On Mon, Dec 17, 2012 at 10:49:33AM -0700, frank@journalistsecurity.net wrote:

If anyone here has any thoughts about the tools recommended in this Forbes piece, please speak up. The piece gets specific with recommendations form Ashkan Soltani, a technologist who I do not think is on this list, about half way down. Again, any thoughts would be welcome. Thank you! Frank

The reference to Glenn's "Create your own SSL certiiate" article is weird; what he talks about in that Ars Technica piece not a replacement for a VPN by any means, and I think the reference would just confuse anyone who was not technical. I think these days you have to tie Forbes' (good) advice not to save everything with an encouragement to use full disk encryption. We're in an awkward space right now where we can't fully guarantee that data gets deleted off a modern flash (SSD) drive, even with previously strong deletion tools. And forensics software is good enough to pick up a lot of local clues about what you've used your own computer for, even if you think you've turned off all logs and removed the saving of sensitive data. Minimize what you record, but also encrypt. I'd be cautious about explicitly recommending Word's encryption as they do -- if you save encrypted docs in 97/2000 mode, they're instantly breakable, and there are dedicated tools out there to break later versions. I don't know whether they exploit later weaknesses, or are just fancy password crackers. http://www.elcomsoft.com/aopr.html?r1=Openwall Usual provisos about Skype (and Silent Circle to a certain extent). It's *really* hard to permanently recommend particular products, without at least making the statement "Keep an eye for news that the tools you use are vulnerable, and keep the software updated." We really need to stop making this exclusively about the tools, and make it more about the practices, and tools that can reinforce those practices. This article isn't that bad at all about that -- but you want to be able to get people to a point where they can tell themselves whether a package looks like snake oil or not. d.

http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-...

TECH | 12/07/2012 @ 1:33PM |24,858 views Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To Get Your Source Arrested

You forgot to scrub the metadata, suckers.

Computer security millionaire John McAfeebs surreal flight from Belizean law enforcement came to an end this week when he was detained (and then hospitalized) in Guatemala, as has been widely reported. A piece of the story that hasnbt been included in much of the reporting is how authorities figured out that McAfee b who was wanted for questioning in the shooting death of his neighbor b had fled Belize for Guatemala. McAfeebs location was exposed after he agreed to let two reporters from Vice Magazine tag along with him. Proud to finally be in the thick of a story rife with vices b drugs, murder, prostitutes, guns, vicious dogs, a fugitive millionaire and his inappropriately young girlfriend b they proudly posted an iPhone photo to their blog of Vice editor-in-chief Rocco Castoro standing with the source of the mayhem in front of a jungly background, saying, b We are with John McAfee right now, suckers.b

With that posting, they went from chroniclers of vices to inadvertent narcs. They left the metadata in the photo, revealing McAfeebs exact location, down to latitude and longitude. McAfee tried to claim hebd manipulated the data b a claim that Vice photographer backed up on Facebook in a posting hebs since deleted b but then capitulated, hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan authorities instead detained McAfee for entering the country illegally. All of which was dutifully reported by the Vice reporters, with no mention of their screw-up. Mat Honan at Wired excoriated Vice for its role in events:

This was deeply stupid. People have been pointing out the dangers of inadvertently leaving GPS tags in cellphone pictures for years and years. Vice is the same publication that regularly drops in on revolutions and all manner of criminals. They should have known better.

And they have the resources to do it better. Vice is a $100 million operation.

Then, it followed up this egregiously stupid action with a far worse one. Vice photographer Robert King apparently lied on his Facebook page and Twitter in order to protect McAfee. Like McAfee, he claimed that the geodata in the photo had been manipulated to conceal their true location. b&

But the coverup, as always, is worse than the crime. In claiming the geodata had been manipulated when it had not, Vice was no longer just documenting. Now it was actively aiding a fugitive wanted for questioning in the murder investigation of his neighbor Gregory Faull, who was shot dead at his own home.

Via How Trusting In Vice Led To John McAfeebs Downfall b Wired.

