[liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities

Jacob Appelbaum jacob at appelbaum.net
Tue Dec 18 21:26:05 PST 2012


Hi,

frank at journalistsecurity.net:
> But if
>> you're getting information security advice from a Forbes blog, that
>> will be the least of your worries.
> 
> Where would you suggest we get information security advice from?

This is an interesting question and I admit, I feel like it leaves a bad
ring in my ears...

What kind of security advice? Who is following the advice? Does their
context change while they follow this advice? Do they have resources of
a user without more than a casual interest or are they well funded and
dedicated? What are their requirements? What are their temporal
tolerances? Do they understand safety plan or threat model without
further explanation? What are the stakes for failure?

The answer to each of those questions would shift my answers to
subsequent questions around, I guess.

If I were to change that question a bit to be something that many people
are familiar with - I'd say - Where do we get good health advice from?
When I go to a general practice doctor, they might refer me to a
specialist. But where do I find that doctor? And what if I have issues
that are really expensive to solve? It leads us in a similar direction -
we look for common certifications, credentials, ratings, feedback, word
of mouth, etc. We get a general sense of things, hopefully if we're
seeing a terrible doctor, we know before they cut us up or send us home
when we really need a different kind of care.

It seems that some groups who do practical training are trying to be the
specialist and the generalist. Sadly, because many of us are motivated
by non-technical goals, say social justice, a real core background in
many overlapping fields is simply missing. There isn't an advertised set
of unified goals or principles stated where we try to work toward a set
of solutions, nor is there a common set of agreed upon threat models
that we're working with openly, and so on.

The Forbes article is junk for my threat model(s) and frankly, I think
it is junk for everyone else on a long enough time line. An open
question is mostly if anyone will ever do anything noteworthy enough to
learn that it was junk at the time. If it had been written about biology
and safe sex, I'd say it was offering sheep skin condoms as a partial
solution; we'd all get a pretty bad feeling about it and commonly
understand the problem with such solutions, right?

The technical details are so poorly understood by journalists that their
ethics generally mean nothing; who cares if a journalist promises to
keep a secret if they even have Skype *installed* on their laptop with
confidential documents, emails or an OTR enable chat client? Their
operational security is lower than the bar of the commercial market, we
don't even have to begin to discuss intelligence agencies.

In almost any other topic, it is simply intolerable to let a person
write complete nonsense advice as an authority. Such authors get a
reputation for being worth ignoring and sometimes, they're the topic of
the next article. Yet in the field of journalism, we see journalists who
even proudly boast of their illiteracy, without realizing the
recklessness of their choices, sometimes even the choice of straight up
ignorance because security is simply too hard. Or refusing to even offer
anything resembling a secure way to reach them, let alone actually
something they try to use regularly. I've rarely met journalists that
encourage people to secure their communications - it does happen but
wow, it is rare rare rare.

Some journalists at least claim that they will go to jail before they'll
give up sources, some won't make such claims or will even make the
opposite claims. The signs of such journalists are easy to spot and
still hard to confirm in any meaningful manner. When push comes to
shove, even the best intentioned journalists still roll over when the
might of the state crushes them under a pair of boots.

At least with a proper idea of how journalism is being undermined by the
Surveillance State, such a journalist might get a clue about the level
of help, protection and transitive risk they pose to sources. Such an
understanding is largely missing from the dialog and the Forbes piece
really obviously shows that the advice is the product of an extremely
lacking study of the threat landscape.

What am I getting at?

When journalism was two people meeting in person, the people were the
main piece that mattered, when research on who to contact was ephemeral,
even a failed meeting wasn't a pin pointed event to be followed up on later.

The (communications, crypto, electricity, etc) systems illiteracy  means
that otherwise core competencies of a solid journalist are undermined.

Where should 'we' get our information? From people who have a clue, I
think, in whatever field where we're barely scratching the surface with
our questions. When I wonder about specific cryptography issues, I don't
go to Forbes, I'd take a class from Dan Boneh or Moxie. When I wonder
about a pain in my chest, I go to a doctor for triage. When I want to
solve those problems myself, I invest in my own education.

It seems to follow that if you're building a knowledge base for
journalist security, it might make sense to build a collection of threat
models, a collection of unified threats (eg: calls you make will be
wiretapped, your location will be recorded, your email will be
intercepted) you hope to address, and so on.

It might also make sense to define who receives the advice; after all,
if the trainers are simply middle (hu)man, why would someone at risk
want to talk to them? It seems that if the goal is simply to benefit
from the surplus of the labor of others, adding something to the mix
might be a useful contribution to the community. We all bring different
things to the table, right?

