Help! I am an Investigative Journalist in 2017
Whistleblowers Australia Annual Conference 2016-11-20
About me
Gabor Szathmari
@gszathmari
• Information security professional
• Privacy, free speech and open gov’t advocate
• CryptoParty organiser
• CryptoAUSTRALIA founder (coming soon)
Agenda
Investigative journalism:
• Why should we care?
• Threats and abuses
• Surveillance techniques
• What can the reporters do?
Why should we care about investigative journalism?
Investigative journalism
• Cornerstone of democracy
• Social control over gov’t and private sector
• When the formal channels fail to address the problem
• Relies on information sources
Manning, Snowden, Tyler Shultz, Paul Stevenson, Benjamin Koh
Threats and abuses against investigative journalism
Threats
• Lack of data (opaque gov’t)
• Journalists are imprisoned for doing their jobs
• Sources are afraid to speak out
Journalists’ Privilege
• Evidence Amendment (Journalists’ Privilege) Act 2011
• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
Recent Abuses
• The Guardian: Federal police admit seeking access to reporter's metadata without warrant
• The Intercept: Secret Rules Make it Pretty Easy for the FBI to Spy on Journalists
• CBC News: La Presse columnist says he was put under police surveillance as part of 'attempt to intimidate'
Surveillance techniques
Brief History of Interception
First cases:
• Postal Service - Black Chambers 1700s
• Telegraph - American Civil War 1860s
• Telephone - 1890s
• Short wave radio - 1940s / 50s
• Satellite (international calls) - ECHELON 1970s
Recent Programs (2000s - )
• Text messages, mobile phone - DISHFIRE, DCSNET, Stingray
• Internet - Carnivore, NarusInsight, Tempora
• Services (e.g. Google, Yahoo) - PRISM, MUSCULAR
• Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW
• Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT
• End user device exploitation: HAVOK, FOXACID
So how can I defend myself?
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
Old Times
• Ancient history: Caesar cipher, Polybius square, Scytale cipher
• 15th century: Vigenère cipher, Cipher disk, Cipher square
• 17th century: Jefferson disk cipher
• 20th century: One-time pads, Rotor machines (Enigma, Lorenz)
Lorenz SZ42
Modern Uses
• PGP (1991), PGPfone (1995)
• HTTPS (1994)
• OpenVPN (2001), IPSEC (1995)
• Tor (2002)
• Skype (2003, early days)
• Disk encryption: TrueCrypt (2004), BitLocker
• End-to-end encryption (2010s)
• Signal, ChatSecure
• Messenger, WhatsApp, Google Allo
How does all this apply to an investigative journalist?
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
Encrypt the Data in Transit
• Web: HTTPS, DuckDuckGo
• Email: PGP
• Text and voice calls (e2ee): Signal, Threema
• Group chat (e2ee): Semaphor, ClearChat, Crypho
• Video calls (e2ee): Wire, Tox.im
Encrypt the Data at Rest
• Local hard-disks and USB drives
• macOS: FileVault, Windows: BitLocker, Linux: LUKS
• Cloud file storage
• Zero-knowledge services: Sync.com, Tresorit, SpiderOak
Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
????
What did we miss? Why?
• Metadata retention
• State sponsored hacking
What about metadata?
• Mass collection
• Retained for 2 years
• Links you to the information source
• Easy to apply link analysis
IBM i2 Analyst's Notebook
What about gov’t hacking?
Tailored Access Operations (TAO)
• Backdooring routers, switches, and firewalls
• Backdooring laptops purchased online
• Backdooring your laptop by phishing
• Backdooring your laptop by exploits (“FOXACID”)
On a Security Conference
How does all this apply to an investigative journalist? Round 2
Data Protection 101 (for journalists!)
• Encrypt sensitive data in transit
• Encrypt sensitive data at rest
• Work in a secure environment (i.e. write articles and communicate with info sources)
• Hide the metadata
• Compartmentalise your work
• Solve the first contact problem
Secure environment
Work on a device that is free of backdoors:
• Anonymity: Tails operating system
• Security: Qubes OS
• Security & Anonymity: Qubes OS + Whonix
Hide that metadata
Chat:
• Ricochet IM
File Exchange:
• OnionShare
Compartmentalise
Limits the damage done when you are hacked
Compartmentalise (cont’d)
• Separate laptop for research & comms
• One email address per source
• One USB drive per source
• Unique password on any website
First contact problem
• Allow information sources to contact you anonymously
• SecureDrop
• GlobaLeaks
Two actually …
A word on smartphones
Your phone is a spying machine:
• Doesn’t matter what model it is
• Leave your phone at home
The most secure tool
• Pen
• Paper
Wrapping it up
Security and privacy is hard…
• Surveillance is very sophisticated as technology has advanced
• Metadata retention practices and data mining technologies will link you to the info source
• The Peeping Toms are on your smartphone and laptop
…but not hopeless
• Encrypt everything
• Use a secure operating system
• Use pen and paper
• Hide the metadata
• Compartmentalise
• Leave your smartphone home
• Solve the first contact problem
Further info
• Tweet me on @gszathmari
• CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au
• Join a CryptoParty: https://cryptoparty.in/sydney
• https://www.privacytools.io
• https://prism-break.org
• https://privacyforjournalists.org.au
Questions?
Sources
• The History of Information Security: A Comprehensive Handbook
• https://en.wikipedia.org/wiki/Cabinet_noir
• http://blogs.lse.ac.uk/mediapolicyproject/2016/02/15/a-very-brief-history-of-interception/
• https://inforrm.wordpress.com/2016/02/21/a-very-brief-history-of-interception-in-the-britain-bernard-keenan/
• https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects
• http://www.computerworld.com/article/2476515/network-security/the-security-flaws-in-tails-linux-are-not-its-only-problem.html
• https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked
• https://www.theguardian.com/world/2016/apr/14/federal-police-admit-seeking-access-to-reporters-metadata-without-warrant
• https://www.techdirt.com/articles/20160829/06300835377/australian-government-using-data-retention-law-to-seek-out-journalists-sources-hunt-down-whistleblowers.shtml
• https://theintercept.com/2016/06/30/secret-rules-make-it-pretty-easy-for-the-fbi-to-spy-on-journalists/
• http://www.cbc.ca/news/canada/montreal/journalist-patrick-lagace-police-surveillance-spying-1.3828832
• https://en.wikipedia.org/wiki/Telephone_tapping
• http://www.nytimes.com/2015/03/01/nyregion/a-short-history-of-wiretapping.html