It was indeed deeply stupid. Journalists are professional dealers in information but many are terrible about protecting it. While willing to go to jail to protect their sources, journalists may wind up leaving them exposed instead through poor data practices. In a New York Times editorial last year, Chris Soghoian, now chief technologist at the ACLU, warned that b secrets arenbt safe with journalistsb explaining that b the safety of anonymous sources will depend not only on journalistsb ethics, but on their computer skills.b

There are three very basic things journalists should be doing to shield their sources:

Scrubbing metadata from photos, documents and other files. Resisting the desire to save copies of everything. Encrypting communications.

Technologist Ashkan Soltani walked me through some simple tools for doing this. Theybre not foolproof, but theybll make it a little less likely that your blog post will wind up sending the person youbre profiling to jail (unless thatbs your intent).

1. Scrubbing metadata.

b All files b photos, Word docs, PDFs b include some kind of metadata: author, location created, device information,b says Soltani. If you leave the metadata attached, you run the risk of exposing private information about the person who gave you the file, or, in the case of Vice, the location of the person trying to keep his location under wraps.

Before you share a Word doc with the world that a source sent you, run it through a scrubber. Otherwise, it may reveal where the doc was created, who authored it and anyone who has ever made changes to it. Therebs Doc Scrubber for Microsoft Word. For PDF docs, use a tool like Metadata Assistant. Or use Adobe Acrobatbs b Examine Documentb tool which will scan the doc for hidden information. For photos, think about turning off geotagging on your phone or digital camera so that the information doesnbt get included in the first place. Youbll usually do that in your phonebs b Location Settings.b Instructions here. You can run your photos through a metadata scrubber. Or, if you donbt care much about the resolution, you can just take a screenshot of the photo and use that metadata-free version. Some photo-hosting services do you the favor of scrubbing metadata. Facebook, Twitter and Instagram all have this privacy-protective measure in place.

2. Resisting the desire to save copies of everything.

We live in a time when itbs easy to save everything, meaning webve all become digital hoarders. Why delete an email or chat when you can just archive it? It could come in handy later. Or it could come back to bite you later.

b Disable chat logs in whatever program youbre using, Gmail or Skype,b says Soltani. In Gmail, that means switching chats to b off the record.b In Skype, it means turning off the feature that automatically saves your chats to anywhere you log in. (Added privacy bonus: That could keep your boss from winding up getting his hands on a sexy chat you had on your home computer.) If you need to keep a record of a chat, save it as a Word file on your own computer, and encrypt it. b Donbt keep emails around for years and years,b says Soltani. b Practice better data hygiene.b Soltani says journalists and sources might consider setting up temporary email accounts to communicate about a story, and then to delete the accounts after the storybs complete. He compares it to using a burner cell phone. 3. Encrypting your communications.

This may be the most labor intensive of the recommendations from computer security professionals, but if itbs important that your communications with someone not be compromised, itbs worth it. This means your emails will appear as gibberish to anyone you donbt want reading them. Had David Petraeus and Paula Broadwell encrypted their emails to one another rather than saving them in a drafts folder, their exposing themselves to each other wouldnbt have been exposed to the world. b This allows you to communicate securely and protects your messages if your account is compromised,b says Soltani.

For chat, consider using Adiumbs OTR. Use a Virtual Private Network or create your own SSL. Take 30 minutes (more or less, depending on your savvy level) to set up SMime or PGP for Gmail so that the emails you send from whichever provider you use are encrypted. The only limitation here: you need to get the person youbre communicating with to enable encryption as well. Rather than calling someone from your landline or cell phone, use Skype or Silent Circle. ***

A journalistbs job is to bring information to light. Using these tools, youbll retain some control over which information gets lit.

10 Incredibly Simple Things You Can Do To Protect Your Privacy

Password Protect Your Devices Choosing not to password protect your devices is the digital equivalent of leaving your home or car unlocked. If you're lucky, no one will take advantage of the access. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen.

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE