Sensible combination of cryptography, privacy tools and OPSEC practices that could help investigative journalists protect their information souces in the age of mass-surveillance and metadata retention
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Help! I am an Investigative Journalist in 2017
1. Help! I am an Investigative
Journalist in 2017
Whistleblowers Australia Annual Conference
2016-11-20
2. About me
Gabor Szathmari
@gszathmari
• Information security
professional
• Privacy, free speech and
open gov’t advocate
• CryptoParty organiser
• CryptoAUSTRALIA
founder (coming soon)
5. Investigative journalism
• Cornerstone of democracy
• Social control over gov’t and private sector
• When the formal channels fail to address
the problem
• Relies on information sources
13. Recent Abuses
• The Guardian: Federal police admit seeking
access to reporter's metadata without warrant !
• The Intercept: Secret Rules Makes it Pretty Easy
for the FBI to Spy on Journalists "
• CBC News: La Presse columnist says he was
put under police surveillance as part of 'attempt
to intimidate’ #
15. Brief History of Interception
First cases:
• Postal Service - Black Chambers 1700s
• Telegraph - American Civil War 1860s
• Telephone - 1890s
• Short wave radio -1940s / 50s
• Satellite (international calls) - ECHELON 1970s
16. Recent Programs (2000s - )
• Text messages, mobile phone - DISHFIRE, DCSNET,
Stingray
• Internet - Carnivore, NarusInsight, Tempora
• Services (e.g. Google, Yahoo) - PRISM, MUSCULAR
• Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW
• Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT
• End user device exploitation: HAVOK, FOXACID
21. Modern Uses
• PGP (1991), PGPfone
(1995)
• HTTPS (1994)
• OpenVPN (2001), IPSEC
(1995)
• Tor (2002)
• Skype (2003, early days)
• Disk encryption:
TrueCrypt (2004), BitLocker
• End-to-end encryption
(2010s)
• Signal, ChatSecure
• Messenger, WhatsApp,
Google Allo
22. How all this applies to an
investigative journalist?
23. Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
24. Encrypt the Data in Transit
• Web: HTTPS,
DuckDuckGo
• Email: PGP
• Text and voice
calls (e2ee):
Signal, Threema
• Group chat (e2ee):
Semaphor,
ClearChat,
Crypho
• Video calls (e2ee):
Wire, Tox.im
25. Encrypt the Data at Rest
• Local hard-disks and USB drives
• macOS: FileVault, Windows: BitLocker,
Linux: LUKS
• Cloud file storage
• Zero-knowledge services:
Sync.com, TresorIt, SpiderOak
26. Data Protection 101
•Encrypt sensitive data* in transit
•Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
32. What about gov’t hacking?
Tailored Access Operations (TAO)
• Backdooring routers, switches, and firewalls
• Backdooring laptops purchased online
• Backdooring your laptop by phishing
• Backdooring your laptop by exploits (“FOXACID”)
34. How all this applies to an
investigative journalist?
Round 2
35. Data Protection 101 (for journalists!)
• Encrypt sensitive data in transit
• Encrypt sensitive data at rest
• Work in a secure environment
(i.e write articles and communicate with info sources)
• Hide the metadata
• Compartmentalise your work
• Solve the first contact problem
36. Secure environment
Work on a device that is free of backdoors:
• Anonymity: Tails operating system
• Security: Qubes OS
• Security & Anonymity: Qubes OS + Whonix
39. Compartmentalise (cont’d)
• Separate laptop for research & comms
• One email address per source
• One USB drive per source
• Unique password on any website
40. First contact problem
• Allow information sources contact you
anonymously
• SecureDrop
• GlobaLeaks
46. Security and privacy is hard…
• Surveillance is very sophisticated as
technology has advanced
• Metadata retention practices and data mining
technologies will link you to the info source
• The Peeping Toms are on your smartphone
and laptop
47. …but not hopeless
• Encrypt everything
• Use a secure
operating system
• Use pen and paper
• Hide the metadata
• Compartmentalise
• Leave your
smartphone home
• Solve the first contact
problem
48. Further info
• Tweet me on @gszathmari
• CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au
• Join a CryptoParty: https://cryptoparty.in/sydney
• https://www.privacytools.io
• https://prism-break.org
• https://privacyforjournalists.org.au