Notes from Hacks/Hackers NYC workshop on encryption and opsec for journalists. Notes come from talk by Jennifer Valentino.

Hacks-Hackers NYC: Encryption and Operational Security for Journalists (2013-09-16).md

Hacks/Hackers NYC: Encryption and Operational Security for Journalists (2013-09-16)

Jennifer Valentino, Wall Street Journal (@jenvalentino)

These notes come straight from Jennifer's presentation; slides at https://docs.google.com/file/d/0B2HGtAJEbG8PdzVPdHcwekI2V2M/edit

Background

• NSA covers 75% of internet traffic; not all is collected or sifted
• Big issues with suveillance are not the NSA but leak investigations, subpoenas, accidental disclosure and chilling effects on sources
  • James Rosen case; what was accessed: - Rosen's phone call metadata - Building card swipes - His Gmail account, including content
    • Gen. Petraeus case
      • IP address data matches hotel records
      • Drafts in shared Gmail account accessed
    • John McAfee
      • Fugitive found after Vice Magazine published a photo online that still had metadata, including geolocation

There are benefits to everyday crypto

• Prepare yourself for when you have more sensitive work
• You protect other jornalists by normalizing crypto, making it less of a red flag

But encryption can be a red flag

• Security only as good as the weakest link
• If a government actor really wants into your machine, it will get into it
• If your life or your source's life is in danger, don't rely on crypto to save you

Operational Security

• If work is sensitive, operational security is important
• OpSec is tedious and difficult (sorry)
• Stop talking about your work
• Stop taking your phone places; it tracks you
• Buy burner phones
• Buy burner computers
• You're going to have to do a lot more work than can be covered in an evening

Threat modeling

• Know your adversary
• Are you more worried about subpoenas, phone tracking, your own employer?
• More on threat modeling for journalists — class assignment on threat modeling: http://courses.jmsc.hku.hk/jmsc6041spring2013/2013/02/08/assignment-6-threat-modeling-and-security-planning/

What can you do?

• Strong encryption is still powerful
• Experts recommend open-source tools that have been reviewed for many years

The Inventory

• Tor Browser Bundle
  • Anonymizes internet activities, including browsing and IM
  • Combination of routing software and a specially configured Firefox browser
  • Tunnels traffic through a series of other computers
  • Weaknesses: It's very slow; last link is "in the clear"
  • Not foolproof
• Encrypted chats
  • Protecting IMs using ciphers
  • Chat programs Adium for Mac, Pidgin for Windows, plus use of an additional feature called OTR (off the record)
  • Makes text you're sending unintelligible to an observer; if used with Tor, metadata is hidden
  • Weaknesses: Vulnerabilities have been found in Pidgin and Adium, though crypto itself appears to be okay; it is useless if you log (ex. Chelsea Manning case); if you use same account over and over, anonymity is compromised
• PGP, GPG
  • Encoding text and files
  • "Pretty Good Privacy"; a very good encryption tool, GPG is an open alternative
  • Uses a system of keys to lock data; you give a public key out, and this allows people to encode info to send you; only people with private key can decode that information
  • Weaknesses: Requires good passwords; key length is important
• PGP email
  • More easily send PGP messages
  • Thunderbird, open-source email client, plus Enigmail, add-on to handle PGP
  • Hooks your email to PGP software
  • Does not protect metadata (ex. subject line, to/from lines)
• TrueCrypt
  • Encoding files stored on your computer
  • Creates a container that can only be unlocked by those with password
  • Weaknesses: Requires good passwords
• CCleaner
  • Open source tool is BleachBit
  • Cleans data from computer
  • System that allows you to choose areas that you want to delete and overwrite them; harder to recover
• CryptoCat
  • Encrypted group chat that's easy to use; good for introducing people to crypto and encouraging as norm; for example, internal chat about everyday stories
  • Web app for Firefox, Chrome and app for Mac
  • Uses encryption that is similar to OTR from other encrypted IM, but with a new tool called mpOTR (multi-party)
  • Weaknesses: CryptoCat is very young; anyone with a chatroom name can join; lack of verification in group chat; several examples of cryptography problems discovered (and later fixed)
• Download links: https://github.com/hackshackers/hhnyc-crypto/blob/master/README.md

Passwords are important

• Relevant xkcd http://xkcd.com/936/

Other tools

• HTTPS everywhere https://www.eff.org/https-everywhere
• WhisperSystems https://whispersystems.org/
• Guardian Project https://guardianproject.info/
• Silent Circle https://silentcircle.com/
• Tails https://tails.boum.org/
• 1Password or LastPass