To put this a different way: I'm not a lawyer and while I doubt I'll
ever be a lawyer, I accept that I do not need to have a law degree to
have a clue. I also trust a number of people with law degrees to advise
me but it took a lot of study, reading and frankly, rational
self-interest in the self-survival department to even slightly
*understand* their great advice. I've had the privilege of lawyers
friends who didn't tolerate a lack of understanding while also making
legal choices. My ability to make decisions was simply not up to snuff
without a clue. So at least in a few of my own legal cases, I've done a
lot of research to understand the core ground rules of the system that I
inhabit, even if the system is made up of things I don't fully like or
even really understand in an intuitive sense. While I'm *certainly* not
a lawyer, I might have enough of a clue to know who to call or how badly
I don't know something.

So I wonder, what do journalists need to do? It seems to me that they
should talk to the experts in the fields that are required for their
specific operations. It also seems to me that they might want to work on
not collaborating with the Surveillance State so much. As their lack of
knowledge on the topic has basically made their job and their ethical
commitments impossible unless they become full time
security/privacy/anonymity/computer/network/telephone/etc experts.

So on the one hand, I feel for journalists that don't understand
technology. But on the other hand, I think without understanding the way
that the world works, they're calling themselves journalists without
understanding that technology is as important as having credible sources
- it isn't like photography, it isn't a value add skill, it is a core
and fundamental part of the job.

> Many here are quick to point out what people should not rely upon. 
> But relatively few seem to want to assume the responsibility to 
> suggestt what people should use. We are gleaning material including 
> on concepts from the Information Security chapter written by Danny in
> CPJ's Journalist Security Guide (full disclosure: I wrote the 
> chapters on physical safety). We are looking for guidance on tools 
> from Security-in-a-Box by Tactical Tech. And we are reviewing and 
> closely following the discussion over the new Internews guide which 
> covers both concepts and tools. We are also looking at relevant 
> guides by Small World News by Brian and others, and Mobile Active by
>  Katrin and Alix.
> 

Security is a process and not simply a product that people use. I'm
loathe to repeat that but that concept is worthy of deep thought.

It isn't unlike asking which travel visa company we should call about
entering Syria. Surely we wouldn't accept a guide that told us to simply
call up the local tour company for advice. Rather, we'd want specifics,
right? But to have specific, we need grounding in reality - languages
help, having street smarts helps and so on.

I look at all of the above guides and I think that they're interesting
as an awareness and philosophy metric for the respective community that
created it. Lots of unequal threat models, lots of varying capacities,
lots of graphic design budgets and often very little scientific
referencing for *positive* security claims.

> It seems to me that the above comprise the best available sources
> out there. Would you agree? Of course, if you or anyone has any
> other suggestions, we are all ears. The discussion itself over the
> Forbes blog and other material is all helpful. But backhanded snipes
> without the benefit of positive alternative suggestions are not.

No, I wouldn't agree. They're all nice efforts but frankly, all of them
are lacking because they don't really explain the social stuff - the
reality of the world stuff or the deep factual stuff - and are mostly
about tools. There are parts that come close and are then not detailed
about the technology, or they simply give up - where is the phone
security guide that explains how to buy discrete SIMS for Satellite
phones anonymously? Where is the IMEI changing guide for people using
cell phones in Syria? Where are the threat modeling discussions that
model real situations that actually exist, say for Egypt having a copy
of FinFisher?

I would suggest reading the (yearly) proceedings from Blackhat, DefCon,
NDSS, USENIX Security, Hack-in-The-Box, and others. I would suggest
trying to understand the fundamental human assumptions at play by
studying behavior of people. Those guys who have generally hung out in
the foreign corespondents club - they had a lot going for them but if
you wanted to compromise them, how would their skills hold up in the
modern world? Now do it to yourself, how would you embody that in a
guide?  We wouldn't do a life critical bioassay with advice from the DIY
bio community, right? Why is security that is also a life line different
here?

I guess it isn't so simple and that is why it takes time - so I
would suggest trying to find ways to encourage people to engage in
intense self-study, in things that destroy apathy for the ills of the
world with regard to personal liberty - so they can find resources that
are otherwise seemingly unconnected on the surface that might otherwise
go unnoticed.

Sorry for the shameless plug here but I feel it is contextually appropriate:

  http://www.orbooks.com/catalog/cypherpunks/

( I make no money from this book; you can easily find it on bittorrent -
please do! )

> 
> Most people on this list and in conferences seem to be agreeing, at 
> least lately if not also before, that if people who need to use the 
> tools don't use them, then that becomes a security problem in and of 
> itself. And that the overwhelming majority of people in places like 
> Syria really do not understand the risks or practice best measures. 
> Would you agree? Getting over these obstacles requires training, and 
> also more transparency within this "Open Source" community about what
> we should be teaching people.

I think some of the best revolutionaries, journalists, activists and
humans that I've ever met understand these issues quite well. That is to
say - they understand emotional trauma, wiretapping, physical violence,
hacked accounts, torture, legal issues and so on. Many choose to take
action even when the odds are stacked against them, even or often
unprotected because of say, the political gains or the tactical
advantage in the moment.

