiFi hotspot/OTA, web service, MITM, etc.)

What all can they have access to?

Your phone is a surveillance device

 

Your ISP is a surveillance provider

 

FB/Google are spyware

Privacy comes at a cost

(usually at the cost of convenience, but sometimes at the cost of security or of privacy too)

Solution?

No one simple solution!

 

Think about your security practices.

 

Encourage at-risk sources, colleagues to be security-conscious (and not just wrt tech!)

 

Also: Use phone calls and SMS (and your phone, even if just for Internet) as little as possible in sensitive matters. It is much harder to communicate anonymously using your phone.

 

Realize that security technologies are tools and not solutions.

Tech Solution?

Good Hygiene

 

{Traffic, End-to-End, Device-Level} Encryption

 

Free/Open Source Software

 

Open Standards

 

Decentralized Solutions

 

Federated Networks

Non-Solution?

For end-to-end encryption (meaning the decryption happens at your/the source's end, and the intermediary can't read it), the source will also have to be using the same encryption as you, and potentially the same software.

This means this won't happen. So generally, you'll need to figure out what the source is comfortable doing, what their security risks are, and how best to secure your communications with them. It's always a trade-off.

 

Security is not only about "ultra-secure" tools, but about applying the best practices to a given circumstance. Many times the tools may not befit the circumstances.

 

Don't fetishize the tools. They're just tools.

Commonly Used + Insecure

Communication Protocols / Apps

  1. Mobile + Landline Calls (v. weak)
     
  2. SMS (v. weak)
     
  3. Email (from v. weak to not strong)
     
  4. Signal + WhatsApp + WeChat + Skype + Twitter + FB Messenger, etc. (from okay to not v. strong)

 

There is no magic bullet!
What's "good"/"secure" depends on your needs.

SMS

No way to really secure.  (Metadata always leaks.)

Instead use data or use coded language.

 

Alternative:

Silence (SMS, Android-only - Metadata still leaks)

 

If you have data connectivity, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.

 

For average needs: Use WhatsApp
(since all your non-anonymous sources/correspondents already do)

Phone Calls

No way to truly secure.  (Metadata always leaks to telco.)

(For 2G, only Airtel & Tata DoCoMo use even weak encryption. Also SS7 attacks!)

Instead use data or coded language.

 

Alternative:

1. WhatsApp (multi-platform, call quality is good)

or

2. WebRTC
(free providers like meet.jit.si / appear.in)

IM/Chat + Files

WhatsApp (since Dec. 2015 supports file transfer)

or:

Signal

 

Other options: XMPP App (w/ OMEMO) + XMPP Provider

Modern apps: Conversations (Android), ChatSecure (iOS), Dino (Windows, Linux), Dino (Mac OS X)

Provider: Jabber.at / Yax.im /

(or ask me for the service I maintain)

E-mail + Attachments

Use something other than e-mail (since metadata leaks)


For press orgs: GlobaLeaks / SecureDrop

 

Else: E-mail Provider + E-mail Client + Autocrypt

Provider: Riseup.net / ProtonMail

(downside: painting-target-on-your-back)

 

Client: Thunderbird + Enigmail / Claws + Claws GPG plugin / K-9 (Android)

 

OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)

Sharing/Publishing Files

Scrub the "metadata" if the source is sensitive.

Just as you redact a document to protect sources / sensitive information, you need to "redact" metadata too.

 

Metadata and other embedded data in files (jpg, pdf, mp3, docx, etc.) you upload can lead directly to your source.

 

NSA whistleblower Reality Winner was doxxed because the Intercept didn't take care to remove printer "microdots"!

 

OpenNews's guide to removing metadata

 

Mat2 is a tool that can strip most (not all) metadata.
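
To make the point about embedded data concrete, here is an added example (not part of the original slides, and not how Mat2 works internally) that lists the author fields inside a .docx package and writes a copy with them blanked. The sample document and the names in it are constructed; tracked changes, comments and embedded images are not handled, so use a dedicated tool for real files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Package parts of a .docx (a zip archive) that hold document properties.
PROP_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")

def audit(docx_bytes):
    """Return {part: {field: value}} for every non-empty property found."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROP_PARTS:
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                found[part] = {el.tag.split("}")[-1]: el.text for el in root.iter()
                               if el.text and el.text.strip()}
    return {part: fields for part, fields in found.items() if fields}

def scrub(docx_bytes):
    """Copy the package, blanking property values and zip timestamps."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in PROP_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    el.text = None
                data = ET.tostring(root)
            # A fresh ZipInfo defaults to 1980-01-01 and drops extra fields.
            dst.writestr(zipfile.ZipInfo(info.filename), data,
                         compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()

def sample_docx():
    """Constructed sample: minimal package with made-up author fields."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>Source Name</dc:creator>'
            '<cp:lastModifiedBy>source-laptop</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document xmlns:w='urn:x'/>")
    return buf.getvalue()

if __name__ == "__main__":
    print("before:", audit(sample_docx()))
    print("after: ", audit(scrub(sample_docx())))
```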

Skype (video/voice/desktop)

WebRTC (using browser/phone app)

1. Jitsi Meet (https://meet.jit.si)

2. Signal / WhatsApp / etc.

 

 

 

 

WebRTC

It just works.

 

  

Anonymity

Keep your identities separate! 

Compartmentalize using

 

Weak anonymity is easy. Strong anonymity is difficult.  Truly untraceable anonymity if a well-resourced police department or intelligence agency is after you: next to impossible.

 

For a good guide to paranoia and tradecraft, read the grugq's blog, esp. this presentation.

Transport Security + Anonymity

Against ISP / WiFi

  • Encrypted Proxy Service ("VPN") (weak anonymity; traffic is secured only as far as the VPN, so it hides content from the ISP but is not end-to-end)
    • RiseUp VPN, ProtonVPN, etc.
    • Complex / software-only, i.e., not a service:
      • WireGuard (Linux-only, using your own provider),
        Tailscale, etc.
  • Anonymizing Networks (Tor / I2P) (very strong anonymity, hides content from ISP, but security is not end-to-end & traffic data is transparent)

General Hygiene

  • Set a lock-screen with a passcode!
  • Use Free and Open Source Software
    • Linux (even my parents find Ubuntu easy to use)
      • If need be, use TAILS /
        QubesOS / Whonix
    • Android (e.g., LineageOS, GrapheneOS, etc.)
    • FOSS on Mac/Windows
  • Physically secure your devices!
  • Use full-disk encryption
    • Linux (dm-crypt), MacOS (FileVault), Windows (BitLocker).
    • Android (v5+), iOS (v8+).

Passphrase Hygiene

Use a password manager (pass / BitWarden / KeePass / Browser)

Long master password / passphrase using phrases in Hindi/Tamil/etc. / WebPassGen / Diceware

Don't reuse passwords!

Test password strength using telepathwords & zxcvbn

Use multi-factor authentication wherever available (but don't tie your real identity to a pseudonymous account!). And beware, MFA can cause you to lose access!

Make sure you keep an eye on what you've authorized using your {Google, Facebook, Twitter, etc.} credentials

Never share your passwords, except through secure mechanisms like a group password manager. Don't ever respond to e-mails asking for your password.

 

Browser Hygiene

Use Brave, Firefox, or Chromium


Essential Extensions/Add-ons

Password Manager (inbuilt, or add-on)

uBlock Origin (FF & Chromium & Safari)

HTTPS Everywhere (FF & Chromium & FF for Android)

uMatrix (FF & Chromium, not for beginners)

NoScript (FF-only, I use it w/ default "allow")


"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.

Browser Hygiene

 

If anonymity is needed in addition to security, then use the Tor Browser
(and don't use any of your regular usernames, and don't visit HTTP sites since many exit nodes do sniff traffic)
 

(While Tor Browser is easy to use, I would recommend using TAILS over Tor Browser if at greater risk.)

 

Anonymity does NOT work without identity segregation.

E-mail Hygiene

 

Attachments

 

Only ever open attachments using Zoho or Google Docs. Never download them or open them locally in MS Word / Excel, etc.

 

Scan all attachments using a malware scanner (especially if you use Windows). VirusTotal is a great online scanner.

 

E-mail Hygiene

Links

 

NEVER click a link in an e-mail that scares you into thinking you need to change your password, etc.  The bulk of these are phishing attempts.

 

ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.
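
The same check can be automated for a mailbox export. This added example (not from the original slides) compares the text a link displays with where its href really points, and flags non-HTTPS targets and hosts with userinfo or punycode; the sample body and its example.* domains are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAudit(HTMLParser):
    """Collect (visible text, real href) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def split(value):  # urlsplit that tolerates scheme-less text and bad input
    try:
        return urlsplit(value if "//" in value else "//" + value)
    except ValueError:
        return urlsplit("")

def host(value):
    return (split(value).hostname or "").lower()

def suspicious_links(html_body):
    """Return (href, reason) for links that deserve a second look."""
    parser = LinkAudit()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        real, parts = host(href), split(href)
        shown = host(text) if "." in text and " " not in text else ""
        if parts.scheme != "https":
            findings.append((href, "not HTTPS"))
        elif shown and shown != real:
            findings.append((href, f"text shows {shown}, link goes to {real}"))
        elif "@" in parts.netloc or "xn--" in real:
            findings.append((href, "userinfo or punycode in host"))
    return findings

# Constructed sample body; the example.* domains are placeholders.
SAMPLE = ('<a href="https://login.example.net/reset">accounts.example.com/reset</a>'
          '<a href="https://accounts.example.com@example.net/x">Sign in</a>'
          '<a href="https://accounts.example.com/help">Help centre</a>')
print(suspicious_links(SAMPLE))
```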

E-mail Hygiene

Requests for Personal Information

 

  • Howsoever authentic looking, never reply to an e-mail asking you for personal information like your password, bank account details, etc.

Temporary Accounts

Disposable e-mail
(Mailinator)

 

Disposable SMS

(ReceiveSMSOnline)

 

Disposable identities & CC numbers

(FakeNameGenerator)

 

Contact Details

Get in touch with me using:

XMPP: pranesh(at)prakash.im + pranesh(at)cis-india.org

E-mail: pranesh(at)prakash.im + pranesh(at)cis-india.org

IRC: the.solipsist/freenode + sol/oftc

Mumble: sol:chats.im

 

For help, join this XMPP chatroom:

crypto@chat.cis-india.org
