Well, we seem to agree on two basic things: (And Steve, please see my brief note at the bottom here, too)
It is vital for journalists, activists and anyone who cares about freedom of information, accountability and using information to protect and ensure fundamental rights requires nothing less than a seismic shift to have such individuals learn, embrace, practice and keep themselves informed and updated about how digital surveillance works and about all the footprints and traces they are constantly leaving behind for hostile actors to track and intercept. So they can finally take responsibility for their own digital behavior including protecting sources. And it is mind-boggling how far behind the overwhelming majority of journalists and activists in both most and least developed nations, and in between are from this goal. The issue is how to start at least moving in the right direction. The problem is that even many people who admit they could use training hardly even know where to begin to get it. I would like to begin any such training with the kind of conceptual questions to make people think that Jake poses here. > > What kind of security advice? Who is following the advice? Does their > > context change while they follow this advice? Do they have resources of > > a user without more than a casual interest or are they well funded and > > dedicated? What are their requirements? What are their temporal > > tolerances? Do they understand safety plan or threat model without > > further explanation? What are the stakes for failure? In fact, that should be the way to frame any training. Instead of dumbing down the curriculum, or focusing on tools, let people know how complicated the landscape really is and make it clear that ethics require nothing less than a sustained commitment to learning about technology. But that kind of training has rarely if ever been available to date. Instead most training to date consists of a technologist parachuting in to train a group in one or two or three days. This creates the fire hose effect that allows for little absorption. I get the reasons for this. Technologists are usually volunteers. They are busy people and many also travel a lot. And, well, people should be grateful for whatever they can get. The other approach to training is the long-term, one-on-one mentoring approach. That's great if one has time. But Jake's description of the ever-increasing gap between surveillance capabilities and the lack of knowledge or practices by most journalists and activists shows that we need a more concerted effort if we are going to have any hope of filling the gap. Part of the problem, as Danny notes, is that the security advice is held close by technologists, while it remains a mystery to most other people who need to learn it. Journalists and activists need more transparency and dialogue from technologists. At the same time that journalists, news outlets mainstream and progressive alike, along with J-Schools need to commit on a much greater level than they realize so far. A few J-School professors --the few that are even aware of digital safety- have asked me to help them work digital safety into a single 90-minute class, or at most two classes. What J-schools need is a required 3 credit hour, 15 week course on nothing but digital security. (I am working on that.) I also personally take Jake's advice to heart. > > I would suggest reading the (yearly) proceedings from Blackhat, DefCon, > > NDSS, USENIX Security, Hack-in-The-Box, and others. I would suggest > > trying to understand the fundamental human assumptions at play by > > studying behavior of people. Those guys who have generally hung out in > > the foreign corespondents club - they had a lot going for them but if > > you wanted to compromise them, how would their skills hold up in the > > modern world? Now do it to yourself, how would you embody that in a > > guide? We wouldn't do a life critical bioassay with advice from the DIY > > bio community, right? Why is security that is also a life line different > > here? In fact, that is why I am on this list and going to conferences. It is part of my, to further quote Jake, "intense self-study." But we can also start training with the basics including basic operational security. Journalists need to understand why it is crucial to maintain physical control of their own computers, especially but not only when they travel. Most have no clue. They need to understand the importance of strong pass-phrases. They need to understand how both phishing and spear-fishing work. And journalists from Al Jazeera to Reuters to many others have been targeted with countless attacks all in the past year. They need to have a sense of potential surveillance might work in different settings, say, Russia, or Eritrea, or by organized crime in Mexico, or by the NSA in the US. And have a sense of both the strategies and tactics to help mitigate against that. Journalists need to know that some things are better left not being recorded digitally at all. like a sensitive source's name. And in many places, for journalists and human rights activists, it is not about rolling over in the face of the state, it is about the state or other actors simply gleaning information that can get sources tortured or killed. I know you Jake and others know that. I am just underscoring the point. My own operational security is always to think about the capabilities and personality of the surveillance entity. American-trained foreign intelligence agencies tend to collect much data, while little effective capability how to filter it, in my experience based in less developed, U.S.