Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Notes from Hacks/Hackers NYC workshop on encryption and opsec for journalists. Notes come from talk by Jennifer Valentino.

Hacks/Hackers NYC: Encryption and Operational Security for Journalists (2013-09-16)

Jennifer Valentino, Wall Street Journal (@jenvalentino)

These notes come straight from Jennifer's presentation; slides at https://docs.google.com/file/d/0B2HGtAJEbG8PdzVPdHcwekI2V2M/edit

Background

  • NSA covers 75% of internet traffic; not all is collected or sifted
  • Big issues with suveillance are not the NSA but leak investigations, subpoenas, accidental disclosure and chilling effects on sources
    • James Rosen case; what was accessed: - Rosen's phone call metadata - Building card swipes - His Gmail account, including content
      • Gen. Petraeus case
        • IP address data matches hotel records
        • Drafts in shared Gmail account accessed
      • John McAfee
        • Fugitive found after Vice Magazine published a photo online that still had metadata, including geolocation

There are benefits to everyday crypto

  • Prepare yourself for when you have more sensitive work
  • You protect other jornalists by normalizing crypto, making it less of a red flag

But encryption can be a red flag

  • Security only as good as the weakest link
  • If a government actor really wants into your machine, it will get into it
  • If your life or your source's life is in danger, don't rely on crypto to save you

Operational Security

  • If work is sensitive, operational security is important
  • OpSec is tedious and difficult (sorry)
  • Stop talking about your work
  • Stop taking your phone places; it tracks you
  • Buy burner phones
  • Buy burner computers
  • You're going to have to do a lot more work than can be covered in an evening

Threat modeling

What can you do?

  • Strong encryption is still powerful
  • Experts recommend open-source tools that have been reviewed for many years

The Inventory

  • Tor Browser Bundle
    • Anonymizes internet activities, including browsing and IM
    • Combination of routing software and a specially configured Firefox browser
    • Tunnels traffic through a series of other computers
    • Weaknesses: It's very slow; last link is "in the clear"
    • Not foolproof
  • Encrypted chats
    • Protecting IMs using ciphers
    • Chat programs Adium for Mac, Pidgin for Windows, plus use of an additional feature called OTR (off the record)
    • Makes text you're sending unintelligible to an observer; if used with Tor, metadata is hidden
    • Weaknesses: Vulnerabilities have been found in Pidgin and Adium, though crypto itself appears to be okay; it is useless if you log (ex. Chelsea Manning case); if you use same account over and over, anonymity is compromised
  • PGP, GPG
    • Encoding text and files
    • "Pretty Good Privacy"; a very good encryption tool, GPG is an open alternative
    • Uses a system of keys to lock data; you give a public key out, and this allows people to encode info to send you; only people with private key can decode that information
    • Weaknesses: Requires good passwords; key length is important
  • PGP email
    • More easily send PGP messages
    • Thunderbird, open-source email client, plus Enigmail, add-on to handle PGP
    • Hooks your email to PGP software
    • Does not protect metadata (ex. subject line, to/from lines)
  • TrueCrypt
    • Encoding files stored on your computer
    • Creates a container that can only be unlocked by those with password
    • Weaknesses: Requires good passwords
  • CCleaner
    • Open source tool is BleachBit
    • Cleans data from computer
    • System that allows you to choose areas that you want to delete and overwrite them; harder to recover
  • CryptoCat
    • Encrypted group chat that's easy to use; good for introducing people to crypto and encouraging as norm; for example, internal chat about everyday stories
    • Web app for Firefox, Chrome and app for Mac
    • Uses encryption that is similar to OTR from other encrypted IM, but with a new tool called mpOTR (multi-party)
    • Weaknesses: CryptoCat is very young; anyone with a chatroom name can join; lack of verification in group chat; several examples of cryptography problems discovered (and later fixed)
  • Download links: https://github.com/hackshackers/hhnyc-crypto/blob/master/README.md

Passwords are important

Other tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.