Last week, I received an email from the marketing bit of an NGO. This is not an uncommon occurrence; there’s a whole world of spam that exists just for journalists. This one caught my eye because it claimed to place an embargo on me, which always annoys me (you can’t force non-consensual embargoes on journalists any more than you can on anyone else), and because it was from Index On Censorship, a UK-based NGO focused on freedom of expression. They’re an older and widely respected organization that supports journalists, artists, creators, and activists all over the world. This is why the next thing I noticed upset me. They’d attached a Word document for me to open.
Email attachments, especially Word, PDF, and executables (.exe), are always to be considered dangerous.
To verify it was probably them, I kicked up a tool called NSlookup and plugged in the originating IP address the mail came from. It resolved to their domain, and they later confirmed on Twitter.
Now, I get this kind of thing from people promoting books and their startups on a daily basis. Generally my response looks like this:
And I kill all those emails with happy fury.
Getting one from Index On Censorship was different. This is a group people trust. They’re establishing norms for how we should all behave in the increasingly complicated and networked world of free expression. So I took them to task in a one-sided conversation for having such terrible security norms and endangering their users. They ignored me, which didn’t shock me. When you work in internet security you get used to the world ignoring you. But I figured, the least I owe Index On Censorship, and the many other NGOs, newsrooms, small companies, freelancers, and people at home, is some ideas on how to improve their security practices.
We’re not going to get to perfect security overnight, and the people who demand heroic measures aren’t being realistic or even helpful most of the time. I am not a security perfectionist. But there are measures we can all start to take that would do a huge amount to reduce many, even most, of the security problems we face on a daily basis.
Let’s start with Index On Censorship’s mistake.
Email is a dangerous thing
Email by design is neither authenticated nor verified. You have to log in to your email account, sure, but the email itself? It has no network security designed into it at all. Partly this is because what we use for email was meant to be a temporary measure, a stopgap while the real protocol was developed. That was 1982. It got a small update in 2008, but email remains profoundly insecure.
I’ve had a lot of concerned people over the years talk to me about 0days (an unknown, severe bug), open ports listening to the network on their computers, buffer overflows, and advanced ninja-level hacks they fear their adversaries could unleash on them. I generally stop them, and ask them if they open email attachments or random links.
If you do, no one needs to burn an expensive and advanced 0day to take control of you. No one needs to even hack you, per se. You’re handing yourself to whomever is interested in taking control of your computer. A Word document, like a PDF, contains a whole computing language inside of it, capable of anything a computer can do — including install unwanted software that grants control of your computer to someone you don’t even know is there. Now it’s obvious that Index On Censorship is not going to send me malware on purpose, but the way the internet (and 1982 email!) works means anyone can tamper with that attachment along the path to me and add malware to it.
If you’re Index on Censorship, and everyone knows thousands of journalists, activists, and dissident artists trust you, what better email to intercept and modify along the way? Chances are, if an attacker was even a little careful about it, nothing would be noticed by anyone.
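The reason a Word document can carry a program is that the Office file formats can embed a VBA project, which Word will run. The check below is an added example, not something from the original post or from Index On Censorship: it looks inside an attachment’s bytes for the markers of an embedded macro project, so that a mail gateway or a cautious recipient can sort “macro”, “no-macro” and “legacy or unknown” before anyone double-clicks. The sample .docx containers it builds are constructed in memory for the demonstration and are not real Word files; the decision is made on content, never on the file extension, because the sender controls the name.

```python
import io
import zipfile

# Magic bytes of the two containers Word uses: ZIP for Office Open XML
# (.docx/.docm) and the OLE2 compound file for the legacy binary .doc.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office assigns to an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro' or 'legacy-or-unknown' for an attachment's bytes."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc keeps macros in OLE streams; parsing those needs a
        # dedicated tool (e.g. oletools), so treat the file as untrusted.
        return "legacy-or-unknown"
    if not data.startswith(ZIP_MAGIC):
        return "legacy-or-unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Most direct signal: the VBA project part itself.
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return "macro"
            # Second signal: the package declares a VBA content type.
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return "macro"
    except zipfile.BadZipFile:
        return "legacy-or-unknown"
    return "no-macro"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Office Open XML container for testing, not a real Word file."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, "->", classify_office_attachment(build_sample_docx(flag)))
    print("legacy .doc ->", classify_office_attachment(OLE2_MAGIC + b"\x00" * 8))
```

A result of “macro” means the file can run code on open and should be handled outside the inbox; “legacy-or-unknown” is not a pass, it only means this quick check cannot see inside and the file deserves the same caution.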
We need to change this part of online culture, and stop passing files through email, because despite that update in 2008, email is still from the 1982 internet. There are plenty of safer methods to share files these days, from chat software to great new services like Peerio. These use encryption not just to keep data like Index On Censorship’s press release secret, but to make data tamper-resistant. People forget that this is a vital, perhaps even more vital, part of encryption. An encrypted Word file, PDF, or even executable can’t be changed en route and still properly decrypt at the other end. Encryption tools add a level of verification to communication.
Email also aggregates more data than you mean it to, even when you think you have nothing to hide. “It’s natural to think ‘oh, nothing I’m doing here is sensitive or interesting to others’, which may be true about any one thing, but it stops being true in the aggregate,” says Matt Blaze, Professor of Computer Science at the University of Pennsylvania. Blaze sees trade-offs in how we use the internet. No particular practice or technique is more important than making informed choices about what trade-offs make sense for you. He believes the general ignorance about cloud services can be harmful: “Realize that cloud services are dangerous… there’s an availability vs. confidentiality tradeoff.”
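The “level of verification” comes from a specific piece of the encryption tool: an authentication tag that the receiver checks before trusting anything. The example below is added here and is not code from the original post or from Peerio; it uses only the Python standard library, with a SHA-256 counter-mode keystream standing in for a real stream cipher and HMAC-SHA256 as the tag. It shows what happens when someone on the path flips a byte of the ciphertext: secrecy-only decryption silently yields an altered press release, while the authenticated version refuses to decrypt at all. The message and keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256, a stand-in for a real stream
    # cipher so the example runs with nothing beyond the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """Secrecy only: the tag is ignored, so edits to the ciphertext pass through silently."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare); reject on any mismatch."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: altered in transit or wrong key")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tamper_demo() -> dict:
    """Flip one ciphertext byte 'in transit' and compare the two decryption styles."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    message = b"EMBARGO: release at 09:00"  # constructed sample press release
    blob = bytearray(encrypt(enc_key, mac_key, message))
    # Byte 20 of the plaintext is the '0' of "09:00"; a stream cipher is
    # malleable, so XORing the matching ciphertext byte turns it into '1'.
    blob[NONCE_LEN + 20] ^= ord("0") ^ ord("1")
    tampered = bytes(blob)
    try:
        decrypt(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "original": message,
        "unauthenticated": decrypt_unauthenticated(enc_key, tampered),
        "authenticated_rejected": rejected,
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The tampered message still “decrypts” under secrecy-only handling, just to a different release time, which is exactly the kind of change nobody would notice. Real tools use an authenticated construction (NaCl’s secretbox, AES-GCM, ChaCha20-Poly1305) rather than this hand-assembled one, but the reason they reject altered files is the same tag check.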
Beware The Cloud
“I don’t believe journalists should use the cloud.” — me
“I agree with you, but if you have, this subpoena applies to anything you have in the cloud.” — Federal prosecutor who was subpoenaing me
The cloud has filled every nook of our online lives, absorbing more and more of our information into its nebulous placelessness. Fundamentally, what we mean by the cloud is a certain kind of hosted service, where we use our computer as the window and interface onto the vast server farms of predominantly American corporations. This is not inherently a bad thing, but it requires consideration to get right, consideration almost no one thinks through these days. Blaze gives another example: “Storing documents in the cloud is a nice way to move them across borders but a bad way to hide them from the governments the cloud provider will listen to.”
Your hosted services are by definition under the control of a stranger who doesn’t share your priorities. Think very carefully about what information that’s fine for, and when that becomes a problem. The short and easy way to look at it is anything you don’t want to see published doesn’t belong on the cloud. Internal communication, especially with at-risk people and sources, should never touch the cloud.
But sometimes even when you opt out of the cloud, you can’t, really. I know that despite the fact that I don’t have a Gmail account, almost all my email is archived at Google, because the rest of you do. If a Google engineer wanted to reconstruct my mail archive, they would have most of it without much trouble. As a result, my emails have gone from being conversational 20 years ago to dry and logistical now. I save my conversations, professional and personal, for elsewhere.
“The problem with the cloud is that it puts so many eggs in one basket,” Blaze says. “One password compromise and everything is exposed.”
Two-factor authentication limits access to your accounts, including the vital email accounts that every other service links back to. In order to access your accounts, you need two things, as the name suggests. Your login and password constitute one factor: something you know. A second factor would be something you have, or something you are. Overwhelmingly, two-factor as it is used is based on usernames and passwords (something you know) and cellphones or fobs (something you have). One of the best things people and organizations can do for themselves is to institute and use two-factor authentication. These days many services offer a two-factor option: Gmail, Apple ID, Amazon Web Services, and many banks, companies, web sites, and so on. They often have easy step-by-step instructions to help you secure the accounts that are securing all of your other data. You should do this personally, and if you run an organization, you should direct them to do this as well.
You Are Not NSA Proof
And that’s OK. None of this makes you completely safe on the internet. It’s very hard to be NSA-proof, or government-attacker-proof in general. This advice isn’t going to keep you safe from any powerful state actor who wants your computer. “If you’re targeted, you need individualized help,” says Blaze. There are security organizations and professionals you can reach out to in the case of a serious and targeted attack. But most of the internet’s attackers aren’t the NSA.
These measures don’t constitute perfect security. But when we begin to build a culture around being more secure and more empowered, instead of afraid or unwilling to engage at all, we start to make our networks better.