-backed nations overseas. Israeli-trained foreign intelligence agencies, on the other hand, can be more much more precise, from my experience. And in those environments I am far more careful. With truly sensitive sources I prefer to show up at their home or office, to leave as few footprints or traces as possible. I also once managed a group of investigative journalists all using PGP to communicate. And the burden of being unable to search one's email became a tremendous hassle. Also using PGP in a nation like Colombia where state surveillance is intense is simply a red flag that can put you and sources at risk. So for me my operational security is entirely contextual. I like to think about how intelligence agencies or drug traffickers, or how intelligence agencies colluding with drug traffickers would operate, and adjust both my physical and digital operational security accordingly. And I have been called paranoid. In such environments, I avoid phone calls, use of credit or debit cards, and any Internet use. And practice simple but effective physical counter-surveillance measures before and after approaching sources. In fact, I would much prefer to a source by phone, email or some other conduit to say little more than, "Hey, let's meet up. Remember the place we met last time. Tomorrow noon." I get your point, Jake. The effort must be a total commitment. For me, the most important thing to communicate in any training is exactly that. Never make people think they know enough to be safe. Rightfully show them that even if they ever were to get as proficient in digital safety as most people here on this list, they would still not necessarily be safe. And, to second Danny and others here, this discussion is invaluable. I need help, and journalists and activists of all kinds need help getting up to speed. We need more not less discussion. And, Steve, my apologies for overreacting to your point, too. I very much appreciate the feedback, and I am glad it sparked this thread. And I know the process will take time. Best! Frank > -------- Original Message -------- > Subject: Re: [liberationtech] was: Forbes recommends tools for > journalist; is now: depressing realities > From: "Jillian C. York" <jilliancy...@gmail.com> > Date: Wed, December 19, 2012 7:57 pm > To: liberationtech <liberationtech@lists.stanford.edu> > > > I admittedly haven't read the entirety of Jake's original email yet, but > from what I have, plenty resonates. I'll try to come up with a thoughtful > response later, but I do have one earnest question (for Jake, and for > everyone) that I honestly don't have the answer to. > > If we believe (as I suspect many of us do) that some of the tools we use > should become popularized and used by "ordinary" folks as well as those > with serious security needs, what is the best way to go about ensuring that > happens? > > I ask because, while I agree that the article is junk for most threat > models, I *don't* believe that it's a bad idea to push everyone to encrypt, > whether they think they need it or not. And if we were to try to distill > the author's motivation for writing the piece (aside from money and > pageviews), I suspect that's a big part of it. > > So how do we go about that? > > On Tue, Dec 18, 2012 at 9:26 PM, Jacob Appelbaum <ja...@appelbaum.net>wrote: > > > Hi, > > > > fr...@journalistsecurity.net: > > > But if > > >> you're getting information security advice from a Forbes blog, that > > >> will be the least of your worries. > > > > > > Where would you suggest we get information security advice from? > > > > This is an interesting question and I admit, I feel like it leaves a bad > > ring in my ears... > > > > What kind of security advice? Who is following the advice? Does their > > context change while they follow this advice? Do they have resources of > > a user without more than a casual interest or are they well funded and > > dedicated? What are their requirements? What are their temporal > > tolerances? Do they understand safety plan or threat model without > > further explanation? What are the stakes for failure? > > > > The answer to each of those questions would shift my answers to > > subsequent questions around, I guess. > > > > If I were to change that question a bit to be something that many people > > are familiar with - I'd say - Where do we get good health advice from? > > When I go to a general practice doctor, they might refer me to a > > specialist. But where do I find that doctor? And what if I have issues > > that are really expensive to solve? It leads us in a similar direction - > > we look for common certifications, credentials, ratings, feedback, word > > of mouth, etc. We get a general sense of things, hopefully if we're > > seeing a terrible doctor, we know before they cut us up or send us home > > when we really need a different kind of care. > > > > It seems that some groups who do practical training are trying to be the > > specialist and the generalist. Sadly, because many of us are motivated > > by non-technical goals, say social justice, a real core background in > > many overlapping fields is simply missing. There isn't an advertised set > > of unified goals or principles stated where we try to work toward a set > > of solutions, nor is there a common set of agreed upon threat models > > that we're working with openly, and so on. > > > > The Forbes article is junk for my threat model(s) and frankly, I think > > it is junk for everyone else on a long enough time line. An open > > question is mostly if anyone will ever do anything noteworthy enough to > > learn that it was junk at the time. If it had been written about biology > > and safe sex, I'd say it was offering sheep skin condoms as a partial > > solution; we'd all get a pretty bad feeling about it and commonly > > understand the problem with such