Notes from Hacks/Hackers NYC workshop on encryption and opsec for journalists. Notes come from talk by Jennifer Valentino.

Hacks/Hackers NYC: Encryption and Operational Security for Journalists (2013-09-16)

Jennifer Valentino, Wall Street Journal (@jenvalentino)

These notes come straight from Jennifer's presentation; slides at https://docs.google.com/file/d/0B2HGtAJEbG8PdzVPdHcwekI2V2M/edit

Background

  • NSA covers 75% of internet traffic; not all is collected or sifted
  • Big issues with surveillance are not the NSA but leak investigations, subpoenas, accidental disclosure and chilling effects on sources
    • James Rosen case; what was accessed:
      • Rosen's phone call metadata
      • Building card swipes
      • His Gmail account, including content
    • Gen. Petraeus case
      • IP address data matches hotel records
      • Drafts in shared Gmail account accessed
    • John McAfee
      • Fugitive found after Vice Magazine published a photo online that still had metadata, including geolocation
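The McAfee item is the classic case of location metadata riding along inside a published image. The following Python is an added example, not from the workshop or the slides: it walks a JPEG's marker segments, reads the EXIF GPS sub-IFD if one is present, and strips the Exif segment before publication. It uses only the standard library and handles just the APP1/TIFF structures needed for this check (it is not a full EXIF library); the sample image is constructed in the code with made-up coordinates.

```python
"""Check a JPEG for an EXIF GPS fix and strip the Exif segment before publishing.
Standard-library only; constructed sample input, not a real photo."""
import struct

GPS_IFD_TAG = 0x8825                                  # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(with_gps=True):
    """Constructed test input: a bare JPEG shell (SOI, one APP1 Exif segment, EOI).
    The coordinates are made up for the example; they come from no real image."""
    tiff = b"II" + struct.pack("<HI", 42, 8)          # little-endian TIFF header, IFD0 at offset 8
    if with_gps:
        gps_ifd_off = 8 + 2 + 12 + 4                  # IFD0 = count + 1 entry + next-IFD link
        data_off = gps_ifd_off + 2 + 4 * 12 + 4       # GPS IFD = count + 4 entries + link
        tiff += struct.pack("<H", 1)
        tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
        tiff += struct.pack("<H", 4)
        tiff += struct.pack("<HHI", TAG_LAT_REF, 2, 2) + b"N\0\0\0"          # ASCII fits inline
        tiff += struct.pack("<HHII", TAG_LAT, 5, 3, data_off)                # 3 RATIONALs, by offset
        tiff += struct.pack("<HHI", TAG_LON_REF, 2, 2) + b"W\0\0\0"
        tiff += struct.pack("<HHII", TAG_LON, 5, 3, data_off + 24) + struct.pack("<I", 0)
        for deg, minute, sec in ((40, 44, 30), (73, 59, 10)):                # D/M/S as num/den pairs
            tiff += struct.pack("<IIIIII", deg, 1, minute, 1, sec, 1)
    else:                                              # Exif present, but only a Software tag
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0131, 2, 3) + b"v1\0\0" + struct.pack("<I", 0)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value/offset)} for one IFD."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _dms_to_decimal(tiff, e, raw):
    """Follow the offset to three RATIONALs (deg, min, sec) and convert to decimal degrees."""
    off = struct.unpack(e + "I", raw)[0]
    parts = []
    for i in range(3):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        parts.append(num / den if den else 0.0)
    d, m, s = parts
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the EXIF GPS IFD carries a fix, else None."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            break
    else:
        return None
    e = "<" if tiff[:2] == b"II" else ">"              # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])[0], e)
    if TAG_LAT not in gps or TAG_LON not in gps:       # GPS IFD without coordinates
        return None
    lat = _dms_to_decimal(tiff, e, gps[TAG_LAT][2])
    lon = _dms_to_decimal(tiff, e, gps[TAG_LON][2])
    if gps.get(TAG_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
        lat = -lat
    if gps.get(TAG_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """The mitigation: return a copy with every APP1 Exif segment removed."""
    out, cursor = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            out += jpeg[cursor:start]
            cursor = end
    out += jpeg[cursor:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample))             # made-up fix from the constructed sample
    print("after: ", extract_gps(strip_exif(sample))) # None once the Exif segment is gone
```

A pre-publication check in a newsroom pipeline would refuse any image where `extract_gps` returns a value, or run everything through `strip_exif` unconditionally. Note that stripping only the Exif segment leaves other metadata containers (XMP, IPTC) in place; a real workflow should remove those too.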

There are benefits to everyday crypto

  • Prepare yourself for when you have more sensitive work
  • You protect other journalists by normalizing crypto, making it less of a red flag

But encryption can be a red flag

  • Security only as good as the weakest link
  • If a government actor really wants into your machine, it will get into it
  • If your life or your source's life is in danger, don't rely on crypto to save you

Operational Security

  • If work is sensitive, operational security is important
  • OpSec is tedious and difficult (sorry)
  • Stop talking about your work
  • Stop taking your phone places; it tracks you
  • Buy burner phones
  • Buy burner computers
  • You're going to have to do a lot more work than can be covered in an evening

Threat modeling

What can you do?

  • Strong encryption is still powerful
  • Experts recommend open-source tools that have been reviewed for many years

The Inventory

  • Tor Browser Bundle
    • Anonymizes internet activities, including browsing and IM
    • Combination of routing software and a specially configured Firefox browser
    • Tunnels traffic through a series of other computers
    • Weaknesses: It's very slow; last link is "in the clear"
    • Not foolproof
  • Encrypted chats
    • Protecting IMs using ciphers
    • Chat programs Adium for Mac, Pidgin for Windows, plus use of an additional feature called OTR (Off-the-Record messaging)
    • Makes text you're sending unintelligible to an observer; if used with Tor, metadata is hidden
    • Weaknesses: Vulnerabilities have been found in Pidgin and Adium, though crypto itself appears to be okay; it is useless if you log (ex. Chelsea Manning case); if you use same account over and over, anonymity is compromised
  • PGP, GPG
    • Encoding text and files
    • "Pretty Good Privacy"; a very good encryption tool, GPG is an open alternative
    • Uses a system of keys to lock data; you give a public key out, and this allows people to encode info to send you; only people with private key can decode that information
    • Weaknesses: Requires good passwords; key length is important
  • PGP email
    • More easily send PGP messages
    • Thunderbird, open-source email client, plus Enigmail, add-on to handle PGP
    • Hooks your email to PGP software
    • Does not protect metadata (ex. subject line, to/from lines)
  • TrueCrypt
    • Encoding files stored on your computer
    • Creates a container that can only be unlocked by those with password
    • Weaknesses: Requires good passwords
  • CCleaner
    • Open source tool is BleachBit
    • Cleans data from computer
    • System that allows you to choose areas that you want to delete and overwrite them; harder to recover
  • CryptoCat
    • Encrypted group chat that's easy to use; good for introducing people to crypto and encouraging as norm; for example, internal chat about everyday stories
    • Web app for Firefox, Chrome and app for Mac
    • Uses encryption that is similar to OTR from other encrypted IM, but with a new tool called mpOTR (multi-party)
    • Weaknesses: CryptoCat is very young; anyone with a chatroom name can join; lack of verification in group chat; several examples of cryptography problems discovered (and later fixed)
  • Download links: https://github.com/hackshackers/hhnyc-crypto/blob/master/README.md
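The PGP and TrueCrypt entries above both list "requires good passwords" as the weakness. This added Python example (mine, not from the workshop or any of the tools named) shows why: the passphrase is stretched into the real key by a key-derivation function, so someone who copies the encrypted file or private key only has to guess the passphrase, and each guess costs them one KDF run. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations as a generic stand-in for whatever KDF a given tool uses, and a hypothetical attacker budget of 10^12 hashes per second; neither figure comes from the talk.

```python
"""Passphrase strength versus attacker effort for passphrase-protected keys and containers.
Standard library only; the attacker budget and iteration count are assumed, not measured."""
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passphrase: str, salt: bytes, iterations: int = 600_000, length: int = 32) -> bytes:
    """Stretch a passphrase into a fixed-length key with PBKDF2-HMAC-SHA256 (generic shape;
    real tools use their own KDF and parameters)."""
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=length)


def entropy_bits(pool_size: int, elements: int) -> float:
    """Entropy of `elements` picks made uniformly at random from `pool_size` choices."""
    return elements * math.log2(pool_size)


def years_to_exhaust(bits: float, hashes_per_second: float, iterations: int) -> float:
    """Worst-case time for an attacker computing `hashes_per_second` to try all 2**bits
    candidates, given that every guess costs `iterations` hash computations."""
    guesses_per_second = hashes_per_second / iterations
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(wordlist, words: int = 6) -> str:
    """Pick words with the OS CSPRNG; the entropy comes from the list size and the number
    of words, not from how obscure the words look."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_scenarios(hashes_per_second: float = 1e12, iterations: int = 600_000):
    """Constructed comparison: (label, entropy bits, years to exhaust) for two passphrase
    styles against an assumed attacker budget."""
    scenarios = [
        ("8 random chars, letters+digits", entropy_bits(62, 8)),
        ("6 random words from a 7776-word list", entropy_bits(7776, 6)),
    ]
    return [(label, round(bits, 1), years_to_exhaust(bits, hashes_per_second, iterations))
            for label, bits in scenarios]


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                      # stored next to the ciphertext, not secret
    key = derive_key("example passphrase, replace me", salt)
    print("derived key:", key.hex())
    for label, bits, years in compare_scenarios():
        print(f"{label}: {bits} bits, about {years:.3g} years to exhaust")
```

Two things follow from the numbers: raising the iteration count buys a linear factor, while every extra bit of passphrase entropy doubles the attacker's work, so a longer random passphrase beats a cleverer short one; and the salt must be random per file or key so that guesses cannot be precomputed across many victims.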

Passwords are important

Other tools
