A lecture given during a two-hour workshop with journalism students to introduce them to digital security and OPSEC. The goal of this lecture is not to train them in using these tools but simply to raise awareness of the dangers and potential solutions.
4. Unlimited, massive, dragnet surveillance
Everything that can be collected IS collected
Phone calls, SMS, geo-location
Emails, chats, social messages
Online activities, browsing habits, search queries, ...
Data is stored for at least five years
Not accessed today... but ready for when needed
Easily searched based on keywords & other selectors
Parallel construction
Used by the DEA and FBI to 'wash' classified leads
Source:
NSA stores metadata of millions of web users for up to a year, secret files show
http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents
7. What do you need to protect?
A source identity and/or location
Documents
Conversations
Research topic
You, your identity, your family
8. Protect from who?
Legal actions (leaks investigation)
A government
An organization (your employer?)
Competitors
Criminals
...
9. Different kinds of Security
Confidentiality
Only authorized eyes can read/hear the message
Authentication
You can verify who you are talking to or who wrote a message
Integrity
The message has not been tampered with
Anonymity
Your identity and location can't be discovered
Availability
The message/information can't be easily destroyed/shut-off
10. OPSEC
Because digital security is not always enough
Build cover identities
Compartmentalize activities
Keep your mouth shut
Use throw-away phones, SIMs, laptops, ...
Plan for the worst
“Be proactively paranoid. Paranoia does not work retroactively.”
The Grugq, OPSEC for Freedom Fighters
11. Do I really need this ???!!??
What you do today in the clear could haunt you later
You may need it someday, practice now
You help other journalists by making it 'the norm'
You make dragnet surveillance more costly
You are journalists; it is your job to educate others
13. Beware of your mobile phone
A real-time geo-location tracking device
A remote listening device
A gateway to your most intimate secrets
Every action you take (call, message, picture, ...) can be monitored, collected and archived
14. If you really need to use a mobile phone...
Basic security (PIN code, key lock, disk encryption)
Do not store anything valuable (passwords, documents, ...)
Turn off & remove the battery to:
Protect your location when meeting a source
Avoid remote listening
Use open source software
E.g. Replicant on Android
Use crypto to communicate securely
TextSecure, RedPhone
Don't use 'burner phones' unless you really know what you are doing; they can easily be correlated back to you
Assume it can be stolen/hacked at any time, and make sure you are comfortable with this
15. Secure your laptop
Use disk encryption and shut down when travelling
Set up a password and a locked screen saver
Keep your system updated and have an antivirus
Have a firewall, block all incoming traffic
Use an open source operating system and software
Avoid storing important documents on your laptop
Assume it can be stolen/hacked at any time, and make sure you are comfortable with this
16. Online Security
Use strong & different passwords
A local & secure password manager can help
Beware of what you do, click, execute
Use HTTPS as much as possible
Install the HTTPS everywhere extension
Install the Do Not Track Me extension
Don't use cloud services, or assume everything in there is 'public' (e.g. Gmail, Dropbox, Skype, ...)
Assume everything you do online could become public, and make sure you are comfortable with that
18. !! Warning !!
Learn to use these tools before trusting them with your life!
19. Privacy
Use TrueCrypt or LUKS to encrypt USB sticks
Use OTR to encrypt chat conversations
Use PGP to encrypt emails
Same remarks as for OTR: it protects the content of the email, not the metadata and not the identities of the parties
Use a VPN to protect your traffic
Only the content is protected, not who you are talking to
Don't keep logs in clear text on your disk :-)
The recipient could well keep logs in the clear
E.g. when on public/client/conference Wi-Fi
You must trust your VPN provider
A VPN provides privacy, not anonymity!
Use HTTPS and POP3/IMAP over SSL
20. Anonymity
Scrub metadata of your documents
Use Tor to keep your internet traffic anonymous
Assume all nodes are listening to you (use HTTPS)
Note: even with HTTPS, you could be the victim of man-in-the-middle attacks (the PKI/CA system is broken). For added security, use 'certificate pinning' and TOFU (Trust On First Use).
Be careful not to contaminate a session
Use Tails if you are not sure of what you are doing
Use CryptoCat for anonymous & encrypted chat
Note: this is a young project which still has some issues; keep it updated and check the latest news before using it
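Added example, not part of the lecture or of any tool it names: a minimal Trust On First Use pin store in Python, illustrating the TOFU idea from the HTTPS note on this slide. The host name and certificate bytes are constructed placeholders; in real use the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` and a "MISMATCH" would be checked out of band before continuing.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuPinStore:
    """Trust On First Use: remember the first certificate seen for each host
    and flag any later certificate that differs from it."""

    def __init__(self, path=None):
        # path=None keeps the pins in memory only (handy for tests);
        # otherwise pins persist as JSON so later sessions can compare.
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp           # first use: trust and record it
            self._save()
            return "pinned"
        if pinned == fp:
            return "match"                 # same certificate as last time
        return "MISMATCH"                  # changed cert: possible MITM or a rotation to verify


def demo():
    """Walk through first use, a repeat visit and a changed certificate."""
    # Constructed placeholder bytes standing in for real DER certificates.
    cert_a = b"constructed-der-bytes-for-newsroom-site-cert-A"
    cert_b = b"constructed-der-bytes-for-newsroom-site-cert-B"
    store = TofuPinStore()
    host = "example-newsroom.invalid"      # placeholder host name
    return [store.check(host, cert_a), store.check(host, cert_a), store.check(host, cert_b)]


if __name__ == "__main__":
    print(demo())  # ['pinned', 'match', 'MISMATCH']
```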
26. Let's install this today...
Web browser security
http://fixtracking.com/
GPG
https://gpgtools.org/ (OSX)
https://enigmail.net/ (Linux)
Encrypt your documents
http://www.truecrypt.org/
Use OTR when chatting
https://adium.im/ (OSX)
https://pidgin.im/ (Linux)
Download Tails, verify it and burn a CD
27. References
Computer Security for Journalists, Jennifer Valentino-DeVries, Wall Street Journal
https://docs.google.com/file/d/0B2HGtAJEbG8PdzVPdHcwekI2V2M/edit?pli=1
Opsec for Hackers, the Grugq
http://www.slideshare.net/grugq/opsec-for-hackers
Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance
https://pressfreedomfoundation.org/encryption-works