solutions, right? > > > > The technical details are so poorly understood by journalists that their > > ethics generally mean nothing; who cares if a journalist promises to > > keep a secret if they even have Skype *installed* on their laptop with > > confidential documents, emails or an OTR enable chat client? Their > > operational security is lower than the bar of the commercial market, we > > don't even have to begin to discuss intelligence agencies. > > > > In almost any other topic, it is simply intolerable to let a person > > write complete nonsense advice as an authority. Such authors get a > > reputation for being worth ignoring and sometimes, they're the topic of > > the next article. Yet in the field of journalism, we see journalists who > > even proudly boast of their illiteracy, without realizing the > > recklessness of their choices, sometimes even the choice of straight up > > ignorance because security is simply too hard. Or refusing to even offer > > anything resembling a secure way to reach them, let alone actually > > something they try to use regularly. I've rarely met journalists that > > encourage people to secure their communications - it does happen but > > wow, it is rare rare rare. > > > > Some journalists at least claim that they will go to jail before they'll > > give up sources, some won't make such claims or will even make the > > opposite claims. The signs of such journalists are easy to spot and > > still hard to confirm in any meaningful manner. When push comes to > > shove, even the best intentioned journalists still roll over when the > > might of the state crushes them under a pair of boots. > > > > At least with a proper idea of how journalism is being undermined by the > > Surveillance State, such a journalist might get a clue about the level > > of help, protection and transitive risk they pose to sources. Such an > > understanding is largely missing from the dialog and the Forbes piece > > really obviously shows that the advice is the product of an extremely > > lacking study of the threat landscape. > > > > What am I getting at? > > > > When journalism was two people meeting in person, the people were the > > main piece that mattered, when research on who to contact was ephemeral, > > even a failed meeting wasn't a pin pointed event to be followed up on > > later. > > > > The (communications, crypto, electricity, etc) systems illiteracy means > > that otherwise core competencies of a solid journalist are undermined. > > > > Where should 'we' get our information? From people who have a clue, I > > think, in whatever field where we're barely scratching the surface with > > our questions. When I wonder about specific cryptography issues, I don't > > go to Forbes, I'd take a class from Dan Boneh or Moxie. When I wonder > > about a pain in my chest, I go to a doctor for triage. When I want to > > solve those problems myself, I invest in my own education. > > > > It seems to follow that if you're building a knowledge base for > > journalist security, it might make sense to build a collection of threat > > models, a collection of unified threats (eg: calls you make will be > > wiretapped, your location will be recorded, your email will be > > intercepted) you hope to address, and so on. > > > > It might also make sense to define who receives the advice; after all, > > if the trainers are simply middle (hu)man, why would someone at risk > > want to talk to them? It seems that if the goal is simply to benefit > > from the surplus of the labor of others, adding something to the mix > > might be a useful contribution to the community. We all bring different > > things to the table, right? > > > > To put this a different way: I'm not a lawyer and while I doubt I'll > > ever be a lawyer, I accept that I do not need to have a law degree to > > have a clue. I also trust a number of people with law degrees to advise > > me but it took a lot of study, reading and frankly, rational > > self-interest in the self-survival department to even slightly > > *understand* their great advice. I've had the privilege of lawyers > > friends who didn't tolerate a lack of understanding while also making > > legal choices. My ability to make decisions was simply not up to snuff > > without a clue. So at least in a few of my own legal cases, I've done a > > lot of research to understand the core ground rules of the system that I > > inhabit, even if the system is made up of things I don't fully like or > > even really understand in an intuitive sense. While I'm *certainly* not > > a lawyer, I might have enough of a clue to know who to call or how badly > > I don't know something. > > > > So I wonder, what do journalists need to do? It seems to me that they > > should talk to the experts in the fields that are required for their > > specific operations. It also seems to me that they might want to work on > > not collaborating with the Surveillance State so much. As their lack of > > knowledge on the topic has basically made their job and their ethical > > commitments impossible unless they become full time > > security/privacy/anonymity/computer/network/telephone/etc experts. > > > > So on the one hand, I feel for journalists that don't understand > > technology. But on the other hand, I think without understanding the way > > that the world works, they're calling themselves journalists without > > understanding that technology is as important as having credible sources > > - it isn't like photography, it isn't a value add skill, it is a core > > and fundamental part of the job. > > > > > Many here are quick to point out what people should not rely upon. > > > But relatively few seem to want to assume the responsibility to > > > suggestt what people should