If I understood a point that Gene Sharp made once - trainings are
ineffective without a larger framework and without specific
understandings of specific words - meaning that is important is
otherwise totally lost. So we need to consider the big picture as well
as many different kinds of small details - to focus entirely on one area
will leave us unbalanced, unprepared and well, less effective. Perhaps
to the point of being worse than when people at least tried to work
outside of the systems they didn't understand...

I think that a long term solution for say, communications security is to
normalize secure solutions and to pick some points of unity as part of
the definition of secure. As an example - Free Software is a hard
requirement for me in a serious situation but being FL/OSS does not mean
that it is secure. Again, we need processes, models, realistic
situational awareness and so on for humans - not just an International
House of Check Boxes with tools, no real desire to do anything more than
scrape the barrel and no actual capacity.

> I am also learning not to take gratuitous snipes here personally. As
>  it seems to be all too common within this group. But I do think we 
> would serve a great many more people if we had more constructive 
> conversations. Isn't that what this list is for?
> 

I don't think Steve was trying to insult you as he later clarified.

That Forbes article really isn't an example of solid and cutting edge
advice. Some of their stuff, such as the stuff by Andy Greenberg, is top
notch. Some of it is not even a notch...

I agree that constructive conversations are useful for the list. If I
were to dive right in - I'd say - could you give us examples of your
operational security?

I'll start and I'm curious to hear your follow ups.

I run almost entirely Free Software for my general computing needs. I
try to use only Forward Secret cryptography for communication and I
assume it only buys me time, rather than totally solves all of my
problems. I use GPG with a hardware token, rather than with keys on my
laptop. I encrypt all of my disks. I create honeypots to mess with
people who mess with me. I use RedPhone, TextSecure, Tor, and so on -
the usual suspects in the Free Software world.

I assume that most things fail open. I buy most of my hardware with
cash. I use different devices in different contexts. I don't believe
that the Fourth Amendment actually protects the equipment I have in my
home (electronically, physically,etc ). I try to understand, extend and
sometimes try to break the systems that I use - I try to only use
systems that people I respect have built, analyzed or use themselves. I
encourage everyone that I meet or talk with to use strong cryptography,
anonymity services and to consider the transitive risk of behavior. I
try to write software to improve this entire field and I try to work
with end users as well as trainers. And so on.

An evil Maid attack would own me in a lot of cases, so I carry my
computers with me to some rather annoying places. I stopped carrying a
cell phone regularly when I realized that it was simply a lost cause on
the privacy front. I do counter-surveillance and surveillance-detection
to try to catch people who try to tamper with my hardware or worse. I
give samples of likely backdoors to better reverse engineers (than me)
when in doubt. I've been working hard for the last few years to show
that these tactics and this kind of strategy isn't paranoia. Rather such
an understanding is required for the *current* Surveillance State, let
alone the coming New and Improved Surveillance State.

How about you?

A good friend jokingly once told me that some people raise their
paranoia to meet their security situation. The joke was of course that I
did the opposite: I raised the seriousness of my situation to match my
paranoia and outlook. If you have to pick between the two - which side
of things seems to have a possible positive outcome?

All the best,
Jacob

> 
>> -------- Original Message -------- Subject: Re: [liberationtech] 
>> Forbes recommends tools for journalists From: Steve Weis 
>> <steveweis at gmail.com> Date: Mon, December 17, 2012 6:10 pm To: 
>> liberationtech <liberationtech at lists.stanford.edu>
>> 
>> 
>> Just to go further down the tech tangent...
>> 
>> There are SSD drives with full-disk encryption, such as the Intel 
>> 520 series. Here's a paper "Reliably Erasing Data From Flash-Based
>>  Solid State Drives" from Usenix 2011 that analyzes disk sanitation
>>  on several SSD drives. Their conclusion was that built in 
>> encryption and sanitization functions were most effective, but were
>> not always implemented correctly: 
>> http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
>> 
>> Regarding storage for disk-encryption keys, PCs with TPMs can seal
>>  keys such that they can only be unsealed if the machine is booted
>>  to a verifiable state. Then you can leave the sealed key on the 
>> disk, which is how Bitlocker works.
>> 
>> Keep in mind that TPMs can be compromised by physical attacks. They
>> aren't going to protect you from a moderately-funded forensics
>> effort. But if you're getting information security advice from a
>> Forbes blog, that will be the least of your worries.
>> 
>> On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers 
>> <michael at briarproject.org>wrote:
>> 
>>> I'm not aware of any suitable storage on current smartphones or 
>>> personal computers, so we may need to ask device manufacturers to
>>> add (simple, inexpensive) hardware to their devices to support
>>> secure deletion. <hr>--
>> Unsubscribe, change to digest, or change password at: 
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> -- Unsubscribe, change to digest, or change password at: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE





More information about the cypherpunks-legacy mailing list