[liberationtech] CPJ blog building on EFF, Citizen Lab -- BlackShades Skype Trojan

2012-06-20 Thread frank
I am grateful to EFF and Morgan, Eva, and Citizen Lab and Seth Hardy for allowing us to build on their fine work and help spread the message. If anyone knows whether any of this information has yet appeared online in Arabic please let us know. Thank you. FS

http://cpj.org/security/2012/06/skype-trojan-targets-syrian-citizen-journalists-ac.php

Skype Trojan targets Syrian citizen journalists, activists
By Frank Smyth/Senior Adviser for Journalist Security

The Russian manufacturer promises results. The software can be used to control your own or, say, a customer's computer by making it a remote software client. Or it could be used for spying on others.

"BlackShades Remote Controller also provides an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system," reads one line of the online product description. The software sells online for $40 (an additional $12.60 brings premium support) through the Canadian E-Commerce reseller paypro, and it can surreptitiously record keystrokes and screen views while giving the intruder clandestine remote access to the target computer.

The terms of service include several disclaimers. Purchasers must be "of legal age to use our services and are not a person barred from receiving services under the laws of Russia or other applicable jurisdiction." Purchasers must further agree to not use BlackShades to "harm people in any way," or "upload, post or otherwise make available any Content that you do not have a right to make available," or "provide material support or resources...to any organization(s) designated by the Russian government as a foreign terrorist organization."

The spyware has been embedded into what looks like just one of many .pif video files being circulated by Syrian activists on Skype to help document attacks and human rights abuses by Syrian government and pro-government forces, according to a report posted yesterday by the University of Toronto's Citizen Lab. North American-based forensic experts dissected the Trojan spyware embedded in the video file circulating on Skype, which ends with the extension "new_new.pif."

The digital workings of the latest Skype Trojan are similar to those of a prior YouTube video Trojan that also targeted Syrian activists, according to a report yesterday by the San Francisco-based nonprofit Electronic Frontier Foundation. The EFF report includes screen shots to help Syrian activists and other users identify the specific harmful files.

Yet merely deleting the files or using anti-virus software "does not guarantee that your computer will be safe or secure," added EFF. The remote control access that BlackShades provides could allow intruders to install other spyware on one's computer. What's the safest bet? EFF suggests re-installing the computer's Operating System and changing all passwords to any accounts that one has logged into since the infection.

Frank Smyth is CPJ's senior adviser for journalist security. He has reported on armed conflicts, organized crime, and human rights from nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda, Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on Twitter @JournoSecurity.

Tags: Cyberattack, Internet, Skype
June 20, 2012 3:25 PM ET

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
T. + 1 202 244 0717
C. + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

Please consider our Earth before printing this email.

Confidentiality Notice: This email and any files transmitted with it are confidential. If you have received this email in error, please notify the sender and delete this message and any copies. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech
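A defender-side triage check for the kind of file the post above describes: a Windows-executable .pif carrying an MZ header but named to pass as a video. This is an added example, not code from the CPJ, EFF or Citizen Lab reports; the extension lists and the constructed sample files are my own assumptions, and it checks only the naming and header tricks the article mentions, not any payload.

```python
import os
import tempfile

# Extensions Windows runs as programs on double-click. Explorer never shows
# .pif and .lnk, even with "hide extensions for known file types" switched
# off, so "clip_new_new.pif" is displayed as "clip_new_new" (assumed list).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
# Extensions a genuine video file would carry (assumed list for this check).
VIDEO_EXTENSIONS = {".avi", ".mp4", ".mkv", ".mov", ".wmv", ".flv"}


def looks_like_video(head: bytes) -> bool:
    """True if the leading bytes match a common video container signature."""
    return (
        (head[:4] == b"RIFF" and head[8:12] == b"AVI ")  # AVI
        or head[:4] == b"\x1a\x45\xdf\xa3"               # Matroska / WebM
        or head[4:8] == b"ftyp"                          # MP4 / QuickTime
    )


def classify(name: str, head: bytes) -> list:
    """Return the reasons a file is suspicious; an empty list means no finding.

    `name` is the file name as shown to the user, `head` its first bytes.
    """
    reasons = []
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]  # "clip.avi.pif" -> ".avi"
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"{ext} is an executable type on Windows")
        if inner_ext in VIDEO_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} imitates a video")
    if head[:2] == b"MZ":
        reasons.append("content begins with an MZ header (Windows executable)")
    if ext in VIDEO_EXTENSIONS and not looks_like_video(head):
        reasons.append(f"claims to be {ext} but lacks a video container signature")
    return reasons


def scan_directory(path: str) -> dict:
    """Map each suspicious file in `path` (non-recursive) to its reasons."""
    findings = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(16)
        reasons = classify(entry.name, head)
        if reasons:
            findings[entry.name] = reasons
    return findings


def demo() -> dict:
    """Scan a temp folder of constructed samples (no real malware involved)."""
    samples = {
        # constructed: MZ-headered .pif named like the circulated "new_new.pif"
        "clip_new_new.pif": b"MZ\x90\x00" + b"\x00" * 12,
        "clip.avi.pif": b"MZ\x90\x00" + b"\x00" * 12,   # constructed double extension
        "clip.avi": b"RIFF\x10\x00\x00\x00AVI LIST",    # constructed genuine AVI header
        "renamed.mp4": b"MZ\x90\x00" + b"\x00" * 12,    # constructed executable renamed
        "notes.txt": b"meeting notes",                  # constructed benign file
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        return scan_directory(folder)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

An MZ-headered file that arrived as a "video" over Skype is exactly the case where EFF's advice above (reinstall the OS, then rotate passwords) applies rather than simple deletion.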

[liberationtech] Skype Manager Chinese

2012-06-21 Thread frank
I just got the message below from a colleague at NPR who discovered emails from "Skype Manager" in Chinese. I presume she should delete them. Anyone have any thoughts? Thank you. FS

Subject: Skype messages in Chinese?

Hi, ITSupport--

I'm at home, trying to get over a bad cold, so I checked my emails today using mail.npr.org and see that I'm getting emails today from "Skype Manager" in Chinese today. Should I delete these messages without opening them?

Carol

Re: [liberationtech] Skype Manager Chinese

2012-06-21 Thread frank
Indeed. I just asked her to send them to Morgan who volunteered to check them out.


 Original Message 
Subject: Re: [liberationtech] Skype Manager Chinese
From: Douglas Lucas 
Date: Thu, June 21, 2012 11:49 am
To: liberationtech@lists.stanford.edu
Cc: fr...@journalistsecurity.net

And by save them I mean not saving them to a drive but as in not deleting them. 



[liberationtech] Arabic-speaking digital safety trainers

2012-06-29 Thread frank
We are looking for a few Arabic-speaking digital safety trainers to help teach basic concepts and some tool usage to citizen journalists operating in critical nations. Training will occur remotely using VPNs to reach select users. (Some training in third-party nations may also be possible.) Potential trainers could be technologists who can speak "human" to non-techies, or journalists or activists who have a basic sense of concepts and tools.

We are also interested in training trainers, so we are prepared to work to bring potential trainers up to speed.

We also want to make sure that any possible trainers have bona fide netfreedom credentials, thus we are posting here. And we plan to vet, too. Any suggestions would be welcome. Thanx! FS
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

[liberationtech] Adium w/ Facebook, or Google Talk

2012-07-02 Thread frank
I wonder if people here recommend the open source freeware Chat tool Adium?

http://adium.im/about/

And whether they would recommend using it with Facebook? Or, if not, Google Talk?

Thanks! FS
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

Re: [liberationtech] Adium w/ Facebook, or Google Talk

2012-07-02 Thread frank
Check that. I am a Mac user, so Google Talk will apparently not work.

I am open to suggestions... Thanks!



Re: [liberationtech] Adium w/ Facebook, or Google Talk

2012-07-02 Thread frank
Thanks Katrin!


 Original Message 
Subject: Re: [liberationtech] Adium w/ Facebook, or Google Talk
From: Katrin Verclas <kat...@mobileactive.org>
Date: Mon, July 02, 2012 11:06 am
To: Robert Guerra <rgue...@privaterra.org>
Cc: liberationtech Technologies <liberationtech@lists.stanford.edu>

The secure instant messaging client for Android from Guardian Project is Gibberbot, Robert:   https://guardianproject.info/apps/gibber/

Katrin 


On Jul 2, 2012, at 10:51 AM, Robert Guerra wrote:

> On 2012-07-02, at 9:45 AM, <fr...@journalistsecurity.net> wrote:
> 
>> Check that. I am a MAC user, so Google Talk will apparently not work.
>> 
>> I am open to suggestions...Thanks!
>> 
> 
> Frank,
> 
> Adium is a good Mac multi-protocol chat client. Its source code is available and generally well received by the community.
> 
> Adium has OTR (off the record functionality) which will enable secure chatting regardless of the chat system (google chat, yahoo, etc) that is used. I highly recommend you turn on OTR functionality and make sure the party you are chatting with has an OTR enabled client (jitsi, pidgin, or adium).
> 
> If you want secure voice functionality, then I'd recommend a ZRTP enabled client such as Jitsi. Again, like Adium - the secure features, OTR (for secure chat) and ZRTP (for secure voice) need to be activated on both sides for the conversation to be secured with encryption.
> 
> ZRTP clients for mobile devices also exist. Groundwire for iOS has a ZRTP functionality. csipsimple is the one suggested by the folks at the Guardian project for Android <https://guardianproject.info/2012/05/26/ostn-secure-voip-wizard-now-built-into-csipsimple-for-android/>
> 
> 
> Groundwire
> http://www.acrobits.cz/11/acrobits-groundwire-for-iphone
> 
> csipsimple
> https://code.google.com/p/csipsimple/
> 
> regards
> 
> Robert
> 
> --
> R. Guerra
> Phone/Cell: +1 202-905-2081
> Twitter: twitter.com/netfreedom 
> Email: rgue...@privaterra.org
> 


Katrin Verclas
MobileActive.org
kat...@mobileactive.org

skype/twitter: katrinskaya
(347) 281-7191

Check out SaferMobile.org 
Using Mobile Technology More Securely. For Activists, Rights Defenders, and Journalists.
https://safermobile.org

MobileActive.org: A global network of people using mobile technology for social impact
http://mobileactive.org


Re: [liberationtech] What I've learned from Cryptocat

2012-08-06 Thread frank
Hey guys,

I appreciate the importance and depth of this discussion. But I also wish to underscore that most of the people who are at risk are not using any tools whether they be CryptoCat, PGP, GChat or others for the simple reason that they either cannot figure them out, or don't have time to figure them out, or both. And I am talking about people at risk in many different nations.

No doubt the functional security of tools is an indispensable, essential concern. Ignoring any vulnerabilities is dangerous, indeed. But the usability of the same tools and making them accessible to non-technologists is just as big a concern, in my view. I know you guys think that many such users including Western journalists are simply lazy. But many, if not most of the available tools are simply not intuitive, or not as much as most technologists who already know how to use them seem to think.

How many people on this list have spent time asking non-technologists and other users who have tried, but have since given up even trying to use tools like PGP? Or have examined how new users interact with such tools? I have a great deal of respect for this community. But to be honest it seems to me that neither the technologists nor the donors have spent much time asking such questions.

If a novice user makes a mistake in PGP, for example, it's over. Options are not intuitive if you don't already know them. And if you hit the wrong button, you can end up at a dead end with no guidance on how to get back on track. Trust me. I know. And I am not trashing PGP. I know well and fully appreciate its value and I have used it and continue to use it in hostile environments. And I also know that users and only users can make crucial choices during use for their own security. I get that, too. But most digital security tools still do not do a good job of laying out, let alone explaining the options. And I say that with respect for the value of the tools and options themselves.

Cryptocat is one of the most user-friendly tools out there, and I think Nadim deserves credit for the effort. Of course, the vulnerabilities must be fixed before anyone should use it in a hostile environment. Although the level of vulnerability might also depend on the nature of the threat in any particular environment. But I also think we need to spend as much time making tools accessible as we do making them secure if we are going to reach the people who really need them. And right now few if any of these tools are having the reach that we all agree is needed. And that is an issue largely of usability.

I think with more constructive collaboration we would achieve both. We need to. Thanks.

Best, Frank


 Original Message 
Subject: Re: [liberationtech] What I've learned from Cryptocat
From: Moxie Marlinspike 
Date: Mon, August 06, 2012 10:29 pm
To: liberationtech@lists.stanford.edu




On 08/06/2012 06:59 PM, Eleanor Saitta wrote:
> Except that with your harm mitigation, you push many potential users
> back to plaintext, where they are guaranteed to be owned.  What
> percentage of potential cryptocat users would the plugin version have to
> stop from using the tool for you to accept that there was a place for
> the non-plugin version?

Let's stop using the word "plaintext," because my understanding is that
none of the chat services we're speaking of transmit data in the clear.
 As I see it, there are currently three possible vectors for attack with
"existing" web-based chat services:

1) SSL interception.
2) Server compromise.
3) Server operator.

The technology in CryptoCat v1 does not address any of these three
vectors, and all of them remain possible.  My position is that it's
actually more susceptible to attack via #1 and #2 than existing
web-based chat solutions.  I believe your position is that it improves
on vector #3 by virtue of being not-Facebook.  (I'm curious how you
measure #3 in comparison to GChat.)

If we postulate that CryptoCat does improve vector #3 by virtue of being
not-Facebook, it isn't a result of the technology, but simply that we've
agreed Nadim has a better monitoring/interception track record than
Facebook.  If that's something you think is valuable, it actually seems
like it'd potentially be better served by having someone like the EFF or
Riseup host a web-based and SSL-protected chat service, wit

Re: [liberationtech] What I've learned from Cryptocat

2012-08-08 Thread frank
That's a very good point, Michael. The challenge is to help people understand that not having a perfect solution does not mean simply ignoring all electronic risks. As people are still using technology, as you also note.

I also think we all have a tendency to develop narratives that are consistent with what we think is convenient rather than what may be at a deeper level true. And I think improving user access must also involve explaining the fluid nature of digital risks. And the evidence of risks is also beginning to mount at least among journalists, too.


 Original Message 
Subject: Re: [liberationtech] What I've learned from Cryptocat
From: Michael Rogers <mich...@briarproject.org>
Date: Wed, August 08, 2012 1:22 pm
To: fr...@journalistsecurity.net
Cc: Moxie Marlinspike <mo...@thoughtcrime.org>, 
liberationtech@lists.stanford.edu



On 07/08/12 06:19, fr...@journalistsecurity.net wrote:
> How many people on this list have spent time asking
> non-technologists and other users who have tried, but have since
> given up even trying to use tools like PGP? Or have examined how
> new users interact with such tools? I have a great deal of respect
> for this community. But to be honest it seems to me that neither
> the technologists nor the donors have spent much time asking such
> questions.

Hi Frank,

I'd just like to make an anecdotal point here. A few months ago I
spent an interesting afternoon talking to some activists in the UK
about what communication tools they use for what tasks.

None of them regularly used PGP, Tor, or disk encryption software, but
the reasons they gave had nothing to do with usability. They were
aware of the tools and knew how to use them, but they didn't believe
that doing so provided any practical security benefits. They believed
that encryption software probably contained backdoors and could be
defeated by keyloggers. They'd seen evidence trails from computers and
phones produced in court, and rather than relying on technology to
solve technology's problems, some of them preferred to avoid
electronic communication altogether for secret work.

It's tempting to say they were right and leave it at that. Keep your
secrets away from your gadgets and your gadgets away from your
secrets. But that wasn't what they were actually doing. They all
carried phones, even though they knew they were being tracked and
possibly bugged. They all had email accounts, and some of them used
mailing lists and forums for planning, even though they knew that if a
keylogger could get their encryption passwords it could get everything
else they typed. Why the apparent inconsistency?

One possible interpretation is that they were assessing encryption
tools with a typical information security mindset: if there's any weak
point, the adversary will exploit it, so the strong points are
irrelevant. But they were assessing other techniques with a more
balanced mindset: weigh up the risks and potential benefits, compare
the available alternatives, and choose the best (or the least bad).

That's only speculation on my part, of course. But if it's right, it
raises a difficult question: how do we maintain rigorous standards of
critique within the information security community, without giving
potential users of our tools the counterproductive impression that
nothing works and you might as well give up?

Cheers,
Michael


[liberationtech] American Journalism Review on digital security

2012-09-03 Thread frank
on Twitter under the name "La Nena de Laredo" - The Girl from Laredo. How the killers tracked her remains a mystery. Was it traditional shoe-leather stalking or did they use electronic surveillance to find her?

"It's possible they could have gotten an electronic footprint that led them to her," says Frank Smyth, CPJ's senior adviser for journalist security. "It's also possible they pegged her due to her behavior in a small town in Northern Mexico. Without evidence, there's no way to know." Castro's murder was the first CPJ has documented in direct retaliation for journalism posted on social media.

If she was being tracked electronically, what could Castro have done to reduce the danger? "She could have used Tor," says Smyth, main author of the CPJ guide. Tor is described on its Web site as free software that "prevents anyone from learning your location or browsing habits." It also is known as a censorship circumvention tool.

Similar questions surfaced when a rocket-propelled grenade made a direct hit on a makeshift press center in the war-torn town of Homs, Syria, on February 22, killing American-born war correspondent Marie Colvin, 56, and French photographer Rémi Ochlik, 28.

After the attack, the Telegraph in London reported that journalists in Homs had worried "that Syrian forces had 'locked on' to their satellite phone signals and attacked the buildings from which they were coming."

Colvin filed stories via a satellite uplink and had been vocal about the Syrian government's human rights violations during interviews on CNN and other news outlets just before the attack. Without precautions, the journalists could have been easy targets, Smyth says. CPJ advises against multiple parties transmitting from the same location in a hot zone like Homs.

"Basically, the paranoia game is what we need to play," says Steve Doig, Knight Chair in Journalism at Arizona State University. Doig has given presentations on "Spycraft: Keeping Your Sources Private" at Investigative Reporters and Editors' conferences and elsewhere.

The veteran journalist - he spent 19 years at the Miami Herald - talks about keeping Internet searches private, making and receiving untraceable calls and encryption/decryption programs. Reporters who cover national security and have sources in the intelligence community are aware of these tactics, Doig says, but many journalists still "have their head in the sand."

"My goal in doing these talks has been to wave the flag and get people thinking about it," Doig says. "Someday, when a young reporter has a 'Deep Throat' source for the first time in his or her career, they won't start out by leaving a trail of bread crumbs."

Some journalists are leading the way.

To illustrate how the Associated Press addresses cyber safety issues, Media Relations Director Paul Colford sent a link to an article about the AP's 2012 Pulitzer Prize-winning investigation of the New York Police Department's surveillance of minority and Muslim populations. The story described the security measures the journalists took while reporting the pieces.

The AP kept drafts of the series off of its internal content management system "until the 11th hour each time, to ensure security," wrote reporter Joe Pompeo for the online publication Capital New York. Pompeo reported that when one of the journalists on the story, Adam Goldman, was in the Middle East on a separate assignment, he communicated with other team members "via encrypted e-mails on a GPG-enabled loaner laptop." Ted Bridis, who oversees the AP's investigative news team, issued special instructions when reporter Matt Apuzzo attended a meeting with a confidential source in New York.

"Bridis instructed Apuzzo to remove the battery from his cell phone so it would be harder for anyone to trace either his location or the identity of his informant," Pompeo wrote in his October 2011 story.

Encryption is similar to coding a message. A GPG, trade name GNU Privacy Guard, allows users to encrypt data to make it undecipherable. Only those with the password can read it.

The AP declined requests for an interview on how reporters secured information during the NYPD investigation. "AP is working across departments to solidify guidelines in this area," Colford wrote in an e-mail.

Across the board, news organizations are reluctant to talk about safety protocols. Fox News Channel spokeswoman Dana Klinghoffer says executives there don't feel comfortable discussing security that "could compromise us."

Eileen Murphy, vice president for corporate communications at the New York Times, wrote in an e-mail that the paper does "not have written guidelines on this issue but it is something we encourage our journalists to be mindful of." The Washington Post and TV networks

[liberationtech] My CPJ blog: Lessons from the Cryptocat debate

2012-09-11 Thread frank
Hi everybody,

Below is my CPJ blog on the Cryptocat debate. It makes some of the same points that I already made here a few weeks ago. And please know that my intent is to help work toward a solution in terms of bridging invention and usability. I know there are different views, and I have already heard some. Please feel free to respond. (If you wish you may wish to copy me at fr...@journalistsecurity.net to avoid me missing your note among others.)

Thank you! Best, Frank

http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php

In Cryptocat, lessons for technologists and journalists
By Frank Smyth/Senior Adviser for Journalist Security

Alhamdulillah! Finally, a technologist designed a security tool that everyone could use. A Lebanese-born, Montreal-based computer scientist, college student, and activist named Nadim Kobeissi had developed a cryptography tool, Cryptocat, for the Internet that seemed as easy to use as Facebook Chat but was presumably far more secure.

Encrypted communications are hardly a new idea. Technologists wary of government surveillance have been designing free encryption software since the early 1990s. Of course, no tool is completely safe, and much depends on the capabilities of the eavesdropper. But for decades digital safety tools have been so hard to use that few human rights defenders and even fewer journalists (my best guess is one in a 100) employ them.

Activist technologists often complain that journalists and human rights defenders are either too lazy or foolish to not consistently use digital safety tools when they are operating in hostile environments. Journalists and many human rights activists, for their part, complain that digital safety tools are too difficult or time-consuming to operate, and, even if one tried to learn them, they often don't work as expected.

Cryptocat promised to finally bridge these two distinct cultures. Kobeissi was profiled in The New York Times; Forbes and especially Wired each praised the tool. But Cryptocat's sheen faded fast. Within three months of winning a prize associated with The Wall Street Journal, Cryptocat ended up like a cat caught in a storm--wet, dirty, and a little worse for wear. Analyst Christopher Soghoian--who wrote a Times op-ed last fall saying that journalists must learn digital safety skills to protect sources--blogged that Cryptocat had far too many structural flaws for safe use in a repressive environment.

An expert writing in Wired agreed. Responding to another Wired piece just weeks before, Patrick Ball said the prior author's admiration of Cryptocat was "inaccurate, misleading and potentially dangerous." Ball is one of the Silicon Valley-based nonprofit Benetech developers of Martus, an encrypted database used by groups to secure information like witness testimony of human rights abuses.

But unlike Martus, which uses its own software, Cryptocat is a "host-based security" application that relies on servers to log in to its software. And this kind of application makes Cryptocat potentially vulnerable to manipulation through theft of login information--as everyone, including Kobeissi, now seems to agree.

So we are back to where we started, to a degree. Other, older digital safety tools are "a little harder to use, but their security is real," Ball added in Wired. Yet, in the real world, from Mexico to Ethiopia, from Syria to Bahrain, how many human rights activists, journalists, and others actually use them? "The tools are just too hard to learn. They take too long to learn. And no one's going to learn them," a journalist for a major U.S. news organization recently told me.

Who will help bridge the gap? Information-freedom technologists clearly don't build free, open-source tools to get rich. They're motivated by the recognition one gets from building an exciting, important new tool. (Kind of like journalists breaking a story.) Training people in the use of security tools or making those tools easier to use doesn't bring the same sort of credit.

Or financial support. Donors--in good part, U.S. government agencies--tend to back the development of new tools rather than ongoing usability training and development. But in doing so, technologists and donors are avoiding a crucial question: Why aren't more people using security tools? These days--20 years into what we now know as the Internet--usability testing is key to every successful commercial online venture. Yet it is rarely practiced in the Internet freedom community.

That may be changing. The anti-censorship circumvention tool Tor has grown progressively easier to use, and donors and technologists are now working to make it easier and faster still. Other tools, like Pretty Good Privacy or its slightly improved German alternative, still seem needlessly difficult to operate. Partly because the emphasis is on open technology built by volunteers, users are rarely if ever redi

Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate

2012-09-11 Thread frank
Nadim,

Toward the end of the piece, I said: some critics are now working with Kobeissi to help clean up and secure Cryptocat.

What you are saying is that Cryptocat is now a browser-plugin only application, and that therefore, if I understand your point, the vulnerabilities alluded to by Chris and now Patrick are now all fixed.

Are they? If they are, I have not yet read confirmation that they are from others in this community. I'd welcome any input here.

And, Nadim, I have and continue to support you for finally building a truly user-friendly tool. We need tools that are both secure and easier-to-use, and that was the point of the piece.

Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel.  + 1 202 244 0717
Cell  + 1 202 352 1736
Twitter:  @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key

Please consider our Earth before printing this email.

Confidentiality Notice: This email and any files transmitted with it are confidential. If you have received this email in error, please notify the sender and delete this message and any copies. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


 Original Message 
Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
debate
From: Nadim Kobeissi <na...@nadim.cc>
Date: Tue, September 11, 2012 1:14 pm
To: liberationtech <liberationtech@lists.stanford.edu>


I can't even-

Frank sent me this article about 15 minutes ago and I answered with the
notion that Cryptocat has been a browser-plugin only app for more than a
month, and that his article is just incredibly ignorant and frustrating
as a result of it ignoring that.

Relevant links:
https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/

Excuse me while I now go waterboard myself,
NK

On 9/11/2012 1:07 PM, fr...@journalistsecurity.net wrote:
> Hi everybody,
> 
> Below is my CPJ blog on the Cryptocat debate. It makes some of the same
> points that I already made here a few weeks ago. And please know that my
> intent is to help work toward a solution in terms of bridging invention
> and usability. I know there are different views, and I have already
> heard some. Please feel free to respond. (If you wish you may wish to
> copy me at fr...@journalistsecurity.net
> <mailto:fr...@journalistsecurity.net> to avoid me missing your note
> among others.)
> 
> Thank you! Best, Frank
> 
> http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php 

Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate

2012-09-11 Thread frank
Nadim,

I read about the browser plug-in being added nearly two months ago, as you state, in Forbes on July 30.

http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/

Yet it was a month and six weeks later, respectively, when Chris and Patrick each wrote their critiques in response to the first Wired piece. I also read your exchange with Patrick some weeks ago, and I have spoken to Patrick, albeit before he wrote his piece in Wired.

What I have not read here or elsewhere is anything indicating that there is now a consensus that Cryptocat has been fixed. (And that is essential for me and CPJ, as I explain below.) Instead I reflected what I think is accurate; that you and others are still working to make sure it is secure. I think most readers would conclude that I have faith that it is being secured. And this is quite different from what @innonews erroneously tweeted, that I and CPJ said that Cryptocat is unsafe.

If anything, Nadim, I was responding to Patrick for ending his article and seemingly the conversation by saying that PGP and Pidgin/OTR are harder to use but they are really secure. My point (Patrick and I have been having this discussion for over a decade) is that these tools' relative lack of usability still keeps them out of the reach of people who really do need to use them. And my point in the piece is that everyone who cares about human rights should care more about usability.

I also gave you credit here, and I think, in the piece, for finally making a tool that really achieves usability.

Please know, too, none of this is abstract for me. In May, as I told you a few weeks later at Google, I trained a group of investigative journalists in El Salvador and from Peru in how to use Cryptocat, as I was convinced it was safe. (Also telling them no one tool is ever completely safe.)

After Chris' piece, I found myself unexpectedly telling the same journalists that Cryptocat had vulnerabilities that I, for one, as a non-technologist, was not aware of before. I sent them Chris' piece, and told them that, if they wish to continue using Cryptocat, they should do so with caution.

For me, and for CPJ, the decision to recommend a tool is a weighty one. It would be irresponsible to recommend a tool to journalists unless there is a clear consensus within this community that the tool is safe. I thought there was a consensus before. I then learned that there was not one. And then I wrote what I think is accurate; there is now a consensus that whatever vulnerabilities Cryptocat did have before are now in the process of being fixed.

To be clear where we disagree. I did not say that CPJ is now verifying Cryptocat is fixed and safe to use. As a non-technologist that would never be my role.

I realize that you see the piece as an attack on Cryptocat. It was not meant to be and I do not think most readers, who are not technologists, of CPJ's blog will see it that way, either. It was meant as a call for more usability, using Cryptocat, in fact, as a model.

Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel.  + 1 202 244 0717
Cell  + 1 202 352 1736
Twitter:  @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key


 Original Message 
Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
debate
From: Nadim Kobeissi <na...@nadim.cc>
Date: Tue, September 11, 2012 1:34 pm
To: liberationtech <liberationtech@lists.stanford.edu>


Frank,
Please, tell me more about how your allusion at the end of your post
absolves you of the culpability of fact-checking!

Furthermore, I have confirmed with Chris concerning the browser plugin
issue when I met him last week in D.C., while Patrick Ball and I had an
exchange that was posted on libtech weeks ago under the
migraine-inducing "What I learned from Cryptocat" thread.

Did you even ask Chris or Patrick about the browser plugin platform?
I'll eat a shoe if you did. I've been working for weeks on this and it's
people like you who just make me feel like all my effort is completely
worthless.

NK

Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate

2012-09-11 Thread frank

Re: [liberationtech] Online Journalists on the Frontlines

2012-10-13 Thread frank
We could talk about it, Asher. Getting journalists to show up and participate is the challenge.

There are events along similar lines from time to time like this one at the NPC in DC later this month. A CryptoParty for journalists would work best at one of many journalist events or conventions.

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel.  + 1 202 244 0717
Cell  + 1 202 352 1736
Twitter:  @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key


 Original Message 
Subject: Re: [liberationtech] Online Journalists on the Frontlines
From: Asher Wolf <asherw...@cryptoparty.org>
Date: Fri, October 12, 2012 8:47 pm
To: liberationtech@lists.stanford.edu


Hi Frank,

Just a thought - would your group be interested in hosting CryptoParties
for journalists?

Regards,

Asher Wolf.

On 13/10/12 7:07 AM, fr...@journalistsecurity.net wrote:
> This is a piece relevant for this group. As always, I'd welcome any thoughts, 
> comments, complaints...
> 
> Every year, for decades, journalists from print, radio, or television media have 
> dominated the ranks of those targeted for murder or otherwise killed on the 
> job--every year, that is, until 2008, when a new era began. The same year that 
> Facebook gained 100 million users 
> <https://blog.facebook.com/blog.php?post=28111272130>and Twitter began seeing 
> exponential growth <http://mashable.com/2009/01/09/twitter-growth-2008/>, online 
> journalists around the world began getting killed and imprisoned at rates never 
> before seen. Today, more than one-third of all journalists being killed, and 
> almost half of all journalists being jailed, were working online when they were 
> targeted.
> 
> http://www.cpj.org/security/2012/10/finding-common-cause-from-first-online-journalist.php 
> 
> 
> 
>   *Finding common cause from first online journalist murder*
> 
> By Frank Smyth/Senior Adviser for Journalist Security 
> <http://www.cpj.org/blog/author/frank-smyth>
> Georgy Gongadze, shown here the summer of 2000, was the first online journalist 
> killed in retaliation for his work. (AFP/Dima Gavrish)
> The first online journalist killed for his work disappeared one night 12 years 
> ago in the Ukraine. Georgy Gongadze, 31, left a colleague's house to return to 
> his home with his wife and two young children. He never arrived. Seven weeks 
> later, a farmer, a few hours' drive away, discovered the journalist's headless 
> corpse <http://www.cpj.org/killed/2000/georgy-gongadze.php>.
> Gongadze edited the website /Ukrainska Pravda/ and ran stories about corruption 
> and cronyism like no one else in the nation's state-dominated print and 
> broadcast media. Later, the country's then-president was implicated in an 
> audiotape in which he was allegedly heard speaking to aides about the need for 
> Gongadze's murder.
> The latest online journalist to die in retaliation for his work was executed 
> last month in Syria. Government soldiers killed Abdel Karim al-Oqda, 27, and two 
> of his friends before setting fire to the journalist's house. Al-Oqda was 
> preparing <http://www.cpj.org/killed/2012/abdel-karim-al-oqda.php> for a day's 
> work when the soldiers arrived at his home in the city of Hama. He was a 
> cameraman for the Shaam News Network, a Damascus-based citizen news organization 
> that has posted tens of thousands of videos on its website as well as on 
> YouTube, much of which have also run on international news outlets including 
> Al-Jazeera and the BBC.
> Every year, for decades, journalists from print, radio, or television media have 
> dominated the ranks of those targeted for murder or otherwise killed on the 
> job--every year, that is, until 2008, when a new era began. The same year that 
> Facebook gained 100 million users 
> <https://blog.facebook.com/blog.php?post=28111272130> and Twitter began seeing 
> exponential growth <http://mashable.com/2009/01/09/twitter-growth-2008/>, online 
> journalists around the world began getting killed and imprisoned at rates never 
> before seen. Today, more than one-third of all journalists being killed, and 
> almost half of all journalis

Re: [liberationtech] Online Journalists on the Frontlines

2012-10-13 Thread frank
Oops. Here is the link to the NPC event on "threats to journalists' online security."

http://press.org/news-multimedia/news/press-freedom-panel-journalists-online-security-basics

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel.  + 1 202 244 0717
Cell  + 1 202 352 1736
Twitter:  @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key


Re: [liberationtech] Online Journalists on the Frontlines

2012-10-14 Thread frank
That's a good idea. I'll look out for some upcoming conferences and let
you know. Thanks!

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key


>  Original Message 
> Subject: Re: [liberationtech] Online Journalists on the Frontlines
> From: Asher Wolf 
> Date: Sun, October 14, 2012 3:18 am
> To: liberationtech 
> 
> 
> On 14/10/12 5:01 AM, fr...@journalistsecurity.net wrote:
> > We could talk about it, Asher. Getting journalists to show up and 
> > participate is 
> > the challenge.
> > 
> > There are events along similar lines from time to time like this one at the 
> > NPC 
> > in DC later this month. A CryptoParty for journalists would work best at 
> > one of 
> > many journalist events or conventions.
> 
> If you nominate a particular conference, we could try to arrange to have
> people present who'd be willing to talk about about some crypto-tools
> that may be helpful for journalists.
> 
> Kind Regards,
> 
> Asher Wolf.
> --
> Unsubscribe, change to digest, or change password at: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


[liberationtech] Federal interception of CIA emails to journalists, and journalists emails to legal team

2012-10-23 Thread frank
This case seems to be of value to the list. Ex-CIA Officer John Kiriakou
on Tuesday pleaded guilty to disclosing the name of a CIA figure to
former ABC News journalist Matthew Cole. The indictment against
Kiriakou released in April indicated that Federal authorities had
obtained emails between Kiriakou and three journalists including Cole
and another ABC News journalist along with Scott Shane of The New York
Times. The indictment also indicates that authorities intercepted a
subsequent email by Cole (with information from Kiriakou) to a defense
investigator with attorneys for terror suspects being held in
Guantanamo.

http://www.nytimes.com/2012/10/24/us/former-cia-officer-pleads-guilty-in-leak-case.html?_r=0
http://www.politico.com/blogs/under-the-radar/2012/04/more-journalists-linked-to-case-charging-excia-officer-120047.html

No case better underscores the need for U.S. journalists covering
national security to start practicing digital security. More information
may or may not become available. I'd welcome any thoughts here. Thank
you. Frank





[liberationtech] Cole speaking tomorrow at NPC

2012-10-23 Thread frank
For anyone in DC, ex-ABC News Investigative Team Matthew Cole is also
speaking tomorrow at 6:30 PM at the National Press Club in Washington,
D.C. The panel was meant to be a tutorial for working journalists, but
it is more likely to become a news event.

Journalists' Digital Security event
National Press Club, Technology & Innovation
DATE / TIME: Wednesday, October 24, 6:30pm - 8:00pm
LOCATION: National Press Club, 529 14th St. NW, 13th Floor, Washington,
D.C. 20045, Conference Rooms
SPEAKERS: Matthew Cole, Joseph Hall, Jonathan Hutcheson
DESCRIPTION
What would you do if you found your computer had been hacked and
sensitive emails with sources, story research and interview notes were
now exposed? Or what if you learned someone had intercepted your cell
phone conversations and used them to learn the identity of your would-be
'Deep Throat'?

Though digital technology has been an enormous boon to journalists, it
also comes with significant security pitfalls and far too few reporters
are aware of these dangers. More so than the general public, journalists
are particularly at risk of being targeted as a result of the unique
role they play in accumulating and disseminating highly sensitive
information.

To raise awareness about just how serious the digital security problem
is, the National Press Club's Press Freedom Committee will hold a panel
discussion on Wednesday, Oct. 24 from 6:30 p.m. -- 8:00 p.m. in the
Murrow Room. This event is free and open to the public. Working and
student journalists are particularly encouraged to come.

Panelists are:

Website:  http://www.press.org/events/journalist...






[liberationtech] NPC digital security event video

2012-10-26 Thread frank
The video of the National Press Club event on Digital Security for
Journalists is now up at the link below. The speakers were:

Matthew Cole: a former producer for ABC News and an investigative
journalist, focusing on national security and intelligence issues who
has firsthand experience being on the receiving end of government
surveillance as a result of his reporting activities.

Joseph Hall: the senior staff technologist at the Center for Democracy &
Technology whose work focuses on policy mechanisms for encouraging
trustworthiness and transparency in information systems.

Jonathan Hutcheson: a public interest lawyer and journalist who designed
and implemented a comprehensive source security platform for 100
Reporters’ Whistleblower Alley that enables the anonymous uploading of
sensitive documents.

http://press.org/news-multimedia/videos/journalists-digital-security-national-press-club-special-event#.UIrQ63ssKDY.twitter

Much of the discussion of tools during the presentations will be
familiar to people on this list, of course. The value for you may be in
hearing, especially during the Q & A, the dialogue involving both
technologists and journalists.




[liberationtech] Yale Law School Protecting Journalism: Anonymous and Secure Communications

2012-11-28 Thread frank
Some here may be interested in this event tomorrow at Yale Law School,
which will be live streamed. Line-up is an eclectic mix of technologists
and journalists including Ella Saitta, Quinn Norton, John Scott-Railton,
Meredith Patterson, Brian Krebs, Nabiha Syed and myself. (A number of
whom were also at the #CTS this week in Tunis.)

http://www.law.yale.edu/intellectuallife/protectingJournalism.htm

Protecting Journalism: Anonymous and Secure Communications for Reporters
and Sources

Reporters often find it necessary to protect the identities of their
sources. In the past, that secrecy was easier to achieve. Now, although
digital technologies provide fast, convenient communications between
reporters and sources, they also facilitate greater surveillance of
those communications. If source confidentiality remains crucial to
journalism, then reporters have a duty to take better precautions. But
what measures are available, which ones are being used, and which ones
are actually effective? Do anonymizing tools fulfill the promise of
secure communications, or do they endanger users by creating false
confidence?

This conference will bring together journalists and technologists to
discuss the security needs of journalism; current practices among
reporters; the merits and pitfalls of the available technology; and
what more can—or should—be done to protect communications of this
nature.

[liberationtech] NYT: For Syria’s Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool

2012-12-04 Thread frank
This piece from NYT over the weekend should be of interest here, and,
unless I missed it, I don't think it's been posted yet.

Excerpt: "If the uprisings in Tunisia and Egypt were Twitter
Revolutions, then Syria is becoming the Skype Rebellion. To get around a
near-nationwide Internet shutdown, rebels have armed themselves with
mobile satellite phones and dial-up modems."

Quotes CL and EFF's Eva on risks. Main news here that sticks out for me
is that Syrian activists largely seem aware of the risks, yet many are
still using Skype due to a lack of alternatives.

http://www.nytimes.com/2012/12/01/world/middleeast/syrian-rebels-turn-to-skype-for-communications.html

For Syria’s Rebel Movement, Skype Is a Useful and Increasingly
Dangerous Tool
By AMY CHOZICK
Published: November 30, 2012

In a demonstration of their growing sophistication and organization,
Syrian rebels responded to a nationwide shutdown of the Internet by
turning to satellite technology to coordinate within the country and to
communicate with outside activists.

When Syria’s Internet service disappeared Thursday, government
officials first blamed rebel attacks. Activist groups blamed the
government and viewed the blackout as a sign that troops would violently
clamp down on rebels.

But having dealt with periodic outages for more than a year, the
opposition had anticipated a full shutdown of Syria’s Internet service
providers. To prepare, they have spent months smuggling communications
equipment like mobile handsets and portable satellite phones into the
country.

“We’re very well equipped here,” said Albaraa Abdul Rahman, 27, an
activist in Saqba, a poor suburb 20 minutes outside Damascus. He said he
was in touch with an expert in Homs who helped connect his office and 10
others like it in and around Damascus.

Using the connection, the activists in Saqba talked to rebel fighters on
Skype and relayed to overseas activists details about clashes with
government forces. A video showed the rebels’ bare-bones room, four
battery backups that could power a laptop for eight hours and a
generator set up on a balcony.

For months, rebels fighting to overthrow President Bashar al-Assad have
used Skype, a peer-to-peer Internet communication system, to organize
and talk to outside news organizations and activists. A few days ago,
Jad al-Yamani, an activist in Homs, sent a message to rebel fighters
that tanks were moving toward a government checkpoint.

He notified the other fighters so that they could go observe the
checkpoint. “Through Skype you know how the army moves or can stop
it,” Mr. Yamani said.

On Friday, Dawoud Sleiman, 39, a member of the antigovernment Ahrar
al-Shamal Battalion, part of the Free Syrian Army, reached out to other
members of the rebel group. They were set up at the government’s Wadi
Aldaif military base in Idlib, a province near the Turkish border that
has seen heavy fighting, and connected to Skype via satellite Internet
service.

Mr. Sleiman, who is based in Turkey, said the Free Syrian Army stopped
using cellphone networks and land lines months ago and instead relies
almost entirely on Skype. “Brigade members communicate through the
hand-held devices,” he said.

This week rebels posted an announcement via Skype that called for the
arrest of the head of intelligence in Idlib, who is accused of killing
five rebels. “A big financial prize will be offered to anyone who
brings the head of this guy,” the message read. “One of our brothers
abroad has donated the cash.”

If the uprisings in Tunisia and Egypt were Twitter Revolutions, then
Syria is becoming the Skype Rebellion. To get around a near-nationwide
Internet shutdown, rebels have armed themselves with mobile satellite
phones and dial-up modems.

In many cases, relatives and supporters living outside Syria bought the
equipment and had it smuggled in, mostly through Lebanon and Turkey.

That equipment has allowed the rebels to continue to communicate almost
entirely via Skype with little interruption, despite the blackout.
“How the government used its weapons against the revolution, that is
how activists use Skype,” Mr. Abdul Rahman said.

“We haven’t seen any interruption in the way Skype is being used,”
said David Clinch, an editorial director of Storyful, a group that
verifies social media posts for news organizations, including The New
York Times (Mr. Clinch has served as a consultant for Skype).

Mr. Assad, who once fashioned himself as a reformer and the father of
Syria’s Internet, has largely left the country’s access intact
during the 20-month struggle with rebels. The government appeared to
abandon that strategy on Thursday, when most citizens lost access. Some
Syrians could still get online using service from Turkey. On Friday,
Syrian officials blamed technical problems for the cutoff.

The shutdown is only the latest tactic in the escalating technology war
waged in Arab Spring countries.

But several technology experts warned that the use of the Internet by
rebels 

[liberationtech] NSA security configuration guide for iOS 5 Devices

2012-12-10 Thread frank
I wonder if anyone here has seen this Security Configuration
Recommendations for Apple iOS 5 Devices, by the U.S. National Security
Agency and dated March 2012. I didn't find any reference to it in the
list archives. A Tweep, M.A. Ho-Kane, just tweeted it. The document is
not classified and reads that it is designed to help U.S. government
officials across agencies handle Sensitive But Unclassified information
on their iPhones. The document seems legitimate to me. And it makes
sense, since so many people including U.S. agency officials these days
carry iPhones or iPads. The document and its recommendations also seem
very thorough.

I would welcome any thoughts at all including whether people think the
recommendations are sound. Thanks! Frank

http://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf



Re: [liberationtech] NSA security configuration guide for iOS 5 Devices

2012-12-10 Thread frank
Document is also on the NSA.gov website and was publicly posted there on
May 11, 2012.

http://www.nsa.gov/public_info/whats_new/index.shtml


>  Original Message 
> Subject: [liberationtech] NSA security configuration guide for iOS 5
> Devices
> From: 
> Date: Mon, December 10, 2012 9:43 pm
> To: "liberationtech" 
> 
> 


[liberationtech] SpyPhone: Pentagon Spooks Want New Tools for Mobile ‘Exploitation’

2012-12-13 Thread frank
This piece is from Wired.

http://www.wired.com/dangerroom/2012/12/dia-devices/

SpyPhone: Pentagon Spooks Want New Tools for Mobile ‘Exploitation’
By Spencer Ackerman, 12.13.12, 2:56 PM


A U.S. soldier takes a picture with his cellphone, December 2010. The
Pentagon’s spy corps is looking for better tools to collect and sift
through data from mobile devices. Photo: U.S. Army
The Pentagon wants to upgrade its spy corps. And one of its first jobs
will be finding out what’s on your iPhone.

If the Defense Intelligence Agency (DIA) gets its way, it’ll send an
expanded cadre of spies around the world to scope out threats to the
U.S. military. And it won’t just be a larger spy team, it’ll be a
geekier one. The DIA wants “technical exploitation” tools that can
efficiently access the data of people the military believes to be
dangerous once their spies collect it.

That’s according to a request for information the DIA sent to industry
on Wednesday. The agency wants better gear for “triage and automation,
advanced technical exploitation of digital media, advanced areas of
mobile forensics, software reverse engineering, and hardware
exploitation, reverse engineering, and mobile applications development &
engineering.” If DIA runs across digitized information, in other
words, it wants to make rapid use of it.

One of the emphasized cases here is “captured/seized media.” Think,
for instance, of all the flash drives, hard drives and CDs that Navy
SEALs seized during the raid that killed Osama bin Laden. Flynn wants to
understand both the text they’d contain, through “automation support
to enable rapid triage,” and their subtexts or metadata, using
“steganography” tools to decipher coded messages and “deep
analysis of malicious code/executables.” And that’s on top of
“deep hardware exploitation of complex media with storage capacity”
and reverse-engineering tools “to discover firmware artifacts.”


As data goes mobile, in people’s pockets and backpacks, so goes the
DIA’s focus. The agency wants “custom solutions that allo[w]
exploitation of mobile devices” like cellphones and tablets “not
commonly seen or devices not supported by commercial kits or tools.”

All this is part of an overhaul the DIA is experiencing under the new
leadership of Army Lt. Gen. Michael Flynn. Flynn spearheaded a similar
push when he was the chief intelligence officer for the Joint Special
Operations Command, pushing its operatives to focus as much on snatching
a dead terrorist’s hard drive as on killing him in the first place. At
DIA, Flynn’s part of the creation of an enlarged spy corps called the
Defense Clandestine Service, which is supposed to work alongside the CIA
to cultivate networks of snitches. It’s already meeting some
resistance.

Internally, the DIA is heavily bureaucratic: About half of its 17,500
employees aren’t out in the dangerous parts of the world, they’re
based in and around Washington. Flynn’s hired six private security
contractors to train his employees in self-defense, rugged living and
other necessities of an expeditionary lifestyle, an effort worth $20
million. Just as substantially, Flynn’s congressional overseers are
dubious. The Senate version of next year’s defense bill, approved last
week, prohibits the Pentagon from hiring any additional spies until it
can “demonstrate that it can improve the management of clandestine
HUMINT,” a term for human intelligence.

But the technical exploitation tools DIA wants don’t have to wait for
any such demonstration. The current Defense spy corps can use them just
fine. And in keeping with Flynn’s history of rapidly pushing
information from the special operators who collect it to the analysts
who make sense of it, the wish list seeks tools to integrate all this
data “into local and national databases… and made readily available
to analysts from the tactical to national levels.”

If all of this sounds broad, that may be the point. The wide net DIA is
casting pertains to “collection, transmission, prioritization,
analysis, and dissemination of collected/captured materiel, and advanced
technical exploitation tools application, configuration support, and
training functions to units worldwide.” Even if the Pentagon can’t
yet hire more spies, it can make the ones it’s already got much
geekier.



[liberationtech] Forbes recommends tools for journalists

2012-12-17 Thread frank
If anyone here has any thoughts about the tools recommended in this
Forbes piece, please speak up. The piece gets specific with
recommendations from Ashkan Soltani, a technologist who I do not think
is on this list, about half way down. Again, any thoughts would be
welcome. Thank you! Frank

http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-and-elsewhere-here-are-some-simple-ways-not-to-get-your-source-arrested/

TECH | 12/07/2012 @ 1:33PM
Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To
Get Your Source Arrested

You forgot to scrub the metadata, suckers.

Computer security millionaire John McAfee’s surreal flight from
Belizean law enforcement came to an end this week when he was detained
(and then hospitalized) in Guatemala, as has been widely reported. A
piece of the story that hasn’t been included in much of the reporting
is how authorities figured out that McAfee — who was wanted for
questioning in the shooting death of his neighbor — had fled Belize
for Guatemala. McAfee’s location was exposed after he agreed to let
two reporters from Vice Magazine tag along with him. Proud to finally be
in the thick of a story rife with vices — drugs, murder, prostitutes,
guns, vicious dogs, a fugitive millionaire and his inappropriately young
girlfriend — they proudly posted an iPhone photo to their blog of Vice
editor-in-chief Rocco Castoro standing with the source of the mayhem in
front of a jungly background, saying, “We are with John McAfee right
now, suckers.”

With that posting, they went from chroniclers of vices to inadvertent
narcs. They left the metadata in the photo, revealing McAfee’s exact
location, down to latitude and longitude. McAfee tried to claim he’d
manipulated the data — a claim that Vice photographer backed up on
Facebook in a posting he’s since deleted — but then capitulated,
hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan
authorities instead detained McAfee for entering the country illegally.
All of which was dutifully reported by the Vice reporters, with no
mention of their screw-up. Mat Honan at Wired excoriated Vice for its
role in events:
 
This was deeply stupid. People have been pointing out the dangers of
inadvertently leaving GPS tags in cellphone pictures for years and
years. Vice is the same publication that regularly drops in on
revolutions and all manner of criminals. They should have known better.

And they have the resources to do it better. Vice is a $100 million
operation.

Then, it followed up this egregiously stupid action with a far worse
one. Vice photographer Robert King apparently lied on his Facebook page
and Twitter in order to protect McAfee. Like McAfee, he claimed that the
geodata in the photo had been manipulated to conceal their true
location. …

But the coverup, as always, is worse than the crime. In claiming the
geodata had been manipulated when it had not, Vice was no longer just
documenting. Now it was actively aiding a fugitive wanted for
questioning in the murder investigation of his neighbor Gregory Faull,
who was shot dead at his own home.

Via How Trusting In Vice Led To John McAfee’s Downfall – Wired.

It was indeed deeply stupid. Journalists are professional dealers in
information but many are terrible about protecting it. While willing to
go to jail to protect their sources, journalists may wind up leaving
them exposed instead through poor data practices. In a New York Times
editorial last year, Chris Soghoian, now chief technologist at the ACLU,
warned that “secrets aren’t safe with journalists” explaining that
“ the safety of anonymous sources will depend not only on
journalists’ ethics, but on their computer skills.”

There are three very basic things journalists should be doing to shield
their sources:

Scrubbing metadata from photos, documents and other files.
Resisting the desire to save copies of everything.
Encrypting communications.

Technologist Ashkan Soltani walked me through some simple tools for
doing this. They’re not foolproof, but they’ll make it a little less
likely that your blog post will wind up sending the person you’re
profiling to jail (unless that’s your intent).


1. Scrubbing metadata.

“All files — photos, Word docs, PDFs — include some kind of
metadata: author, location created, device information,” says Soltani.
If you leave the metadata attached, you run the risk of exposing private
information about the person who gave you the file, or, in the case of
Vice, the location of the person trying to keep his location under
wraps.

Before you share a Word doc with the world that a source sent you, run
it through a scrubber. Otherwise, it may reveal where the doc was
created, who authored it and anyone who has ever made changes to it.
There’s Doc Scrubber for Microsoft Word.
For PDF docs, use a tool like Metadata Assistant. Or use Adobe
Acrobat’s “Examine Document” tool which will scan the doc for
hidden information.
For photos, think about
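The metadata leak the Forbes piece describes, demonstrated in Python as an added example (not code from the article, from Soltani or from the tools it names): it reads the GPS fix out of a JPEG's Exif block the way anyone who downloads a posted photo could, and rebuilds the file without the Exif segment. The sample JPEG, its coordinates and every function name here are constructed for this example; the JPEG is a header-only skeleton, not a viewable image.

```python
import struct

SOS, APP0, APP1 = 0xDA, 0xE0, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                       # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def split_jpeg(data):
    """Split a JPEG into (marker, payload) segments up to SOS, plus the trailer
    (scan data and EOI) that is copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, segments = 2, []
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:
            return segments, data[pos:]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("malformed JPEG: no SOS segment found")


def read_ifd(tiff, offset, endian):
    """Parse one TIFF IFD into {tag: (type, count, 4 value/offset bytes)}."""
    entries = {}
    for i in range(struct.unpack(endian + "H", tiff[offset:offset + 2])[0]):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def dms_to_degrees(tiff, entry, endian):
    """Decode a GPS lat/lon entry: three RATIONALs (deg, min, sec) at an offset."""
    off = struct.unpack(endian + "I", entry[2])[0]
    d, m, s = (n / den if den else 0.0 for n, den in
               (struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)))
    return d + m / 60 + s / 3600


def gps_from_exif(payload):
    """(lat, lon) in decimal degrees if an Exif payload carries a GPS fix, else None."""
    if not payload.startswith(EXIF_HEADER):
        return None
    tiff = payload[len(EXIF_HEADER):]
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0], endian)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat = dms_to_degrees(tiff, gps[GPS_LAT], endian)
    lon = dms_to_degrees(tiff, gps[GPS_LON], endian)
    if gps.get(GPS_LAT_REF, (0, 0, b""))[2][:1] == b"S":
        lat = -lat
    if gps.get(GPS_LON_REF, (0, 0, b""))[2][:1] == b"W":
        lon = -lon
    return lat, lon


def photo_location(jpeg):
    """What anyone who downloads the photo can read out of it: the GPS fix, or None."""
    fixes = [gps_from_exif(p) for m, p in split_jpeg(jpeg)[0] if m == APP1]
    return next((f for f in fixes if f), None)


def strip_exif(jpeg):
    """Rebuild the file without any Exif APP1 segment; every other segment and
    the compressed pixel data are copied byte for byte."""
    segments, trailer = split_jpeg(jpeg)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + trailer)


def build_sample_jpeg(lat, lon):
    """Constructed input: a minimal JPEG skeleton (headers only, not a viewable
    image) whose big-endian Exif block chains IFD0 -> GPS IFD -> lat/lon."""
    def dms(v):
        v = abs(v)
        d, m = int(v), int((v - int(v)) * 60)
        s = round(((v - d) * 60 - m) * 60000)            # seconds, in 1/1000 units
        return struct.pack(">IIIIII", d, 1, m, 1, s, 1000)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                     # TIFF header, IFD0 at 8
    tiff += struct.pack(">HHHII", 1, GPS_IFD_POINTER, 4, 1, 26)     # 1 entry: LONG -> GPS IFD at 26
    tiff += struct.pack(">IH", 0, 4)                                # no next IFD; GPS IFD: 4 entries
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                 # 3 RATIONALs at offset 80
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, 104)                # 3 RATIONALs at offset 104
    tiff += struct.pack(">I", 0) + dms(lat) + dms(lon)              # GPS IFD ends at 80
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
            + seg(APP1, EXIF_HEADER + tiff)
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

Stripping the whole APP1 segment also drops harmless Exif fields (camera model, orientation); tools such as the ones the article names take the same approach because the GPS sub-IFD is only one of several places a location can hide.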

Re: [liberationtech] Forbes recommends tools for journalists

2012-12-17 Thread frank
Appreciate the feedback, guys.

We'll check out MAT.boum.org, Oli. And we'll look at turning off
geo-tagging and the ObscuraCam app, too, Nathan. Brian and Michael,
appreciate your input, too.

And Danny, apart from your suggestions on full disk encryption and other
points, which are well taken, we also very much understand the
importance of stressing concepts, giving people a sense of threats and
options, and underscoring the importance of staying informed about
changes including vulnerabilities and updates. In fact, we are avoiding
the firehose training approach, and instead developing four-week
classes, in order to make sure that everyone gets concepts instead of
just learning tools. The idea is to give people a foundation so they can
then take responsibility and make informed choices for their own digital
safety. Or so they can trust their own instincts, as I have heard you
say.

Thanks! Frank


 Original Message 
Subject: Re: [liberationtech] Forbes recommends tools for journalists
From: Michael Rogers 
Date: Mon, December 17, 2012 4:42 pm
To: Danny O'Brien ,  liberationtech



On 17/12/12 20:12, Danny O'Brien wrote:
> I think these days you have to tie Forbes' (good) advice not to
> save everything with an encouragement to use full disk encryption.
> We're in an awkward space right now where we can't fully guarantee
> that data gets deleted off a modern flash (SSD) drive, even with
> previously strong deletion tools. And forensics software is good
> enough to pick up a lot of local clues about what you've used your
> own computer for, even if you think you've turned off all logs and
> removed the saving of sensitive data. Minimize what you record, but
> also encrypt.

Sorry to go off on a tech tangent after you've rightly pointed out
that this isn't simply a matter of choosing the right tech, but I'd
like to ask the list for a bit of advice regarding secure deletion
from SSDs.

Secure deletion is a problem we could solve in software, by encrypting
the data and then destroying the key to render the data unrecoverable,
*if* we had a few bytes of persistent, erasable storage in which to
store the key. (Storing the key on the SSD itself doesn't work,
because then we can't securely delete the key.)

I'm not aware of any suitable storage on current smartphones or
personal computers, so we may need to ask device manufacturers to add
(simple, inexpensive) hardware to their devices to support secure
deletion.

So I have two questions for the list: who should we try to persuade,
and how should we persuade them?

Cheers,
Michael



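Rogers' point that crypto-erase only works if the key lives somewhere that can really be erased, as an added Python example (not code from anyone in the thread): a toy wear-levelled SSD in which overwriting a logical block leaves the old physical page intact, beside an assumed hardware slot that erases for real. The FlashSSD model (no TRIM or garbage collection), the ErasableSlot class and the HMAC-SHA256 counter-mode cipher, which stands in for a real AEAD, are all constructions for this example.

```python
import hashlib
import hmac
import os

DOCUMENT = b"CONSTRUCTED: interview notes that identify a confidential source"


class FlashSSD:
    """Toy model of a wear-levelled flash drive: each write of a logical block
    lands in a fresh physical page and the old page is merely marked stale."""

    def __init__(self):
        self.pages = []       # physical pages, append-only until garbage collection
        self.mapping = {}     # logical block -> index of its current page

    def write(self, block, data):
        self.pages.append(bytes(data))
        self.mapping[block] = len(self.pages) - 1

    def read(self, block):
        return self.pages[self.mapping[block]]

    def forensic_dump(self):
        """What a raw read of the NAND chips sees: every page ever written."""
        return list(self.pages)


class ErasableSlot:
    """The few bytes of genuinely erasable storage Rogers asks for. Assumed
    hardware for this example; erase() really does destroy the old value."""

    def __init__(self):
        self.value = None

    def write(self, data):
        self.value = bytes(data)

    def erase(self):
        self.value = None

    def forensic_dump(self):
        return [] if self.value is None else [self.value]


def _keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode used as a stream cipher. Illustration only:
    it stands in for a real AEAD such as AES-GCM and is not for production use."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[32 * i:32 * i + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Return the plaintext, or None if the key does not verify the tag."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(key, nonce, ct)


def crypto_erase(key_on_ssd):
    """Store DOCUMENT encrypted on an SSD, 'delete' it by destroying the key, then
    try to recover it the way an examiner with a raw flash dump would: by trying
    every 32-byte page as the key. Returns the recovered plaintext or None."""
    ssd, slot = FlashSSD(), ErasableSlot()
    key = os.urandom(32)
    if key_on_ssd:
        ssd.write("key", key)      # the key lives on the same flash as the data
    else:
        slot.write(key)            # the key lives in dedicated erasable storage
    ssd.write("doc", encrypt(key, DOCUMENT))

    # Delete. Software can only overwrite the logical block on the SSD; the
    # hardware slot can actually erase.
    if key_on_ssd:
        ssd.write("key", b"\x00" * 32)
    else:
        slot.erase()

    # The live view is clean either way: the key is no longer readable.
    live = ssd.read("key") if key_on_ssd else slot.value
    assert live != key

    # But a raw dump of the flash still holds the stale page with the old key.
    for page in ssd.forensic_dump() + slot.forensic_dump():
        if len(page) == 32:
            recovered = decrypt(page, ssd.read("doc"))
            if recovered is not None:
                return recovered
    return None
```

`crypto_erase(True)` returns the document, `crypto_erase(False)` returns None; the difference is entirely where the key was kept, which is the hardware ask in Rogers' message.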

Re: [liberationtech] Forbes recommends tools for journalists

2012-12-17 Thread frank
And my bad for sending that HTML instead of text.


>  Original Message 
> Subject: Re: [liberationtech] Forbes recommends tools for journalists
> From: 
> Date: Mon, December 17, 2012 6:06 pm
> To: "liberationtech" , "Danny
> O'Brien" 
> 
> 
> Appreciate the feedback, guys.
> 
> 
> We'll check out, MAT.boum.org, Oli. And we'll look at turning off geo-tagging 
> and ObsuraCam app, too, Nathan. Brian and Michael, appreciate your input, too.
> 
> 
> And Danny, apart from your suggestions on full disk encryption and other 
> points which are well taken, we also very much understand the importance of 
> stressing concepts, giving people a sense of threats and options, and 
> underscoring the importance of staying informed about changes including 
> vulnerabilities and updates. In fact, we are avoiding the firehouse training 
> approach, and instead developing four-week classes, in order to make sure 
> that everyone gets concepts instead of just learning tools. The idea is to 
> give people a foundation so they can then take responsibility and make 
> informed choices for their own digital safety. Or so they can trust their own 
> instincts, as I have heard you say.
> 
> 
> Thanks! Frank
> 
> 
> Frank Smyth
> Executive Director
> Global Journalist Security
> fr...@journalistsecurity.net
> Tel.  + 1 202 244 0717
> Cell  + 1 202 352 1736
> Twitter:  @JournoSecurity
> Website: www.journalistsecurity.net
> PGP Public Key
>  
> 
>  
> Please consider our Earth before printing this email.
> 
> 
> Confidentiality Notice: This email and any files transmitted with it are 
> confidential. If you have received this email in error, please notify the 
> sender and delete this message and any copies. If you are not the intended 
> recipient, you are notified that disclosing, copying, distributing or taking 
> any action in reliance on the contents of this information is strictly 
> prohibited.
> 
> 
> 
> 
> 
>    Original Message 
>  Subject: Re: [liberationtech] Forbes recommends tools for journalists
>  From: Michael Rogers 
>  Date: Mon, December 17, 2012 4:42 pm
>  To: Danny O'Brien , liberationtech
>  
>  
>  
>  
>  On 17/12/12 20:12, Danny O'Brien wrote:
>  > I think these days you have to tie Forbes' (good) advice not to
>  > save everything with an encouragement to use full disk encryption.
>  > We're in an awkward space right now where we can't fully guarantee
>  > that data gets deleted off a modern flash (SSD) drive, even with
>  > previously strong deletion tools. And forensics software is good
>  > enough to pick up a lot of local clues about what you've used your
>  > own computer for, even if you think you've turned off all logs and
>  > removed the saving of sensitive data. Minimize what you record, but
>  > also encrypt.
>  
>  Sorry to go off on a tech tangent after you've rightly pointed out
>  that this isn't simply a matter of choosing the right tech, but I'd
>  like to ask the list for a bit of advice regarding secure deletion
>  from SSDs.
>  
>  Secure deletion is a problem we could solve in software, by encrypting
>  the data and then destroying the key to render the data unrecoverable,
>  *if* we had a few bytes of persistent, erasable storage in which to
>  store the key. (Storing the key on the SSD itself doesn't work,
>  because then we can't securely delete the key.)
>  
>  I'm not aware of any suitable storage on current smartphones or
>  personal computers, so we may need to ask device manufacturers to add
>  (simple, inexpensive) hardware to their devices to support secure
>  deletion.
>  
>  So I have two questions for the list: who should we try to persuade,
>  and how should we persuade them?
>  
>  Cheers,
>  Michael
>  


Re: [liberationtech] Forbes recommends tools for journalists

2012-12-17 Thread frank
> But if
> you're getting information security advice from a Forbes blog, that will be
> the least of your worries.

Where would you suggest we get information security advice from? Many
here are quick to point out what people should not rely upon. But
relatively few seem to want to assume the responsibility to suggest what
people should use. We are gleaning material including on concepts from
the Information Security chapter written by Danny in CPJ's Journalist
Security Guide (full disclosure: I wrote the chapters on physical
safety). We are looking for guidance on tools from Security-in-a-Box by
Tactical Tech. And we are reviewing and closely following the discussion
over the new Internews guide which covers both concepts and tools. We
are also looking at relevant guides by Small World News by Brian and
others, and Mobile Active by Katrin and Alix.

It seems to me that the above comprise the best available sources out
there. Would you agree? Of course, if you or anyone has any other
suggestions, we are all ears. The discussion itself over the Forbes blog
and other material is all helpful. But backhanded snipes without the
benefit of positive alternative suggestions are not.

Most people on this list and in conferences seem to be agreeing, at
least lately if not also before, that if people who need to use the
tools don't use them, then that becomes a security problem in and of
itself. And that the overwhelming majority of people in places like
Syria really do not understand the risks or practice best measures.
Would you agree? Getting over these obstacles requires training, and
also more transparency within this "Open Source" community about what we
should be teaching people.

I am also learning not to take gratuitous snipes here personally. As it
seems to be all too common within this group. But I do think we would
serve a great many more people if we had more constructive
conversations. Isn't that what this list is for?


>  Original Message 
> Subject: Re: [liberationtech] Forbes recommends tools for journalists
> From: Steve Weis 
> Date: Mon, December 17, 2012 6:10 pm
> To: liberationtech 
> 
> 
> Just to go further down the tech tangent...
> 
> There are SSD drives with full-disk encryption, such as the Intel 520
> series. Here's a paper "Reliably Erasing Data From Flash-Based Solid State
> Drives" from Usenix 2011 that analyzes disk sanitation on several SSD
> drives. Their conclusion was that built in encryption and sanitization
> functions were most effective, but were not always implemented correctly:
> http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf
> 
> Regarding storage for disk-encryption keys, PCs with TPMs can seal keys
> such that they can only be unsealed if the machine is booted to a
> verifiable state. Then you can leave the sealed key on the disk, which is
> how Bitlocker works.
> 
> Keep in mind that TPMs can be compromised by physical attacks. They aren't
> going to protect you from a moderately-funded forensics effort. But if
> you're getting information security advice from a Forbes blog, that will be
> the least of your worries.
> 
> On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers 
> wrote:
> 
> > I'm not aware of any suitable storage on current smartphones or
> > personal computers, so we may need to ask device manufacturers to add
> > (simple, inexpensive) hardware to their devices to support secure
> > deletion.


Re: [liberationtech] Forbes recommends tools for journalists

2012-12-18 Thread frank
Thank you Julian and Andrew.

>  Original Message 
> Subject: Re: [liberationtech] Forbes recommends tools for journalists
> From: liberationt...@lewman.us
> Date: Tue, December 18, 2012 7:44 am
> To: liberationtech 
> 
> 
> On Mon, Dec 17, 2012 at 03:28:31PM -0800, bri...@smallworldnews.tv wrote 2.9K 
> bytes in 0 lines about:
> : Its SSD so its still not a secure wipe, no?
> 
> Only use fully encrypted disks/filesystems with SSD. Otherwise, assume
> your data is saved for posterity and forensic recovery on an SSD. This
> is likely true for any flash memory-based storage medium, like sdcards,
> USB drives, etc.
> 
> See
> http://www.forensicswiki.org/wiki/Solid_State_Drive_%28SSD%29_Forensics
> for some more information.
> 
> -- 
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475


[liberationtech] Online journalist fatalities, deaths in combat both hit record highs

2012-12-18 Thread frank
Speaking of the need, today CPJ released its journalist killed figures
for 2012.

Two records: A record number of online journalists killed in 2012. And
more journalists killed in combat situations in 2012 than in any
previous year that CPJ has been keeping records. 

Syria is the main reason behind both trends, as Syrian citizen
journalists filing to online outlets like Shaam News Network dominated
this year's fatalities.

http://www.cpj.org/security/2012/12/combat-deaths-high-journalist-risk.php

Combat deaths at a high, risks shift for journalists
By Frank Smyth/Senior Adviser for Journalist Security
 
Ambulances carry the bodies of Marie Colvin and Rémi Ochlik, who were
killed in government shelling in Syria. (Reuters/Khaled al-Hariri)

Murder is the leading cause of work-related deaths among journalists
worldwide--and this year was no exception. But the death toll in 2012
continued a recent shift in the nature of journalist fatalities
worldwide. More journalists were killed in combat situations in 2012
than in any year since 1992, when CPJ began keeping detailed records.

CPJ Special Report: Journalist deaths spike in 2012

The 23 journalists killed in combat-related crossfire make up 34 percent
of the worldwide death toll this year, about twice the historical
average. And beginning in 2010, the number of journalists killed while
covering street protests or similar dangerous assignments has risen well
above the rates recorded since 1992. Journalists carrying cameras--still
photographers, television cameramen, and videographers--paid an
unusually heavy price in recent years. Freelancers and online
journalists have also composed an increasing proportion of fatalities
during this timeframe. Many of those killed during combat and dangerous
assignments were relatively inexperienced, with some of the victims in
Syria still in their teens.

So what does this say? It's worth keeping in mind that the risks to
journalists change with the news, and the conditions of 2012 won't
necessarily be replicated in 2013 or in the future. But a few things
stand out from the recent death tolls that demand the attention of the
profession.

Technology has allowed individuals to cover and disseminate news on
their own, without having an affiliation with a news organization. The
proportion of online journalists in CPJ's annual death tolls has been
rising since 2008, but the 25 online journalists killed worldwide in
2012 represent a record. In Syria, the government worked hard to block
the international press, prompting numerous Syrians to pick up cameras
to document the violence and upload hours of their footage to online
collectives such as Shaam News Network. During the political uprisings
that swept the Arab world, domestic and international freelancers were
similarly called to action. Individuals with cameras were more likely to
be in harm's way as they sought to cover the tumult--and they were also
more obvious targets for violence.

"I think we have to differentiate between local citizen journalists who
report on what is happening in their own country and to their own
people, and Western freelancers who go to places like Syria to report on
the conflict," said Peter N. Bouckaert, emergencies director at Human
Rights Watch who leads a Facebook group composed of conflict journalists
and others.

Citizen journalists "are part of a seismic shift in the media business,
and we are just beginning to understand how we can use the materials
they collect, and how we can work together to report better," Bouckaert
said. "The role of Western freelancers is totally different. In a
shrinking, increasingly risk-adverse media environment, it is all too
often freelancers who end up going to the places where the big media
won't send their reporters."

Many inexperienced, young freelancers can be "lulled" into "a sense of
false comfort," Bouckaert noted. "The smartest ones who went through
Libya took a step back, and went to take a first-aid course and hostile
environment training." But many media organizations that rely on
stringers for news also need to step up, he added. "If we want to talk
seriously about safety, we need to start getting the media organizations
to start contributing more toward safety training and safety gear for
freelancers."

The annual death tolls in Iraq during the peak of that nation's violence
still exceed that of Syria: 32 journalists were killed in Iraq in both
2006 and 2007. But the large majority of deaths in Iraq, especially in
the later years of the war, were not combat-related. They were murders.
Local journalists working for Western news organizations and those
working for local news outlets with perceived sectarian viewpoints were
targeted for their affiliation, hunted down, and murdered by the dozen
in Iraq. Murder has been the leading cause of death in Afghanistan as
well.

Any conflict, including th

Re: [liberationtech] was: Forbes recommends tools for journalist; is now: depressing realities

2012-12-19 Thread frank
A in the US. And have a sense of both the
strategies and tactics to help mitigate against that.

Journalists need to know that some things are better left not being
recorded digitally at all, like a sensitive source's name. And in many
places, for journalists and human rights activists, it is not about
rolling over in the face of the state, it is about the state or other
actors simply gleaning information that can get sources tortured or
killed. I know you Jake and others know that. I am just underscoring the
point. 

My own operational security is always to think about the capabilities
and personality of the surveillance entity. American-trained foreign
intelligence agencies tend to collect much data, while having little
effective capability to filter it, in my experience based in less developed,
U.S.-backed nations overseas. Israeli-trained foreign intelligence
agencies, on the other hand, can be much more precise, from my
experience. And in those environments I am far more careful. With truly
sensitive sources I prefer to show up at their home or office, to leave
as few footprints or traces as possible. I also once managed a group of
investigative journalists all using PGP to communicate. And the burden
of being unable to search one's email became a tremendous hassle. Also
using PGP in a nation like Colombia where state surveillance is intense
is simply a red flag that can put you and sources at risk. So for me my
operational security is entirely contextual. I like to think about how
intelligence agencies or drug traffickers, or how intelligence agencies
colluding with drug traffickers would operate, and adjust both my
physical and digital operational security accordingly. And I have been
called paranoid. In such environments, I avoid phone calls, use of
credit or debit cards, and any Internet use. And practice simple but
effective physical counter-surveillance measures before and after
approaching sources.

In fact, I would much prefer to a source by phone, email or some other
conduit to say little more than, "Hey, let's meet up. Remember the place
we met last time. Tomorrow noon."

I get your point, Jake. The effort must be a total commitment. For me,
the most important thing to communicate in any training is exactly that.
Never make people think they know enough to be safe. Rightfully show
them that even if they ever were to get as proficient in digital safety
as most people here on this list, they would still not necessarily be
safe.

And, to second Danny and others here, this discussion is invaluable. I
need help, and journalists and activists of all kinds need help getting
up to speed. We need more not less discussion.

And, Steve, my apologies for overreacting to your point, too. I very
much appreciate the feedback, and I am glad it sparked this thread. And
I know the process will take time.

Best! Frank

>  Original Message 
> Subject: Re: [liberationtech] was: Forbes recommends tools for
> journalist; is now: depressing realities
> From: "Jillian C. York" 
> Date: Wed, December 19, 2012 7:57 pm
> To: liberationtech 
> 
> 
> I admittedly haven't read the entirety of Jake's original email yet, but
> from what I have, plenty resonates.  I'll try to come up with a thoughtful
> response later, but I do have one earnest question (for Jake, and for
> everyone) that I honestly don't have the answer to.
> 
> If we believe (as I suspect many of us do) that some of the tools we use
> should become popularized and used by "ordinary" folks as well as those
> with serious security needs, what is the best way to go about ensuring that
> happens?
> 
> I ask because, while I agree that the article is junk for most threat
> models, I *don't* believe that it's a bad idea to push everyone to encrypt,
> whether they think they need it or not.  And if we were to try to distill
> the author's motivation for writing the piece (aside from money and
> pageviews), I suspect that's a big part of it.
> 
> So how do we go about that?
> 
> On Tue, Dec 18, 2012 at 9:26 PM, Jacob Appelbaum wrote:
> 
> > Hi,
> >
> > fr...@journalistsecurity.net:
> > > But if
> > >> you're getting information security advice from a Forbes blog, that
> > >> will be the least of your worries.
> > >
> > > Where would you suggest we get information security advice from?
> >
> > This is an interesting question and I admit, I feel like it leaves a bad
> > ring in my ears...
> >
> > What kind of security advice? Who is following the advice? Does their
> > context change while they follow this advice? Do they have resources of
> > a user without more than a casual interest or are they well funded and
> > dedicated? What are their requirements? What

Re: [liberationtech] Skype redux

2012-12-21 Thread frank
That's helpful to have it spelled out so clearly. Thanks for posting it,
Jake. Frank


>  Original Message 
> Subject: [liberationtech] Skype redux
> From: Jacob Appelbaum 
> Date: Fri, December 21, 2012 2:49 am
> To: "liberationtech@lists.stanford.edu"
> 
> 
> 
> Hi,
> 
> In light of the recent thread on journalism, I wanted to share this link
> about Skype:
> 
> 
> https://en.greatfire.org/blog/2012/dec/china-listening-skype-microsoft-assumes-you-approve
> 
> "With 250 million monthly connected users, Skype is one of the most
> popular services for making phone calls as well as chatting over the
> Internet. If you have friends, family or business contacts abroad,
> chances are you are using Skype to keep in contact. Having said that,
> you are probably not aware that all your phone calls and text chats can
> be monitored by the censorship authorities in China. And if you are
> aware, chances are that you do not consent to such surveillance.
> Microsoft, however, assumes that you do consent, as expressed in their
> Privacy Policy:
> 
> "Skype, Skype's local partner, or the operator or company facilitating
> your communication may provide personal data, communications content
> and/or traffic data to an appropriate judicial, law enforcement or
> government authority lawfully requesting such information. Skype will
> provide reasonable assistance and information to fulfill this request
> and you hereby consent to such disclosure.
> 
> All the best,
> Jacob


[liberationtech] Bloomberg: Spies Fail to Escape Spyware...

2013-01-22 Thread frank
Spies Fail to Escape Spyware in $5 Billion Bazaar for Cyber Arms -
Bloomberg
http://www.bloomberg.com/news/2011-12-22/spies-fail-to-escape-spyware-in-5-billion-bazaar-for-cyber-arms.html

The intelligence operative sits in a leather club chair, laptop open,
one floor below the Hilton Kuala Lumpur’s convention rooms, scanning
the airwaves for spies.

In the salons above him, merchants of electronic interception
demonstrate their gear to government agents who have descended on the
Malaysian capital in early December for the Wiretapper’s Ball, as this
surveillance industry trade show is called.

As he tries to detect hacker threats lurking in the wireless networks,
the man who helps manage a Southeast Asian country’s Internet security
says there’s reason for paranoia. The wares on offer include products
that secretly access your Web cam, turn your cell phone into a
location-tracking device, recognize your voice, mine your e-mail for
anti-government sentiment and listen to supposedly secure Skype calls.

He isn’t alone watching his back at this cyber-arms bazaar, whose real
name is ISS World.

For three days, attendees digging into dim sum fret about losing trade
secrets to hackers, or falling prey to phone interception by rival
spies. They also get a tiny taste of what they’ve unleashed on the
outside world, where their products have become weapons in the hands of
regimes that use the gear to track and torture dissidents.

“I’m concerned about my calls or Internet being monitored, because
that’s what they sell,” says Meling Mudin, 35, a Kuala Lumpur-based
information-technology security consultant who takes defensive measures
as he roams the exhibits. “When I make phone calls, I step out of the
hotel, I don’t use my computer and I also don’t use the wireless
services provided.”

‘We Meet Again’

ISS, which convenes every few months in cities from Dubai to Brasilia,
is the hub of the surveillance trade. In recent years, countries such as
Syria, Iran and Tunisia bulked up their monitoring by turning to some of
ISS’s corporate sponsors, such as Italy’s Area SpA and Germany’s
Utimaco Safeware AG (USA) and Trovicor GmbH, a Bloomberg News
investigation showed.

Business is booming, with annual revenue of $3 billion to $5 billion
growing as much as 20 percent a year, ISS organizer Jerry Lucas
estimates.

Lucas, 68, an American with a PhD in physics, is perfectly cast for the
part of spyware convention mastermind. With sweeping eyebrows and a bare
pate that make him a look-alike of Democratic strategist James Carville,
he greets an uninvited journalist at his Prague event in June with,
“We’ve been expecting you.”

On the second encounter, in Kuala Lumpur this month, he descends an
escalator from the convention floor and intones: “We meet again.”

Warning Attendees

Lucas, whose conference company TeleStrategies, Inc., is based in
McLean, Virginia, makes the point that his marketplace serves police who
conduct criminal investigations and intelligence services that prevent
terror attacks. Virtually every communications network in the world
includes wiretapping for prosecutors, or location tracking to rescue
people in emergencies. And customers at ISS also include phone company
executives.

Still, Lucas describes Spy vs. Spy intrigue that emerges when he
convenes ISS (short for Intelligence Support Systems). The potential for
hacking has led him to warn attendees to comply with the law of host
countries.

“We tell them, ‘Do not bring in radio equipment that is not allowed
by the government,’” says Lucas, who started ISS nine years ago.

Some gear can intercept mobile-phone or Internet transmissions,
impersonating legitimate networks by sitting in the middle of the data
flow.

“These guys can be your base station,” Lucas says.

‘Hide Your Laptop’

Attendees routinely guard against hacking, says Nikhil Gyamlani, a
Munich-based developer of monitoring systems who has attended several
ISS events. He says being in close contact with competitors versed in
the dark arts gives them a chance to secretly copy documents saved on
hard drives or sent via e-mail. He advises preventive measures.

“Absolutely no use of wireless networks, and hide your laptop in a
safe,” says Gyamlani, 34, the founder of a new surveillance company,
GlassCube. “The fear is very justified.”

Some who haven’t taken such precautions have learned to be more
careful.

At ISS in Prague this year, an employee of an African telecommunications
regulator was cruising Facebook on his Archos (JXR) tablet computer when
he found his every click being projected on a screen at the front of the
room, he recalled afterwards in the lobby. He’d been using the
hotel’s wireless Internet.

Watching The Detectives

While ISS is closed to journalists, a Bloomberg News reporter dropped in
on two 2011 installments, walking hotel corridors, sitting in bars and
haunting lounges.

In Prague, at a hotel connected to a shopping mall food court, potential
buyers included Thailand’s Depa

[liberationtech] Vietnam jails activists over Digital Safety training

2013-01-24 Thread frank
Sometimes training itself can land people in jail.

http://www.google.com/hostednews/ap/article/ALeqM5hd7cjg_LVU6bEwF9JYVLgrOC4n4w?docId=9e59403959734202ae0c86fca912a95e

Vietnam sentences 14 democracy activists to prison
(AP) – Jan 9, 2013

HANOI, Vietnam (AP) — A Vietnamese court found 14 democracy activists guilty of subversion and sentenced them to jail terms ranging from three to 13 years, verdicts which drew immediate criticism from the United States.

The long prison terms imposed Wednesday suggest that the Communist government is intent on stepping up its ongoing crackdown on people who publicly challenge its authoritarian, one-party rule. In recent years, the Internet has emerged as a powerful tool for dissidents, alarming many in the ruling elite at a time of economic uncertainty.

The defendants are linked to Viet Tan, a Vietnamese dissident group based in the United States. Vietnam's government has labeled it a terrorist group, but the U.S. government has said it has seen no evidence that it advocates violence.

The People's Court in central Nghe An province sentenced three defendants to 13 years during the two-day trial, defense lawyer Nguyen Thi Hue said. She said 11 others received jail terms ranging from three to eight years. One of the three-year terms was suspended.

The defendants, including 12 Catholics, were arrested in late 2011.

Another defense lawyer, Tran Thu Nam, said they were found guilty of attending Viet Tan's overseas training courses on nonviolent struggle and computer and Internet security. Some also protested against China's territorial claims in the disputed South China Sea, a sensitive issue for Vietnam because of the nationalist passion the issue provokes and Hanoi's ideological ties with Beijing.

The United States wants closer ties with Vietnam because it sees it as a foil against China, but Hanoi's human rights record is a barrier. In December, human rights lawyer and blogger Le Quoc Quan was arrested. Last year, more than a dozen activists were sentenced to long jail terms.

In Washington, the State Department said it was "deeply troubled" by Wednesday's verdicts and was raising these and other cases with the Vietnamese government.

"These convictions along with recent other detentions of a human rights lawyer and other bloggers since December 27 are part of a very disturbing human rights trend in Vietnam," spokeswoman Victoria Nuland said.

Earlier, the U.S. Embassy in Hanoi called for immediate release of the 14 activists and all other prisoners of conscience.

Viet Tan said citizen journalists in the town had been restricted by police to their hotel rooms during the trial.

"These activists have tirelessly advocated for social justice, engaged in citizen journalism and participated in peaceful demonstrations against Chinese territorial encroachment," it said in a statement. "The Hanoi regime has shown once again its fear of civil society."

Copyright © 2013 The Associated Press. All rights reserved.

Re: [liberationtech] Vietnam jails activists over Digital Safety training

2013-01-24 Thread frank
my apologies for sending that as HTML



>  Original Message 
> Subject: [liberationtech] Vietnam jails activists over Digital Safety
> training
> From: 
> Date: Thu, January 24, 2013 4:29 pm
> To: "liberationtech" 
> 
> 
> Sometimes training itself can land people in jail.
> 
> 
> http://www.google.com/hostednews/ap/article/ALeqM5hd7cjg_LVU6bEwF9JYVLgrOC4n4w?docId=9e59403959734202ae0c86fca912a95e
>  
> 
> 
> 
> Vietnam sentences 14 democracy activists to prison
> (AP) –  Jan 9, 2013   
> HANOI, Vietnam (AP) — A Vietnamese court found 14 democracy activists guilty 
> of subversion and sentenced them to jail terms ranging from three to 13 
> years, verdicts which drew immediate criticism from the United States.
> The long prison terms imposed Wednesday suggest that the Communist government 
> is intent on stepping up its ongoing crackdown on people who publicly 
> challenge its authoritarian, one-party rule. In recent years, the Internet 
> has emerged as a powerful tool for dissidents, alarming many in the ruling 
> elite at a time of economic uncertainty.
> The defendants are linked to Viet Tan, a Vietnamese dissident group based in 
> the United States. Vietnam's government has labeled it a terrorist group, but 
> the U.S. government has said it has seen no evidence that it advocates 
> violence.
> The People's Court in central Nghe An province sentenced three defendants to 
> 13 years during the two-day trial, defense lawyer Nguyen Thi Hue said. She 
> said 11 others received jail terms ranging from three to eight years. One of 
> the three-year terms was suspended.
> The defendants, including 12 Catholics, were arrested in late 2011.
> Another defense lawyer, Tran Thu Nam, said they were found guilty of 
> attending Viet Tan's overseas training courses on nonviolent struggle and 
> computer and Internet security. Some also protested against China's 
> territorial claims in the disputed South China Sea, a sensitive issue for 
> Vietnam because of the nationalist passion the issue provokes and Hanoi's 
> ideological ties with Beijing.
> The United States wants closer ties with Vietnam because it sees it as a foil 
> against China, but Hanoi's human rights record is a barrier. In December, 
> human rights lawyer and blogger Le Quoc Quan was arrested. Last year, more 
> than a dozen activists were sentenced to long jail terms.
> In Washington, the State Department said it was "deeply troubled" by 
> Wednesday's verdicts and was raising these and other cases with the 
> Vietnamese government.
> "These convictions along with recent other detentions of a human rights 
> lawyer and other bloggers since December 27 are part of a very disturbing 
> human rights trend in Vietnam," spokeswoman Victoria Nuland said.
> Earlier, the U.S. Embassy in Hanoi called for immediate release of the 14 
> activists and all other prisoners of conscience.
> Viet Tan said citizen journalists in the town had been restricted by police 
> to their hotel rooms during the trial.
> "These activists have tirelessly advocated for social justice, engaged in 
> citizen journalism and participated in peaceful demonstrations against 
> Chinese territorial encroachment," it said in a statement. "The Hanoi regime 
> has shown once again its fear of civil society. "
> Copyright © 2013 The Associated Press. All rights reserved.
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] CPJ: Attacks on Knight Center sites reflect digital dangers

2013-04-05 Thread frank
Appreciate the help on this one from Masashi and others at Citizen Lab and from Eva at EFF. FS

https://www.cpj.org/security/2013/04/attacks-on-knight-center-sites-reflect-digital-dan.php

Attacks on Knight Center sites reflect digital dangers
By Frank Smyth/Senior Adviser for Journalist Security

The two websites at the University of Texas at Austin, at first blush, seemed to have been unlikely targets for attack. The Knight Center for Journalism in the Americas and its blog cover news about journalism, press freedom and journalist safety throughout the Western hemisphere, with an emphasis on trends in Latin America. The website of the International Symposium for Online Journalism provides information about meetings and other professional issues. Both websites were shut down for two weeks last month in a targeted cyber-attack.

Attacks targeting news, human rights, and free expression organizations "are very common," Eva Galperin, global policy analyst at the San Francisco-based Electronic Frontier Foundation, told CPJ. In fact, CPJ's own website briefly came under attack on February 8, although the hacking did not take the site down. "Many groups encounter such threats on a near-daily basis, and civil society must exercise constant vigilance to protect against these threats," said Masashi Crete-Nishihata, research manager at the University of Toronto-based Citizen Lab, in an email to CPJ.

The hackers of the two UT websites used a method called cross-site scripting to plant malicious code in the sites' hosting computers, according to a Knight Center researcher. The university's information technology researchers tracked the origin of the attacks to IP addresses in Russia. The IT team at UT put the two websites under quarantine while it repaired the damage and addressed vulnerabilities.

The Knight Center deftly moved to other platforms while it addressed the problem. "The malicious cyber-attack was enough to shut our websites down, but not enough to shut us up," Rosental Alves, founder and director of the Knight Center for Journalism in the Americas, said in a posting. The Knight Center put up two temporary WordPress blogs to keep news and information flowing while the websites were down.

The motive for the attack on the UT websites is not known. In the days and weeks before the attack, the Knight Center's Americas blog reported on matters such as an attack on a northern Mexican newspaper, a number of newspapers' opposition to a defamation law in the Dominican Republic, an Ecuador-based non-governmental organization's protest against the "arbitrary" suspension of its Twitter account by the U.S.-based firm of the same name, and the murder of a radio host in Brazil who spoke out against organized crime.

In the strike against the CPJ website, the attacker exploited a vulnerability in the site's Movable Type publishing system to install code that redirected visitors to a third-party site capable of downloading malware to computers running Internet Explorer, and then on to Google.com. CPJ spotted and removed the redirect code within seven minutes and, in the aftermath, took a number of measures to harden its system. CPJ's investigation into the attack, which is continuing, preliminarily traced the attack to a Turkish web server.

Hackers use a number of tactics, noted Crete-Nishihata of Citizen Lab. A common method is the denial-of-service attack, which prevents a website from functioning normally by overloading its host server with external communications requests. In December 2011, a denial-of-service attack took the Mexican website Ríodoce offline for six days. Ríodoce was one of the few publications in the Mexican state of Sinaloa to cover the narco-traffickers operating with impunity in the region, including the powerful Zetas cartel. Defacement attacks are yet another tactic. An entity called the Iranian Cyber Army has defaced the websites of Iranian opposition activists and journalists.

Perhaps more insidious is the infiltration of computer networks, including email systems. In many dozens of documented cases--affecting such major news organizations as The New York Times, The Washington Post, and The Wall Street Journal--hackers have quietly infiltrated computers to monitor sensitive email and other digital communications. In January, technologists at Citizen Lab revealed that hackers, most likely working on behalf of the government in Syria, had been using software made by the California-based developer Blue Coat Systems to gather information about Syrian activists and citizen journalists. Spyware doesn't even need to be expensive. A Russian software maker produces effective spyware called BlackShades for just $40.

So what can journalists, human rights defenders, and others do to protect themselves? Education and awareness go a long way to helping keep individuals and groups safe, both Crete-Nishihata and Galperin told CPJ

Re: [liberationtech] CPJ: Attacks on Knight Center sites reflect digital dangers

2013-04-05 Thread frank
FYI...We corrected the language in the graph below about the discoveries and findings about Blue Coat technology in use in Syria. Thanks again to Citizen Lab. FS

Perhaps more insidious is the infiltration of computer networks, including email systems. In many dozens of documented cases--affecting such major news organizations as The New York Times, The Washington Post, and The Wall Street Journal--hackers have quietly infiltrated computers to monitor sensitive email and other digital communications. In 2011, technologists at Citizen Lab and other groups revealed that Internet filtering software made by the California-based developer Blue Coat Systems was being used in Syria. The Syrian government is known to be using technology to gather information about activists and citizen journalists. Spyware doesn't even need to be expensive. A Russian software maker produces effective spyware called BlackShades for just $40.

Original here:
https://www.cpj.org/security/2013/04/attacks-on-knight-center-sites-reflect-digital-dan.php

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key


 Original Message 
Subject: [liberationtech] CPJ: Attacks on Knight Center sites reflect
digital dangers
From: <fr...@journalistsecurity.net>
Date: Fri, April 05, 2013 3:57 pm
To: "liberationtech" <liberationtech@lists.stanford.edu>


[liberationtech] Cloud encryption

2013-04-08 Thread frank
I imagine people here might have thoughts about this. Comes from a
Texas-based, civil liberties-oriented blog.

Encryption for cloud communications may best protect Fourth Amendment
rights
via Grits for Breakfast by Gritsforbreakfast on 4/6/13

http://gritsforbreakfast.blogspot.com/2013/04/encryption-for-cloud-communications-may.html

Says readwrite mobile:
With government requests for personal data on the rise, there are few
guarantees in place that you or I won't have our private communications
snooped through. Since the Fourth Amendment hasn't yet caught up with
the lightning fast pace of technological change, some of the best
privacy protections are often the ones implemented by tech companies
themselves.
Well put. The comment comes in response to a DEA complaint that
encryption on the Apple iPhone's chat services made them indecipherable,
even with a warrant. Continued writer John Paul Titlow:
By architecting iMessage the way it did, Apple created a messaging
protocol more secure and private than standard text messages, which is
how millions of people communicate every day. As we fire those texts
back and forth, we're all creating a digital trail that can be snooped
upon or hacked more easily than we care to think about. But if they're
being sent and received from iPhones running iOS 5 or later, those
messages are invisible to wiretaps by law enforcement or other prying
eyes.

Apple didn't have to build iMessage with end-to-end encryption. Gmail
isn't encrypted this way, nor are the Facebook messages that are
increasingly used like texts on mobile devices. Clearly, SMS text
messages aren't particularly well-secured either. Whether winning
privacy points was its motivation or not, Apple definitely racks up a
few for this.
Legislation like Texas Rep. Jon Stickland's HB 3164 to require warrants
to access electronic communications is one way to protect privacy for
third-party facilitated communications, but a far more effective one
would be if Gmail, Facebook, and other major providers encrypted user
messages. Those companies may or may not have an economic incentive to
do so, but they're arguably in a better position in many cases than
legislatures or the courts to protect privacy and Fourth Amendment
rights.



[liberationtech] Article 19 Digital Security YouTube video

2013-04-09 Thread frank
The Paris-based NGO Article 19 has put some digital security videos on
YouTube that may be of interest to anyone involved or interested in
training. At the very least it shows an attempt to try and meet the need
for such information that has long gone unmet. Any comments or thoughts
one way or another about the video and its content would be helpful as
other groups including my organization begin moving in the same
direction.

https://www.youtube.com/watch?v=kb4Ior64IEA&feature=youtu.be



Re: [liberationtech] Article 19 Digital Security YouTube video

2013-04-09 Thread frank
Pleasure to meet you, Dirk. I think the videos are a good idea, and an
effective way to introduce basic and more elaborate concepts and some
basic training. There may well be different opinions on this list, of
course. And I do hope they weigh in to help us improve guidance and
training. But one way or another we need to find ways like you and
Article 19 are doing to make digital security more accessible. So thank
you for beginning the effort. 

See you in San Jose for the UNESCO conference around WPFD, if you will
be there, as I hope you are. Frank



>  Original Message 
> Subject: Re: [liberationtech] Article 19 Digital Security YouTube video
> From: Dirk Slater 
> Date: Tue, April 09, 2013 5:19 pm
> To: liberationtech 
> Cc: liberationtech 
> 
> 
> Hi Frank,
> 
> Thought it might be a good time to out myself.  I've been lurking a bit on 
> the list here as I've recently subscribed.  I appear in a couple of those 
> videos, so would also be happy to hear any comments or thoughts.  
> 
> You can view the full videos with their interactive content here:
> 
> http://www.article19.org/online-protection/
> 
> Dirk Slater
> Lead Consultant/Founder
> Fabriders
> www.fabriders.net
> twitter: fabrider
> skype: dirkslater
> 


[liberationtech] Medill online Digital Safety Guide

2013-05-22 Thread frank
Hi everyone,

Over a year ago Jake asked me to post any curriculum my group may come
up with here on the list for review by anyone who may be so inclined. If
you are so inclined, please take a look at the guide just posted here:

http://nationalsecurityzone.org/site/digital-security-basics-for-journalists/

I would welcome any comments at all. (I'd prefer constructive comments,
but, most importantly, I want to know if you think something is wrong,
misleading or off-point and/or should be redirected.)

We will make changes as needed, with full attribution as appropriate to
groups or individuals as anyone here may wish. As a non-technologist, I
very much appreciate this community and the many truly amazing people in
it. And that ain't smoke, it's true.

This guide is posted on the Northwestern University Medill School of
Journalism National Security Zone online, which also includes many other
guides for reporters like, also of interest to some here, Covering
Military Trials. In writing this digital guide, I have not tried to
reinvent the wheel, and focus more on concepts and what journalists need
to think about and learn, rather than get into how to use tools or even
thinking about trying to rate them. Instead the guide relies heavily on
other resources already providing such information like
Security-in-a-Box, along with Danny's Information Security chapter in
CPJ's Journalist Security Guide. 

I have also relied on information, all with full attribution, from
Movements.org, The Engine Room and others.

Much of what is written also reflects what I have managed to glean over
the years as a non-technologist from this group and list. If you wish to
take issue with any one point, please do. Or the whole parts of it, or
the entire guide for that matter, if you wish. Part of the idea behind
putting this up at all is to advance a broader dialogue. And it is not
meant to be exhaustive, but merely an introduction. The main goal is to
alert journalists to how much they don't know, and need to learn, which,
if recent news is any indication, more journalists at least in this
nation are realizing every day.

So please go ahead and dive in if you wish, and direct your comments
back to the list or to my email also copied, as you wish. (I don't
always check this list, so if you want to make sure I see your note in a
timely manner, please copy me at fr...@journalistsecurity.net.)

And here is a nice juicy tidbit from the guide to get you started.

Pretty Good Privacy or PGP along with the newer, German
government-funded version of the same software model, GPG, is encryption
software for emails and files. Both PGP and GPG use cryptographic
algorithms that are stronger than what Internet Freedom activists
believe even the U.S. National Security Agency (under most
circumstances) is capable of decoding. Even the best digital
software is still subject to spyware programs on infected computers that
allow eavesdroppers to learn the passwords to access even encrypted
emails and files.

Disagree on this or any point, please say so.

Thank you, everyone!

Best, Frank



Re: [liberationtech] Medill online Digital Safety Guide

2013-05-22 Thread frank
Thank you, Tom.

I'll try to address all your points.

On GPG being German government funded, point was not to sow distrust.
But to be accurate and also show that Western governments have played a
positive role in funding some Internet Freedom tools, besides just the
US.


>  Original Message 
> Subject: Re: [liberationtech] Medill online Digital Safety Guide
> From: Tom Ritter 
> Date: Wed, May 22, 2013 5:03 pm
> To: liberationtech 
> 
> 
> Without opinion on the entirety, here are some random thoughts.
> 
> I think the password section is missing the most important piece of
> advice: don't use the same password for different services.  Every one
> should have its own, and they shouldn't be algorithmic (e.g.
> "myp4ssw0rdisF4C3B00K" and "myp4ssw0rdisG00GL3", etc).  This pretty
> much necessitates a password manager.
> 
> I don't think mentioning "German government funded" is relevant for
> GPG.  What's the point of that, to sow distrust?  Whatever your
> thoughts are about Werner or the code quality of GPG, from a "Do I
> trust this project to do the best it can and follow proper open source
> principles and not backdoor me intentionally" I think it's well above
> the level.  Whereas PGPi.org is more than 10 years out of date.
> 
> Typo: "Both PGP and GPG, however, are relatively to use."
> 
> Thunderbird: "it is designed to interact with GPG encryption software
> to make it easier to encrypt email messages and files" - no it's not,
> that's enigmail, an extension.  It's not built in.
> 
> truecrypt - "they can also be made to look –at least at first
> glance—like large audio or video files that for some reason will not
> open as if the files were for one reason or another corrupted."  I
> think that's misleading.  Even with the caveat it implies something
> that is not at all true.  I'd take it out.
> 
> Encrypted SMS omits TextSecure
> 
> "If you have an Android phone, download and install Tor from the
> Android Marketplace" - you mean Orbot and OrWeb?  I would name them by
> name, with links.
> 
> -tom
> 

Re: [liberationtech] Medill online Digital Safety Guide

2013-05-29 Thread frank
I appreciate your feedback and your bluntness, Rich.

But you are providing far more guidance about what to avoid than what to
use. If journalists and other users should avoid all commercial based
operating systems including Macs, or any system requiring anti-virus
software, then what operating system should they use? Linux maybe? Or
something else?

Similarly, if they shouldn't use GUI-based email clients, what email
should they use?

The practical gist of your message to journalists seems to be: don't
trust digital information or communications at all. That may well be a
very wise point.


>  Original Message 
> Subject: Re: [liberationtech] Medill online Digital Safety Guide
> From: Rich Kulawiec 
> Date: Wed, May 29, 2013 7:45 am
> To: liberationtech 
> 
> 
> I see a number of major problems with this guide -- I'm not going to go
> into all of them, I'm just going to highlight a few to give the sense of
> where I'm coming from.  You're probably not going to like this.
> Sorry, but strong criticism from me is not nearly so bad as having a hotel
> room door kicked in at 3 AM and being dragged off to a dark hole.
> 
> 1. "Use only licensed software and keep it updated."
> 
> There's nothing wrong with the concept of keeping your software updated.
> (Although I would recommend judiciously choosing where and how you update it.
> An adversary monitoring your connection and observing that you're
> pulling down updates for FrozzleBlah 1.7 now knows that you're running
> FrozzleBlah and may find that piece of information highly useful.
> Another adversary may have the capability and willingness to substitute
> their update to FrozzleBlah for the one you think you're getting.)
> 
> But I'd replace this with: "use only open-source software."  Closed-source
> software is not and can not be secure, period, full stop.  Anyone choosing
> closed-source software is choosing insecurity -- which, for a journalist in
> a hostile environment, is very self-destructive.  That's not an artifact of
> any particular piece of software or any particular vendor; it's an
> unavoidable consequence of the closed development process.  Please see:
> 
>   
> https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007504.html
> 
> Moreover: anyone who has been paying any attention at all over the
> past 10, 20, 30 years knows that in addition to the plethora
> of accidental gaping security holes we know about, there are clearly
> plenty of accidental gaping security holes that we don't know about --
> which are being discovered, hoarded, sold, and used by vulnerability
> researchers and governments and other parties unknown.  And then there
> are the deliberate gaping security holes: see most recently: Skype.
> And *then* there are the deliberate gaping security holes which various
> governments are demanding be created for their convenience, not realizing
> in their ignorance and hubris that what is convenient for Government A
> is very likely convenient for Government B for many values of (A,B).
> See for example this particularly asinine proposal:
> 
>   
> http://www.electronista.com/articles/13/05/27/us.government.sponsored.report.claims.china.biggest.offender/
> 
> Of course there are security holes in open source software as well:
> using it is NOT a panacea.  But it at least gives you a fighting chance,
> whereas with closed-source software, you have none at all.
> 
> YES, this means no Windows, no IE, no Outlook, no Acrobat, no PhotoShop,
> and so on.  Don't tell me "it can't be done".  Of course it can.  People
> do it every day.
> 
> 
> 2. "Use good anti-virus and anti-spyware software [...]"
> 
> No.  This is completely the wrong approach, for two reasons:
> 
> First, if you're using a software platform that's architected such that
> you think you need these, you have chosen your software platform poorly.
> 
> Poorly, as in:
> 
>   https://www.youtube.com/watch?v=xCUwQIn3GrU 
> 
> Trying to remedy that poor choice by slapping on AV/AS software after
> the fact might make you feel better about it, but that's all it does.
> 
> Second, AV/AS software is GUARANTEED to fail when you'll need it most.
> 
> (A bold statement?  Heck no.  Quite conservative, actually, given that
> the observed failure rate to date under those circumstances is 100%.  What
> would be highly speculative is predicting any outcome *other* than failure.)
> 
> 

Re: [liberationtech] Medill online Digital Safety Guide

2013-06-01 Thread frank
Rich,

I appreciate you taking the time to lay out your recommendations. If I
understood you correctly, you are suggesting that journalists should use
only open-source operating systems and other carefully selected
open-source software, and that the operating systems and software they
use should also be partly, if not largely customized and also modified
as required on an ongoing basis to suit their specific operational
needs. 

That certainly provides much food for thought, and it raises more
questions for me than it answers, especially in the long-run, which is
always good. I have also heard of at least one project that may be
moving in that direction.

But I also wholeheartedly agree with Ella that users, not least of all
journalists, need to be met where they are, and, to quote Ella, that is
ok. No journalists anywhere that I know --from activists operating in
Internet Repressive environments, to U.S.  national security
correspondents-- would even consider the kind of
personal-custom-tech-heavy approach suggested above. Instead, imperfect
solutions are better than none, although at the very least journalists
and their sources should know the risks of storing and communicating any
information.

One thing that journalists are learning is to limit what they store or
communicate digitally, and to use technology in a more limited way, too.
Like perhaps finding a safe (or safer) way to ping or signal a source to
not necessarily communicate information but facilitate switching to
another (maybe safer) form of communication or meeting face-to-face, all
depending, of course, upon the suspected threat model in play.

Ella, I know you have spent a great deal of time looking at operational
security issues for journalists and other high-risk users from the
perspective of the security community.

This kind of dialogue involving people coming from different
perspectives is invaluable.

Best, Frank


>  Original Message 
> Subject: Re: [liberationtech] Medill online Digital Safety Guide
> From: Eleanor Saitta 
> Date: Sat, June 01, 2013 10:42 am
> To: liberationtech 
> Cc: Rich Kulawiec 
> 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> I'm going to step into this thread just once (and try to stick to
> that); apologies for top-posting this.
> 
> I come from the security community.  I understand very well many of
> the arguments you're making and even agree at a technical level with
> most of them.  However, let's talk about human outcomes.
> 
> Human outcomes are the only thing that matter even a little bit in
> security -- not "could you be owned", but "were you actually owned,
> and did that mean you didn't get out in time/accomplish your
> objective".  Nothing else matters.
> 
> You cannot force people to adopt "proper" security procedures.  You
> cannot scare people into adopting them -- you can't scare people into
> doing anything.  It's useful for us to understand where we'd like
> people to end up, but we have to start with where people are and deal
> with the fact that they have limited time, limited capability to
> adapt, and limited resources.
> 
> This means that many people will be owned, and many people will get
> hurt.  Our goal, our only real goal, in doing security work in this
> context, can be to *statistically* reduce the number of people who get
> hurt and *statistically* increase the number of people who achieve
> their objectives.
> 
> Yes, I don't like the current set of trends we're seeing in computer
> architectures, and I've got my own projects that are fighting them,
> but we also have to work within those trends, because computing is a
> social practice and if you aren't were the users are, you're crying
> alone in a corner.
> 
> Asking people whose job is to be a professional journalist to go use a
> text-based mail client means you lose, because they're not going to.
> You *might* get them to give up the power and convenience of gmail to
> switch to a thick-client, but more than that?  Forget it.  You might
> get someone who's a writer to switch to a linux box, but asking a
> professional photographer to ditch Lightroom and switch their whole
> workflow around?  Forget it.  You might even get your journalists to
> adopt a nice hardened workflow for document intake that keeps them
> safe from almost all of the malware that people try to pass them, but
> you have to understand that they will jump around the edge of that
> system sometimes when things are blowing up, and *THIS IS FINE*.
> Their job isn't to be secure, it's to get the story out.  Sometimes
> this means they go to jail.  It's ok.  They signed up for it.  It
> sucks, and we want to help them reduce the chances, we want

Re: [liberationtech] Stop promoting Skype

2013-06-07 Thread frank
Rich,

I must say that the news over the past few days has cast your
recommendations for journalists into an entirely new light.

Frank

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

>  Original Message 
> Subject: Re: [liberationtech] Stop promoting Skype
> From: Rich Kulawiec 
> Date: Fri, June 07, 2013 8:32 am
> To: liberationtech 
> 
> 
> These revelations constitute an existence proof that the number
> of backdoors in various services is nonzero.
> 
> There's no reason to believe that this nonzero value is 1.
> 
> After all, if the NSA could backdoor them (with or without their cooperation)
> then why couldn't MI6?  Or Mossad?  Or some other entity, which may or
> may not be a national intelligence service?
> 
> There's also no reason to believe that this practice is limited to the US.
> 
> ---rsk
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


[liberationtech] Lavabit, Silent Circle both shut down

2013-08-09 Thread frank
d crypto email services is the latest
chapter in the ongoing saga kicked off by Snowden's leaking of documents
-- not all of which have been published -- that detail secret NSA
programs, including the agency's wide-ranging digital dragnet that
captures and stores the everyday communications of millions of
Americans. That state of massive surveillance is aided by a secretive
Foreign Intelligence Surveillance Court that in recent years has
apparently compelled technology providers -- including Facebook, Google
and Microsoft -- to provide the NSA with easy access to their users'
communications.

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net



[liberationtech] CPJ: Knowing How Law & Technology Meet at US borders

2013-10-10 Thread frank
Piece below on crossing US borders may be of interest here. Thanks to
Josh Stearns at Free Press, Dan Auberbach at EFF, among others. I'm also
pasting the link to the Canadian Bar Association's guidance to Canadian
lawyers crossing US borders.

http://www.cba.org/cba/practicelink/tayp/laptopborder.aspx

http://www.cpj.org/security/2013/10/knowing-how-law-and-technology-meet-at-us-borders.php
Knowing how law and technology meet at U.S. borders
By Frank Smyth/CPJ Senior Adviser for Journalist Security

Border crossings have long posed a risk for journalists. In many
nations, reporters and photographers alike have been subjected to
questioning and having their electronic devices searched, if not also
copied. But more recently, protecting electronically stored data has
become a greater concern for journalists, including those who are U.S.
citizens, upon entering or leaving the United States.

"This is an issue in the U.S., but it is just a fraction of what
journalists are facing in countries around the world," Josh Stearns,
journalism and public media campaign director of Free Press, a
U.S.-based media reform organization, told CPJ.

Last month a National Public Radio producer, Sarah Abdurraham, along
with members of her family and friends, all of whom are U.S. citizens,
were on their way home from a wedding in Ontario when they were detained
for six hours at the Niagara Falls border crossing while each of their
electronic devices were searched.

"I generally came out of the experience wondering what our rights are,"
Abdurraham later said in an interview with NPR's "On the Media" program,
where she works.

Abdurraham did not specify whether she meant the rights of journalists
or U.S. citizens generally. But, according to Michael Price, counsel at
New York University Law School and the Brennan Center for Justice's
Liberty and National Security Program, it doesn't make any difference.
He told CPJ that to date, there are no court rulings providing U.S.
journalists with any added protection against having their electronic
devices searched when crossing a U.S. border.

But a few federal courts have ruled that U.S. citizens crossing U.S.
borders have certain rights. Last year in Boston, a judge denied a
government motion to dismiss a lawsuit challenging a border search of
electronic devices, before the case was settled, after hearing arguments
from the American Civil Liberties Union including on First Amendment
grounds. This year in San Francisco, a panel of appellate judges ruled
that U.S. border agents must at least have "reasonable suspicion" before
searching the data stored on U.S. citizens' electronic devices.

"If you are flying into the West Coast you have one rule, into the East
Coast you have another," said Price, referring to the San Francisco
court ruling for the 9th Circuit.

All the same, U.S. journalists flying in or out of any part of the
United States should expect the possibility that their electronic
devices could be searched, copied, or even seized, he and other experts
told CPJ. Meanwhile, citizens of other nations, including journalists,
enjoy no effective protections from having their data searched upon
entering or leaving the United States.

"The safest option is to not travel with any sensitive data and instead
store it in a cloud," Dan Auerbach, staff technologist at the San
Francisco-based Electronic Frontier Foundation told CPJ. He noted,
however, that safely uploading and downloading sensitive data to any
independently hosted platform raises "practical challenges," including
whether one trusts the firm or group hosting the cloud, and whether the
uploads and downloads to the cloud could be intercepted.

Another option would be to openly encrypt one's entire hard drive or
other device. But journalists who do so should use open-source software,
as opposed to proprietary commercial software, as the manufacturer could
have built the software with a "back door" to allow secret government
access, said Auerbach.

"Only a judge can make you give up a password," he said. But he also
noted that defying agents of U.S. Immigration and Customs Enforcement, a
division of the Department of Homeland Security, could also lead agents
to seize one's equipment.

"What they generally do is make a mirror image of the hard drive," Price
told CPJ. Authorities could then try to crack the password later.

A third option for journalists would be to try and encrypt sensitive
files surreptitiously. One digital safety tool called TrueCrypt allows
users to create "hidden volumes" or unseen partitions on their hard
drive to load with encrypted data that may look like something else,
such as a corrupted video file. But Auerbach warns that successfully
hiding data on a disk may only work if one also lies about it to keep it
secret.

"Lying to border agents is not advisa

[liberationtech] CPJ: Solidarity in the face of surveillance

2013-10-11 Thread frank
 threats facing journalists in a digital age, it
is not enough to have a few passionate journalism nerds preaching the
benefits of encryption.

"Many people think journalist security involves the use of encrypted
files and counter-surveillance techniques--and those practices do have
their place," wrote CPJ's Frank Smyth in a piece about the importance of
press solidarity within nations. "But security is really a way of
thinking, a way of approaching your work. And fostering professional
solidarity is crucial to that approach."

We need a culture shift within journalism that reaches from the
individual freelancer to the largest newsroom, from the smallest press
club to the biggest journalism school. To get there, we are going to
have to work together with not only our closest professional colleagues,
but also our broader communities, beyond journalism, whose members are
increasingly participants and stakeholders in the newsgathering process.

In their report on "Post-Industrial Journalism," C.W. Anderson, Emily
Bell, and Clay Shirky, argue "there is no such thing as the news
industry anymore." They suggest that we need a fundamental restructuring
that will mean "rethinking every organizational aspect of news
production."

I would argue it also means rethinking how we can organize to make
newsgathering resilient and sustainable. As the institutions of
journalism evolve and change, so too should press freedom advocacy. We
need a global solidarity that reflects our increasingly networked fourth
estate, one that can help us build new coalitions and engage our 
audience as allies.

The new challenges we face are epitomized by the story of Sarah
Abdurrahman, a producer with NPR's "On The Media" program, who was
detained with her family and friends at the U.S. border for six hours.
She was not detained because of her reporting, but because of her race
and religion. During her detention, her electronics were searched, and
border patrol agents refused to answer her questions. The New York
Times has documented how the U.S. government has used borders as a
"backdoor" to seize and search travelers' electronic devices, an issue
with particular implications for journalists, but one that concerns
everyone. And we know that journalists like Laura Poitras have faced
invasive questioning and harassment at U.S. borders for years.

This is an issue that unites civil liberties groups like the ACLU,
digital rights groups like the Electronic Frontier Foundation, press
freedom groups like the Committee to Protect Journalists, and media
reform groups like Free Press. However, understanding and defending our
rights at the border is also an issue about which we can forge common
cause with our communities and our readers. In the last month, more
than 75,000 people in the U.S. and U.K. have registered their concern
at FreePress.net over the detentions of Abdurrahman, Poitras, and
Miranda.

Technology has given journalists new tools to cover their communities,
connect with their sources, and collaborate on their reporting.
Technology has also helped empower government institutions that are
organized in opposition to journalism, transparency, and accountability.
Challenging these institutions, and defending our right to gather and
disseminate news, will increasingly call us into new kinds of
collaborations and demand new networks of solidarity.

Josh Stearns is the Journalism and Public Media Campaign Director of
Free Press and a board director of the Freedom of the Press
Foundation, an advocacy group whose other directors include the
journalists Glenn Greenwald and Laura Poitras and the actor John Cusack.

October 11, 2013 12:37 PM ET

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B



Re: [liberationtech] Hacking Team and the Targeting of Ethiopian Journalists

2014-02-13 Thread frank
Ron, Bill, Claudio, Morgan and John,

Congratulations. This is an invaluable report for Ethiopia and beyond.
We'll put it to good use. Thank you!

Best, Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B


>  Original Message 
> Subject: [liberationtech] Hacking Team and the Targeting of Ethiopian
> Journalists
> From: Ronald Deibert 
> Date: Wed, February 12, 2014 12:01 pm
> To: Liberation Technologies 
> 
> 
> Hello LibTech
> 
> On behalf of the Citizen Lab, I am pleased to announce a new publication, 
> details for which are below.  This report is the first in a series that focuses
> on the global proliferation and use of Hacking Team's RCS spyware, sold 
> exclusively to governments.  More posts will follow in the next week.
> 
> The report is authored by Bill Marczak, Claudio Guarnieri, Morgan 
> Marquis-Boire, and John Scott-Railton. I'd like to draw attention to the 
> innovative mixed scanning methods developed in this post, around which a new 
> field of research is emerging which I believe is going to be critical to the 
> type of distributed civil controls on the global spyware market.
> 
> Regards
> Ron
> 
> https://citizenlab.org/2014/02/hackingteam-targeting-ethiopian-journalists/
> 
> 
> Hacking Team and the Targeting of Ethiopian Journalists
> 
> February 12, 2014
> 
> Tagged: Ethiopia, Hacking Team
> 
> Categories: News and Announcements, Reports and Briefings, Research News
> Authors: Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John 
> Scott-Railton.
> 
> This post is the first in a series of posts that focus on the global 
> proliferation and use of Hacking Team’s RCS spyware, sold exclusively to 
> governments.
> 
> Summary
> 
> Ethiopian Satellite Television Service [1] (ESAT) is an independent satellite 
> television, radio, and online news media outlet run by members of the 
> Ethiopian diaspora.  The service has operations in Alexandria, Virginia, as 
> well as several other countries. [2]  ESAT’s broadcasts are frequently critical 
> of the Ethiopian Government.  Available in Ethiopia and around the world, 
> ESAT has been subjected to jamming from within Ethiopia several times in the 
> past few years. [3]  A recent documentary shown on Ethiopian state media warned 
> opposition parties against participating in ESAT programming. [4]
> 
> In the space of two hours on 20 December 2013, an attacker made three 
> separate attempts to target two ESAT employees with sophisticated computer 
> spyware, designed to steal files and passwords, and intercept Skype calls and 
> instant messages.  The spyware communicated with an IP address belonging to 
> Ariave Satcom, a satellite provider that services Africa, Europe, and Asia. [5]  
> In each case, the spyware appeared to be Remote Control System (RCS), sold 
> exclusively to governments by Milan-based Hacking Team. [6]
> 
> Hacking Team states that they do not sell RCS to “repressive regimes”, [7] and 
> that RCS is not sold through “independent agents”. [8]  Hacking Team also says 
> that all sales are reviewed by a board that includes outside engineers and 
> lawyers.  The board has veto power over any sale. [9]  Before authorizing a 
> sale, the company states that it considers “credible government or 
> non-government reports reflecting that a potential customer could use 
> surveillance technologies to facilitate human rights abuses,” as well as “due 
> process requirements” for surveillance. [10]
> 
> The Committee to Protect Journalists (CPJ) reports that Ethiopia jails more 
> journalists than any other African country besides Eritrea, and says that the 
> Ethiopian government has shut down more than 75 media outlets since 1993. [11]  
> CPJ statistics also show that 79 journalists have been forced to flee 
> Ethiopia due to threats and intimidation over the past decade, more than any 
> other country in the world. [12]  A 2013 Human Rights Watch (HRW) report 
> detailed ongoing torture at Ethiopia’s Maekelawi detention center, the first 
> stop for arrested journalists and protest organizers.  Former detainees 
> described how they were: “repeatedly slapped, kicked, punched, and beaten,” 
> and hung from the ceiling by their wrists.  Information extracted in 
> confession has been used to obtain conviction at trial, and to compel former 
> detainees to work with the government. [13]  HRW also indicated abuses committed 
> by the army, including the use of torture and rape to compel information from 
> villagers near the site of an attack on a farm. [14]  HRW noted “insufficient 
> respect for … due process” in Ethiopia. [15]

[liberationtech] Hancel: A new tool for journalists in Mexico and beyond

2014-02-19 Thread frank
This looks like a great tool. Kudos to Sandra and OpenITP, Knight, Ela
Stapley and Diego Mendiburu for making it happen. If anyone here has any
thoughts about it please share. Thanks, Frank

-

http://www.pbs.org/idealab/2014/02/how-technology-could-mean-safer-reporting-for-mexican-journalists/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+pbs%2Fidealab-feed+%28idealab-feed%29

Being a journalist in Mexico is dangerous. Reporters working in states
most affected by drug-related violence have seen their beat change
drastically since 2006, when former Mexican President Felipe Calderón
launched an offensive against organized crime. For many journalists,
local news now involves reporting on turf wars, missing people and mass
graves. The type of news being covered is riskier, and having adequate
security protocols has become all the more important.

As attacks against journalists have increased, with five journalists
confirmed as being killed in direct reprisal for their work in the last
three years, reporters began thinking up ways of keeping themselves
safer. A colleague, from a state in the north of Mexico, explained that
every time a reporter leaves the office to cover a story it is common
procedure to call a fellow journalist to let them know the route being
taken as well as arrival and departure times. Journalists covering the
crime beat in a state in the northeast of Mexico now move together to
and from events. They say there is greater safety in numbers.

Journalists traveling from Mexico City, which has largely been
unaffected by the violence, to report on news in other areas of the
country, also follow certain security procedures. Some reporters have a
check-in system, calling designated contacts at certain hours of the day
when out in the field, or they carry a GPS device, making it easier to
locate them. But sometimes they travel alone, advising just one or two
people. They think about the story, not about safety.

Each assignment throws up questions about security. What do I do if
there is a road block? Is the route I am taking safe? What is the best
way to alert friends and colleagues without drawing attention to myself?
In 2011, these were questions that I was asking myself while on
reporting trips. I started thinking that there must be an easier and
more efficient way to contact people when working in dangerous areas.

BUILDING HANCEL
When I met fellow journalist Diego Mendiburu, we realized the part
technology could play. At the end of 2011, Mendiburu and I had the idea
for Hancel, an Android app that links journalists working in high-risk
areas to a preselected list of contacts and to NGOs dedicated to
defending freedom of expression.

The idea was simple, but building the app was not. We were two
journalists with no contacts in technology, no idea of how to run a
project, and even less an idea about funding. Two years on, Hancel is in
beta phase and being piloted in both Mexico and Colombia. The project
has the support of both local and international organizations, and in
March last year received funding from the Knight Foundation. But there
is still much work to be done.

Hancel has taught us a lot about what it means to be a journalist trying
to figure out the tech world. Over the coming months, I will be
outlining the experiences that we have had while building Hancel, from
where to find a programmer to explaining what a hack day is. We hope
that by talking about this, we will encourage other journalists not only
to start their own projects, but to also build long-lasting
relationships with the tech community.

Ela Stapley is a journalist based in Mexico. She is co-founder of
Hancel, a Smartphone app linking journalists working in high-risk areas
with a pre-selected list of contacts and NGOs dedicated to defending
freedom of speech. In 2013, Ela co-founded Factual_, an organization
that provides Latin American journalists with the tools needed to start
their own innovation projects. She has an MA in International Journalism
from Cardiff University. Contact her @elastapley or e...@factual.com.mx

JournoSec is a column aimed at helping journalists better understand the
security, privacy and anonymity challenges they currently face, and
steps they can take to protect themselves. Managed by OpenITP Outreach
Manager Sandra Ordonez, it brings together leading voices from the
community behind open-source technologies that circumvent censorship and
surveillance. For more information, follow @OpenITP. To become more
involved, contact sandraordonez AT OpenITP DOT org.


Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B



[liberationtech] Rebel radio expert

2014-02-26 Thread frank
Hi Libtech colleagues,

This is not a job per se, at least not yet. But we are looking for someone
with experience operating either analog or digital radio or both under siege
conditions. Someone with experience with say B92 in the Balkans, or with
threatened or challenged analog or digital radio in other nations.

Please feel free respond directly or to refer anyone with such a background
to me at fr...@journalistsecurity.net.

Thank you. Best, Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B

Please consider our Earth before printing this email.

Confidentiality Notice: This email and any files transmitted with it are
confidential. If you have received this email in error, please notify the
sender and delete this message and any copies. If you are not the intended
recipient, you are notified that disclosing, copying, distributing or taking
any action in reliance on the contents of this information is strictly
prohibited.

Re: [liberationtech] Contextual security

2014-06-07 Thread frank
This is a very important piece. I just introduced it into a thread on
Twitter. And this graph by you seems right on point:

While by no means the only grounded model for digital security, our
contextual security approach attempts to address a gap recognized by
researchers and practitioners alike: most digital security training is
ineffective. By asking organizers these questions before they start
learning about a new tool like GPG or Chatsecure or Tor, we hope
organizers and activists will begin to understand that software
solutions are only one piece of a larger puzzle in securing political
organizers and social movements. Digital security depends on a holistic
diagnosis of our communication practices, risks, and opportunities. The
activity shared above is one of many, and we hope it can be helpful in
your work.


>  Original Message 
> Subject: [liberationtech] Contextual security
> From: Seeta Peña Gangadharan 
> Date: Mon, June 02, 2014 10:30 am
> To: Liberation Technologies 
> 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi all,
> 
> A couple of us stateside have been thinking about why "Johnny can't
> encrypt" in relation to social justice organizing and movements, and
> here's a blog post that outlines a few thoughts.
> 
> https://www.alliedmedia.org/news/2014/05/30/put-away-your-tinfoil-hat-security-context
> 
> It's penned by myself, Emi Kane, and Becky Hurwitz, and we ask
> U.S.-based organizers and activists to adopt a holistic approach when
> doing digital security. Inspired by a number of practitioners and
> thinkers in the space, we call this framework "contextual security."
> 
> Would love to know if there are others thinking along these lines.
> 
> Warm regards,
> Seeta
> 
> - -- 
> Seeta Peña Gangadharan, PhD
> Senior Research Fellow, Open Technology Institute
> New America Foundation
> 199 Lafayette St., #301
> New York, NY 10012
> o: 212-625-4875

[liberationtech] Russia offers cash to identify Tor users

2014-07-28 Thread frank
Here's something a little unexpected... Wonder what people here may
think.

http://www.bbc.com/news/technology-28526021

28 July 2014 Last updated at 08:15 ET

Russia offers $110,000 to crack Tor anonymous network

Russia has offered 3.9m roubles ($110,000; £65,000) in a contest
seeking a way to crack the identities of users of the Tor network.

Tor hides internet users' locations and identities by sending data on
random paths through machines on its network, adding encryption at each
stage.

The Russian interior ministry made the offer, saying the aim was "to
ensure the country's defence and security".

The contest is only open to Russians and proposals are due by 13 August.

Applicants must pay 195,000 roubles to enter the competition, which was
posted online on 11 July and later reported by the tech news site Ars
Technica.

Earlier this month, Russia's lower house of parliament passed a law
requiring internet companies to store Russian citizens' personal data
inside the country.

Russia has the fifth-largest number of Tor users with more than 210,000
people making use of it, according to the Guardian.

US-funded network
Tor was thrust into the spotlight in the wake of controversy resulting
from leaks about the National Security Agency and other cyberspy
agencies. Edward Snowden, the whistleblower who revealed the internal
memos and who now has asylum in Russia, uses a version of Tor software
to communicate.

Documents released by Mr Snowden allege that the NSA and the UK's GCHQ
had repeatedly tried to crack anonymity on the Tor network.

Tor was originally set up by the US Naval Research Laboratory and is
used by people who want to send information over the internet without
being tracked.

It is used by journalists and law enforcement officers, but has also
been linked to illegal activity including drug deals and the sale of
child abuse images.

In its 2013 financial statements, the Tor Project - a group of
developers that maintain tools used to access Tor - confirmed that the
US Department of Defense remained one of its biggest backers.

The DoD sent $830,000 (£489,000) to the group through SRI
International, which describes itself as an independent non-profit
research centre, last year.

Other parts of the US government contributed a further $1m.

Those amounts are roughly the same as in 2012.



[liberationtech] BBC: Tor users may have been unmasked going back 5 months

2014-07-30 Thread frank
http://www.bbc.com/news/technology-28573625?ocid=socialflow_twitter
30 July 2014 Last updated at 16:16 ET

Tor attack may have unmasked dark net users
By Leo Kelion
Technology desk editor
[Image: The ability to unmask Tor's users would undermine the reason people use
the service]

Developers of software used to access Tor - an otherwise hard-to-reach
part of the internet - have disclosed that an attack on the network may
have unmasked users for five months.

The Tor Project said that it believed the assault was designed to
de-anonymise the net addresses of people operating or visiting hidden
sites.

However, it said it was not sure exactly how users had been "affected".

The project added that it believed it had halted the attack on 4 July.

Tor allows people to visit webpages without being tracked and to publish
sites whose contents would not show up in search engines.

The Tor Project said it believed that the infiltration had been carried
out by two university researchers, who claimed at the start of July to
have exploited "fundamental flaws" in Tor's design that allowed them to
unmask the so-called dark net's users.

The two security experts, Alexander Volynkin and Michael McCord, had
been due to give a talk at the Black Hat conference in Las Vegas next
week. However, the presentation was cancelled at the insistence of
lawyers working for their employer, Carnegie Mellon University.

[Image: The Tor Project offers web browser software that can access the hidden
sites on the Tor network]

"We spent several months trying to extract information from the
researchers who were going to give the Black Hat talk, and eventually we
did get some hints from them... which is how we started looking for the
attacks in the wild," wrote Roger Dingledine, one of the network's
co-creators, on the Tor Project's blog.

"They haven't answered our emails lately, so we don't know for sure, but
it seems likely that the answer to [whether they were responsible] is
yes.

"In fact, we hope they were the ones doing the attacks, since otherwise
it means somebody else was."

A spokesman from Carnegie Mellon University declined to comment.

Illegal activity
Tor attempts to hide a person's location and identity by sending data
across the internet via a very circuitous route involving several
"nodes" - which, in this context, means using volunteers' PCs and
computer servers as connection points.

Encryption applied at each hop along this route makes it very hard to
connect a person to any particular activity.

To the website that ultimately receives the request it appears as if the
data traffic comes from the last computer in the chain - known as an
"exit relay" - rather than the person responsible.

[Image: Tor hides a user's identity by routing their traffic through a series of
other computers]

Tor's users include the military, law enforcement officers and
journalists - who use it as a way of communicating with whistle-blowers
- as well as members of the public who wish to keep their browser
activity secret.

But it has also been associated with illegal activity, allowing people
to visit sites offering illegal drugs for sale and access to child abuse
images, which do not show up in normal search engine results and would
not be available to those who did not know where to look.

Two-pronged attack
The Tor Project suggests the perpetrator compromised the network via a
"traffic confirmation attack".

This involves the attacker controlling both the first part of the
circuit of nodes involved - known as the "entry relay" - as well as the
exit relay.

By matching the volumes and timings of the data sent at one end of the
circuit to those received at the other end, it becomes possible to
reveal the Tor user's identity because the computer used as an entry
relay will have logged their internet protocol (IP) address.

The project believes the attacker used this to reveal hidden-site
visitors by adding a signal to the data sent back from such sites that
included the name of the hidden service.

Because the sequence of nodes in a Tor network is random, the
infiltrator would not be able to track every visit to a dark net site.

[Image: Tor can be likened to an onion because of the many layers through which
it sends data]

Tor also has a way of protecting itself against such a danger: rather
than use a single entry relay, the software uses a few relays chosen at
random - what are known as "entry guards".

So, even if someone has control of a single entry and exit relay, they
should only see a fraction of the user's traffic, making it hard to
identify them.

However, the Tor Project believes the perpetrator countered this
safeguard by using a second technique known as a "Sybil attack".

This involved adding about 115 subverted computer servers to Tor and
ensuring they became used as entry guards. As a result, the servers
accounted for more than 6% of the network's guard capacity.

[Image: Black Hat] Two researchers had planned
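The traffic-confirmation and Sybil reasoning in the article, as an added illustrative model that is not part of the BBC piece or the Tor Project's code: it takes the article's figure of more than 6% of guard capacity and shows why pinning a few entry guards limits how many users a hostile entry/exit pair can ever observe, and hence why an attacker has to gain guard share rather than merely add relays. The circuit counts, exit share and three-guard setting are constructed assumptions.

```python
"""Entry guards vs. a Sybil attack on guard capacity (illustrative model).

Added example, not from the BBC article or the Tor Project. Only the 6%
guard-capacity share comes from the article; everything else is constructed.
"""
import random


def p_circuit_confirmed(guard_share: float, exit_share: float) -> float:
    """Chance one circuit is observable end to end: traffic confirmation needs
    a hostile entry AND a hostile exit. Relay selection is bandwidth-weighted,
    so the shares are fractions of capacity, not counts of relays."""
    return guard_share * exit_share


def p_user_hit_without_guards(guard_share: float, circuits: int) -> float:
    """No entry guards: a fresh entry relay per circuit, so the chance that at
    least one of `circuits` circuits starts at a hostile relay keeps growing."""
    return 1.0 - (1.0 - guard_share) ** circuits


def p_user_hit_with_guards(guard_share: float, n_guards: int) -> float:
    """Entry guards: the client pins `n_guards` relays and only uses those, so it
    is exposed only if a hostile relay was among the ones it picked."""
    return 1.0 - (1.0 - guard_share) ** n_guards


def simulate(guard_share, exit_share, n_users=2000, circuits=100, n_guards=3, seed=7):
    """Monte Carlo of both policies (constructed parameters). For each policy
    returns (fraction of users with at least one confirmed circuit,
    fraction of all circuits confirmed). The attacker sees roughly the same
    share of circuits either way; guards concentrate that share on fewer users."""
    rng = random.Random(seed)
    out = {}
    for policy in ("no_guards", "guards"):
        users_hit = 0
        circuits_hit = 0
        for _ in range(n_users):
            # With guards, the hostile-or-not status of each pinned relay is fixed
            # once at selection time; without guards it is redrawn per circuit.
            guards = [rng.random() < guard_share for _ in range(n_guards)] if policy == "guards" else None
            hits = 0
            for _ in range(circuits):
                entry_hostile = rng.choice(guards) if guards is not None else rng.random() < guard_share
                if entry_hostile and rng.random() < exit_share:
                    hits += 1
            circuits_hit += hits
            users_hit += hits > 0
        out[policy] = (users_hit / n_users, circuits_hit / (n_users * circuits))
    return out


if __name__ == "__main__":
    share = 0.06  # the article: >6% of guard capacity via about 115 added relays
    print(f"one circuit confirmed (6% guards, 10% exits): {p_circuit_confirmed(share, 0.10):.4f}")
    print(f"user hit after 100 circuits, no guards : {p_user_hit_without_guards(share, 100):.3f}")
    print(f"user hit with 3 pinned guards          : {p_user_hit_with_guards(share, 3):.3f}")
    for policy, (users, circs) in simulate(share, 1.0).items():
        print(f"{policy:10s} users exposed={users:.3f} circuits observed={circs:.3f}")
```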

Re: [liberationtech] First World Internet freedom problem

2012-06-15 Thread Frank Corrigan
So long as one remembers the origin of 'third world' meant non-aligned
to communism or capitalism, i.e. independent.

 Where is the 2nd world?

School dinners in the UK is a political hot potato :-)...

So whilst the subject matter may seem trivial, it is about the health
and well-being of children, and clearly lots of children around the
UK/world starting to share photos of school dinners may have wider
implications for the food monopolies that blight the globe than
initially thought.


The Men Who Made Us Fat
http://www.bbc.co.uk/mediacentre/proginfo/2012/24/Men-Who-Made-Us-Fat.html

http://www.jamieoliver.com/school-dinners
http://www.foodmanufacture.co.uk/Food-Safety/Food-and-drink-manufacturers-braced-for-critical-BBC-TV-obesity-series

Frank

- Original message -
From: Katy Pearce ucsb 
To: Doug Schuler 
Cc: Liberation Technologies
liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] First World Internet freedom problem
Date: Fri, 15 Jun 2012 12:55:59 -0400

Can we please not use the phrase first world?

Thanks.


On Fri, Jun 15, 2012 at 12:44 PM, Doug Schuler <
doug...@publicsphereproject.org> wrote:

>
> FUN FACT!
>
> British school lunches were the origin of the "yellow matter custard
> dripping from a dead dog's eye" line in the "I am the Walrus" song (by the
> Beatles, of course).
>
> I was delighted to find this fact in one of the Opie books.
>
> -- Doug
>
>
>
> On Jun 15, 2012, at 8:34 AM, James Losey wrote:
>
> Ban has been lifted:
> http://www.bbc.co.uk/news/uk-scotland-glasgow-west-18454800
>
> J
>
> On Fri, Jun 15, 2012 at 11:33 AM, Bill Woodcock  wrote:
>
>> http://www.guardian.co.uk/uk/2012/jun/15/girl-photos-school-meals-blog?CMP=twt_gu
>>
>>
>>-Bill
>>
>>
>>
>>

[liberationtech] Silent Circle? Re: AES-encyrpted telephony in Iran?

2012-06-16 Thread Frank Corrigan
This seems relevant, building on Phil Zimmermann's Zfone/ZRTP & PGP.

Open Standards?

Claim total security for phone, text, email, and more
Absolutely NO Backdoors???
http://www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/

- Original message -
From: Jacob Appelbaum 
To: Naiz Mudin 
Cc: "liberationtech@lists.stanford.edu"

Subject: Re: [liberationtech] AES-encyrpted telephony in Iran?
Date: Tue, 12 Jun 2012 22:07:00 -0700

On 06/12/2012 09:29 PM, Naiz Mudin wrote:
> Ladies & Gentlemen,
> 
> I have discovered, by serendipity, an iOS application that is evidently
> also available for Windows Phone and Symbian (soon to be replaced with
> Windows Phone 8). It is called, "SafeSession" and claims 256-bit AES
> encryption between known and trusted users.

I'd suggest PrivateGSM. The people who created it are on this list, it's
based on open standards, it isn't insanely expensive (it's free, even),
and in theory, it has modes of obfuscation to evade traffic analysis of
sorts. It also has support for Android, iPhone, and a ton of other
platforms.

All the best,
Jacob


[liberationtech] Julian Assange is seeking asylum

2012-06-19 Thread Frank Corrigan
"Wikileaks founder Julian Assange is seeking asylum at Ecuador's embassy
in London, says Ecuador foreign minister."
http://www.bbc.co.uk/news/uk-18514726



[liberationtech] Single board mini computers as circumvention tools

2012-06-23 Thread Frank Corrigan
Does anyone know of any research being done on the use of low-cost
single board mini computers to run the likes of online circumvention
tools like VPN, Tor, Gibberbot etc.?

Whilst these boards have been around for some time, since the
introduction of the Raspberry Pi interest has grown and now many
boards are being created, like:

ARM Mini PCs
http://www.reghardware.com/2012/05/10/product_round_up_arm_mini_computers_the_best_and_the_rest/
http://liliputing.com/2012/06/74-mk802-android-4-0-mini-pc-first-impressions-video.html

Android OS and other Linux OSes appear to run easily on these boards and
allow for use of software from the likes of:
https://guardianproject.info/apps/ and http://www.whispersys.com/ (sadly
now defunct)

Some of these boards are also so cheap as to be disposable and single use,
or at least simple to reuse after an OS/data erase.

I am looking at how easy it would be to develop and use a Linux OS that
only runs from the board's RAM (LiveCD/USB/SD card), such as Tails
<http://tails.boum.org>

Frank






Re: [liberationtech] Single board mini computers as circumvention tools

2012-06-25 Thread Frank Corrigan

Thanks, in essence these single board computers are neutral. Hopefully
by making them more accessible in terms of relative cost, creative uses
will be developed from uncommon sources, including school children.

On a simple level these mini devices may also be easier to audit, in
terms of components used, whilst taking account of some closed-source
elements like boot software.

With regard to DJ Palombo's view in his video presentation that it would
not be plausible for each Raspberry Pi's unique serial number to be allied
to a purchaser, I would urge caution, as the device is still a
developmental model and it would take little effort to record such info
for quality control and basic shipping.

Frank


- Original message -
From: The Doctor 
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Single board mini computers as
circumvention tools
Date: Mon, 25 Jun 2012 13:48:53 -0400

On 06/23/2012 07:21 AM, Frank Corrigan wrote:
> Does anyone know of any research being done on the use of low-cost 
> single board mini computers to run the likes of online
> circumvention tools like VPN, Tor, Gibberbot etc

DJ Palombo touched on a few of these issues in his presentation at
CarolinaCon earlier this year.

https://blip.tv/carolinacon/episode-6158272

-- 
The Doctor [412/724/301/703] [ZS]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Learning is its own reward.  Nothing I can say is better than that."
--Michael Hart
