One’s head in the lion’s mouth

And finding the way out before he realizes.

Raphaël Vinot
Jan 31, 2014

We are now reaching the last part of the trilogy, which aims to help the journalists going to Sochi understand what the network operators can do against them and how a sports journalist can cover the event without taking too many risks.

This piece aims to help a journalist trying to cover the political situation and activities not supported by the Russian government.

First of all, let’s have a bit of context: you are a political journalist in your country, you cover the Russian democratur from the country you live in, you have sources in Russia and the Russian government knows you. You are on their lists; they want to know what you do, when, the people you speak with and the articles you want to publish. They might use that information to put people in jail, and to prepare press releases before you publish an article.

I am not telling you anything new: it is going to be hard.

I do not want to explain again what I already said in the previous pieces so here is a short list of recommendations that also apply to you:

  • Assume your computer and all the systems you connect to will be compromised at some point
  • If possible, use dedicated hardware
  • Do not connect to critical systems, or use accounts with low privileges
  • Know your mobile phone is always a tracking device
  • Do not carry any unnecessary devices or data
  • Have a backup you have tried out and are sure you can restore from

But you know what you are doing, you know the people you want to speak with and you know which secure channels to use to communicate with them.

What differentiates you from the sports journalist is that you can (or will have to) make a compromise between availability and security.

What you always have to keep in mind is that the information you want to protect will have different levels of security:

  • Your location when you have a meeting with a source must not be known in real time (or within a few hours) by someone tracking you
  • The exact topic you are covering must not be public before the article is published or before you leave the country
  • The name of your source must never be known by anyone

Then, depending on the story, as long as you manage to keep your secrets for the required time, you will be fine.

It is all about your threat model: who is your attacker and what do you want to protect.

I am going to cover the 3 threats I have mentioned and explain some of the issues they present. While not a complete discussion, I hope it will give a comprehensive list of countermeasures you can use to be safer. If you have other ideas, or you think I forgot something, please let me know.

Position tracking

The first rule is not to carry your phone, and there is sadly no alternative to that. As soon as you carry your phone with you, your position is known by the GSM network; this is the way mobile phone technology works. If you absolutely need your phone, remove the SIM card (airplane mode is not enough), and disable the WiFi. If possible, take out your battery when you don’t need it.

The best solution is to give the phone to someone else, and tell them to do something very boring, like go to a cafe or store.

If you need to use your computer and to connect it to a WiFi network, change your MAC address (Windows/Mac/Linux). I recommend doing this as often as possible, all the time. And disable the broadcast of your computer name…
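As an added example (not code from the original post), here is a small Linux-only Python helper that generates a MAC address the network driver will accept and shows the iproute2 commands to apply it; the interface name `wlan0` is an assumption, and nothing is executed unless you pass `run=True` as root. Windows and macOS use different mechanisms.

```python
# Added example, not from the original post: generate a fresh MAC address
# that Linux drivers accept, and apply it with iproute2 when asked.
import os
import re
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac() -> str:
    """Random MAC with the locally-administered bit set (never collides with
    a vendor-assigned address) and the multicast bit clear (drivers refuse a
    multicast source address)."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered_unicast(mac: str) -> bool:
    """Check the two relevant bits of the first octet."""
    if not MAC_RE.match(mac):
        return False
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def mac_change_commands(iface: str, mac: str) -> list:
    """iproute2 commands that apply 'mac' to 'iface' (root needed to run)."""
    if not is_locally_administered_unicast(mac):
        raise ValueError(f"refusing to use {mac!r}")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def change_mac(iface: str, run: bool = False) -> str:
    """Pick a new MAC for 'iface'; touches the system only when run=True."""
    mac = random_mac()
    for cmd in mac_change_commands(iface, mac):
        if run:
            subprocess.run(cmd, check=True)
    return mac


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them ("wlan0" is assumed).
    for cmd in mac_change_commands("wlan0", random_mac()):
        print(" ".join(cmd))
```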

If you use a Virtual Private Network (VPN) to connect to your newsroom, use it through Tor, or hide it in another VPN connection (pick a very common one, so it is harder to trace back to you). You can also use a few different VPN providers, or Tor. Tor will act as a poor man’s VPN.

Using Tails is also a very good solution as it will change your MAC address, and your computer name, and put all your traffic into the Tor network.

None of this works? Think again before you take your laptop: pen and paper might also do the job.

Protecting the topic of the pieces

You are now working on your articles, where you are is less important, but you do not want to make it public too early.

Think of the CCTVs, there might be even more than there are in London, and they have very high resolution these days…

You probably want to use a VPN when you are working on your articles, and make sure everything goes through it. That includes the DNS requests, to hide the websites you are actually browsing. It might be useful to have multiple VPNs so you can switch if the one you are using is blocked. Do not use the backup VPNs before you need to, to avoid them all getting blocked at the same time. Or, again, use Tor.

Assume all the text messages you send via your phone are intercepted and read. Use TextSecure if you need to use your phone.

Identification of sources

If you have sources that should stay secret you will have to think about ways to keep them safe even if you are heavily targeted, which could lead to the compromise of your computer, or other devices.

No magical solution here, except using your brain.

I will not spend a lot of time explaining to you that you should not open attachments, plug untrusted USB keys into your computer, or click on weird links, because you already know that. But still, do not forget that even if it comes from a trusted source, it might be malicious (knowingly or not). If you receive a USB key, you probably want to have a look at it after it is sanitized in something like CIRCLean/KittenGroomer (Disclaimer: I am the main developer).

Keep your eyes open online just as you would on the street. Keep track of unusual things that might start to happen, such as SSL errors, weird redirections, or other unusual error messages.

The most important thing is that whatever you plan to use, make sure it works properly before you are in Russia. The worst security choices are made when you are unable to get your work done, and having to improvise without support in a stressful situation.

Make sure your stuff works, understand your plans, and have fallback solutions.

Remote support

Something else that could be useful is to make sure that someone in your newsroom keeps an eye on your activity on the network: you said that you are going to be offline for the night, and your username is attempting to log in to the CMS? Your user is connected and is crawling all the shared directories of your office? That’s a bad sign.
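The two signals described above, as an added example (not code from the original post): a small Python check the newsroom contact could run over their own auth logs. The log format, the user name `jdoe`, the 22:00 to 08:00 offline window and the log lines themselves are constructed for illustration.

```python
# Added example, not from the original post: flag account activity that
# happens while the journalist said they would be offline, and bulk listing
# of shared directories. Log format "YYYY-MM-DD HH:MM:SS user action [target]"
# and all lines below are constructed.
from datetime import datetime, time

SAMPLE_LOG = """\
2014-02-10 18:05:12 jdoe login cms
2014-02-10 23:41:03 jdoe login cms
2014-02-11 01:12:44 jdoe list_share /shared/newsroom
2014-02-11 01:13:02 jdoe list_share /shared/legal
2014-02-11 01:13:20 jdoe list_share /shared/hr
2014-02-11 09:30:00 jdoe login cms
"""

# What the journalist told the newsroom: "offline from 22:00 until 08:00".
OFFLINE_START = time(22, 0)
OFFLINE_END = time(8, 0)


def in_offline_window(ts, start=OFFLINE_START, end=OFFLINE_END):
    """True if ts falls in the declared window; handles wrapping past midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_line(line):
    """Split one log line into (timestamp, user, action); None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    try:
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return stamp, parts[2], parts[3]


def offline_activity(log, user):
    """Events by 'user' that happened while the user claimed to be offline."""
    records = [r for r in map(parse_line, log.splitlines()) if r]
    return [(ts, act) for ts, who, act in records if who == user and in_offline_window(ts)]


def share_crawl(log, user, threshold=3):
    """True when 'user' listed at least 'threshold' distinct shared directories."""
    dirs = set()
    for rec in map(parse_line, log.splitlines()):
        if rec and rec[1] == user and rec[2].startswith("list_share "):
            dirs.add(rec[2].split(" ", 1)[1])
    return len(dirs) >= threshold


if __name__ == "__main__":
    for ts, act in offline_activity(SAMPLE_LOG, "jdoe"):
        print(f"{ts}: {act} while declared offline")
    if share_crawl(SAMPLE_LOG, "jdoe"):
        print("bulk listing of shared directories: bad sign")
```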

Something else that a remote contact can achieve: providing a one time pad, a password that will never be reused. Given over the phone just before use, it will be safe enough most of the time.

To go one step further, assume your devices might be compromised: do not keep or carry information on them that can lead to identifying a source, especially on your phone…

Something went really bad

If information that can only come from your computer has leaked, you are compromised for sure. This is a stressful situation and you need to know what to do; if you don’t, you will make mistakes.

You still have to work and keep in touch with people; you cannot wait until you come back home. Read-only devices (CD/DVDs) to reinstall a system from scratch will be critical: you cannot trust any of your devices anymore to get a safe live CD from the internet.

Make sure you have a way to use a CD…

It would also be nice to have a Tails installation, to back up your data before a re-installation, or to go back online as soon as possible without using a compromised system. The trickier part is to have an up-to-date system, or you will be reinfected immediately. Make sure you have offline packages to apply the most critical security updates.

Do not apply any non-critical updates from the internet while you are in Russia.

You have to know all the things you need to go from nothing to a fully operational working environment without any physical access to any other device. For that, you will probably have to try out your procedures before the trip.

Broadcast as much as you can that your accounts might have been compromised. And start using other accounts you prepared beforehand, that other trusted people can confirm are really you.

You are probably the most IT savvy person in the crew of people you will stay with, so if they have issues, they will come to you. It may be a good thing to have a way to give them access to a backup device, that is not yours, in case they are stuck with a broken or unusable device.

Another computer or just a Tails instance might save you from your colleague covering the finals of the 100m and an angry editor forcing you to let him connect his dirty and probably infected USB key to your safe computer.