use. We are gleaning material including > > > on concepts from the Information Security chapter written by Danny in > > > CPJ's Journalist Security Guide (full disclosure: I wrote the > > > chapters on physical safety). We are looking for guidance on tools > > > from Security-in-a-Box by Tactical Tech. And we are reviewing and > > > closely following the discussion over the new Internews guide which > > > covers both concepts and tools. We are also looking at relevant > > > guides by Small World News by Brian and others, and Mobile Active by > > > Katrin and Alix. > > > > > > > Security is a process and not simply a product that people use. I'm > > loathe to repeat that but that concept is worthy of deep thought. > > > > It isn't unlike asking which travel visa company we should call about > > entering Syria. Surely we wouldn't accept a guide that told us to simply > > call up the local tour company for advice. Rather, we'd want specifics, > > right? But to have specific, we need grounding in reality - languages > > help, having street smarts helps and so on. > > > > I look at all of the above guides and I think that they're interesting > > as an awareness and philosophy metric for the respective community that > > created it. Lots of unequal threat models, lots of varying capacities, > > lots of graphic design budgets and often very little scientific > > referencing for *positive* security claims. > > > > > It seems to me that the above comprise the best available sources > > > out there. Would you agree? Of course, if you or anyone has any > > > other suggestions, we are all ears. The discussion itself over the > > > Forbes blog and other material is all helpful. But backhanded snipes > > > without the benefit of positive alternative suggestions are not. > > > > No, I wouldn't agree. They're all nice efforts but frankly, all of them > > are lacking because they don't really explain the social stuff - the > > reality of the world stuff or the deep factual stuff - and are mostly > > about tools. There are parts that come close and are then not detailed > > about the technology, or they simply give up - where is the phone > > security guide that explains how to buy discrete SIMS for Satellite > > phones anonymously? Where is the IMEI changing guide for people using > > cell phones in Syria? Where are the threat modeling discussions that > > model real situations that actually exist, say for Egypt having a copy > > of FinFisher? > > > > I would suggest reading the (yearly) proceedings from Blackhat, DefCon, > > NDSS, USENIX Security, Hack-in-The-Box, and others. I would suggest > > trying to understand the fundamental human assumptions at play by > > studying behavior of people. Those guys who have generally hung out in > > the foreign corespondents club - they had a lot going for them but if > > you wanted to compromise them, how would their skills hold up in the > > modern world? Now do it to yourself, how would you embody that in a > > guide? We wouldn't do a life critical bioassay with advice from the DIY > > bio community, right? Why is security that is also a life line different > > here? > > > > I guess it isn't so simple and that is why it takes time - so I > > would suggest trying to find ways to encourage people to engage in > > intense self-study, in things that destroy apathy for the ills of the > > world with regard to personal liberty - so they can find resources that > > are otherwise seemingly unconnected on the surface that might otherwise > > go unnoticed. > > > > Sorry for the shameless plug here but I feel it is contextually > > appropriate: > > > > http://www.orbooks.com/catalog/cypherpunks/ > > > > ( I make no money from this book; you can easily find it on bittorrent - > > please do! ) > > > > > > > > Most people on this list and in conferences seem to be agreeing, at > > > least lately if not also before, that if people who need to use the > > > tools don't use them, then that becomes a security problem in and of > > > itself. And that the overwhelming majority of people in places like > > > Syria really do not understand the risks or practice best measures. > > > Would you agree? Getting over these obstacles requires training, and > > > also more transparency within this "Open Source" community about what > > > we should be teaching people. > > > > I think some of the best revolutionaries, journalists, activists and > > humans that I've ever met understand these issues quite well. That is to > > say - they understand emotional trauma, wiretapping, physical violence, > > hacked accounts, torture, legal issues and so on. Many choose to take > > action even when the odds are stacked against them, even or often > > unprotected because of say, the political gains or the tactical > > advantage in the moment. > > > > If I understood a point that Gene Sharp made once - trainings are > > ineffective without a larger framework and without specific > > understandings of specific words - meaning that is important is > > otherwise totally lost. So we need to consider the big picture as well > > as many different kinds of small details - to focus entirely on one area > > will leave us unbalanced, unprepared and well, less effective. Perhaps > > to the point of being worse than when people at least tried to work > > outside of the systems they didn't understand... > > > > I think that a long term solution for say, communications security is to > > normalize secure solutions and to pick some points of unity as part of > > the definition of secure. As an example - Free Software is a hard > > requirement for me in a serious situation but being FL/OSS does not mean > > that it is secure. Again, we need processes, models, realistic > > situational awareness