Hi, frank@journalistsecurity.net:
But if you're getting information security advice from a Forbes blog, that will be the least of your worries.
Where would you suggest we get information security advice from?
This is an interesting question and I admit, I feel like it leaves a bad ring in my ears... What kind of security advice? Who is following the advice? Does their context change while they follow this advice? Do they have resources of a user without more than a casual interest or are they well funded and dedicated? What are their requirements? What are their temporal tolerances? Do they understand safety plan or threat model without further explanation? What are the stakes for failure? The answer to each of those questions would shift my answers to subsequent questions around, I guess. If I were to change that question a bit to be something that many people are familiar with - I'd say - Where do we get good health advice from? When I go to a general practice doctor, they might refer me to a specialist. But where do I find that doctor? And what if I have issues that are really expensive to solve? It leads us in a similar direction - we look for common certifications, credentials, ratings, feedback, word of mouth, etc. We get a general sense of things, hopefully if we're seeing a terrible doctor, we know before they cut us up or send us home when we really need a different kind of care. It seems that some groups who do practical training are trying to be the specialist and the generalist. Sadly, because many of us are motivated by non-technical goals, say social justice, a real core background in many overlapping fields is simply missing. There isn't an advertised set of unified goals or principles stated where we try to work toward a set of solutions, nor is there a common set of agreed upon threat models that we're working with openly, and so on. The Forbes article is junk for my threat model(s) and frankly, I think it is junk for everyone else on a long enough time line. An open question is mostly if anyone will ever do anything noteworthy enough to learn that it was junk at the time. 
If it had been written about biology and safe sex, I'd say it was offering sheep skin condoms as a partial solution; we'd all get a pretty bad feeling about it and commonly understand the problem with such solutions, right? The technical details are so poorly understood by journalists that their ethics generally mean nothing; who cares if a journalist promises to keep a secret if they even have Skype *installed* on their laptop with confidential documents, emails or an OTR-enabled chat client? Their operational security is lower than the bar of the commercial market, we don't even have to begin to discuss intelligence agencies. In almost any other topic, it is simply intolerable to let a person write complete nonsense advice as an authority. Such authors get a reputation for being worth ignoring and sometimes, they're the topic of the next article. Yet in the field of journalism, we see journalists who even proudly boast of their illiteracy, without realizing the recklessness of their choices, sometimes even the choice of straight up ignorance because security is simply too hard. Or refusing to even offer anything resembling a secure way to reach them, let alone actually something they try to use regularly. I've rarely met journalists that encourage people to secure their communications - it does happen but wow, it is rare rare rare. Some journalists at least claim that they will go to jail before they'll give up sources, some won't make such claims or will even make the opposite claims. The signs of such journalists are easy to spot and still hard to confirm in any meaningful manner. When push comes to shove, even the best intentioned journalists still roll over when the might of the state crushes them under a pair of boots. At least with a proper idea of how journalism is being undermined by the Surveillance State, such a journalist might get a clue about the level of help, protection and transitive risk they pose to sources.
Such an understanding is largely missing from the dialog and the Forbes piece really obviously shows that the advice is the product of an extremely lacking study of the threat landscape. What am I getting at? When journalism was two people meeting in person, the people were the main piece that mattered, when research on who to contact was ephemeral, even a failed meeting wasn't a pinpointed event to be followed up on later. The (communications, crypto, electricity, etc) systems illiteracy means that otherwise core competencies of a solid journalist are undermined. Where should 'we' get our information? From people who have a clue, I think, in whatever field where we're barely scratching the surface with our questions. When I wonder about specific cryptography issues, I don't go to Forbes, I'd take a class from Dan Boneh or Moxie. When I wonder about a pain in my chest, I go to a doctor for triage. When I want to solve those problems myself, I invest in my own education. It seems to follow that if you're building a knowledge base for journalist security, it might make sense to build a collection of threat models, a collection of unified threats (eg: calls you make will be wiretapped, your location will be recorded, your email will be intercepted) you hope to address, and so on. It might also make sense to define who receives the advice; after all, if the trainers are simply middle (hu)man, why would someone at risk want to talk to them? It seems that if the goal is simply to benefit from the surplus of the labor of others, adding something to the mix might be a useful contribution to the community. We all bring different things to the table, right? To put this a different way: I'm not a lawyer and while I doubt I'll ever be a lawyer, I accept that I do not need to have a law degree to have a clue.
