Pranesh Prakash
Policy Director (and Resident Geek)
Centre for Internet & Society
CC-BY-SA 4.0
(copy, share, adapt: sharing is caring)
no proprietary software or standards were used in the making of this slideshow
Source Confidentiality Matters.
Sources trust you: you owe them a duty
So you need to protect information on who you're communicating with.
Often, no legal protection.
Confidentiality of internal communications matters.
Investigative journalism is impossible otherwise.
Your communications with your editor, with colleagues.
(Imagine the Panama Papers leak)
Confidentiality of Research Matters.
Again, investigative journalism is impossible otherwise.
But sometimes the information is already public, so this may not apply in your case.
Your requirements may vary with time, with project, with story.
"Threat Model"
(i.e., why asking "Is Gmail/Facebook/WhatsApp secure?" is not a sensible question.)
What are you protecting?
Whom are you protecting yourself against?
What capabilities does the adversary have?
What do you hope to achieve?
(e.g., preventing the snooping or simply to make it tougher?)
(e.g., confidentiality of communications, or anonymity?)
To what lengths are you willing to go?
Trade-offs: Convenience vs. Privacy/Security
Data in Transit vs. Data at Rest
(most of this workshop will focus on the former)
Casual vs. Employers vs. Police vs. Intelligence Agency vs. NSA/GCHQ
Access to device vs. Access to network vs. Access to intermediaries
To what lengths are you willing to go?
Identities
Communicated Information
Secondary Research + Stored Data
It depends. But potentially:
Location + IP Address + E-mail address (& Subject) + Phone number + MAC ID + IMEI, etc. + URLs (DNS + HTTP) + Timestamps + correlation
cleartexts
(from Telco, ISPs, WiFi hotspot/OTA, web service, MITM, etc.)
(usually at the cost of convenience, but sometimes at the cost of security or of privacy too)
No one simple solution!
Think about your security practices.
Encourage at-risk sources, colleagues to be security-conscious (and not just wrt tech!)
Also: Use phone calls and SMS (and your phone, even if just for Internet) as little as possible in sensitive matters. It is much harder to communicate anonymously using your phone.
Realize that security technologies are tools and not solutions.
Good Hygiene
{Traffic, End-to-End, Device-Level} Encryption
Free/Open Source Software
Open Standards
Decentralized Solutions
Federated Networks
For end-to-end encryption (meaning the decryption happens at your end or the source's end, and no intermediary can read it), the source will also have to be using the same encryption as you, and potentially the same software.
In practice, this often won't happen. So generally, you'll need to figure out what the source is comfortable doing, what their security risks are, and how best to secure your communications with them. It's always a trade-off.
Security is not only about "ultra-secure" tools, but about applying the best practices to a given circumstance. Many times the tools may not befit the circumstances.
Don't fetishize the tools. They're just tools.
There is no magic bullet!
What's "good"/"secure" depends on your needs.
No way to really secure. (Metadata always leaks.)
Instead use data or use coded language.
Alternative:
Silence (SMS, Android-only - Metadata still leaks)
If you have data connectivity, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.
For average needs: Use WhatsApp
(since all your non-anonymous sources/correspondents already do)
No way to truly secure. (Metadata always leaks to telco.)
(For 2G, only Airtel & Tata DoCoMo use even weak encryption. Also SS7 attacks!)
Instead use data or coded language.
Alternative:
1. WhatsApp (multi-platform, call quality is good)
or
2. WebRTC
(free providers like meet.jit.si / appear.in)
WhatsApp (since Dec. 2015 supports file transfer)
or:
Other options: XMPP App (w/ OMEMO) + XMPP Provider
Modern apps: Conversations (Android), ChatSecure (iOS), Dino (Windows, Linux), Dino (Mac OS X)
Provider: Jabber.at / Yax.im /
(or ask me for the service I maintain)
Use something other than e-mail (since metadata leaks)
For press orgs: GlobaLeaks / SecureDrop
Else: E-mail Provider + E-mail Client + Autocrypt
Provider: Riseup.net / ProtonMail
(downside: it paints a target on your back)
Client: Thunderbird + Enigmail / Claws + Claws GPG plugin / K-9 (Android)
OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)
Scrub the "metadata" if the source is sensitive.
Just as you redact a document to protect sources / sensitive information, you need to "redact" metadata too.
Metadata and other embedded data in files (jpg, pdf, mp3, docx, etc.) you upload can lead directly to your source.
NSA whistleblower Reality Winner was doxxed because The Intercept didn't take care to remove printer "microdots"!
OpenNews's guide to removing metadata
Mat2 is a tool that can strip most (not all) metadata.
It just works.
Keep your identities separate!
Compartmentalize using
Weak anonymity is easy. Strong anonymity is difficult. Truly untraceable anonymity if a well-resourced police department or intelligence agency is after you: next to impossible.
For a good guide to paranoia and tradecraft, read the grugq's blog, esp. this presentation.
Against ISP / WiFi
Use a password manager (pass / BitWarden / KeePass / Browser)
Long master password / passphrase using phrases in Hindi/Tamil/etc. / WebPassGen / Diceware
Test password strength using telepathwords & zxcvbn
Use multi-factor authentication wherever available (but don't tie your real identity to a pseudonymous account!). And beware, MFA can cause you to lose access!
Make sure you keep an eye on what you've authorized using your {Google, Facebook, Twitter, etc.} credentials
Never share your passwords, except through secure mechanisms like a group password manager. Don't ever respond to e-mails asking for your password.
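As an added example (not from the slides), here is a Diceware-style passphrase generator with an entropy estimate, to show why six random words beat an eight-character "complex" password. The tiny word list is constructed for the demo; a real Diceware list has 7776 entries, one per five-dice roll.

```python
# Added example (not from the original slides): Diceware-style passphrases
# and a guessing-entropy comparison against a short random password.
import math
import secrets

# Constructed mini word list for the demo; use a real 7776-word list for
# actual strength (the numbers below assume the real list size).
DEMO_WORDS = ["chai", "kite", "river", "lamp", "ember", "quilt", "tiger",
              "mango", "stone", "paper", "delta", "cloud", "onion", "radio",
              "spoon", "jungle"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent uniform picks from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def roll_index(dice: str) -> int:
    """Map a five-dice roll such as '31415' to a list index 0..7775."""
    if len(dice) != 5 or any(d not in "123456" for d in dice):
        raise ValueError("need five digits in 1-6")
    idx = 0
    for d in dice:
        idx = idx * 6 + (int(d) - 1)
    return idx


def generate_passphrase(words=DEMO_WORDS, n_words: int = 6, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG; never random.choice() for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(n_words: int = 6, pw_len: int = 8, charset: int = 95) -> dict:
    """Bits for an n-word Diceware passphrase vs. a pw_len printable-ASCII password."""
    return {
        "diceware_bits": round(entropy_bits(n_words, DICEWARE_LIST_SIZE), 1),
        "password_bits": round(entropy_bits(pw_len, charset), 1),
    }
```

The entropy figures only hold when every word is chosen at random (dice or a CSPRNG), not when you pick words you like.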
Use Brave, Firefox, or Chromium
Essential Extensions/Add-ons
Password Manager (inbuilt, or add-on)
uBlock Origin (FF & Chromium & Safari)
HTTPS Everywhere (FF & Chromium & FF for Android)
uMatrix (FF & Chromium, not for beginners)
NoScript (FF-only, I use it w/ default "allow")
"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.
If anonymity is needed in addition to security, then use the Tor Browser
(and don't use any of your regular usernames, and don't visit HTTP sites since many exit nodes do sniff traffic)
(While Tor Browser is easy to use, I would recommend using TAILS over Tor Browser if at greater risk.)
Anonymity does NOT work without identity segregation.
Attachments
Only ever open attachments using Zoho or Google Docs. Never download them or open them locally in MS Word / Excel, etc.
Scan all attachments using a malware scanner (especially if you use Windows). VirusTotal is a great online scanner.
Links
NEVER click a link in an e-mail that scares you into thinking you need to change your password, etc. The bulk of these are phishing attempts.
ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.
Requests for Personal Information
Get in touch with me using:
XMPP: pranesh(at)prakash.im + pranesh(at)cis-india.org
E-mail: pranesh(at)prakash.im + pranesh(at)cis-india.org
IRC: the.solipsist/freenode + sol/oftc
Mumble: sol:chats.im
For help, join this XMPP chatroom:
crypto@chat.cis-india.org