and so on for humans - not just an International > > House of Check Boxes with tools, no real desire to do anything more than > > scrape the barrel and no actual capacity. > > > > > I am also learning not to take gratuitous snipes here personally. As > > > it seems to be all too common within this group. But I do think we > > > would serve a great many more people if we had more constructive > > > conversations. Isn't that what this list is for? > > > > > > > I don't think Steve was trying to insult you as he later clarified. > > > > That Forbes article really isn't an example of solid and cutting edge > > advice. Some of their stuff, such as the stuff by Andy Greenberg, is top > > notch. Some of it is not even a notch... > > > > I agree that constructive conversations are useful for the list. If I > > were to dive right in - I'd say - could you give us examples of your > > operational security? > > > > I'll start and I'm curious to hear your follow ups. > > > > I run almost entirely Free Software for my general computing needs. I > > try to use only Forward Secret cryptography for communication and I > > assume it only buys me time, rather than totally solves all of my > > problems. I use GPG with a hardware token, rather than with keys on my > > laptop. I encrypt all of my disks. I create honeypots to mess with > > people who mess with me. I use RedPhone, TextSecure, Tor, and so on - > > the usual suspects in the Free Software world. > > > > I assume that most things fail open. I buy most of my hardware with > > cash. I use different devices in different contexts. I don't believe > > that the Fourth Amendment actually protects the equipment I have in my > > home (electronically, physically,etc ). I try to understand, extend and > > sometimes try to break the systems that I use - I try to only use > > systems that people I respect have built, analyzed or use themselves. I > > encourage everyone that I meet or talk with to use strong cryptography, > > anonymity services and to consider the transitive risk of behavior. I > > try to write software to improve this entire field and I try to work > > with end users as well as trainers. And so on. > > > > An evil Maid attack would own me in a lot of cases, so I carry my > > computers with me to some rather annoying places. I stopped carrying a > > cell phone regularly when I realized that it was simply a lost cause on > > the privacy front. I do counter-surveillance and surveillance-detection > > to try to catch people who try to tamper with my hardware or worse. I > > give samples of likely backdoors to better reverse engineers (than me) > > when in doubt. I've been working hard for the last few years to show > > that these tactics and this kind of strategy isn't paranoia. Rather such > > an understanding is required for the *current* Surveillance State, let > > alone the coming New and Improved Surveillance State. > > > > How about you? > > > > A good friend jokingly once told me that some people raise their > > paranoia to meet their security situation. The joke was of course that I > > did the opposite: I raised the seriousness of my situation to match my > > paranoia and outlook. If you have to pick between the two - which side > > of things seems to have a possible positive outcome? > > > > All the best, > > Jacob > > > > > > > >> -------- Original Message -------- Subject: Re: [liberationtech] > > >> Forbes recommends tools for journalists From: Steve Weis > > >> <stevew...@gmail.com> Date: Mon, December 17, 2012 6:10 pm To: > > >> liberationtech <liberationtech@lists.stanford.edu> > > >> > > >> > > >> Just to go further down the tech tangent... > > >> > > >> There are SSD drives with full-disk encryption, such as the Intel > > >> 520 series. Here's a paper "Reliably Erasing Data From Flash-Based > > >> Solid State Drives" from Usenix 2011 that analyzes disk sanitation > > >> on several SSD drives. Their conclusion was that built in > > >> encryption and sanitization functions were most effective, but were > > >> not always implemented correctly: > > >> http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf > > >> > > >> Regarding storage for disk-encryption keys, PCs with TPMs can seal > > >> keys such that they can only be unsealed if the machine is booted > > >> to a verifiable state. Then you can leave the sealed key on the > > >> disk, which is how Bitlocker works. > > >> > > >> Keep in mind that TPMs can be compromised by physical attacks. They > > >> aren't going to protect you from a moderately-funded forensics > > >> effort. But if you're getting information security advice from a > > >> Forbes blog, that will be the least of your worries. > > >> > > >> On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers > > >> <mich...@briarproject.org>wrote: > > >> > > >>> I'm not aware of any suitable storage on current smartphones or > > >>> personal computers, so we may need to ask device manufacturers to > > >>> add (simple, inexpensive) hardware to their devices to support > > >>> secure deletion. <hr>-- > > >> Unsubscribe, change to digest, or change password at: > > >> https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > -- Unsubscribe, change to digest, or change password at: > > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > > > > -- > > Unsubscribe, change to digest, or change password at: > > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > > > -- > US: +1-857-891-4244 | NL: +31-657086088 > site: jilliancyork.com <http://jilliancyork.com/>* | * > twitter: @jilliancyork* * > > "We must not be afraid of dreaming the seemingly impossible if we want the > seemingly impossible to become a reality" - *Vaclav Havel*<hr>-- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