I also trust a number of people with law degrees to advise me but it took a lot of study, reading and frankly, rational self-interest in the self-survival department to even slightly *understand* their great advice. I've had the privilege of lawyer friends who didn't tolerate a lack of understanding while also making legal choices. My ability to make decisions was simply not up to snuff without a clue. So at least in a few of my own legal cases, I've done a lot of research to understand the core ground rules of the system that I inhabit, even if the system is made up of things I don't fully like or even really understand in an intuitive sense. While I'm *certainly* not a lawyer, I might have enough of a clue to know who to call or how badly I don't know something. So I wonder, what do journalists need to do? It seems to me that they should talk to the experts in the fields that are required for their specific operations. It also seems to me that they might want to work on not collaborating with the Surveillance State so much. As their lack of knowledge on the topic has basically made their job and their ethical commitments impossible unless they become full time security/privacy/anonymity/computer/network/telephone/etc experts. So on the one hand, I feel for journalists that don't understand technology. But on the other hand, I think without understanding the way that the world works, they're calling themselves journalists without understanding that technology is as important as having credible sources - it isn't like photography, it isn't a value add skill, it is a core and fundamental part of the job.
Many here are quick to point out what people should not rely upon. But relatively few seem to want to assume the responsibility to suggest what people should use. We are gleaning material including on concepts from the Information Security chapter written by Danny in CPJ's Journalist Security Guide (full disclosure: I wrote the chapters on physical safety). We are looking for guidance on tools from Security-in-a-Box by Tactical Tech. And we are reviewing and closely following the discussion over the new Internews guide which covers both concepts and tools. We are also looking at relevant guides by Small World News by Brian and others, and Mobile Active by Katrin and Alix.
Security is a process and not simply a product that people use. I'm loath to repeat that but that concept is worthy of deep thought. It isn't unlike asking which travel visa company we should call about entering Syria. Surely we wouldn't accept a guide that told us to simply call up the local tour company for advice. Rather, we'd want specifics, right? But to have specifics, we need grounding in reality - languages help, having street smarts helps and so on. I look at all of the above guides and I think that they're interesting as an awareness and philosophy metric for the respective community that created it. Lots of unequal threat models, lots of varying capacities, lots of graphic design budgets and often very little scientific referencing for *positive* security claims.
It seems to me that the above comprise the best available sources out there. Would you agree? Of course, if you or anyone has any other suggestions, we are all ears. The discussion itself over the Forbes blog and other material is all helpful. But backhanded snipes without the benefit of positive alternative suggestions are not.
No, I wouldn't agree. They're all nice efforts but frankly, all of them are lacking because they don't really explain the social stuff - the reality of the world stuff or the deep factual stuff - and are mostly about tools. There are parts that come close and are then not detailed about the technology, or they simply give up - where is the phone security guide that explains how to buy discrete SIMS for Satellite phones anonymously? Where is the IMEI changing guide for people using cell phones in Syria? Where are the threat modeling discussions that model real situations that actually exist, say for Egypt having a copy of FinFisher? I would suggest reading the (yearly) proceedings from Blackhat, DefCon, NDSS, USENIX Security, Hack-in-The-Box, and others. I would suggest trying to understand the fundamental human assumptions at play by studying behavior of people. Those guys who have generally hung out in the foreign correspondents club - they had a lot going for them but if you wanted to compromise them, how would their skills hold up in the modern world? Now do it to yourself, how would you embody that in a guide? We wouldn't do a life critical bioassay with advice from the DIY bio community, right? Why is security that is also a life line different here? I guess it isn't so simple and that is why it takes time - so I would suggest trying to find ways to encourage people to engage in intense self-study, in things that destroy apathy for the ills of the world with regard to personal liberty - so they can find resources that are otherwise seemingly unconnected on the surface that might otherwise go unnoticed. Sorry for the shameless plug here but I feel it is contextually appropriate: http://www.orbooks.com/catalog/cypherpunks/ ( I make no money from this book; you can easily find it on bittorrent - please do! )
Most people on this list and in conferences seem to be agreeing, at least lately if not also before, that if people who need to use the tools don't use them, then that becomes a security problem in and of itself. And that the overwhelming majority of people in places like Syria really do not understand the risks or practice best measures. Would you agree? Getting over these obstacles requires training, and also more transparency within this "Open Source" community about what we should be teaching people.
