Help I Am an Investigative Journalist in 2017

Help! I am an Investigative Journalist in 2017
Whistleblowers Australia Annual Conference, 2016-11-20

About me
Gabor Szathmari (@gszathmari)
• Information security professional
• Privacy, free speech and open gov’t advocate
• CryptoParty organiser
• CryptoAUSTRALIA founder (coming soon)

Agenda
Investigative journalism:
• Why should we care?
• Threats and abuses
• Surveillance techniques
• What can the reporters do?

Why should we care about investigative journalism?

Investigative journalism
• Cornerstone of democracy
• Social control over gov’t and private sector
• When the formal channels fail to address the problem
• Relies on information sources

Manning, Snowden, Tyler Shultz, Paul Stevenson, Benjamin Koh

Threats and abuses against investigative journalism

Threats
• Lack of data (opaque gov’t)
• Journalists are imprisoned for doing their jobs
• Sources are afraid to speak out

Journalists’ Privilege
• Evidence Amendment (Journalists’ Privilege) Act 2011
• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015

Recent Abuses
• The Guardian: Federal police admit seeking access to reporter's metadata without warrant
• The Intercept: Secret Rules Make It Pretty Easy for the FBI to Spy on Journalists
• CBC News: La Presse columnist says he was put under police surveillance as part of 'attempt to intimidate'

Surveillance techniques

Brief History of Interception
First cases:
• Postal Service - Black Chambers 1700s
• Telegraph - American Civil War 1860s
• Telephone - 1890s
• Short wave radio - 1940s / 50s
• Satellite (international calls) - ECHELON 1970s

Recent Programs (2000s - )
• Text messages, mobile phone - DISHFIRE, DCSNET, Stingray
• Internet - Carnivore, NarusInsight, Tempora
• Services (e.g. Google, Yahoo) - PRISM, MUSCULAR
• Metadata: MYSTIC, ADVISE, FAIRVIEW, STORMBREW
• Data visualisation: XKEYSCORE, BOUNDLESSINFORMANT
• End user device exploitation: HAVOK, FOXACID

So how can I defend myself?

Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.

Old Times
• Ancient history: Caesar cipher, Polybius square, Scytale cipher
• 15th century: Vigenère cipher, Cipher disk, Cipher square
• 17th century: Jefferson disk cipher
• 20th century: One-time pads, Rotor machines (Enigma, Lorenz)

(Image: Lorenz SZ42)

Modern Uses
• PGP (1991), PGPfone (1995)
• Disk encryption: TrueCrypt (2004), BitLocker
• HTTPS (1994)
• End-to-end encryption (2010s)
• OpenVPN (2001), IPSEC (1995)
• Signal, ChatSecure
• Tor (2002)
• Messenger, WhatsApp, Google Allo
• Skype (2003, early days)

How does all this apply to an investigative journalist?

Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.

Encrypt the Data in Transit
• Web: HTTPS, DuckDuckGo
• Email: PGP
• Text and voice calls (e2ee): Signal, Threema
• Group chat (e2ee): Semaphor, ClearChat, Crypho
• Video calls (e2ee): Wire, Tox.im

Encrypt the Data at Rest
• Local hard-disks and USB drives
• macOS: FileVault, Windows: BitLocker, Linux: LUKS
• Cloud file storage
• Zero-knowledge services: Sync.com, Tresorit, SpiderOak

Data Protection 101
• Encrypt sensitive data* in transit
• Encrypt sensitive data* at rest
* Documents, text messages, voice calls etc.
????

What did we miss?

Why?
• Metadata retention
• State-sponsored hacking

What about metadata?
• Mass collection
• Retained for 2 years
• Links you to the information source
• Easy to apply link analysis

(Image: IBM i2 Analyst's Notebook)

What about gov’t hacking?
Tailored Access Operations (TAO)
• Backdooring routers, switches, and firewalls
• Backdooring laptops purchased online
• Backdooring your laptop by phishing
• Backdooring your laptop by exploits (“FOXACID”)

On a Security Conference

How does all this apply to an investigative journalist? Round 2

Data Protection 101 (for journalists!)
• Encrypt sensitive data in transit
• Encrypt sensitive data at rest
• Work in a secure environment (i.e. write articles and communicate with info sources)
• Hide the metadata
• Compartmentalise your work
• Solve the first contact problem

Secure environment
Work on a device that is free of backdoors:
• Anonymity: Tails operating system
• Security: Qubes OS
• Security & Anonymity: Qubes OS + Whonix

Hide that metadata
Chat:
• Ricochet IM
File Exchange:
• OnionShare

Compartmentalise
Limits the damage done when you are hacked

Compartmentalise (cont’d)
• Separate laptop for research & comms
• One email address per source
• One USB drive per source
• Unique password on any website

First contact problem
• Allow information sources to contact you anonymously
• SecureDrop
• GlobaLeaks

Two actually …

A word on smartphones
Your phone is a spying machine:
• Doesn’t matter what model it is
• Leave your phone at home

The most secure tool
• Pen
• Paper

Wrapping it up

Security and privacy is hard…
• Surveillance is very sophisticated as technology has advanced
• Metadata retention practices and data mining technologies will link you to the info source
• The Peeping Toms are on your smartphone and laptop

…but not hopeless
• Encrypt everything
• Compartmentalise
• Use a secure operating system
• Leave your smartphone home
• Use pen and paper
• Solve the first contact problem
• Hide the metadata

Further info
• Tweet me on @gszathmari
• CryptoAUSTRALIA (soon): https://cryptoaustralia.org.au
• Join a CryptoParty: https://cryptoparty.in/sydney
• https://www.privacytools.io
• https://prism-break.org
• https://privacyforjournalists.org.au

Questions?

Sources
• The History of Information Security: A Comprehensive Handbook
• https://en.wikipedia.org/wiki/Cabinet_noir
• http://blogs.lse.ac.uk/mediapolicyproject/2016/02/15/a-very-brief-history-of-interception/
• https://inforrm.wordpress.com/2016/02/21/a-very-brief-history-of-interception-in-the-britain-bernard-keenan/
• https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects
• http://www.computerworld.com/article/2476515/network-security/the-security-flaws-in-tails-linux-are-not-its-only-problem.html
• https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked
• https://www.theguardian.com/world/2016/apr/14/federal-police-admit-seeking-access-to-reporters-metadata-without-warrant
• https://www.techdirt.com/articles/20160829/06300835377/australian-government-using-data-retention-law-to-seek-out-journalists-sources-hunt-down-whistleblowers.shtml
• https://theintercept.com/2016/06/30/secret-rules-make-it-pretty-easy-for-the-fbi-to-spy-on-journalists/
• http://www.cbc.ca/news/canada/montreal/journalist-patrick-lagace-police-surveillance-spying-1.3828832
• https://en.wikipedia.org/wiki/Telephone_tapping
• http://www.nytimes.com/2015/03/01/nyregion/a-short-history-of-wiretapping.html
