Professional Documents
Culture Documents
or, what everyone in the newsroom should know Jonathan Stray Columbia Journalism School ONA 2013
Sources exposed
Vice reveals John McAfee's location AP phone records subpoena Filmmaker's laptop seized in Syria ...
Data leaked
Wikileaks cables archive was not meant to be public ...
Social
maybe you shouldn't have told them that inside jobs
Today's topics
Stuff everyone needs to know. Especially things that might compromise your colleagues!
Passwords Phishing Malware Secure storage Secure communication
Passwords
1. Don't use a common password. Avoid words in the dictionary. 2. Consider passphrases, and password management tools like OnePass 3. If you use the same password for multiple sites, your password is only as strong as the security on the weakest site.
Phishing
By far the most common attack against journalists (or maybe anyone.) Relies on getting the user to visit a site under false premises. Typically directs users to a fake login page to trick them into entering passwords. But: more sophisticated attacks exist that work just by viewing page. Protection: beware suspicious links! Especially those that take you to a login page! Read the URL before clicking a link from a message. Always read the URL before typing a password.
AP phishing email
Malware
If someone can run a program on your computer, all is lost. E.g. they can get all your passwords with a keystroke logger.
Some types can be installed just by visiting a page. Keep your software up to date. Don't run random programs downloaded from the net. Be suspicious when software asks for your admin
password. Protecting against a determined attacker is very hard. In such cases, consider an air gap a computer not on the network.
Secure storage
We're assuming you have some "data" you want to protect. Documents, notes, photos, interviews, video... 1. How many copies are there? 2. Could they get a copy? 3. If I they had a copy, could they read it?
etc. You probably copied it to your laptop Have you ever given it to anyone else? What about backups of your computer or other devices? Consider secure erase products to keep the number of copies down.
pending. MacOS FileVault is ok, but don't let it give your password to Apple! Remember to encrypt all copies. Memory cards and thumb drives too!
The point of the mud-puddle test "trust" is not a substitute for "security"
Well-designed security means trusting as few people as possible.
Secure communication
Two things you might want:
Privacy: get a file from A to B, without C reading it too. Anonymity: get a file from A to B, without C discovering
who A is. Not the same thing at all. Anonymity is much harder than privacy.
. . .
Data trails
When you use an electronic device, what data is created? Who has access to this data? When you communicate electronically, where do the bits physically go? Who can intercept them?
M M ISP
FOO
M Telco
BAR
ISP
Dozens of organizations must process your email in plain text. Many of them store it. There's the possibility of unauthorized access at any point. Also subject to warrants and subpoenas.
Secure communication
Secure email can be done with PGP but not very user friendly. Secure chat is easier. cryptocat.org Chrome plugin. Very easy to use, but still relatively immature. OTR ("off the record") instant messaging. Plugin for popular IM clients. Mature, vetted, professional strength.
Threat modeling
What do I want to keep private? (Messages, locations, identities, networks...) Who wants to know? (story subject, governments, law enforcement, corporations...) What can they do? (eavesdrop, subpoena... or exploit security lapses and accidents) What happens if they succeed? (story's blown, legal problems for a source, someone gets killed...)
In short
Use real passwords Understand and be alert for phishing Keep your software up to date Know where your data and where it goes For sensitive stories, have a plan
If you only learn one thing from this talk, make it phishing
Don't click on suspicious links. This is everyone's responsibility. That means you, even if you never work on sensitive stories. This alone might foil 90% of attacks.
Resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php
Jen Valentino's Encryption and Operational Security for Journalists Hacks/Hackers presentation
https://gist.github.com/vaguity/6594731 http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all