Help I Am an Investigative Journalist in 2017

Home , Carnivore (software), GlobaLeaks, The Intercept

Help! I am an Investigative Journalist in 2017

Whistleblowers Australia Annual Conference 2016-11-20 About me

• Information security professional

Gabor Szathmari • Privacy, free speech and open gov’t advocate @gszathmari • CryptoParty organiser

• CryptoAUSTRALIA founder (coming soon) Agenda Investigative journalism:

• Why should we care?

• Threats and abuses

• Surveillance techniques

• What can the reporters do? Why should we care about investigative journalism? Investigative journalism

• Cornerstone of democracy • Social control over gov’t and private sector • When the formal channels fail to address the problem • Relies on information sources Manning Snowden Tyler Shultz Paul Stevenson Benjamin Koh Threats and abuses against investigative journalism Threats

• Lack of data (opaque gov’t)

• Journalists are imprisoned for doing their jobs

• Sources are afraid to speak out Journalists’ Privilege

• Evidence Amendment (Journalists’ Privilege) Act 2011

• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 Recent Abuses

• The Guardian: Federal police admit seeking access to reporter's metadata without warrant !

• The Intercept: Secret Rules Makes it Pretty Easy for the FBI to Spy on Journalists "

• CBC News: La Presse columnist says he was put under police surveillance as part of 'attempt to intimidate’ # Surveillance techniques Brief History of Interception

First cases:

• Postal Service - Black Chambers 1700s

• Telegraph - American Civil War 1860s

• Telephone - 1890s

• Short wave radio -1940s / 50s

• Satellite (international calls) - ECHELON 1970s Recent Programs (2000s - )

• Text messages, mobile phone - DISHFIRE, DCSNET, Stingray

• Internet - Carnivore, NarusInsight, Tempora

• Services (e.g. Google, Yahoo) - PRISM, MUSCULAR

• Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW

• Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT

• End user device exploitation: HAVOK, FOXACID So how I can defend myself? Data Protection 101

•Encrypt sensitive data* in transit •Encrypt sensitive data* at rest

* Documents, text messages, voice calls etc. Old Times

• Ancient history: Caesar cipher, Polybus square, Scytale cipher

• 15th century: Vigenére cipher, Cipher disk, Cipher square

• 17th century: Jefferson disk cipher

• 20th century: One-time pads, Rotor machines (Enigma, Lorenz) Lorenz SZ42 Modern Uses

• PGP (1991), PGPfone • Disk encryption: (1995) TrueCrypt (2004), BitLocker

• HTTPS (1994) • End-to-end encryption (2010s) • OpenVPN (2001), IPSEC (1995) • Signal, ChatSecure

• Tor (2002) • Messenger, WhatsApp, Google Allo • Skype (2003, early days) How all this applies to an investigative journalist? Data Protection 101

• Encrypt sensitive data* in transit

• Encrypt sensitive data* at rest

* Documents, text messages, voice calls etc. Encrypt the Data in Transit

• Web: HTTPS, • Group chat (e2ee): DuckDuckGo Semaphor, • Email: PGP ClearChat, Crypho • Text and voice calls (e2ee): • Video calls (e2ee): Signal, Threema Wire, Tox.im Encrypt the Data at Rest

• Local hard-disks and USB drives

• macOS: FileVault, Windows: BitLocker, Linux: LUKS

• Cloud ﬁle storage

• Zero-knowledge services: Sync.com, TresorIt, SpiderOak Data Protection 101

•Encrypt sensitive data* in transit •Encrypt sensitive data* at rest

* Documents, text messages, voice calls etc.

????

What did we miss? Why?

• Metadata retention • State sponsored hacking What about metadata?

• Mass collection

• Retained for 2 years

• Links you to the information source

• Easy to apply link analysis IBM i2 Analyst's Notebook What about gov’t hacking?

Tailored Access Operations (TAO)

• Backdooring routers, switches, and ﬁrewalls

• Backdooring laptops purchased online

• Backdooring your laptop by phishing

• Backdooring your laptop by exploits (“FOXACID”) On a Security Conference How all this applies to an investigative journalist? Round 2 Data Protection 101 (for journalists!)

• Encrypt sensitive data in transit

• Encrypt sensitive data at rest

• Work in a secure environment (i.e write articles and communicate with info sources)

• Hide the metadata

• Compartmentalise your work

• Solve the ﬁrst contact problem Secure environment

Work on a device that is free of backdoors:

• Anonymity: Tails operating system

• Security: Qubes OS

• Security & Anonymity: Qubes OS + Whonix Hide that metadata Chat: • Ricochet IM File Exchange: • OnionShare Compartmentalise

Limits the damage done when you are hacked Compartmentalise (cont’d)

• Separate laptop for research & comms

• One email address per source

• One USB drive per source

• Unique password on any website First contact problem

• Allow information sources contact you anonymously

• SecureDrop

• GlobaLeaks

Two actually … A word on smartphones

Your phone is a spying machine: • Doesn’t matter what model it is • Leave your phone at home The most secure tool

•Pen •Paper Wrapping it up Security and privacy is hard…

• Surveillance is very sophisticated as technology has advanced

• Metadata retention practices and data mining technologies will link you to the info source

• The Peeping Toms are on your smartphone and laptop …but not hopeless

• Encrypt everything • Compartmentalise • Use a secure • Leave your operating system smartphone home • Use pen and paper • Solve the ﬁrst contact • Hide the metadata problem Further info

• Tweet me on @gszathmari

• CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au

• Join a CryptoParty: https://cryptoparty.in/sydney

• https://www.privacytools.io

• https://prism-break.org

• https://privacyforjournalists.org.au Questions? Sources

• The History of Information Security: A Comprehensive Handbook

• https://en.wikipedia.org/wiki/Cabinet_noir

• http://blogs.lse.ac.uk/mediapolicyproject/2016/02/15/a-very-brief-history-of-interception/

• https://inforrm.wordpress.com/2016/02/21/a-very-brief-history-of-interception-in-the-britain-bernard-keenan/

• https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects

• http://www.computerworld.com/article/2476515/network-security/the-security-ﬂaws-in-tails-linux-are-not-its-only-problem.html

• https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked

• https://www.theguardian.com/world/2016/apr/14/federal-police-admit-seeking-access-to-reporters-metadata-without-warrant

• https://www.techdirt.com/articles/20160829/06300835377/australian-government-using-data-retention-law-to-seek-out-journalists-sources-hunt-down-whistleblowers.shtml

• https://theintercept.com/2016/06/30/secret-rules-make-it-pretty-easy-for-the-fbi-to-spy-on-journalists/

• http://www.cbc.ca/news/canada/montreal/journalist-patrick-lagace-police-surveillance-spying-1.3828832

• https://en.wikipedia.org/wiki/Telephone_tapping

• http://www.nytimes.com/2015/03/01/nyregion/a-short-history-of-wiretapping.html