I think some of the best revolutionaries, journalists, activists and humans that I've ever met understand these issues quite well. That is to say - they understand emotional trauma, wiretapping, physical violence, hacked accounts, torture, legal issues and so on. Many choose to take action even when the odds are stacked against them, even or often unprotected because of say, the political gains or the tactical advantage in the moment. If I understood a point that Gene Sharp made once - trainings are ineffective without a larger framework and without specific understandings of specific words - meaning that is important is otherwise totally lost. So we need to consider the big picture as well as many different kinds of small details - to focus entirely on one area will leave us unbalanced, unprepared and well, less effective. Perhaps to the point of being worse than when people at least tried to work outside of the systems they didn't understand... I think that a long term solution for say, communications security is to normalize secure solutions and to pick some points of unity as part of the definition of secure. As an example - Free Software is a hard requirement for me in a serious situation but being FL/OSS does not mean that it is secure. Again, we need processes, models, realistic situational awareness and so on for humans - not just an International House of Check Boxes with tools, no real desire to do anything more than scrape the barrel and no actual capacity.
I am also learning not to take gratuitous snipes here personally. As it seems to be all too common within this group. But I do think we would serve a great many more people if we had more constructive conversations. Isn't that what this list is for?
I don't think Steve was trying to insult you as he later clarified. That Forbes article really isn't an example of solid and cutting edge advice. Some of their stuff, such as the stuff by Andy Greenberg, is top notch. Some of it is not even a notch... I agree that constructive conversations are useful for the list. If I were to dive right in - I'd say - could you give us examples of your operational security? I'll start and I'm curious to hear your follow ups. I run almost entirely Free Software for my general computing needs. I try to use only Forward Secret cryptography for communication and I assume it only buys me time, rather than totally solves all of my problems. I use GPG with a hardware token, rather than with keys on my laptop. I encrypt all of my disks. I create honeypots to mess with people who mess with me. I use RedPhone, TextSecure, Tor, and so on - the usual suspects in the Free Software world. I assume that most things fail open. I buy most of my hardware with cash. I use different devices in different contexts. I don't believe that the Fourth Amendment actually protects the equipment I have in my home (electronically, physically, etc.). I try to understand, extend and sometimes try to break the systems that I use - I try to only use systems that people I respect have built, analyzed or use themselves. I encourage everyone that I meet or talk with to use strong cryptography, anonymity services and to consider the transitive risk of behavior. I try to write software to improve this entire field and I try to work with end users as well as trainers. And so on. An evil Maid attack would own me in a lot of cases, so I carry my computers with me to some rather annoying places. I stopped carrying a cell phone regularly when I realized that it was simply a lost cause on the privacy front. I do counter-surveillance and surveillance-detection to try to catch people who try to tamper with my hardware or worse.
I give samples of likely backdoors to better reverse engineers (than me) when in doubt. I've been working hard for the last few years to show that these tactics and this kind of strategy isn't paranoia. Rather such an understanding is required for the *current* Surveillance State, let alone the coming New and Improved Surveillance State. How about you? A good friend jokingly once told me that some people raise their paranoia to meet their security situation. The joke was of course that I did the opposite: I raised the seriousness of my situation to match my paranoia and outlook. If you have to pick between the two - which side of things seems to have a possible positive outcome? All the best, Jacob
-------- Original Message --------
Subject: Re: [liberationtech] Forbes recommends tools for journalists
From: Steve Weis <steveweis@gmail.com>
Date: Mon, December 17, 2012 6:10 pm
To: liberationtech <liberationtech@lists.stanford.edu>
Just to go further down the tech tangent...
There are SSD drives with full-disk encryption, such as the Intel 520 series. Here's a paper "Reliably Erasing Data From Flash-Based Solid State Drives" from Usenix 2011 that analyzes disk sanitation on several SSD drives. Their conclusion was that built in encryption and sanitization functions were most effective, but were not always implemented correctly: http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
Regarding storage for disk-encryption keys, PCs with TPMs can seal keys such that they can only be unsealed if the machine is booted to a verifiable state. Then you can leave the sealed key on the disk, which is how Bitlocker works.
Keep in mind that TPMs can be compromised by physical attacks. They aren't going to protect you from a moderately-funded forensics effort. But if you're getting information security advice from a Forbes blog, that will be the least of your worries.
On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers <michael@briarproject.org> wrote:
I'm not aware of any suitable storage on current smartphones or personal computers, so we may need to ask device manufacturers to add (simple, inexpensive) hardware to their devices to support secure deletion.

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE