[liberationtech] BBC: Tor users may have been unmasked going back 5 months
http://www.bbc.com/news/technology-28573625?ocid=socialflow_twitter

30 July 2014 Last updated at 16:16 ET

Tor attack may have unmasked dark net users

By Leo Kelion, Technology desk editor

[Image caption: The ability to unmask Tor's users would undermine the reason people use the service]

Developers of software used to access Tor - an otherwise hard-to-reach part of the internet - have disclosed that an attack on the network may have unmasked users for five months. The Tor Project said that it believed the assault was designed to de-anonymise the net addresses of people operating or visiting hidden sites. However, it said it was not sure exactly how users had been affected. The project added that it believed it had halted the attack on 4 July.

Tor allows people to visit webpages without being tracked and to publish sites whose contents would not show up in search engines.

The Tor Project said it believed that the infiltration had been carried out by two university researchers, who claimed at the start of July to have exploited fundamental flaws in Tor's design that allowed them to unmask the so-called dark net's users. The two security experts, Alexander Volynkin and Michael McCord, had been due to give a talk at the Black Hat conference in Las Vegas next week. However, the presentation was cancelled at the insistence of lawyers working for their employer, Carnegie Mellon University.

[Image caption: The Tor Project offers web browser software that can access the hidden sites on the Tor network]

"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them... which is how we started looking for the attacks in the wild," wrote Roger Dingledine, one of the network's co-creators, on the Tor Project's blog. "They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to [whether they were responsible] is yes. In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was."

A spokesman from Carnegie Mellon University declined to comment.

Illegal activity

Tor attempts to hide a person's location and identity by sending data across the internet via a very circuitous route involving several nodes - which, in this context, means using volunteers' PCs and computer servers as connection points. Encryption applied at each hop along this route makes it very hard to connect a person to any particular activity. To the website that ultimately receives the request it appears as if the data traffic comes from the last computer in the chain - known as an exit relay - rather than the person responsible.

[Image caption: Tor hides a user's identity by routing their traffic through a series of other computers]

Tor's users include the military, law enforcement officers and journalists - who use it as a way of communicating with whistle-blowers - as well as members of the public who wish to keep their browser activity secret. But it has also been associated with illegal activity, allowing people to visit sites offering illegal drugs for sale and access to child abuse images, which do not show up in normal search engine results and would not be available to those who did not know where to look.

Two-pronged attack

The Tor Project suggests the perpetrator compromised the network via a traffic confirmation attack. This involves the attacker controlling both the first part of the circuit of nodes involved - known as the entry relay - as well as the exit relay. By matching the volumes and timings of the data sent at one end of the circuit to those received at the other end, it becomes possible to reveal the Tor user's identity because the computer used as an entry relay will have logged their internet protocol (IP) address.

The project believes the attacker used this to reveal hidden-site visitors by adding a signal to the data sent back from such sites that included the name of the hidden service. Because the sequence of nodes in a Tor network is random, the infiltrator would not be able to track every visit to a dark net site.

[Image caption: Tor can be likened to an onion because of the many layers through which it sends data]

Tor also has a way of protecting itself against such a danger: rather than use a single entry relay, the software uses a few relays chosen at random - what are known as entry guards. So, even if someone has control of a single entry and exit relay, they should only see a fraction of the user's traffic, making it hard to identify them.

However, the Tor Project believes the perpetrator countered this safeguard by using a second technique known as a Sybil attack. This involved adding about 115 subverted computer servers to Tor and ensuring they became used as entry guards. As a result, the servers accounted for more than 6% of the network's guard capacity.

Black Hat Two researchers had planned to reveal a way to
[liberationtech] Russia offers cash to identify Tor users
Here's something a little unexpected... Wonder what people here may think.

http://www.bbc.com/news/technology-28526021

28 July 2014 Last updated at 08:15 ET

Russia offers $110,000 to crack Tor anonymous network

[Image caption: Tor has been used by the whistleblower Edward Snowden]

Russia has offered 3.9m roubles ($110,000; £65,000) in a contest seeking a way to crack the identities of users of the Tor network. Tor hides internet users' locations and identities by sending data on random paths through machines on its network, adding encryption at each stage. The Russian interior ministry made the offer, saying the aim was to ensure the country's defence and security.

The contest is only open to Russians and proposals are due by 13 August. Applicants must pay 195,000 roubles to enter the competition, which was posted online on 11 July and later reported by the tech news site Ars Technica.

Earlier this month, Russia's lower house of parliament passed a law requiring internet companies to store Russian citizens' personal data inside the country. Russia has the fifth-largest number of Tor users with more than 210,000 people making use of it, according to the Guardian.

US-funded network

Tor was thrust into the spotlight in the wake of controversy resulting from leaks about the National Security Agency and other cyberspy agencies. Edward Snowden, the whistleblower who revealed the internal memos and who now has asylum in Russia, uses a version of Tor software to communicate. Documents released by Mr Snowden allege that the NSA and the UK's GCHQ had repeatedly tried to crack anonymity on the Tor network.

Tor was originally set up by the US Naval Research Laboratory and is used by people who want to send information over the internet without being tracked. It is used by journalists and law enforcement officers, but has also been linked to illegal activity including drug deals and the sale of child abuse images.

In its 2013 financial statements, the Tor Project - a group of developers that maintain tools used to access Tor - confirmed that the US Department of Defense remained one of its biggest backers. The DoD sent $830,000 (£489,000) to the group through SRI International, which describes itself as an independent non-profit research centre, last year. Other parts of the US government contributed a further $1m. Those amounts are roughly the same as in 2012.

-- Liberationtech is public and archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Contextual security
This is a very important piece. I just introduced it into a thread on Twitter. And this graph by you seems right on point:

"While by no means the only grounded model for digital security, our contextual security approach attempts to address a gap recognized by researchers and practitioners alike: most digital security training is ineffective. By asking organizers these questions before they start learning about a new tool like GPG or Chatsecure or Tor, we hope organizers and activists will begin to understand that software solutions are only one piece of a larger puzzle in securing political organizers and social movements. Digital security depends on a holistic diagnosis of our communication practices, risks, and opportunities. The activity shared above is one of many, and we hope it can be helpful in your work."

Original Message
Subject: [liberationtech] Contextual security
From: Seeta Peña Gangadharan gangadha...@opentechinstitute.org
Date: Mon, June 02, 2014 10:30 am
To: Liberation Technologies liberationtech@lists.stanford.edu

Hi all,

A couple of us stateside have been thinking about why Johnny can't encrypt in relation to social justice organizing and movements, and here's a blog post that outlines a few thoughts.

https://www.alliedmedia.org/news/2014/05/30/put-away-your-tinfoil-hat-security-context

It's penned by myself, Emi Kane, and Becky Hurwitz, and we ask U.S.-based organizers and activists to adopt a holistic approach when doing digital security. Inspired by a number of practitioners and thinkers in the space, we call this framework contextual security. Would love to know if there are others thinking along these lines.
Warm regards, Seeta - -- Seeta Peña Gangadharan, PhD Senior Research Fellow, Open Technology Institute New America Foundation 199 Lafayette St., #301 New York, NY 10012 o: 212-625-4875
[liberationtech] Rebel radio expert
Hi Libtech colleagues,

This is not a job per se, at least not yet. But we are looking for someone with experience operating either analog or digital radio or both under siege conditions. Someone with experience with say B92 in the Balkans, or with threatened or challenged analog or digital radio in other nations.

Please feel free to respond directly or to refer anyone with such a background to me at fr...@journalistsecurity.net.

Thank you. Best, Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B
[liberationtech] Hancel: A new tool for journalists in Mexico and beyond
This looks like a great tool. Kudos to Sandra and OpenITP, Knight, Ela Stapley and Diego Mendiburu for making it happen. If anyone here has any thoughts about it please share. Thanks, Frank - http://www.pbs.org/idealab/2014/02/how-technology-could-mean-safer-reporting-for-mexican-journalists/?utm_source=feedburnerutm_medium=feedutm_campaign=Feed%3A+pbs%2Fidealab-feed+%28idealab-feed%29 Being a journalist in Mexico is dangerous. Reporters working in states most affected by drug-related violence have seen their beat change drastically since 2006, when former Mexican President Felipe Calderón launched an offensive against organized crime. For many journalists, local news now involves reporting on turf wars, missing people and mass graves. The type of news being covered is riskier, and having adequate security protocols has become all the more important. As attacks against journalists have increased, with five journalists confirmed as being killed in direct reprisal for their work in the last three years, reporters began thinking up ways of keeping themselves safer. A colleague, from a state in the north of Mexico, explained that every time a reporter leaves the office to cover a story it is common procedure to call a fellow journalist to let them know the route being taken as well as arrival and departure times. Journalists covering the crime beat in a state in the northeast of Mexico now move together to and from events. They say there is greater safety in numbers. Journalists traveling from Mexico City, which has largely been unaffected by the violence, to report on news in other areas of the country, also follow certain security procedures. Some reporters have a check-in system, calling designated contacts at certain hours of the day when out in the field, or they carry a GPS device, making it easier to locate them. But sometimes they travel alone, advising just one or two people. They think about the story, not about safety. 
Each assignment throws up questions about security. What do I do if there is a road block? Is the route I am taking safe? What is the best way to alert friends and colleagues without drawing attention to myself? In 2011, these were questions that I was asking myself while on reporting trips. I started thinking that there must be an easier and more efficient way to contact people when working in dangerous areas. BUILDING HANCEL When I met fellow journalist Diego Mendiburu, we realized the part technology could play. At the end of 2011, Mendiburu and I had the idea for Hancel, an Android app that links journalists working in high-risk areas to a preselected list of contacts and to NGOs dedicated to defending freedom of expression. The idea was simple, but building the app was not. We were two journalists with no contacts in technology, no idea of how to run a project, and even less an idea about funding. Two years on, Hancel is in beta phase and being piloted in both Mexico and Colombia. The project has the support of both local and international organizations, and in March last year received funding from the Knight Foundation. But there is still much work to be done. Hancel has taught us a lot about what it means to be a journalist trying to figure out the tech world. Over the coming months, I will be outlining the experiences that we have had while building Hancel, from where to find a programmer to explaining what a hack day is. We hope that by talking about this, we will encourage other journalists not only to start their own projects, but to also build long-lasting relationships with the tech community. Ela Stapley is a journalist based in Mexico. She is co-founder of Hancel, a Smartphone app linking journalists working in high-risk areas with a pre-selected list of contacts and NGOs dedicated to defending freedom of speech. 
In 2013, Ela co-founded Factual_, an organization that provides Latin American journalists with the tools needed to start their own innovation projects. She has an MA in International Journalism from Cardiff University. Contact her @elastapley or e...@factual.com.mx

JournoSec is a column aimed at helping journalists better understand the security, privacy and anonymity challenges they currently face, and steps they can take to protect themselves. Managed by OpenITP Outreach Manager Sandra Ordonez, it brings together leading voices from the community behind open-source technologies that circumvent censorship and surveillance. For more information, follow @OpenITP. To become more involved, contact sandraordonez AT OpenITP DOT org.

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B
[liberationtech] CPJ: Solidarity in the face of surveillance
people think journalist security involves the use of encrypted files and counter-surveillance techniques--and those practices do have their place, wrote CPJ's Frank Smyth in a piece about the importance of press solidarity within nations . But security is really a way of thinking, a way of approaching your work. And fostering professional solidarity is crucial to that approach. We need a culture shift within journalism that reaches from the individual freelancer to the largest newsroom, from the smallest press club to the biggest journalism school. To get there, we are going to have to work together with not only our closest professional colleagues, but also our broader communities, beyond journalism, whose members are increasingly participants and stakeholders in the newsgathering process. In their report on Post-Industrial Journalism, C.W. Anderson, Emily Bell, and Clay Shirky, argue there is no such thing as the news industry anymore. They suggest that we need a fundamental restructuring that will mean rethinking every organizational aspect of news production. I would argue it also means rethinking how we can organize to make newsgathering resilient and sustainable. As the institutions of journalism evolve and change, so too should press freedom advocacy. We need a global solidarity that reflects our increasingly networked fourth estate, one that can help us build new coalitions and engage our audience as allies. The new challenges we face are epitomized by the story of Sarah Abdurrahman, a producer with NPR's On The Media program, who was detained with her family and friends at the U.S. border for six hours. She was not detained because of her reporting, but because of her race and religion. During her detention, her electronics were searched, and border patrol agents refused to answer her questions. The New York Times has documented how the U.S. 
government has used borders as a backdoor to seize and search travelers' electronic devices, an issue with particular implications for journalists, but one that concerns everyone. And we know that journalists like Laura Poitras have faced invasive questioning and harassment at U.S. borders for years.

This is an issue that unites civil liberties groups like the ACLU, digital rights groups like the Electronic Frontier Foundation, press freedom groups like the Committee to Protect Journalists, and media reform groups like Free Press. However, understanding and defending our rights at the border is also an issue about which we can forge common cause with our communities and our readers. In the last month, more than 75,000 people in the U.S. and U.K. have registered their concern at FreePress.net over the detentions of Abdurrahman, Poitras, and Miranda.

Technology has given journalists new tools to cover their communities, connect with their sources, and collaborate on their reporting. Technology has also helped empower government institutions that are organized in opposition to journalism, transparency, and accountability. Challenging these institutions, and defending our right to gather and disseminate news, will increasingly call us into new kinds of collaborations and demand new networks of solidarity.

Josh Stearns is the Journalism and Public Media Campaign Director of Free Press and a board director of the Freedom of the Press Foundation, an advocacy group whose other directors include the journalists Glenn Greenwald and Laura Poitras and the actor John Cusack.

Tags: Alan Rusbridger, David Miranda, Edward Snowden, Glenn Greenwald, Laura Poitras, Sarah Abdurrahman

October 11, 2013 12:37 PM ET

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key 92861E6B
[liberationtech] CPJ: Knowing How Law & Technology Meet at US borders
Piece below on crossing US borders may be of interest here. Thanks to Josh Stearns at Free Press, Dan Auberbach at EFF, among others. I'm also pasting the link to the Canadian Bar Association's guidance to Canadian lawyers crossing US borders. http://www.cba.org/cba/practicelink/tayp/laptopborder.aspx http://www.cpj.org/security/2013/10/knowing-how-law-and-technology-meet-at-us-borders.php Knowing how law and technology meet at U.S. borders By Frank Smyth/CPJ Senior Adviser for Journalist Security Border crossings have long posed a risk for journalists. In many nations, reporters and photographers alike have been subjected to questioning and having their electronic devices searched, if not also copied. But more recently, protecting electronically stored data has become a greater concern for journalists, including those who are U.S. citizens, upon entering or leaving the United States. This is an issue in the U.S., but it is just a fraction of what journalists are facing in countries around the world, Josh Stearns, journalism and public media campaign director of Free Press, a U.S.-based media reform organization, told CPJ. Last month a National Public Radio producer, Sarah Abdurraham, along with members of her family and friends, all of whom are U.S. citizens, were on their way home from a wedding in Ontario when they were detained for six hours at the Niagara Falls border crossing while each of their electronic devices were searched. I generally came out of the experience wondering what our rights are, Abdurraham later said in an interview with NPR's On the Media program, where she works. Abdurraham did not specify whether she meant the rights of journalists or U.S. citizens generally. But, according to Michael Price, counsel at New York University Law School and the Brennan Center for Justice's Liberty and National Security Program, it doesn't make any difference. He told CPJ that to date, there are no court rulings providing U.S. 
journalists with any added protection against having their electronic devices searched when crossing a U.S. border. But a few federal courts have ruled that U.S. citizens crossing U.S. borders have certain rights. Last year in Boston, a judge denied a government motion to dismiss a lawsuit challenging a border search of electronic devices, before the case was settled, after hearing arguments from the American Civil Liberties Union including on First Amendment grounds. This year in San Francisco, a panel of appellate judges ruled that U.S. border agents must at least have reasonable suspicion before searching the data stored on U.S. citizens' electronic devices. If you are flying into the West Coast you have one rule, into the East Coast you have another, said Price, referring to the San Francisco court ruling for the 9th Circuit. All the same, U.S. journalists flying in or out of any part of the United States should expect the possibility that their electronic devices could be searched, copied, or even seized, he and other experts told CPJ. Meanwhile, citizens of other nations, including journalists, enjoy no effective protections from having their data searched upon entering or leaving the United States. The safest option is to not travel with any sensitive data and instead store it in a cloud, Dan Auerbach, staff technologist at the San Francisco-based Electronic Frontier Foundation told CPJ. He noted, however, that safely uploading and downloading sensitive data to any independently hosted platform raises practical challenges, including whether one trusts the firm or group hosting the cloud, and whether the uploads and downloads to the cloud could be intercepted. Another option would be to openly encrypt one's entire hard drive or other device. 
But journalists who do so should use open-source software, as opposed to proprietary commercial software, as the manufacturer could have built the software with a back door to allow secret government access, said Auerbach. Only a judge can make you give up a password, he said. But he also noted that defying agents of U.S. Immigration and Customs Enforcement, a division of the Department of Homeland Security, could also lead agents to seize one's equipment. What they generally do is make a mirror image of the hard drive, Price told CPJ. Authorities could then try to crack the password later. A third option for journalists would be to try and encrypt sensitive files surreptitiously. One digital safety tool called TrueCrypt allows users to create hidden volumes or unseen partitions on their hard drive to load with encrypted data that may look like something else, such as a corrupted video file. But Auerbach warns that successfully hiding data on a disk may only work if one also lies about it to keep it secret. Lying to border agents is not advisable, because it can be a serious crime, reads EFF's online guide. Although now nearly two years old, the EFF guide still provides timely advice for anyone carrying electronic
[liberationtech] Lavabit, Silent Circle both shut down
, including the agency's wide-ranging digital dragnet that captures and stores the everyday communications of millions of Americans. That state of massive surveillance is aided by a secretive Foreign Intelligence Surveillance Court that in recent years has apparently compelled technology providers -- including Facebook, Google and Microsoft -- to provide the NSA with easy access to their users' communications.

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

-- Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Medill online Digital Safety Guide
I appreciate your feedback and your bluntness, Rich. But you are providing far more guidance about what to avoid than what to use. If journalists and other users should avoid all commercial based operating systems including Macs, or any system requiring anti-virus software, then what operating system should they use? Linux maybe? Or something else? Similarly, if they shouldn't use GUI-based email clients, what email should they use? The practical gist of your message to journalists seems to be: don't trust digital information or communications at all. That may well be a very wise point.

Frank Smyth
Executive Director
Global Journalist Security
frank@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

Original Message
Subject: Re: [liberationtech] Medill online Digital Safety Guide
From: Rich Kulawiec r...@gsp.org
Date: Wed, May 29, 2013 7:45 am
To: liberationtech liberationt...@mailman.stanford.edu

I see a number of major problems with this guide -- I'm not going to go into all of them, I'm just going to highlight a few to give the sense of where I'm coming from. You're probably not going to like this. Sorry, but strong criticism from me is not nearly so bad as having a hotel room door kicked in at 3 AM and being dragged off to a dark hole.

1. Use only licensed software and keep it updated.

There's nothing wrong with the concept of keeping your software updated. (Although I would recommend judiciously choosing where and how you update it. An adversary monitoring your connection and observing that you're pulling down updates for FrozzleBlah 1.7 now knows that you're running FrozzleBlah and may find that piece of information highly useful. Another adversary may have the capability and willingness to substitute their update to FrozzleBlah for the one you think you're getting.) But I'd replace this with: use only open-source software.
Closed-source software is not and can not be secure, period, full stop. Anyone choosing closed-source software is choosing insecurity -- which, for a journalist in a hostile environment, is very self-destructive. That's not an artifact of any particular piece of software or any particular vendor; it's an unavoidable consequence of the closed development process. Please see: https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007504.html

Moreover: anyone who has been paying any attention at all over the past 10, 20, 30 years knows that in addition to the plethora of accidental gaping security holes we know about, there are clearly plenty of accidental gaping security holes that we don't know about -- which are being discovered, hoarded, sold, and used by vulnerability researchers and governments and other parties unknown. And then there are the deliberate gaping security holes: see most recently: Skype. And *then* there are the deliberate gaping security holes which various governments are demanding be created for their convenience, not realizing in their ignorance and hubris that what is convenient for Government A is very likely convenient for Government B for many values of (A,B). See for example this particularly asinine proposal: http://www.electronista.com/articles/13/05/27/us.government.sponsored.report.claims.china.biggest.offender/

Of course there are security holes in open source software as well: using it is NOT a panacea. But it at least gives you a fighting chance, whereas with closed-source software, you have none at all. YES, this means no Windows, no IE, no Outlook, no Acrobat, no PhotoShop, and so on. Don't tell me it can't be done. Of course it can. People do it every day.

2. Use good anti-virus and anti-spyware software [...]

No. This is completely the wrong approach, for two reasons: First, if you're using a software platform that's architected such that you think you need these, you have chosen your software platform poorly.
Poorly, as in: https://www.youtube.com/watch?v=xCUwQIn3GrU Trying to remedy that poor choice by slapping on AV/AS software after the fact might make you feel better about it, but that's all it does. Second, AV/AS software is GUARANTEED to fail when you'll need it most. (A bold statement? Heck no. Quite conservative, actually, given that the observed failure rate to date under those circumstances is 100%. What would be highly speculative is predicting any outcome *other* than failure.) 3. Use passwords or, better yet, passphrases that are both at least eight keyboard characters long and that include multiple types of characters. I don't think that's nearly long enough for someone whose freedom and/or life might depend on password strength. Advances in GPU-based password crackers (for example, see: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows
[liberationtech] Medill online Digital Safety Guide
Hi everyone, Over a year ago Jake asked me to post any curriculum my group may come up with here on the list for review by anyone who may be so inclined. If you are so inclined, please take a look at the guide just posted here: http://nationalsecurityzone.org/site/digital-security-basics-for-journalists/ I would welcome any comments at all. (I'd prefer constructive comments, but, most importantly, I want to know if you think something is wrong, misleading or off-point and/or should be redirected.) We will make changes as needed, with full attribution as appropriate to groups or individuals as anyone here may wish. As a non-technologist, I very much appreciate this community and the many truly amazing people in it. And that ain't smoke, it's true. This guide is posted on the Northwestern University Medill School of Journalism National Security Zone online, which also includes many other guides for reporters like, also of interest to some here, Covering Military Trials. In writing this digital guide, I have not tried to reinvent the wheel, and focus more on concepts and what journalists need to think about and learn, rather than get into how to use tools or even thinking about trying to rate them. Instead the guide relies heavily on other resources already providing such information like Security-in-a-Box, along with Danny's Information Security chapter in CPJ's Journalist Security Guide. I have also relied on information, all with full attribution, from Movements.org, The Engine Room and others. Much of what is written also reflects what I have managed to glean over the years as a non-technologist from this group and list. If you wish to take issue with any one point, please do. Or the whole parts of it, or the entire guide for that matter, if you wish. Part of the idea behind putting this up at all is to advance a broader dialogue. And it is not meant to be exhaustive, but merely an introduction. 
The main goal is to alert journalists to how much they don't know, and need to learn, which, if recent news is any indication, more journalists at least in this nation are realizing every day. So please go ahead and dive in if you wish, and direct your comments back to the list or to my email also copied, as you wish. (I don't always check this list, so if you want to make sure I see your note in a timely manner, please copy me at fr...@journalistsecurity.net.) And here is a nice juicy tidbit from the guide to get you started. Pretty Good Privacy or PGP along with the newer, German government-funded version of the same software model, GPG, is encryption software for emails and files. Both PGP and GPG use cryptographic algorithms that are stronger than what Internet Freedom activists believe even the U.S. National Security Agency (under most circumstances) is capable of decoding. Although even the best digital software is still subject to spyware programs on infected computers that allow eavesdroppers to learn the passwords to access even encrypted emails and files. Disagree on this or any point, please say so. Thank you, everyone! Best, Frank Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Medill online Digital Safety Guide
Thank you, Tom. I'll try to address all your points. On GPG being German government funded, point was not to sow distrust. But to be accurate and also show that Western governments have played a positive role in funding some Internet Freedom tools, besides just the US. Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net Original Message Subject: Re: [liberationtech] Medill online Digital Safety Guide From: Tom Ritter t...@ritter.vg Date: Wed, May 22, 2013 5:03 pm To: liberationtech liberationtech@lists.stanford.edu Without opinion on the entirety, here are some random thoughts. I think the password section is missing the most important piece of advice: don't use the same password for different services. Every one should have its own, and they shouldn't be algorithmic (e.g. myp4ssw0rdisF4C3B00K and myp4ssw0rdisG00GL3, etc). This pretty much necessitates a password manager. I don't think mentioning "German government funded" is relevant for GPG. What's the point of that, to sow distrust? Whatever your thoughts are about Werner or the code quality of GPG, from a "Do I trust this project to do the best it can and follow proper open source principles and not backdoor me intentionally" I think it's well above the level. Whereas PGPi.org is more than 10 years out of date. Typo: "Both PGP and GPG, however, are relatively to use." Thunderbird: "it is designed to interact with GPG encryption software to make it easier to encrypt email messages and files" - no it's not, that's enigmail, an extension. It's not built in. truecrypt - "they can also be made to look –at least at first glance—like large audio or video files that for some reason will not open as if the files were for one reason or another corrupted." I think that's misleading. Even with the caveat it implies something that is not at all true. I'd take it out. 
Encrypted SMS omits TextSecure If you have an Android phone, download and install Tor from the Android Marketplace - you mean Orbot and OrWeb? I would name them by name, with links. -tom On 22 May 2013 16:41, fr...@journalistsecurity.net wrote: Hi everyone, Over a year ago Jake asked me to post any curriculum my group may come up with here on the list for review by anyone who may be so inclined. If you are so inclined, please take a look at the guide just posted here: http://nationalsecurityzone.org/site/digital-security-basics-for-journalists/ I would welcome any comments at all. (I'd prefer constructive comments, but, most importantly, I want to know if you think something is wrong, misleading or off-point and/or should be redirected.) We will make changes as needed, with full attribution as appropriate to groups or individuals as anyone here may wish. As a non-technologist, I very much appreciate this community and the many truly amazing people in it. And that ain't smoke, it's true. This guide is posted on the Northwestern University Medill School of Journalism National Security Zone online, which also includes many other guides for reporters like, also of interest to some here, Covering Military Trials. In writing this digital guide, I have not tried to reinvent the wheel, and focus more on concepts and what journalists need to think about learn, rather than get into how to use tools or even thinking about trying to rate them. Instead the guide relies heavily on other resources already providing such information like Security-in-a-Box, along with Danny's Information Security chapter in CPJ's Journalist Security Guide. I have also relied on information, all with full attribution, from Movements.org, The Engine Room and others. Much of what is written also reflects what I have managed to glean over the years as a non-technologist from this group and list. If you wish to take issue with any one point, please do. 
Or the whole parts of it, or the entire guide for that matter, if you wish. Part of the idea behind putting this up at all is to advance a broader dialogue. And it is not mean to be exhaustive, but merely an introduction. The main goal is to alert journalists to how much they don't know, and need to learn, which, if recent news is any indication, more journalists at least in this nation are realizing every day. So please go ahead and dive in if you wish, and direct your comments back to the list or to my email also copied, as you wish. (I don't always check this list, so if you want to make sure I see your note in a timely matter, please copy me at fr...@journalistsecurity.net.) And here is a nice juicy tidbit from the guide to get you started. Pretty Good Privacy or PGP along with the newer, German government-funded version of the same software model, GPG, is encryption software
[liberationtech] Article 19 Digital Security YouTube video
The Paris-based NGO Article 19 has put some digital security videos on YouTube that may be of interest to anyone involved or interested in training. At the very least it shows an attempt to try and meet the need for such information that has long gone unmet. Any comments or thoughts one way or another about the video and its content would be helpful as other groups including my organization begin moving in the same direction. https://www.youtube.com/watch?v=kb4Ior64IEA&feature=youtu.be Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net, PGP Public Key
Re: [liberationtech] Article 19 Digital Security YouTube video
Pleasure to meet you, Dirk. I think the videos are a good idea, and an effective way to introduce basic and more elaborate concepts and some basic training. There may well be different opinions on this list, of course. And I do hope they weigh in to help us improve guidance and training. But one way or another we need to find ways like you and Article 19 are doing to make digital security more accessible. So thank you for beginning the effort. See you in San Jose for the UNESCO conference around WPFD, if you will be there, as I hope you are. Frank Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net, PGP Public Key Original Message Subject: Re: [liberationtech] Article 19 Digital Security YouTube video From: Dirk Slater d...@fabriders.net Date: Tue, April 09, 2013 5:19 pm To: liberationtech liberationtech@lists.stanford.edu Cc: liberationtech liberationtech@lists.stanford.edu Hi Frank, Thought it might be a good time to out myself. I've been lurking a bit on the list here as I've recently subscribed. I appear in a couple of those videos, so would also be happy to hear any comments or thoughts. You can view the full videos with their interactive content here: http://www.article19.org/online-protection/ Dirk Slater Lead Consultant/Founder Fabriders www.fabriders.net twitter: fabrider skype: dirkslater On 9 Apr 2013, at 21:20, fr...@journalistsecurity.net wrote: The Paris-based NGO Article 19 has put some digital security videos on YouTube that may be of interest to anyone involved or interested in training. At the very least it shows an attempt to try and meet the need for such information that has long gone unmet. Any comments or thoughts one way or another about the video and its content would be helpful as other groups including my organization begin moving in the same direction. 
https://www.youtube.com/watch?v=kb4Ior64IEA&feature=youtu.be Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net, PGP Public Key
[liberationtech] Cloud encryption
I imagine people here might have thoughts about this. Comes from a Texas-based, civil liberties-oriented blog. Encryption for cloud communications may best protect Fourth Amendment rights via Grits for Breakfast by Gritsforbreakfast on 4/6/13 http://gritsforbreakfast.blogspot.com/2013/04/encryption-for-cloud-communications-may.html Says readwrite mobile: With government requests for personal data on the rise, there are few guarantees in place that you or I won't have our private communications snooped through. Since the Fourth Amendment hasn't yet caught up with the lightning fast pace of technological change, some of the best privacy protections are often the ones implemented by tech companies themselves. Well put. The comment comes in response to a DEA complaint that encryption on the Apple iPhone's chat services made them indecipherable, even with a warrant. Continued writer John Paul Titlow: By architecting iMessage the way it did, Apple created a messaging protocol more secure and private than standard text messages, which is how millions of people communicate every day. As we fire those texts back and forth, we're all creating a digital trail that can be snooped upon or hacked more easily than we care to think about. But if they're being and sent and received from iPhones running iOS 5 or later, those messages are invisible to wiretaps by law enforcement or other prying eyes. Apple didn't have to build iMessage with end-to-end encryption. Gmail isn't encrypted this way, nor are the Facebook messages that are increasingly used like texts on mobile devices. Clearly, SMS text messages aren't particularly well-secured either. Whether winning privacy points was its motivation or not, Apple definitely racks up a few for this. Legislation like Texas Rep. 
Jon Stickland's HB 3164 to require warrants to access electronic communications is one way to protect privacy for third-party facilitated communications, but a far more effective one would be if Gmail, Facebook, and other major providers encrypted user messages. Those companies may or may not have an economic incentive to do so, but they're arguably in a better position in many cases than legislatures or the courts to protect privacy and Fourth Amendment rights. Frank Smyth, Executive Director, Global Journalist Security, frank@journalistsecurity.net, Tel. + 1 202 244 0717, Cell + 1 202 352 1736, Twitter: @JournoSecurity, Website: www.journalistsecurity.net, PGP Public Key
[liberationtech] CPJ: Attacks on Knight Center sites reflect digital dangers
Appreciate the help on this one from Masashi and others at Citizen Lab and from Eva at EFF. FS https://www.cpj.org/security/2013/04/attacks-on-knight-center-sites-reflect-digital-dan.php Attacks on Knight Center sites reflect digital dangers By Frank Smyth/Senior Adviser for Journalist Security The two websites at the University of Texas at Austin, at first blush, seemed to have been unlikely targets for attack. The Knight Center for Journalism in the Americas and its blog cover news about journalism, press freedom and journalist safety throughout the Western hemisphere, with an emphasis on trends in Latin America. The website of the International Symposium for Online Journalism provides information about meetings and other professional issues. Both websites were shut down for two weeks last month in a targeted cyber-attack. Attacks targeting news, human rights, and free expression organizations "are very common," Eva Galperin, global policy analyst at the San Francisco-based Electronic Frontier Foundation, told CPJ. In fact, CPJ's own website briefly came under attack on February 8, although the hacking did not take the site down. "Many groups encounter such threats on a near-daily basis, and civil society must exercise constant vigilance to protect against these threats," said Masashi Crete-Nishihata, research manager at the University of Toronto-based Citizen Lab, in an email to CPJ. The hackers of the two UT websites used a method called cross-site scripting to plant malicious code in the sites' hosting computers, according to a Knight Center researcher. The university's information technology researchers tracked the origin of the attacks to IP addresses in Russia. The IT team at UT put the two websites under quarantine while it repaired the damage and addressed vulnerabilities. The Knight Center deftly moved to other platforms while it addressed the problem. 
"The malicious cyber-attack was enough to shut our websites down, but not enough to shut us up," Rosental Alves, founder and director of the Knight Center for Journalism in the Americas, said in a posting. The Knight Center put up two temporary WordPress blogs to keep news and information flowing while the websites were down. The motive for the attack on the UT websites is not known. In the days and weeks before the attack, the Knight Center's Americas blog reported on matters such as an attack on a northern Mexican newspaper, a number of newspapers' opposition to a defamation law in the Dominican Republic, an Ecuador-based non-governmental organization's protest against the "arbitrary" suspension of its Twitter account by the U.S.-based firm of the same name, and the murder of a radio host in Brazil who spoke out against organized crime. In the strike against the CPJ website, the attacker exploited a vulnerability in the site's Movable Type publishing system to install code that redirected visitors to a third-party site capable of downloading malware to computers running Internet Explorer, and then on to Google.com. CPJ spotted and removed the redirect code within seven minutes and, in the aftermath, took a number of measures to harden its system. CPJ's investigation into the attack, which is continuing, preliminarily traced the attack to a Turkish web server. Hackers use a number of tactics, noted Crete-Nishihata of Citizen Lab. A common method is the denial-of-service attack, which prevents a website from functioning normally by overloading its host server with external communications requests. In December 2011, a denial-of-service attack took the Mexican website Ríodoce offline for six days. Ríodoce was one of the few publications in the Mexican state of Sinaloa to cover the narco-traffickers operating with impunity in the region, including the powerful Zetas cartel. Defacement attacks are yet another tactic. 
An entity called the Iranian Cyber Army has defaced the websites of Iranian opposition activists and journalists. Perhaps more insidious is the infiltration of computer networks, including email systems. In many dozens of documented cases--affecting such major news organizations as The New York Times, The Washington Post, and The Wall Street Journal--hackers have quietly infiltrated computers to monitor sensitive email and other digital communications. In January, technologists at Citizen Lab revealed that hackers, most likely working on behalf of the government in Syria, had been using software made by the California-based developer Blue Coat Systems to gather information about Syrian activists and citizen journalists. Spyware doesn't even need to be expensive. A Russian software maker produces effective spyware called BlackShades for just $40. So what can journalists, human rights defenders, and others do to protect themselves? Education and awareness go a long way to helping keep individuals and groups safe, both Crete-Nishihata and Galperin told CPJ. Open-source tools such as those offered by Metasploit allow groups to test potential vulnerabilities in their digital systems.
[liberationtech] Bloomberg: Spies Fail to Escape Spyware...
Spies Fail to Escape Spyware in $5 Billion Bazaar for Cyber Arms - Bloomberg http://www.bloomberg.com/news/2011-12-22/spies-fail-to-escape-spyware-in-5-billion-bazaar-for-cyber-arms.html The intelligence operative sits in a leather club chair, laptop open, one floor below the Hilton Kuala Lumpur’s convention rooms, scanning the airwaves for spies. In the salons above him, merchants of electronic interception demonstrate their gear to government agents who have descended on the Malaysian capital in early December for the Wiretapper’s Ball, as this surveillance industry trade show is called. As he tries to detect hacker threats lurking in the wireless networks, the man who helps manage a Southeast Asian country’s Internet security says there’s reason for paranoia. The wares on offer include products that secretly access your Web cam, turn your cell phone into a location-tracking device, recognize your voice, mine your e-mail for anti-government sentiment and listen to supposedly secure Skype calls. He isn’t alone watching his back at this cyber-arms bazaar, whose real name is ISS World. For three days, attendees digging into dim sum fret about losing trade secrets to hackers, or falling prey to phone interception by rival spies. They also get a tiny taste of what they’ve unleashed on the outside world, where their products have become weapons in the hands of regimes that use the gear to track and torture dissidents. “I’m concerned about my calls or Internet being monitored, because that’s what they sell,” says Meling Mudin, 35, a Kuala Lumpur-based information-technology security consultant who takes defensive measures as he roams the exhibits. “When I make phone calls, I step out of the hotel, I don’t use my computer and I also don’t use the wireless services provided.” ‘We Meet Again’ ISS, which convenes every few months in cities from Dubai to Brasilia, is the hub of the surveillance trade. 
In recent years, countries such as Syria, Iran and Tunisia bulked up their monitoring by turning to some of ISS’s corporate sponsors, such as Italy’s Area SpA and Germany’s Utimaco Safeware AG (USA) and Trovicor GmbH, a Bloomberg News investigation showed. Business is booming, with annual revenue of $3 billion to $5 billion growing as much as 20 percent a year, ISS organizer Jerry Lucas estimates. Lucas, 68, an American with a PhD in physics, is perfectly cast for the part of spyware convention mastermind. With sweeping eyebrows and a bare pate that make him a look-alike of Democratic strategist James Carville, he greets an uninvited journalist at his Prague event in June with, “We’ve been expecting you.” On the second encounter, in Kuala Lumpur this month, he descends an escalator from the convention floor and intones: “We meet again.” Warning Attendees Lucas, whose conference company TeleStrategies, Inc., is based in McLean, Virginia, makes the point that his marketplace serves police who conduct criminal investigations and intelligence services that prevent terror attacks. Virtually every communications network in the world includes wiretapping for prosecutors, or location tracking to rescue people in emergencies. And customers at ISS also include phone company executives. Still, Lucas describes Spy vs. Spy intrigue that emerges when he convenes ISS (short for Intelligence Support Systems). The potential for hacking has led him to warn attendees to comply with the law of host countries. “We tell them, ‘Do not bring in radio equipment that is not allowed by the government,’” says Lucas, who started ISS nine years ago. Some gear can intercept mobile-phone or Internet transmissions, impersonating legitimate networks by sitting in the middle of the data flow. “These guys can be your base station,” Lucas says. 
‘Hide Your Laptop’ Attendees routinely guard against hacking, says Nikhil Gyamlani, a Munich-based developer of monitoring systems who has attended several ISS events. He says being in close contact with competitors versed in the dark arts gives them a chance to secretly copy documents saved on hard drives or sent via e-mail. He advises preventive measures. “Absolutely no use of wireless networks, and hide your laptop in a safe,” says Gyamlani, 34, the founder of a new surveillance company, GlassCube. “The fear is very justified.” Some who haven’t taken such precautions have learned to be more careful. At ISS in Prague this year, an employee of an African telecommunications regulator was cruising Facebook on his Archos (JXR) tablet computer when he found his every click being projected on a screen at the front of the room, he recalled afterwards in the lobby. He’d been using the hotel’s wireless Internet. Watching The Detectives While ISS is closed to journalists, a Bloomberg News reporter dropped in on two 2011 installments, walking hotel corridors, sitting in bars and haunting lounges. In Prague, at a hotel connected to a shopping mall food court, potential buyers included Thailand’s
[liberationtech] Online journalist fatalities, deaths in combat both hit record highs
Speaking of the need, today CPJ released its journalist killed figures for 2012. Two records: A record number of online journalists killed in 2012. And more journalists killed in combat situations in 2012 than in any previous year that CPJ has been keeping records. Syria is the main reason behind both trends, as Syrian citizen journalists filing to online outlets like Shaam News Network dominated this year's fatalities. http://www.cpj.org/security/2012/12/combat-deaths-high-journalist-risk.php Combat deaths at a high, risks shift for journalists By Frank Smyth/Senior Adviser for Journalist Security Ambulances carry the bodies of Marie Colvin and Rémi Ochlik, who were killed in government shelling in Syria. (Reuters/Khaled al-Hariri) Murder is the leading cause of work-related deaths among journalists worldwide--and this year was no exception. But the death toll in 2012 continued a recent shift in the nature of journalist fatalities worldwide. More journalists were killed in combat situations in 2012 than in any year since 1992, when CPJ began keeping detailed records. CPJ Special Report • Journalist deaths spike in 2012 The 23 journalists killed in combat-related crossfire make up 34 percent of the worldwide death toll this year, about twice the historical average. And beginning in 2010, the number of journalists killed while covering street protests or similar dangerous assignments has risen well above the rates recorded since 1992. Journalists carrying cameras--still photographers, television cameramen, and videographers--paid an unusually heavy price in recent years. Freelancers and online journalists have also composed an increasing proportion of fatalities during this timeframe. Many of those killed during combat and dangerous assignments were relatively inexperienced, with some of the victims in Syria still in their teens. So what does this say? 
It's worth keeping in mind that the risks to journalists change with the news, and the conditions of 2012 won't necessarily be replicated in 2013 or in the future. But a few things stand out from the recent death tolls that demand the attention of the profession. Technology has allowed individuals to cover and disseminate news on their own, without having an affiliation with a news organization. The proportion of online journalists in CPJ's annual death tolls has been rising since 2008, but the 25 online journalists killed worldwide in 2012 represent a record. In Syria, the government worked hard to block the international press, prompting numerous Syrians to pick up cameras to document the violence and upload hours of their footage to online collectives such as Shaam News Network. During the political uprisings that swept the Arab world, domestic and international freelancers were similarly called to action. Individuals with cameras were more likely to be in harm's way as they sought to cover the tumult--and they were also more obvious targets for violence. I think we have to differentiate between local citizen journalists who report on what is happening in their own country and to their own people, and Western freelancers who go to places like Syria to report on the conflict, said Peter N. Bouckaert, emergencies director at Human Rights Watch who leads a Facebook group composed of conflict journalists and others. Citizen journalists are part of a seismic shift in the media business, and we are just beginning to understand how we can use the materials they collect, and how we can work together to report better, Bouckaert said. The role of Western freelancers is totally different. In a shrinking, increasingly risk-adverse media environment, it is all too often freelancers who end up going to the places where the big media won't send their reporters. Many inexperienced, young freelancers can be lulled into a sense of false comfort, Bouckaert noted. 
The smartest ones who went through Libya took a step back, and went to take a first-aid course and hostile environment training. But many media organizations that rely on stringers for news also need to step up, he added. If we want to talk seriously about safety, we need to start getting the media organizations to start contributing more toward safety training and safety gear for freelancers. The annual death tolls in Iraq during the peak of that nation's violence still exceed that of Syria: 32 journalists were killed in Iraq in both 2006 and 2007. But the large majority of deaths in Iraq, especially in the later years of the war, were not combat-related. They were murders. Local journalists working for Western news organizations and those working for local news outlets with perceived sectarian viewpoints were targeted for their affiliation, hunted down, and murdered by the dozen in Iraq. Murder has been the leading cause of death in Afghanistan as well. Any conflict, including the war in Syria, could evolve in ways that would make journalists more vulnerable to targeted attacks than crossfire
[liberationtech] Forbes recommends tools for journalists
If anyone here has any thoughts about the tools recommended in this Forbes piece, please speak up. The piece gets specific with recommendations from Ashkan Soltani, a technologist who I do not think is on this list, about half way down. Again, any thoughts would be welcome. Thank you! Frank http://www.forbes.com/sites/kashmirhill/2012/12/07/dear-journalists-at-vice-and-elsewhere-here-are-some-simple-ways-not-to-get-your-source-arrested/ TECH | 12/07/2012 @ 1:33PM Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To Get Your Source Arrested You forgot to scrub the metadata, suckers. Computer security millionaire John McAfee’s surreal flight from Belizean law enforcement came to an end this week when he was detained (and then hospitalized) in Guatemala, as has been widely reported. A piece of the story that hasn’t been included in much of the reporting is how authorities figured out that McAfee — who was wanted for questioning in the shooting death of his neighbor — had fled Belize for Guatemala. McAfee’s location was exposed after he agreed to let two reporters from Vice Magazine tag along with him. Proud to finally be in the thick of a story rife with vices — drugs, murder, prostitutes, guns, vicious dogs, a fugitive millionaire and his inappropriately young girlfriend — they proudly posted an iPhone photo to their blog of Vice editor-in-chief Rocco Castoro standing with the source of the mayhem in front of a jungly background, saying, “We are with John McAfee right now, suckers.” With that posting, they went from chroniclers of vices to inadvertent narcs. They left the metadata in the photo, revealing McAfee’s exact location, down to latitude and longitude. McAfee tried to claim he’d manipulated the data — a claim that Vice photographer backed up on Facebook in a posting he’s since deleted — but then capitulated, hired a lawyer, and tried to claim asylum in Guatemala. 
Guatemalan authorities instead detained McAfee for entering the country illegally. All of which was dutifully reported by the Vice reporters, with no mention of their screw-up. Mat Honan at Wired excoriated Vice for its role in events:

This was deeply stupid. People have been pointing out the dangers of inadvertently leaving GPS tags in cellphone pictures for years and years. Vice is the same publication that regularly drops in on revolutions and all manner of criminals. They should have known better. And they have the resources to do it better. Vice is a $100 million operation. Then, it followed up this egregiously stupid action with a far worse one. Vice photographer Robert King apparently lied on his Facebook page and Twitter in order to protect McAfee. Like McAfee, he claimed that the geodata in the photo had been manipulated to conceal their true location. … But the coverup, as always, is worse than the crime. In claiming the geodata had been manipulated when it had not, Vice was no longer just documenting. Now it was actively aiding a fugitive wanted for questioning in the murder investigation of his neighbor Gregory Faull, who was shot dead at his own home.

Via How Trusting In Vice Led To John McAfee’s Downfall – Wired.

It was indeed deeply stupid. Journalists are professional dealers in information but many are terrible about protecting it. While willing to go to jail to protect their sources, journalists may wind up leaving them exposed instead through poor data practices. In a New York Times editorial last year, Chris Soghoian, now chief technologist at the ACLU, warned that “secrets aren’t safe with journalists” explaining that “the safety of anonymous sources will depend not only on journalists’ ethics, but on their computer skills.”

There are three very basic things journalists should be doing to shield their sources:

- Scrubbing metadata from photos, documents and other files.
- Resisting the desire to save copies of everything.
- Encrypting communications.

Technologist Ashkan Soltani walked me through some simple tools for doing this. They’re not foolproof, but they’ll make it a little less likely that your blog post will wind up sending the person you’re profiling to jail (unless that’s your intent).

1. Scrubbing metadata. “All files — photos, Word docs, PDFs — include some kind of metadata: author, location created, device information,” says Soltani. If you leave the metadata attached, you run the risk of exposing private information about the person who gave you the file, or, in the case of Vice, the location of the person trying to keep his location under wraps.

Before you share a Word doc with the world that a source sent you, run it through a scrubber. Otherwise, it may reveal where the doc was created, who authored it and anyone who has ever made changes to it. There’s Doc Scrubber for Microsoft Word. For PDF docs, use a tool like Metadata Assistant. Or use Adobe Acrobat’s “Examine Document” tool which will scan the doc for hidden information. For photos, think about
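The location leak described in the Forbes piece quoted above comes from the Exif GPS directory that a phone camera embeds in the JPEG header. The following is an added example, not code from the article or from any list member: it reads that directory and removes the metadata-bearing segments before publication. The sample file and its coordinates are constructed for the demonstration, and all function names are this example's own.

```python
import struct

GPS_IFD_POINTER = 0x8825      # IFD0 tag whose value is the offset of the GPS directory
DROP = {0xE1, 0xED, 0xFE}     # APP1 (Exif/XMP), APP13 (Photoshop/IPTC), COM (comment)

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _ifd(tiff, offset, e):
    """Parse one TIFF directory into {tag: raw 4-byte value-or-offset field}."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    return {struct.unpack(e + "H", tiff[p:p + 2])[0]: tiff[p + 8:p + 12]
            for p in range(offset + 2, offset + 2 + 12 * count, 12)}

def _degrees(tiff, field, ref, e):
    """Three RATIONALs (deg, min, sec) at the stored offset -> signed decimal degrees."""
    (off,) = struct.unpack(e + "I", field)
    v = struct.unpack(e + "6I", tiff[off:off + 24])
    value = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return round(-value if ref[:1] in (b"S", b"W") else value, 6)

def read_gps(jpeg):
    """Return (lat, lon) from the Exif GPS directory, or None if there is none."""
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]
        e = "<" if tiff[:2] == b"II" else ">"      # II = little endian, MM = big endian
        ifd0 = _ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER])[0], e)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        # Tags 1/3 are the N/S and E/W references, tags 2/4 the coordinates.
        return _degrees(tiff, gps[2], gps[1], e), _degrees(tiff, gps[4], gps[3], e)
    return None

def strip_metadata(jpeg):
    """Copy the file without the segments in DROP; image data is left untouched."""
    out, tail = bytearray(b"\xff\xd8"), 2
    for marker, start, end in segments(jpeg):
        if marker not in DROP:
            out += jpeg[start:end]
        tail = end
    return bytes(out) + jpeg[tail:]

def build_sample_jpeg():
    """Constructed input: valid segment structure, no decodable image data."""
    def dms(d, m, s_hundredths):
        return struct.pack("<6I", d, 1, m, 1, s_hundredths, 100)
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    tiff = b"II*\x00" + struct.pack("<I", 8)                      # header, IFD0 at 8
    tiff += struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26)   # one entry: GPS IFD at 26
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)                                  # GPS IFD, four entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00")              # GPSLatitudeRef
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                     # GPSLatitude at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00")              # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, 104)                    # GPSLongitude at 104
    tiff += struct.pack("<I", 0) + dms(10, 30, 3600) + dms(20, 15, 0)
    return (b"\xff\xd8"
            + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff)
            + seg(0xFE, b"constructed sample")
            + b"\xff\xda\x00\x02" + b"\x00" + b"\xff\xd9")

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", read_gps(photo))
    print("after: ", read_gps(strip_metadata(photo)))
```

Dropping whole segments also removes the embedded thumbnail and camera details carried in the same Exif block; pixels that show a recognisable place are outside what any metadata scrubber can fix.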
Re: [liberationtech] Forbes recommends tools for journalists
Appreciate the feedback, guys. We'll check out MAT.boum.org, Oli. And we'll look at turning off geo-tagging and ObscuraCam app, too, Nathan. Brian and Michael, appreciate your input, too.

And Danny, apart from your suggestions on full disk encryption and other points which are well taken, we also very much understand the importance of stressing concepts, giving people a sense of threats and options, and underscoring the importance of staying informed about changes including vulnerabilities and updates. In fact, we are avoiding the firehouse training approach, and instead developing four-week classes, in order to make sure that everyone gets concepts instead of just learning tools. The idea is to give people a foundation so they can then take responsibility and make informed choices for their own digital safety. Or so they can trust their own instincts, as I have heard you say.

Thanks! Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key
Please consider our Earth before printing this email.
Confidentiality Notice: This email and any files transmitted with it are confidential. If you have received this email in error, please notify the sender and delete this message and any copies. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Original Message
Subject: Re: [liberationtech] Forbes recommends tools for journalists
From: Michael Rogers mich...@briarproject.org
Date: Mon, December 17, 2012 4:42 pm
To: Danny O'Brien dobr...@cpj.org, liberationtech liberationtech@lists.stanford.edu

On 17/12/12 20:12, Danny O'Brien wrote:
> I think these days you have to tie Forbes' (good) advice not to save everything with an encouragement to use full disk encryption. We're in an awkward space right now where we can't fully guarantee that data gets deleted off a modern flash (SSD) drive, even with previously strong deletion tools. And forensics software is good enough to pick up a lot of local clues about what you've used your own computer for, even if you think you've turned off all logs and removed the saving of sensitive data. Minimize what you record, but also encrypt.

Sorry to go off on a tech tangent after you've rightly pointed out that this isn't simply a matter of choosing the right tech, but I'd like to ask the list for a bit of advice regarding secure deletion from SSDs.

Secure deletion is a problem we could solve in software, by encrypting the data and then destroying the key to render the data unrecoverable, *if* we had a few bytes of persistent, erasable storage in which to store the key. (Storing the key on the SSD itself doesn't work, because then we can't securely delete the key.)

I'm not aware of any suitable storage on current smartphones or personal computers, so we may need to ask device manufacturers to add (simple, inexpensive) hardware to their devices to support secure deletion. So I have two questions for the list: who should we try to persuade, and how should we persuade them?

Cheers, Michael

-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Forbes recommends tools for journalists
And my bad for sending that HTML instead of text.
Re: [liberationtech] Forbes recommends tools for journalists
> But if you're getting information security advice from a Forbes blog, that will be the least of your worries.

Where would you suggest we get information security advice from? Many here are quick to point out what people should not rely upon. But relatively few seem to want to assume the responsibility to suggest what people should use.

We are gleaning material including on concepts from the Information Security chapter written by Danny in CPJ's Journalist Security Guide (full disclosure: I wrote the chapters on physical safety). We are looking for guidance on tools from Security-in-a-Box by Tactical Tech. And we are reviewing and closely following the discussion over the new Internews guide which covers both concepts and tools. We are also looking at relevant guides by Small World News by Brian and others, and Mobile Active by Katrin and Alix. It seems to me that the above comprise the best available sources out there. Would you agree? Of course, if you or anyone has any other suggestions, we are all ears.

The discussion itself over the Forbes blog and other material is all helpful. But backhanded snipes without the benefit of positive alternative suggestions are not. Most people on this list and in conferences seem to be agreeing, at least lately if not also before, that if people who need to use the tools don't use them, then that becomes a security problem in and of itself. And that the overwhelming majority of people in places like Syria really do not understand the risks or practice best measures. Would you agree? Getting over these obstacles requires training, and also more transparency within this Open Source community about what we should be teaching people.

I am also learning not to take gratuitous snipes here personally. As it seems to be all too common within this group. But I do think we would serve a great many more people if we had more constructive conversations. Isn't that what this list is for?

Original Message
Subject: Re: [liberationtech] Forbes recommends tools for journalists
From: Steve Weis stevew...@gmail.com
Date: Mon, December 17, 2012 6:10 pm
To: liberationtech liberationtech@lists.stanford.edu

Just to go further down the tech tangent... There are SSD drives with full-disk encryption, such as the Intel 520 series. Here's a paper "Reliably Erasing Data From Flash-Based Solid State Drives" from Usenix 2011 that analyzes disk sanitation on several SSD drives. Their conclusion was that built in encryption and sanitization functions were most effective, but were not always implemented correctly: http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf

Regarding storage for disk-encryption keys, PCs with TPMs can seal keys such that they can only be unsealed if the machine is booted to a verifiable state. Then you can leave the sealed key on the disk, which is how Bitlocker works. Keep in mind that TPMs can be compromised by physical attacks. They aren't going to protect you from a moderately-funded forensics effort. But if you're getting information security advice from a Forbes blog, that will be the least of your worries.

On Mon, Dec 17, 2012 at 1:42 PM, Michael Rogers mich...@briarproject.org wrote:
> I'm not aware of any suitable storage on current smartphones or personal computers, so we may need to ask device manufacturers to add (simple, inexpensive) hardware to their devices to support secure deletion.
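The encrypt-then-destroy-the-key argument Michael Rogers makes in this thread, and his point that the key cannot live on the SSD itself, can be shown with a small simulation. This is an added example, not code from any list member: `Flash` is a deliberately simplified model of out-of-place writes, `KeySlot` stands for the hypothetical erasable storage he asks for, and the SHA-256 counter keystream with HMAC is a standard-library stand-in for a real cipher such as AES.

```python
import hashlib
import hmac
import os

SECRET = b"constructed secret: notes from a confidential source"

class Flash:
    """Toy flash translation layer: every write lands on a fresh physical page,
    so the previous contents stay readable in a raw dump of the chips."""
    def __init__(self):
        self.pages, self.map = [], {}          # physical pages, logical -> physical
    def write(self, lba, data):
        self.pages.append(bytes(data))
        self.map[lba] = len(self.pages) - 1
    def read(self, lba):
        return self.pages[self.map[lba]]
    def overwrite_and_delete(self, lba):
        self.write(lba, bytes(len(self.read(lba))))   # "secure delete" by zero-fill
        del self.map[lba]
    def raw_dump(self):
        return list(self.pages)                # what a chip-level examiner reads

class KeySlot:
    """Hypothetical few bytes of storage that can really be erased in place."""
    def __init__(self):
        self.key = None
    def store(self, key):
        self.key = key
    def erase(self):
        self.key = None

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    stream = b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return _xor_stream(enc_key, nonce, body) if hmac.compare_digest(tag, expected) else None

def recover(dump):
    """Examiner's view: try every 32-byte page in the dump as a key on every blob."""
    keys = [p for p in dump if len(p) == 32]
    hits = (unseal(k, blob) for blob in dump if len(blob) > 48 for k in keys)
    return [pt for pt in hits if pt is not None]

def plaintext_overwritten():
    flash = Flash()
    flash.write(0, SECRET)
    flash.overwrite_and_delete(0)
    return SECRET in flash.raw_dump()          # stale page still holds the data

def key_stored_on_flash():
    flash, key = Flash(), os.urandom(32)
    flash.write(0, key)
    flash.write(1, seal(key, SECRET))
    flash.overwrite_and_delete(0)              # try to destroy the key in place
    return SECRET in recover(flash.raw_dump()) # stale key page undoes the erase

def key_in_erasable_slot():
    flash, slot = Flash(), KeySlot()
    slot.store(os.urandom(32))
    flash.write(1, seal(slot.key, SECRET))
    slot.erase()                               # the only copy of the key is gone
    return SECRET in recover(flash.raw_dump())

if __name__ == "__main__":
    print("plaintext, overwritten:   recoverable =", plaintext_overwritten())
    print("encrypted, key on flash:  recoverable =", key_stored_on_flash())
    print("encrypted, key in slot:   recoverable =", key_in_erasable_slot())
```

Only the third case leaves the examiner with nothing but ciphertext, which is the property the hardware request in the thread is after.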
[liberationtech] NSA security configuration guide for iOS 5 Devices
I wonder if anyone here has seen this Security Configuration Recommendations for Apple iOS 5 Devices, by the U.S. National Security Agency and dated March 2012. I didn't find any reference to it in the list archives. A Tweep, M.A. Ho-Kane, just tweeted it. The document is not classified and reads that it is designed to help U.S. government officials across agencies handle Sensitive But Unclassified information on their iPhones. The document seems legitimate to me. And makes sense since so many people including U.S. agency officials these days carry iPhones or iPads. The document and its recommendations also seem very thorough. I would welcome any thoughts at all including whether people think the recommendations are sound. Thanks! Frank

http://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf
Re: [liberationtech] NSA security configuration guide for iOS 5 Devices
Document is also on the NSA.gov website and was publicly posted there on May 11, 2012. http://www.nsa.gov/public_info/whats_new/index.shtml

Frank Smyth
[liberationtech] NYT: For Syria’s Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool
This piece from NYT over the weekend should be of interest here, and, unless I missed it, I don't think it's been yet posted. Excerpt: If the uprisings in Tunisia and Egypt were Twitter Revolutions, then Syria is becoming the Skype Rebellion. To get around a near-nationwide Internet shutdown, rebels have armed themselves with mobile satellite phones and dial-up modems. Quotes CL and EFF's Eva on risks. Main news here that sticks out for me is that Syrian activists largely seem aware of the risks, yet many are still using Skype due to a lack of alternatives. http://www.nytimes.com/2012/12/01/world/middleeast/syrian-rebels-turn-to-skype-for-communications.html For Syria’s Rebel Movement, Skype Is a Useful and Increasingly Dangerous Tool By AMY CHOZICK Published: November 30, 2012 In a demonstration of their growing sophistication and organization, Syrian rebels responded to a nationwide shutdown of the Internet by turning to satellite technology to coordinate within the country and to communicate with outside activists. When Syria’s Internet service disappeared Thursday, government officials first blamed rebel attacks. Activist groups blamed the government and viewed the blackout as a sign that troops would violently clamp down on rebels. But having dealt with periodic outages for more than a year, the opposition had anticipated a full shutdown of Syria’s Internet service providers. To prepare, they have spent months smuggling communications equipment like mobile handsets and portable satellite phones into the country. “We’re very well equipped here,” said Albaraa Abdul Rahman, 27, an activist in Saqba, a poor suburb 20 minutes outside Damascus. He said he was in touch with an expert in Homs who helped connect his office and 10 others like it in and around Damascus. Using the connection, the activists in Saqba talked to rebel fighters on Skype and relayed to overseas activists details about clashes with government forces. 
A video showed the rebels’ bare-bones room, four battery backups that could power a laptop for eight hours and a generator set up on a balcony. For months, rebels fighting to overthrow President Bashar al-Assad have used Skype, a peer-to-peer Internet communication system, to organize and talk to outside news organizations and activists. A few days ago, Jad al-Yamani, an activist in Homs, sent a message to rebel fighters that tanks were moving toward a government checkpoint. He notified the other fighters so that they could go observe the checkpoint. “Through Skype you know how the army moves or can stop it,” Mr. Yamani said. On Friday, Dawoud Sleiman, 39, a member of the antigovernment Ahrar al-Shamal Battalion, part of the Free Syrian Army, reached out to other members of the rebel group. They were set up at the government’s Wadi Aldaif military base in Idlib, a province near the Turkish border that has seen heavy fighting, and connected to Skype via satellite Internet service. Mr. Sleiman, who is based in Turkey, said the Free Syrian Army stopped using cellphone networks and land lines months ago and instead relies almost entirely on Skype. “Brigade members communicate through the hand-held devices,” he said. This week rebels posted an announcement via Skype that called for the arrest of the head of intelligence in Idlib, who is accused of killing five rebels. “A big financial prize will be offered to anyone who brings the head of this guy,” the message read. “One of our brothers abroad has donated the cash.” If the uprisings in Tunisia and Egypt were Twitter Revolutions, then Syria is becoming the Skype Rebellion. To get around a near-nationwide Internet shutdown, rebels have armed themselves with mobile satellite phones and dial-up modems. In many cases, relatives and supporters living outside Syria bought the equipment and had it smuggled in, mostly through Lebanon and Turkey. 
That equipment has allowed the rebels to continue to communicate almost entirely via Skype with little interruption, despite the blackout. “How the government used its weapons against the revolution, that is how activists use Skype,” Mr. Abdul Rahman said. “We haven’t seen any interruption in the way Skype is being used,” said David Clinch, an editorial director of Storyful, a group that verifies social media posts for news organizations, including The New York Times (Mr. Clinch has served as a consultant for Skype). Mr. Assad, who once fashioned himself as a reformer and the father of Syria’s Internet, has largely left the country’s access intact during the 20-month struggle with rebels. The government appeared to abandon that strategy on Thursday, when most citizens lost access. Some Syrians could still get online using service from Turkey. On Friday, Syrian officials blamed technical problems for the cutoff. The shutdown is only the latest tactic in the escalating technology war waged in Arab Spring countries. But several technology experts warned that the use of the Internet by rebels
[liberationtech] Yale Law School Protecting Journalism: Anonymous and Secure Communications
Some here may be interested in this event tomorrow at Yale Law School, which will be live streamed. Line-up is an eclectic mix of technologists and journalists including Ella Saitta, Quinn Norton, John Scott-Railton, Meredith Patterson, Brian Krebs, Nabiha Syed and myself. (A number of whom were also at the #CTS this week in Tunis.)

http://www.law.yale.edu/intellectuallife/protectingJournalism.htm

Protecting Journalism: Anonymous and Secure Communications for Reporters and Sources

Reporters often find it necessary to protect the identities of their sources. In the past, that secrecy was easier to achieve.

Now, although digital technologies provide fast, convenient communications between reporters and sources, they also facilitate greater surveillance of those communications. If source confidentiality remains crucial to journalism, then reporters have a duty to take better precautions. But what measures are available, which ones are being used, and which ones are actually effective? Do anonymizing tools fulfill the promise of secure communications, or do they endanger users by creating false confidence?

This conference will bring together journalists and technologists to discuss the security needs of journalism; current practices among reporters; the merits and pitfalls of the available technology; and what more can—or should—be done to protect communications of this nature.

Frank Smyth
[liberationtech] NPC digital security event video
The video of the National Press Club event on Digital Security for Journalists is now up at the link below. The speakers were:

Matthew Cole: a former producer for ABC News and an investigative journalist, focusing on national security and intelligence issues who has firsthand experience being on the receiving end of government surveillance as a result of his reporting activities.

Joseph Hall: the senior staff technologist at the Center for Democracy & Technology whose work focuses on policy mechanisms for encouraging trustworthiness and transparency in information systems.

Jonathan Hutcheson: a public interest lawyer and journalist who designed and implemented a comprehensive source security platform for 100 Reporters’ Whistleblower Alley that enables the anonymous uploading of sensitive documents.

http://press.org/news-multimedia/videos/journalists-digital-security-national-press-club-special-event#.UIrQ63ssKDY.twitter

Much of the discussion of tools during the presentations will be familiar to people on this list, of course. The value for you may be in hearing, especially during the Q&A, the dialogue involving both technologists and journalists.

Frank Smyth
[liberationtech] Cole speaking tomorrow at NPC
For anyone in DC, ex-ABC News Investigative Team Matthew Cole is also speaking tomorrow at 6:30 PM at the National Press Club in Washington, D.C. The panel was meant to be a tutorial for working journalists, but it is more likely to become a news event.

Journalists' Digital Security event
National Press Club
DATE / TIME: Wednesday, October 24 / 6:30pm - 8:00pm
LOCATION: National Press Club, 529 14th St. NW, 13th Floor, Washington, D.C. 20045, Conference Rooms
SPEAKERS: Matthew Cole, Joseph Hall, Jonathan Hutcheson

DESCRIPTION: What would you do if you found your computer had been hacked and sensitive emails with sources, story research and interview notes were now exposed? Or what if you learned someone had intercepted your cell phone conversations and used them to learn the identity of your would-be 'Deep Throat?' Though digital technology has been an enormous boon to journalists, it also comes with significant security pitfalls and far too few reporters are aware of these dangers. More so than the general public, journalists are particularly at risk of being targeted as a result of the unique role they play in accumulating and disseminating highly sensitive information.

To raise awareness about just how serious the digital security problem is, the National Press Club's Press Freedom Committee will hold a panel discussion on Wednesday, Oct. 24 from 6:30 p.m. -- 8:00 p.m. in the Murrow Room. This event is free and open to the public. Working and student journalists are particularly encouraged to come.

Panelists are:
Website: http://www.press.org/events/journalist...

Frank Smyth
Re: [liberationtech] Online Journalists on the Frontlines
We could talk about it, Asher. Getting journalists to show up and participate is the challenge. There are events along similar lines from time to time like this one at the NPC in DC later this month. A CryptoParty for journalists would work best at one of many journalist events or conventions.

Frank Smyth

Original Message
Subject: Re: [liberationtech] Online Journalists on the Frontlines
From: Asher Wolf asherw...@cryptoparty.org
Date: Fri, October 12, 2012 8:47 pm
To: liberationtech@lists.stanford.edu

Hi Frank, Just a thought - would your group be interested in hosting CryptoParties for journalists? Regards, Asher Wolf.

On 13/10/12 7:07 AM, fr...@journalistsecurity.net wrote:

This is a piece relevant for this group. As always, I'd welcome any thoughts, comments, complaints...

Every year, for decades, journalists from print, radio, or television media have dominated the ranks of those targeted for murder or otherwise killed on the job--every year, that is, until 2008, when a new era began. The same year that Facebook gained 100 million users https://blog.facebook.com/blog.php?post=28111272130 and Twitter began seeing exponential growth http://mashable.com/2009/01/09/twitter-growth-2008/, online journalists around the world began getting killed and imprisoned at rates never before seen.
Today, more than one-third of all journalists being killed, and almost half of all journalists being jailed, were working online when they were targeted.

http://www.cpj.org/security/2012/10/finding-common-cause-from-first-online-journalist.php

*Finding common cause from first online journalist murder*
By Frank Smyth/Senior Adviser for Journalist Security http://www.cpj.org/blog/author/frank-smyth

Georgy Gongadze, shown here the summer of 2000, was the first online journalist killed in retaliation for his work. (AFP/Dima Gavrish)

The first online journalist killed for his work disappeared one night 12 years ago in the Ukraine. Georgy Gongadze, 31, left a colleague's house to return to his home with his wife and two young children. He never arrived. Seven weeks later, a farmer, a few hours' drive away, discovered the journalist's headless corpse http://www.cpj.org/killed/2000/georgy-gongadze.php. Gongadze edited the website /Ukrainska Pravda/ and ran stories about corruption and cronyism like no one else in the nation's state-dominated print and broadcast media. Later, the country's then-president was implicated in an audiotape in which he was allegedly heard speaking to aides about the need for Gongadze's murder.

The latest online journalist to die in retaliation for his work was executed last month in Syria. Government soldiers killed Abdel Karim al-Oqda, 27, and two of his friends before setting fire to the journalist's house. Al-Oqda was preparing http://www.cpj.org/killed/2012/abdel-karim-al-oqda.php for a day's work when the soldiers arrived at his home in the city of Hama.
He was a cameraman for the Shaam News Network, a Damascus-based citizen news organization that has posted tens of thousands of videos on its website as well as on YouTube, much of which have also run on international news outlets including Al-Jazeera and the BBC. Every year, for decades, journalists from print, radio, or television media have dominated the ranks of those targeted for murder or otherwise killed on the job--every year, that is, until 2008, when a new era began. The same year that Facebook gained 100 million users https://blog.facebook.com/blog.php?post=28111272130 and Twitter began seeing exponential growth http://mashable.com/2009/01/09/twitter-growth-2008/, online journalists around the world began getting killed and imprisoned at rates never before seen. Today, more than one-third of all journalists being killed, and almost half of all journalists being jailed, were working online when they were targeted. Through the 2000s, anywhere from 24 to 74 journalists were killed http://www.cpj.org/killed/ every year, according to CPJ research, but only one or, at most, two online journalists were among them until 2008. Five online journalists were killed that year
Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
Nadim,

Toward the end of the piece, I said: some critics are now working with Kobeissi to help clean up and secure Cryptocat.

What you are saying is that Cryptocat is now a browser-plugin only application, and that therefore, if I understand your point, the vulnerabilities alluded to by Chris and now Patrick are now all fixed.

Are they? If they are, I have not yet read confirmation that they are from others in this community. I'd welcome any input here.

And, Nadim, I have and continue to support you for finally building a truly user-friendly tool. We need tools that are both secure and easier-to-use, and that was the point of the piece.

Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

Original Message
Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
From: Nadim Kobeissi na...@nadim.cc
Date: Tue, September 11, 2012 1:14 pm
To: liberationtech liberationtech@lists.stanford.edu

I can't even-

Frank sent me this article about 15 minutes ago and I answered with the notion that Cryptocat has been a browser-plugin only app for more than a month, and that his article is just incredibly ignorant and frustrating as a result of it ignoring that.
Relevant links:
https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/

Excuse me while I now go waterboard myself,
NK

On 9/11/2012 1:07 PM, fr...@journalistsecurity.net wrote:

Hi everybody,

Below is my CPJ blog on the Cryptocat debate. It makes some of the same points that I already made here a few weeks ago. And please know that my intent is to help work toward a solution in terms of bridging invention and usability. I know there are different views, and I have already heard some. Please feel free to respond. (If you wish you may wish to copy me at fr...@journalistsecurity.net to avoid me missing your note among others.) Thank you!

Best, Frank

http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php

*In Cryptocat, lessons for technologists and journalists*
By Frank Smyth/Senior Adviser for Journalist Security http://www.cpj.org/blog/author/frank-smyth

/Alhamdulillah!/ Finally, a technologist designed a security tool that everyone could use. A Lebanese-born, Montreal-based computer scientist, college student, and activist named Nadim Kobeissi had developed a cryptography tool, Cryptocat https://crypto.cat/, for the Internet that seemed as easy to use as Facebook Chat but was presumably far more secure.

Encrypted communications are hardly a new idea. Technologists wary of government surveillance have been designing free encryption software since the early 1990s http://www.pgpi.org/doc/overview/. Of course, no tool is completely safe, and much depends on the capabilities of the eavesdropper. But for decades digital safety tools have been so hard to use that few human rights defenders and even fewer journalists (my best guess is one in a 100) employ them.
Activist technologists often complain that journalists and human rights defenders are either too lazy or foolish to not consistently use digital safety tools when they are operating in hostile environments. Journalists and many human rights activists, for their part, complain that digital safety tools are too difficult or time-consuming to operate, and, even if one tried to learn them, they often don't work as expected. Cryptocat promised http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all to finally bridge these two distinct cultures. Kobeissi was profiled http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html in /The New York Times/; /Forbes/ http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/ and especially /Wired/ http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all each praised the tool. But Cryptocat's sheen faded fast. Within three months of winning a prize associated with /The Wall Street Journal/ http://datatransparency.wsj.com/, Cryptocat ended up like a cat caught in storm--wet, dirty, and a little worse for wear. Analyst Christopher Soghoian--who wrote a /Times/ op-ed last fall http://www.nytimes.com/2011/10/27/opinion/without-computer
Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
of CPJ's blog will see it that way, either. It was meant as a call for more usability, using Cryptocat, in fact, as a model.

Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key http://www.journalistsecurity.net/franks-pgp-public-key

Original Message
Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
From: Nadim Kobeissi na...@nadim.cc
Date: Tue, September 11, 2012 1:34 pm
To: liberationtech liberationtech@lists.stanford.edu

Frank,

Please, tell me more about how your allusion at the end of your post absolves you of the culpability of fact-checking! Furthermore, I have confirmed with Chris concerning the browser plugin issue when I met him last week in D.C., while Patrick Ball and I had an exchange that was posted on libtech weeks ago under the migraine-inducing "What I learned from Cryptocat" thread.

Did you even ask Chris or Patrick about the browser plugin platform? I'll eat a shoe if you did. I've been working for weeks on this and it's people like you who just make me feel like all my effort is completely worthless.
NK

On 9/11/2012 1:24 PM, fr...@journalistsecurity.net wrote:

Nadim,

Toward the end of the piece, I said: some critics are now working with Kobeissi to help clean up and secure Cryptocat.

What you are saying is that Cryptocat is now a browser-plugin only application, and that therefore, if I understand your point, the vulnerabilities alluded to by Chris and now Patrick are now all fixed.

Are they? If they are, I have not yet read confirmation that they are from others in this community. I'd welcome any input here.

And, Nadim, I have and continue to support you for finally building a truly user-friendly tool. We need tools that are both secure and easier-to-use, and that was the point of the piece.

Frank

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key http://www.journalistsecurity.net/franks-pgp-public-key
Original Message
Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
From: Nadim Kobeissi na...@nadim.cc
Date: Tue, September 11, 2012 1:14 pm
To: liberationtech liberationtech@lists.stanford.edu

I can't even-

Frank sent me this article about 15 minutes ago and I answered with the notion that Cryptocat has been a browser-plugin only app for more than a month, and that his article is just incredibly ignorant and frustrating as a result of it ignoring that.

Relevant links:
https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/

Excuse me while I now go waterboard myself,
NK
[liberationtech] American Journalism Review on digital security
emains a mystery. Was it traditional shoe-leather stalking or did they use electronic surveillance to find her?

"It's possible they could have gotten an electronic footprint that led them to her," says Frank Smyth, CPJ's senior adviser for journalist security. "It's also possible they pegged her due to her behavior in a small town in Northern Mexico. Without evidence, there's no way to know." Castro's murder was the first CPJ has documented in direct retaliation for journalism posted on social media.

If she was being tracked electronically, what could Castro have done to reduce the danger? "She could have used Tor," says Smyth, main author of the CPJ guide. Tor is described on its Web site as free software that "prevents anyone from learning your location or browsing habits." It also is known as a censorship circumvention tool.

Similar questions surfaced when a rocket-propelled grenade made a direct hit on a makeshift press center in the war-torn town of Homs, Syria, on February 22, killing American-born war correspondent Marie Colvin, 56, and French photographer Rémi Ochlik, 28.

After the attack, the Telegraph in London reported that journalists in Homs had worried "that Syrian forces had 'locked on' to their satellite phone signals and attacked the buildings from which they were coming."

Colvin filed stories via a satellite uplink and had been vocal about the Syrian government's human rights violations during interviews on CNN and other news outlets just before the attack. Without precautions, the journalists could have been easy targets, Smyth says. CPJ advises against multiple parties transmitting from the same location in a hot zone like Homs.

"Basically, the paranoia game is what we need to play," says Steve Doig, Knight Chair in Journalism at Arizona State University.
Doig has given presentations on "Spycraft: Keeping Your Sources Private" at Investigative Reporters and Editors' conferences and elsewhere.

The veteran journalist - he spent 19 years at the Miami Herald - talks about keeping Internet searches private, making and receiving untraceable calls and encryption/decryption programs. Reporters who cover national security and have sources in the intelligence community are aware of these tactics, Doig says, but many journalists still "have their head in the sand."

"My goal in doing these talks has been to wave the flag and get people thinking about it," Doig says. "Someday, when a young reporter has a 'Deep Throat' source for the first time in his or her career, they won't start out by leaving a trail of bread crumbs."

Some journalists are leading the way.

To illustrate how the Associated Press addresses cyber safety issues, Media Relations Director Paul Colford sent a link to an article about the AP's 2012 Pulitzer Prize-winning investigation of the New York Police Department's surveillance of minority and Muslim populations. The story described the security measures the journalists took while reporting the pieces.

The AP kept drafts of the series off of its internal content management system "until the 11th hour each time, to ensure security," wrote reporter Joe Pompeo for the online publication Capital New York. Pompeo reported that when one of the journalists on the story, Adam Goldman, was in the Middle East on a separate assignment, he communicated with other team members "via encrypted e-mails on a GPG-enabled loaner laptop." Ted Bridis, who oversees the AP's investigative news team, issued special instructions when reporter Matt Apuzzo attended a meeting with a confidential source in New York.

"Bridis instructed Apuzzo to remove the battery from his cell phone so it would be harder for anyone to trace either his location or the identity of his informant," Pompeo wrote in his October 2011 story.
Encryption is similar to coding a message. A GPG, trade name GNU Privacy Guard, allows users to encrypt data to make it undecipherable. Only those with the password can read it.

The AP declined requests for an interview on how reporters secured information during the NYPD investigation. "AP is working across departments to solidify guidelines in this area," Colford wrote in an e-mail.

Across the board, news organizations are reluctant to talk about safety protocols. Fox News Channel spokeswoman Dana Klinghoffer says executives there don't feel comfortable discussing security that "could compromise us."

Eileen Murphy, vice president for corporate communications at the New York Times, wrote in an e-mail that the paper does "not have written guidelines on this issue but it is something we encourage our journalists to be mindful of." The Washington Post and TV networks did not respond to requests for information about their policies.

Some media outlets have posted guidelines on their Web sites. In the Thomson Reuters Code of Conduct, for example, employees a
Re: [liberationtech] What I've learned from Cryptocat
That's a very good point, Michael. The challenge is to help people understand that not having a perfect solution does not mean simply ignore all electronic risks. As people are still using technology, as you also note.

I also think we all have a tendency to develop narratives that are consistent with what we think is convenient rather than what may be at a deeper level true.

And I think improving user access must also involve explaining the fluid nature of digital risks. And the evidence of risks is also beginning to mount at least among journalists, too.

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

Original Message
Subject: Re: [liberationtech] What I've learned from Cryptocat
From: Michael Rogers mich...@briarproject.org
Date: Wed, August 08, 2012 1:22 pm
To: fr...@journalistsecurity.net
Cc: Moxie Marlinspike mo...@thoughtcrime.org, liberationtech@lists.stanford.edu

On 07/08/12 06:19, fr...@journalistsecurity.net wrote:

How many people on this list have spent time asking non-technologists and other users who have tried, but have since given up even trying to use tools like PGP? Or have examined how new users interact with such tools? I have a great deal of respect for this community. But to be honest it seems to me that neither the technologists nor the donors have spent much time asking such questions.
Hi Frank, I'd just like to make an anecdotal point here. A few months ago I spent an interesting afternoon talking to some activists in the UK about what communication tools they use for what tasks. None of them regularly used PGP, Tor, or disk encryption software, but the reasons they gave had nothing to do with usability. They were aware of the tools and knew how to use them, but they didn't believe that doing so provided any practical security benefits. They believed that encryption software probably contained backdoors and could be defeated by keyloggers. They'd seen evidence trails from computers and phones produced in court, and rather than relying on technology to solve technology's problems, some of them preferred to avoid electronic communication altogether for secret work. It's tempting to say they were right and leave it at that. Keep your secrets away from your gadgets and your gadgets away from your secrets. But that wasn't what they were actually doing. They all carried phones, even though they knew they were being tracked and possibly bugged. They all had email accounts, and some of them used mailing lists and forums for planning, even though they knew that if a keylogger could get their encryption passwords it could get everything else they typed. Why the apparent inconsistency? One possible interpretation is that they were assessing encryption tools with a typical information security mindset: if there's any weak point, the adversary will exploit it, so the strong points are irrelevant. But they were assessing other techniques with a more balanced mindset: weigh up the risks and potential benefits, compare the available alternatives, and choose the best (or the least bad). That's only speculation on my part, of course. 
But if it's right, it raises a difficult question: how do we maintain rigorous standards of critique within the information security community, without giving potential users of our tools the counterproductive impression that nothing works and you might as well give up?

Cheers,
Michael

___ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click yes (once you click above) next to would you like to receive list mail batched in a daily digest? You will need the user name and password you receive from the list
[liberationtech] Adium w/ Facebook, or Google Talk
I wonder if people here recommend the open source freeware Chat tool Adium? http://adium.im/about/

And whether they would recommend using it with Facebook?

Or, if not, Google Talk?

Thanks! FS

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
Re: [liberationtech] Adium w/ Facebook, or Google Talk
Check that. I am a MAC user, so Google Talk will apparently not work.

I am open to suggestions...

Thanks!

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net

Original Message
Subject: [liberationtech] Adium w/ Facebook, or Google Talk
From: fr...@journalistsecurity.net
Date: Mon, July 02, 2012 9:42 am
To: liberationtech@lists.stanford.edu

I wonder if people here recommend the open source freeware Chat tool Adium? http://adium.im/about/

And whether they would recommend using it with Facebook?

Or, if not, Google Talk?

Thanks! FS

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
[liberationtech] Arabic-speaking digital safety trainers
We are looking for a few Arabic-speaking digital safety trainers to help teach basic concepts and some tool usage to citizen journalists operating in critical nations. Training will occur remotely using VPNs to reach select users. (Some training in third-party nations may also be possible.) Potential trainers could be technologists who can speak "human" to non-techies, or journalists or activists who have a basic sense of concepts and tools.

We are also interested in training trainers, so we are prepared to work to bring potential trainers up to speed.

We also want to make sure that any possible trainers have bona fide netfreedom credentials, thus we are posting here.

And we plan to vet, too. Any suggestions would be welcome. Thanx! FS

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
[liberationtech] Skype Manager Chinese
I just got the message below from a colleague at NPR who discovered emails from "Skype Manager" in Chinese. I presume she should delete them. Anyone have any thoughts? Thank you. FS

Subject: Skype messages in Chinese?

Hi, ITSupport--I'm at home, trying to get over a bad cold, so I checked my emails today using mail.npr.org and see that I'm getting emails today from "Skype Manager" in Chinese today. Should I delete these messages without opening them?

Carol

Frank Smyth
Executive Director
Global Journalist Security
fr...@journalistsecurity.net
T. + 1 202 244 0717
C. + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net