[liberationtech] Forbes recommends tools for journalists
frank at journalistsecurity.net
frank at journalistsecurity.net
Mon Dec 17 09:49:33 PST 2012
If anyone here has any thoughts about the tools recommended in this
Forbes piece, please speak up. The piece gets specific with
recommendations form Ashkan Soltani, a technologist who I do not think
is on this list, about half way down. Again, any thoughts would be
welcome. Thank you! Frank
http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-and-elsewhere-here-are-some-simple-ways-not-to-get-your-source-arrested/
TECH | 12/07/2012 @ 1:33PM |24,858 views
Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To
Get Your Source Arrested
You forgot to scrub the metadata, suckers.
Computer security millionaire John McAfeeb�s surreal flight from
Belizean law enforcement came to an end this week when he was detained
(and then hospitalized) in Guatemala, as has been widely reported. A
piece of the story that hasnb�t been included in much of the reporting
is how authorities figured out that McAfee b� who was wanted for
questioning in the shooting death of his neighbor b� had fled Belize
for Guatemala. McAfeeb�s location was exposed after he agreed to let
two reporters from Vice Magazine tag along with him. Proud to finally be
in the thick of a story rife with vices b� drugs, murder, prostitutes,
guns, vicious dogs, a fugitive millionaire and his inappropriately young
girlfriend b� they proudly posted an iPhone photo to their blog of Vice
editor-in-chief Rocco Castoro standing with the source of the mayhem in
front of a jungly background, saying, b�We are with John McAfee right
now, suckers.b�
With that posting, they went from chroniclers of vices to inadvertent
narcs. They left the metadata in the photo, revealing McAfeeb�s exact
location, down to latitude and longitude. McAfee tried to claim heb�d
manipulated the data b� a claim that Vice photographer backed up on
Facebook in a posting heb�s since deleted b� but then capitulated,
hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan
authorities instead detained McAfee for entering the country illegally.
All of which was dutifully reported by the Vice reporters, with no
mention of their screw-up. Mat Honan at Wired excoriated Vice for its
role in events:
This was deeply stupid. People have been pointing out the dangers of
inadvertently leaving GPS tags in cellphone pictures for years and
years. Vice is the same publication that regularly drops in on
revolutions and all manner of criminals. They should have known better.
And they have the resources to do it better. Vice is a $100 million
operation.
Then, it followed up this egregiously stupid action with a far worse
one. Vice photographer Robert King apparently lied on his Facebook page
and Twitter in order to protect McAfee. Like McAfee, he claimed that the
geodata in the photo had been manipulated to conceal their true
location. b&
But the coverup, as always, is worse than the crime. In claiming the
geodata had been manipulated when it had not, Vice was no longer just
documenting. Now it was actively aiding a fugitive wanted for
questioning in the murder investigation of his neighbor Gregory Faull,
who was shot dead at his own home.
Via How Trusting In Vice Led To John McAfeeb�s Downfall b� Wired.
It was indeed deeply stupid. Journalists are professional dealers in
information but many are terrible about protecting it. While willing to
go to jail to protect their sources, journalists may wind up leaving
them exposed instead through poor data practices. In a New York Times
editorial last year, Chris Soghoian, now chief technologist at the ACLU,
warned that b�secrets arenb�t safe with journalistsb� explaining that
b� the safety of anonymous sources will depend not only on
journalistsb� ethics, but on their computer skills.b�
There are three very basic things journalists should be doing to shield
their sources:
Scrubbing metadata from photos, documents and other files.
Resisting the desire to save copies of everything.
Encrypting communications.
Technologist Ashkan Soltani walked me through some simple tools for
doing this. Theyb�re not foolproof, but theyb�ll make it a little less
likely that your blog post will wind up sending the person youb�re
profiling to jail (unless thatb�s your intent).
1. Scrubbing metadata.
b�All files b� photos, Word docs, PDFs b� include some kind of
metadata: author, location created, device information,b� says Soltani.
If you leave the metadata attached, you run the risk of exposing private
information about the person who gave you the file, or, in the case of
Vice, the location of the person trying to keep his location under
wraps.
Before you share a Word doc with the world that a source sent you, run
it through a scrubber. Otherwise, it may reveal where the doc was
created, who authored it and anyone who has ever made changes to it.
Thereb�s Doc Scrubber for Microsoft Word.
For PDF docs, use a tool like Metadata Assistant. Or use Adobe
Acrobatb�s b�Examine Documentb� tool which will scan the doc for
hidden information.
For photos, think about turning off geotagging on your phone or digital
camera so that the information doesnb�t get included in the first
place. Youb�ll usually do that in your phoneb�s b�Location
Settings.b� Instructions here.
You can run your photos through a metadata scrubber. Or, if you donb�t
care much about the resolution, you can just take a screenshot of the
photo and use that metadata-free version.
Some photo-hosting services do you the favor of scrubbing metadata.
Facebook, Twitter and Instagram all have this privacy-protective measure
in place.
2. Resisting the desire to save copies of everything.
We live in a time when itb�s easy to save everything, meaning web�ve
all become digital hoarders. Why delete an email or chat when you can
just archive it? It could come in handy later. Or it could come back to
bite you later.
b�Disable chat logs in whatever program youb�re using, Gmail or
Skype,b� says Soltani. In Gmail, that means switching chats to b�off
the record.b� In Skype, it means turning off the feature that
automatically saves your chats to anywhere you log in. (Added privacy
bonus: That could keep your boss from winding up getting his hands on a
sexy chat you had on your home computer.)
If you need to keep a record of a chat, save it as a Word file on your
own computer, and encrypt it.
b�Donb�t keep emails around for years and years,b� says Soltani.
b�Practice better data hygiene.b�
Soltani says journalists and sources might consider setting up temporary
email accounts to communicate about a story, and then to delete the
accounts after the storyb�s complete. He compares it to using a burner
cell phone.
3. Encrypting your communications.
This may be the most labor intensive of the recommendations from
computer security professionals, but if itb�s important that your
communications with someone not be compromised, itb�s worth it. This
means your emails will appear as gibberish to anyone you donb�t want
reading them. Had David Petraeus and Paula Broadwell encrypted their
emails to one another rather than saving them in a drafts folder, their
exposing themselves to each other wouldnb�t have been exposed to the
world. b�This allows you to communicate securely and protects your
messages if your account is compromised,b� says Soltani.
For chat, consider using Adiumb�s OTR.
Use a Virtual Private Network or create your own SSL.
Take 30 minutes (more or less, depending on your savvy level) to set up
SMime or PGP for Gmail so that the emails you send from whichever
provider you use are encrypted. The only limitation here: you need to
get the person youb�re communicating with to enable encryption as well.
Rather than calling someone from your landline or cell phone, use Skype
or Silent Circle.
***
A journalistb�s job is to bring information to light. Using these
tools, youb�ll retain some control over which information gets lit.
10 Incredibly Simple Things You Can Do To Protect Your Privacy
Password Protect Your Devices
Choosing not to password protect your devices is the digital equivalent
of leaving your home or car unlocked. If you're lucky, no one will take
advantage of the access. Or maybe the contents will be ravaged and your
favorite speakers and/or secrets stolen.
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list