2. What will you do if Edward Snowden reaches you?
You may not currently be reporting on sensitive topics involving government leaks. But what if a source
contacts you with the promise of a big story and insists on encrypted communication?
It happened to Glenn Greenwald, Laura Poitras, and Barton Gellman, the team approached by Edward
Snowden. The basic toolkit, as described in the CJR piece linked below:
Tor for anonymous browsing; Adium (for Macs) and Pidgin (for PCs), both with the OTR plug-in, for encrypted IM
conversations; and a combination of Thunderbird, Enigmail, and PGP/GPG keys for a good, basic start on sending and
receiving encrypted email.
Cryptocat for encrypted group chats; TrueCrypt, which encrypts and password-protects files on your
computer (its development stopped in 2014, so use its successor VeraCrypt, see section 5); and CCleaner, which cleans
up your computer by deleting temporary files and overwriting free disk space so that deleted files are harder to recover.
https://archives.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php
3. Password
Never reuse the same password for different services, and choose a strong one: not dictionary words or
fragments of them, but a combination of letters (upper and lower case), numbers and special characters.
A mnemonic technique helps. Take a line from a favourite song and build the password from its initials, for example:
"My coat of many colors that mama made for me" becomes the easy-to-remember
"Mcomctmmfm". Add a number in the middle and a special character at the end and you
have a reasonably strong password: Mcomc5tmmfm&. (Do not use this exact string: once printed in a guide it is in every
attacker's word list.)
4. VPN (virtual private network)
Everyone must choose the one that suits them (a good price is approx. $2-5 per month, but
a variety of factors influence the price; here is a list of over a hundred VPNs, and
here, in turn, is the best VPN by PCMag for 2016). Note that some VPN
services (e.g. the popular "Hide My Ass") keep logs in case they need to provide
information to government agencies. A VPN only moves the trust from your ISP to the VPN provider, so its logging
policy matters more than its price. We use CactusVPN (due to the combination of price,
ease of installation, and the availability of a mobile application free of charge). We can
also recommend VyprVPN or PureVPN.
5. BitLocker (Windows), FileVault (Mac OS X)
BitLocker and FileVault are the convenient built-in solutions. A better alternative is the free and open-source
program VeraCrypt (for Windows, Mac OS X, Linux), the maintained successor of TrueCrypt. Whichever you use, disk
encryption only protects data while the machine is powered off or locked; an unlocked, running computer exposes everything.
When you use external disks, make sure to encrypt them as well. We know security
experts who appreciate the paid Symantec Drive Encryption. For convenient encryption of
individual files, you can use the free AxCrypt. If you do not use encryption, you
should at least use a program for secure deletion of data, for example Eraser. Note on the
phone: iPhones have encryption enabled by default, while Android does that only on
some phones (e.g. Nexus 6 and later), so you need to check whether the option is enabled in
6. CryptoCat: plug-in for Chrome, Safari, Firefox, Opera, plus an iOS app. It also lets you transfer files securely; integration
with Facebook chat was announced for the future.
SpiderOak: a secure cloud drive that encrypts on your machine before upload, but unfortunately a paid service since last year (60 days free, with 2 GB).
Viivo: a program to encrypt files before they go to the cloud.
Signal: a chat application similar to WhatsApp for Android and iOS. On Android it can replace the default SMS app, and it offers encrypted
phone calls. Everything is encrypted end to end, on the phone itself, so unlike with a regular phone nobody can easily
overhear conversations or read text messages, as long as both parties have installed Signal. Signal is very easy to use, has a clean interface,
and its code is open source and has been audited. The one drawback is that it relies on a central server. Routing the app through Orbot (see
below) or a VPN hides your network address from that server, although the server still handles the delivery of your messages. A beta version
is also available on desktop.
Orbot: an app specifically for Android. It lets you channel selected apps through the Tor network.
7. App Ops: Android application that lets you take away individual permissions from specific apps on your phone.
AppLock: Android application that adds protection by locking apps behind a password.
Orfox (Android) or Onion Browser (iOS): browsers that direct traffic through the Tor network, block scripts and force HTTPS
connections where possible. Definitely recommended, but still in development (so they sometimes have annoying shortcomings). Orfox needs
Orbot running to connect. For iPhone owners: Onion Browser (paid iOS app, $0.99).
https://medium.com/thoughts-on-journalism/defense-against-the-dark-arts-385aff5ed2f2
8. The basics
1. Install anti-virus software on your computer. If you have a new computer, install the anti-virus before connecting it to the internet to
minimise your chance of catching a virus.
2. Firewall. Installing anti-virus software is not enough. A firewall is a separate layer of protection that you also need: make sure the
operating system's firewall is switched on, or install software that reinforces it.
3. Don't use pirated software. If you cannot afford licensed software, there is a lot of open-source software that you can
download and use safely.
4. If you are using a public computer or cannot guarantee that the computer is virus-free, work from a USB flash drive, ideally a live
operating system booted from the stick rather than just portable programs, since programs running on an infected host can still be
recorded by it. You will not leave any trace of your work on the computer.
5. Use a strong password. The longer and more complex the password, the harder it is for an attacker to break in. Use at least 12
characters mixing letters, digits and symbols. Don't use the same password for everything. If you don't
have an elephant's memory, you can use KeePass to store passwords securely. But remember to keep your KeePass master
password strong.
6. DETEKT who has been spying on you. If you want to know whether you are being spied on, you can download the free tool "Detekt", which
scans your Windows computer for traces of common spyware such as FinFisher and Hacking Team RCS, commercial
surveillance software that has been used to target and monitor human rights defenders and journalists around
the world. Detekt is no longer maintained, so treat a clean result as a first check only, not as proof that the machine is clean.
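An added example for the password advice in section 3 and in item 5 above (not from the page or from any tool it names): it generates passwords with Python's secrets module and sizes the brute-force search space in bits. The word list is a constructed toy; in practice use a large published list. The numbers also show the limit of the mnemonic trick: a strength meter credits the page's "Mcomc5tmmfm&" with about 79 bits because it only counts length and character classes, but a human-chosen pattern (song initials plus one digit and one symbol) is guessable far faster than that, which is why randomly generated secrets kept in a manager such as KeePass beat clever mnemonics.

```python
"""Password generation with a CSPRNG, and the search-space arithmetic behind
"strength" meters. Added example, not code from the training page.

Bits computed here are exact only for a *randomly generated* secret; for a
human-chosen password the same arithmetic is merely an upper bound.
"""
import math
import secrets
import string

# Constructed, deliberately tiny list for the demo; a real diceware list has 7776 words.
TOY_WORDLIST = ("coat", "colour", "mama", "river", "stone", "lantern", "velvet", "harbour",
                "copper", "fiddle", "meadow", "orchard", "pepper", "saddle", "thistle", "willow")

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def char_classes(password: str) -> int:
    """Size of the smallest fixed alphabet containing every character used.

    This is the alphabet a meter assumes an attacker must enumerate.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2(alphabet^length): work for an attacker who must try every string."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random characters from the secrets module (never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6, wordlist=TOY_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a randomly drawn passphrase: n_words * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def report(password: str) -> dict:
    """What a strength meter sees: length, inferred alphabet, brute-force bits."""
    alphabet = char_classes(password)
    return {"length": len(password), "alphabet": alphabet,
            "bits": search_space_bits(len(password), alphabet)}


if __name__ == "__main__":
    print("page's mnemonic      ", report("Mcomc5tmmfm&"))       # ~78.7 bits on paper only
    print("random 12 characters ", report(random_password(12)))  # 78.7 bits, and real
    phrase = random_passphrase(6)
    print("random passphrase    ", phrase,
          f"{passphrase_bits(6, len(TOY_WORDLIST)):.1f} bits with this toy list, "
          f"{passphrase_bits(6, 7776):.1f} bits with a 7776-word list")
```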
9. Data management – How to delete, recover & encrypt your data?
1. Deleting your data. You think that by clicking the "delete" button your file is gone forever? The answer is "no". The file you
deleted can still be recovered even though it is no longer visible; its contents stay on your computer or USB stick until they are
overwritten. To delete a file permanently, use free software (such as CCleaner or Eraser) that overwrites it. On SSDs and flash
memory cards the drive's own wear levelling decides where data lands, so overwriting tools are unreliable there; encrypting the
drive from day one is the dependable answer.
2. Recovering your data. Journalists can use this to their advantage. If you are ever forced by the authorities to delete a
photograph, you can do so with the assurance that you can retrieve it when you get back to the office or home. All you
need is recovery software (such as Recuva), and a memory card you stop writing to immediately, since every new photo may
overwrite the deleted one. But if the storage is damaged severely (by fire), the data may not be recoverable.
3. Delete or manage your metadata, because it tells people a lot about you and how the file was created (camera, software,
author, time and often GPS location). If you want to remain anonymous or protect your sources, strip the metadata before you
publish or share the file.
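An added example for item 3 (not from the page or from any metadata tool): a small JPEG segment parser that removes the EXIF, XMP and comment segments from a file while copying the picture data untouched. The input is a constructed JPEG skeleton carrying fake camera and GPS strings, not a real photo. Check that a stripped real file still opens before you rely on the result, and use a dedicated tool for PDF and Office documents, whose metadata lives in a different structure.

```python
"""Strip metadata from a JPEG by walking its marker segments.
Added example; the sample "image" below is constructed for the demo."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0 = 0xE0                                             # JFIF header, kept: decoders expect it
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}      # APP1..APP15 (EXIF, XMP, ICC, ...) and COM
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field


def segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS.

    After SOS comes the entropy-coded scan, which has no length fields, so we stop there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while data[pos] == 0xFF:          # skip fill bytes
            pos += 1
        marker = data[pos]
        if marker in STANDALONE:
            yield marker, pos - 1, pos + 1
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])  # length includes its own 2 bytes
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        end = pos + 1 + length
        yield marker, pos - 1, end
        if marker == SOS:
            return
        pos = end


def strip_metadata(data: bytes) -> bytes:
    """Copy the file, dropping metadata segments; scan data and EOI are copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in segments(data):
        if marker in METADATA_MARKERS:
            continue
        out += data[start:end]
        if marker == SOS:
            out += data[end:]             # everything after the SOS header
    return bytes(out)


def marker_names(data: bytes) -> list:
    """Markers of the header segments, in order (for inspection and tests)."""
    return [m for m, _, _ in segments(data)]


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, an EXIF block with a camera name and a GPS-looking
# string, a comment naming the editor's machine, a quantisation table and a short scan.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08Make=ReporterCam GPS=52.52,13.40")
    + _seg(0xFE, b"edited by jane.doe on newsroom-pc-07")
    + _seg(0xDB, b"\x00" + bytes(range(64)))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78\xff\x00\x9a"   # scan data; 0xFF00 is byte stuffing, not a marker
    + b"\xff\xd9"
)

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(clean)} bytes")
    print("before:", [hex(m) for m in marker_names(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in marker_names(clean)])
```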
10. Data management – How to delete, recover & encrypt your data? (continued)
1. Create a secure data back-up. You should always have a back-up of your important data, but make it a secure one. If you don't
want to carry sensitive data around when travelling, store it in a secure remote drive (such as Mega.co.nz) that you can
access wherever you go. Before storing your data, take one more security step: encrypt it yourself before it goes to a
remote drive or cloud, so that the provider only ever holds ciphertext.
2. Encrypting your data. You can use free software (such as Boxcryptor) that encrypts data before you send it or store it in the
cloud. To encrypt files on your own computer and keep others from reading them, you can use TrueCrypt (or its maintained successor
VeraCrypt, see section 5). This lets you create a "secret vault" on your computer that only someone who knows the password and the
location of the container file can open. You don't need to know about encryption or coding; all you need to do is follow the simple
steps of the software.
3. What if I am forced to give away my password for the encrypted file? If you are ever in an extreme situation in which you have to
reveal your password to the authorities, take this last but important step to protect your sources or sensitive data. You can
create a "hidden vault" inside the "secret vault" (a hidden volume inside an outer volume, in TrueCrypt/VeraCrypt terms). The "secret
vault" then serves as a decoy: you can reveal its password to the authorities, who gain access to the "secret vault", while the really
sensitive data sits in the "hidden vault" inside it, which opens only with a different password and whose existence cannot be proven
from the outside. Put the real sensitive content in the "hidden vault", and put plausibly sensitive content in the "secret vault" that
you will hand over, so that they don't get suspicious and start looking for something else. Two cautions: when you write to the outer
volume, open it with the hidden-volume protection option enabled, or you may overwrite the hidden data; and keep the hidden volume's
files from leaking outside the vault through recent-document lists, thumbnails or search indexes.
11. Protection measures for communications on the internet
1. Encrypt your email messages. You can install a browser extension (such as Mailvelope) that encrypts your emails so that no
one (apart from yourself and your recipient) can read your messages. This requires the recipient of your email to take the
same measure. Mailvelope works with web-based email only and, at the time of writing, cannot encrypt attached files. For a
step-by-step tutorial of how Mailvelope works, please watch the video HERE. To encrypt files, you can use the GPG encryption
programme. Keep in mind that PGP/GPG encrypts only the message body: the subject line, the sender, the recipient and the sending
time remain readable by every server on the way.
2. Securing instant messaging and audio/video conversations. The most popular instant messaging and audio/video platforms (such as
Skype, Facebook chat, Google Hangouts, etc.), owned by big corporations, no longer provide the privacy and
anonymity you want. If you want to communicate sensitive information, use end-to-end encrypted instant messaging and
audio/video conferencing platforms (such as Cryptocat, meet.jit.si, talky.io, Signal from Open Whisper Systems, etc.). To find more
secure messaging platforms, visit the Electronic Frontier Foundation, which maintains a scorecard comparing secure messaging and
audio/video conferencing platforms (see the list of resources below).
3. If you think that having to put your mobile phone in the fridge to prevent prying ears only happens in science fiction,
you are wrong. A compromised mobile device can be used as a listening tool. We cannot remain anonymous using
our mobile phones, because the network that provides you with internet access also provides your mobile
communications. The operator can locate you whenever the phone is registered to the network, even when you are not using it. In
many countries you are required to provide your ID in order to buy a SIM card. What if you want to use your mobile phone and
remain anonymous? There are some devices and applications (see the resources below) that give you a certain degree of security for
your mobile communications. For example, Signal (from Open Whisper Systems) is a smartphone application for private calls and
messages: the content is encrypted end to end, but your identity and location remain visible to the mobile network.
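An added example for the PGP/GPG advice in section 2 and in item 1 above (not code from the page or from GnuPG): the key exchange, encryption and decryption that Enigmail or Mailvelope perform behind the click, driven from Python through the gpg command line. It assumes a gpg binary (GnuPG 2.1 or later) on PATH; the identities Alice and Bob and the message are constructed, and everything happens in throw-away home directories so your real keyring is untouched. It also shows the metadata point from item 1: the recipient's key ID sits unencrypted in the ciphertext unless you ask gpg for --throw-keyids.

```python
"""GPG round trip between two constructed identities, plus a look at what the
ciphertext reveals. Added example; assumes `gpg` (GnuPG >= 2.1) on PATH."""
import re
import shutil
import subprocess
import tempfile

ALICE = "Alice Reporter <alice@example.org>"   # constructed identities for the demo
BOB = "Bob Source <bob@example.org>"


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def gpg(home: str, *args: str, stdin: bytes = b"") -> bytes:
    """Run gpg non-interactively against an isolated home directory; return stdout."""
    cmd = ["gpg", "--homedir", home, "--batch", "--quiet",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, check=True, capture_output=True).stdout


def make_key(home: str, uid: str) -> None:
    # Unprotected, non-expiring key for the demo only; real keys get a passphrase and an expiry.
    gpg(home, "--quick-generate-key", uid, "default", "default", "never")


def recipient_keyids(packet_listing: str) -> list:
    """Key IDs named in the ':pubkey enc packet:' lines of a --list-packets dump."""
    return re.findall(r"pubkey enc packet:.*?keyid ([0-9A-Fa-f]+)", packet_listing)


def demo_roundtrip(message: str = "Meet at the usual place, 21:00.") -> dict:
    alice_home = tempfile.mkdtemp(prefix="gpg-alice-")   # mkdtemp creates mode 0700
    bob_home = tempfile.mkdtemp(prefix="gpg-bob-")
    try:
        make_key(alice_home, ALICE)
        make_key(bob_home, BOB)

        # Key exchange: Alice's public key travels to Bob (in real life, verify the fingerprint).
        alice_pub = gpg(alice_home, "--armor", "--export", "alice@example.org")
        gpg(bob_home, "--import", stdin=alice_pub)

        # Bob encrypts to Alice. --trust-model always stands in for a verified fingerprint.
        ciphertext = gpg(bob_home, "--trust-model", "always", "--armor", "--encrypt",
                         "--recipient", "alice@example.org", stdin=message.encode())

        # Alice decrypts with her private key.
        decrypted = gpg(alice_home, "--decrypt", stdin=ciphertext).decode()

        # Metadata check: the packet header names the recipient key although the body is encrypted.
        packets = gpg(bob_home, "--list-packets", stdin=ciphertext).decode()
        hidden = gpg(bob_home, "--trust-model", "always", "--armor", "--throw-keyids",
                     "--encrypt", "--recipient", "alice@example.org", stdin=message.encode())
        hidden_packets = gpg(bob_home, "--list-packets", stdin=hidden).decode()

        return {"plaintext": message, "decrypted": decrypted,
                "packets": packets, "hidden_packets": hidden_packets}
    finally:
        for home in (alice_home, bob_home):
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                           capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    if not gpg_available():
        raise SystemExit("gpg not found on PATH")
    result = demo_roundtrip()
    print("decrypted OK:", result["decrypted"] == result["plaintext"])
    print("recipient key id visible in normal ciphertext:", recipient_keyids(result["packets"]))
    print("with --throw-keyids:                          ", recipient_keyids(result["hidden_packets"]))
```

Even with --throw-keyids the mail headers (From, To, Subject, Date) are still plaintext; the option only hides the key ID inside the PGP message itself.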
12. 1. How to bypass internet censorship? In countries where internet censorship is commonly used to oppress the media or critical
voices, access to information or communication can be a problem for journalists and human rights activists. There are ways to
bypass internet censorship that come at a very small price. You can rent a virtual private network (VPN) that encrypts and redirects
all your traffic from your computer to the VPN server. This does not prevent your ISP or the government from noticing that you are
using a VPN located on the other side of the world, and some censors do block known VPN protocols and servers, so choose a provider
that offers an alternative connection method for that case.
2. Using a temporary email service to remain anonymous. If you want to avoid spam or don't want to give your real email address to
strangers, you can use a temporary email service (such as GuerrillaMail or Mailinator) that gives you a disposable
email address. Such inboxes are often publicly readable, so never route anything sensitive through them.
3. Private browsing. Cleaning your cookies and internet history is not enough. To minimise the chance of internet
surveillance, use Tor Browser: your ISP sees only that you connect to Tor, and the sites you visit see a Tor exit address instead of
your own. It also gives access to websites (.onion addresses) not reachable with normal browsers.
13. General guide on cyber security
1. https://securityinabox.org
2. https://www.level-up.cc
3. http://saferjourno.internews.org/pdf/SaferJourno_Guide.pdf
4. https://learn.equalit.ie
5. Password storage software http://keepass.info
6. Secure back-up storage http://mega.co.nz
7. Email encryption https://www.mailvelope.com/
8. Electronic Frontier Foundation https://www.eff.org (you can check out the EFF Secure Messaging Scorecard with a list of secure
platforms)
9. Secure mobile communications application https://whispersystems.org/
10. https://europeanjournalists.org/blog/2015/01/22/cyber-security-training-for-journalists/
14. Investigative Journalists
Email
● If you travel to a country known for spying on the media, don't rely on an email provider
based there.
● At home, use a secure provider. You can tell whether your connection to the mail service is encrypted by looking for
"https" in the address bar. Gmail uses it by default, while Yahoo and Facebook settings can
be adjusted. Why? If you use a free wireless network, anyone on it can read your unencrypted traffic with a
simple, free software program. That's a problem if you're communicating with a source.
It's as if you were in a busy public place having a conversation with a confidential source,
Guerra explained, "but you're both screaming." (https only protects the path between you and the provider; the provider
itself can still read the mail, which is what the end-to-end encryption in section 11 is for.)
● Don't assume your employer is protecting your account. Ask your technology desk what
precautions it takes, and consider getting a personal account from Google or Yahoo over
which you have control.
15. Passwords and the Two-Factor Login
If you have Gmail, everyone knows your user name. So a hacker only needs your password. An
obvious first step is a more complex password; there are guides to creating stronger passwords
listed below. For more sensitive interactions, Gmail, Twitter, and Facebook have also added an
additional, optional layer of protection: the two-factor login. When you activate two-factor
login and enter your password, the account sends a text message to your phone with a
unique authentication code you must enter before accessing the account. Text-message codes can be intercepted by an attacker
who takes over your phone number (a "SIM swap"), so where the service offers it, prefer an authenticator app or a hardware
security key over SMS.
16. Log-In Settings
Establish multiple user accounts on your computer, including at least one user account in addition to
the default administrator account. Make sure the second account has no administrative privileges,
then use that login for your daily work. If malware then tries to install itself, the computer
will alert you with a prompt requiring the administrator password.
17. Malware
● Beware of suspicious attachments, keep your programs updated, and install a good antivirus
program. Paid products usually provide more protection than free ones.
● Watch for emails from groups or people you might know but which seem slightly off: small
grammar changes or odd punctuation.
● Mac users, avoid being lulled into a false sense of security.
● Outdated computers without security patches put you at greater risk.
Guerra describes some useful specific tools here (English and Spanish).
18. When Something Goes Wrong
Make noise if your computer starts acting strangely. Do not wipe or reinstall it first: what is on the machine is the evidence
these groups need. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users.
They include:
● Access Now, which runs a 24/7 Digital Security Helpline available in seven languages.
● The Committee to Protect Journalists, based in New York, which advocates on behalf of
reporters around the world and fields requests for assistance.
● Reporters Without Borders, based in Paris, which does similar advocacy to CPJ.
● The Citizen Lab at the University of Toronto, which researches internet security and human
rights.
● https://gijn.org/digital-security/