Help! I am an Investigative Journalist in 2017
Whistleblowers Australia Annual Conference
2016-11-20
About me
Gabor Szathmari (@gszathmari)
• Information security professional
• Privacy, free speech and open gov’t advocate
• CryptoParty organiser
• CryptoAUSTRALIA founder (coming soon)
Agenda
Investigative journalism:
• Why should we care?
• Threats and abuses
• Surveillance techniques
• What can the reporters do?
Why should we care about investigative journalism?
Investigative journalism
• Cornerstone of democracy
• Social control over gov’t and private sector
• When the formal channels fail to address the problem
• Relies on information sources
Snowden
Manning
Tyler Shultz
Paul Stevenson
Benjamin Koh
Threats and abuses against investigative journalism
Threats
• Lack of data (opaque gov’t)
• Journalists are imprisoned for doing their jobs
• Sources are afraid to speak out
Journalists’ Privilege
• Evidence Amendment (Journalists’ Privilege) Act 2011
• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
Recent Abuses
• The Guardian: Federal police admit seeking access to reporter's metadata without warrant
• The Intercept: Secret Rules Make It Pretty Easy for the FBI to Spy on Journalists
• CBC News: La Presse columnist says he was put under police surveillance as part of 'attempt to intimidate'
Surveillance techniques
Brief History of Interception
First cases:
• Postal Service - Black Chambers 1700s
• Telegraph - American Civil War 1860s
• Telephone - 1890s
• Short wave radio - 1940s / 50s
• Satellite (international calls) - ECHELON 1970s
Recent Programs (2000s - )
• Text messages, mobile phone - DISHFIRE, DCSNET, Stingray
• Internet - Carnivore, NarusInsight, Tempora
• Services (e.g. Google, Yahoo) - PRISM, MUSCULAR
• Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW
• Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT
• End user device exploitation: HAVOK, FOXACID
So how can I defend myself?
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
Old Times
• Ancient history: Caesar cipher, Polybius square, Scytale cipher
• 15th century: Vigenère cipher, Cipher disk, Cipher square
• 17th century: Jefferson disk cipher
• 20th century: One-time pads, Rotor machines (Enigma, Lorenz)
Lorenz SZ42
Modern Uses
• PGP (1991), PGPfone (1995)
• HTTPS (1994)
• OpenVPN (2001), IPSEC (1995)
• Tor (2002)
• Skype (2003, early days)
• Disk encryption: TrueCrypt (2004), BitLocker
• End-to-end encryption (2010s)
• Signal, ChatSecure
• Messenger, WhatsApp, Google Allo
How does all this apply to an investigative journalist?
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
Encrypt the Data in Transit
• Web: HTTPS, DuckDuckGo
• Email: PGP
• Text and voice calls (e2ee): Signal, Threema
• Group chat (e2ee): Semaphor, ClearChat, Crypho
• Video calls (e2ee): Wire, Tox.im
Encrypt the Data at Rest
• Local hard-disks and USB drives
• macOS: FileVault, Windows: BitLocker, Linux: LUKS
• Cloud file storage
• Zero-knowledge services: Sync.com, Tresorit, SpiderOak
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
????
What did we miss?
Why?
• Metadata retention
• State sponsored hacking
What about metadata?
• Mass collection
• Retained for 2 years
• Links you to the information source
• Easy to apply link analysis
IBM i2 Analyst's Notebook
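An added example (not part of the talk) of why encryption alone does not hide a source: a few lines of link analysis over retained call records that contain no content at all. The records, party names, publication time and the helper names `peers` and `new_contacts_before` are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed call records: (start time, caller, callee, duration in seconds).
# Only metadata is present; the content is absent, exactly as it would be
# for an observer of end-to-end encrypted calls.
RECORDS = [
    ("2016-09-01 10:02", "reporter", "editor", 310),
    ("2016-09-05 18:40", "family", "reporter", 95),
    ("2016-09-19 09:15", "reporter", "editor", 120),
    ("2016-10-11 21:07", "dept-employee", "reporter", 62),
    ("2016-10-12 08:30", "reporter", "editor", 540),
    ("2016-10-13 21:55", "reporter", "dept-employee", 1260),
    ("2016-10-14 19:03", "family", "reporter", 80),
    ("2016-10-15 22:10", "dept-employee", "reporter", 900),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def peers(records, subject, start, end):
    """Count contacts between subject and each peer with start <= time < end."""
    counts = Counter()
    for ts, caller, callee, _secs in records:
        if subject in (caller, callee) and start <= parse(ts) < end:
            counts[callee if caller == subject else caller] += 1
    return counts

def new_contacts_before(records, subject, event, days=7):
    """Peers seen in the `days` before `event` but never earlier in the records."""
    event_time = parse(event)
    window_start = event_time - timedelta(days=days)
    recent = peers(records, subject, window_start, event_time)
    earlier = peers(records, subject, datetime.min, window_start)
    return {p: n for p, n in recent.items() if p not in earlier}

if __name__ == "__main__":
    # Constructed publication time of the story.
    print(new_contacts_before(RECORDS, "reporter", "2016-10-17 06:00"))
```

Routine contacts (editor, family) drop out because they also appear before the window; the one party left is the new contact, which is why the later slides add "hide the metadata" and "compartmentalise" on top of encryption.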
What about gov’t hacking?
Tailored Access Operations (TAO)
• Backdooring routers, switches, and firewalls
• Backdooring laptops purchased online
• Backdooring your laptop by phishing
• Backdooring your laptop by exploits (“FOXACID”)
On a Security Conference
How does all this apply to an investigative journalist?
Round 2
Data Protection 101 (for journalists!)
• Encrypt sensitive data in transit
• Encrypt sensitive data at rest
• Work in a secure environment (i.e. write articles and communicate with info sources)
• Hide the metadata
• Compartmentalise your work
• Solve the first contact problem
Secure environment
Work on a device that is free of backdoors:
• Anonymity: Tails operating system
• Security: Qubes OS
• Security & Anonymity: Qubes OS + Whonix
Hide that metadata
Chat:
• Ricochet IM
File Exchange:
• OnionShare
Compartmentalise
Limits the damage done when you are hacked
Compartmentalise (cont’d)
• Separate laptop for research & comms
• One email address per source
• One USB drive per source
• Unique password on any website
First contact problem
• Allow information sources to contact you anonymously
• SecureDrop
• GlobaLeaks
Two actually …
A word on smartphones
Your phone is a spying machine:
• Doesn’t matter what model it is
• Leave your phone at home
The most secure tool
• Pen
• Paper
Wrapping it up
Security and privacy is hard…
• Surveillance is very sophisticated as technology has advanced
• Metadata retention practices and data mining technologies will link you to the info source
• The Peeping Toms are on your smartphone and laptop
…but not hopeless
• Encrypt everything
• Use a secure operating system
• Use pen and paper
• Hide the metadata
• Compartmentalise
• Leave your smartphone at home
• Solve the first contact problem
Further info
• Tweet me on @gszathmari
• CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au
• Join a CryptoParty: https://cryptoparty.in/sydney
• https://www.privacytools.io
• https://prism-break.org
• https://privacyforjournalists.org.au
Questions?
Sources
• The History of Information Security: A Comprehensive Handbook
• https://en.wikipedia.org/wiki/Cabinet_noir
• http://blogs.lse.ac.uk/mediapolicyproject/2016/02/15/a-very-brief-history-of-interception/
• https://inforrm.wordpress.com/2016/02/21/a-very-brief-history-of-interception-in-the-britain-bernard-keenan/
• https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects
• http://www.computerworld.com/article/2476515/network-security/the-security-flaws-in-tails-linux-are-not-its-only-problem.html
• https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked
• https://www.theguardian.com/world/2016/apr/14/federal-police-admit-seeking-access-to-reporters-metadata-without-warrant
• https://www.techdirt.com/articles/20160829/06300835377/australian-government-using-data-retention-law-to-seek-out-journalists-sources-hunt-down-whistleblowers.shtml
• https://theintercept.com/2016/06/30/secret-rules-make-it-pretty-easy-for-the-fbi-to-spy-on-journalists/
• http://www.cbc.ca/news/canada/montreal/journalist-patrick-lagace-police-surveillance-spying-1.3828832
• https://en.wikipedia.org/wiki/Telephone_tapping
• http://www.nytimes.com/2015/03/01/nyregion/a-short-history-of-wiretapping.html