Defense against the dark arts
Basic cyber-security for journalists
By: Prof. dr. Dariusz Jemielniak
Professor of NeRDS (New Research on Digital Societies) Kozminski University, fellow at the Berkman Center for Internet and Society (Harvard), visiting scholar at MIT, a member of the Board of Trustees of the Wikimedia Foundation.
and Tim de Gier
Journalist at Vrij Nederland and fellow at the Nieman Foundation for Journalism at Harvard
All right are licensed under CCBYSA 4.0.
This guide aims to provide basic cyber-hygiene for journalists. When we talk about this, participating journalists often tell us: we have nothing to hide. Or: I don’t write about anything sensitive. But we’re not per se worried that journalists get into fights with the NSA or army divisions. It could happen of course, but consider this: will you ever write about something that can possibly make someone upset? Because what happens much more often is that adversaries will try to intimidate you or disgrace you by throwing your personal data on the street, photos of you holiday, photos of your children, the school address of your children, your financial information and so on. It’s hard to completely avoid it, but you can make it damn hard.
And then there’s the revelations of Snowden and the current struggle between Apple and the FBI, that increased the overall public interest in the subject of privacy. All the while, most of us don’t have the knowledge, experience or time to really get into the technical details of our privacy. This guide goes over some of the more accessible measures and solutions that at least make you less vulnerable. Because privacy often works the same as locking your bike: just make sure you’re better locked than the bike next to you.
Ground rules
We tried to select apps that are stable, familiar and useful — and not to go over the whole spectre of possibilities (for example, we recommend Signal, not Telegram, or Tox and to avoid confusion, we will not go into the details on why we selected Signal). Please note that the use of these solutions helps only technically, not socially — it does not relieve us from the need of good practice (make sure for example, not to open dubious attachments and suspicious links, especially from unknown senders; or to install unwanted applications from unknown producers. Also, always avoid using a USB stick). And last but not least: both the computer and the phone should always be equipped with up to date antivirus software.
We must also remember not to use the same passwords for different services, as well as to choose a secure password, which will not be fragments of words, and will be a combination of letters (large and small), numbers and special characters. Mnemonic technique is a good example. Select verses from your favorite songs and build password from it, for example: “My coat of many colors that mama made for me” converts to an easy to remember password “Mcomctmmfm.” Add a number in the middle and a special character on the end and you have a reasonable strong password: Mcomc5tmmfm&.
Another pretty good solution is to use a password manager, as LastPass.com or 1Password, on your computer and your phone (for full comfort on all devices, unfortunately, it often requires subscription, so we recommend alternatively completely free and open source Password Safe or KeePass ). Harvard offers a free membership of Lastpass for a year to anyone with a Harvard mail-address. Unfortunately, the mere use of managers is also an element of risk because in the end, if someone gets access to your computer or your password-manager passphrase, the perpetrator at once obtains all your passwords.
On each site, where you can use two-step authorization (that demands that you verify your identity from another device), run it. — so that the losing your master-password is less dangerous. Instructions on how to enable it are here: Dropbox , Facebook , Google , Apple.
We focus on the major threats to surveillance, but not on advertising or tracking by corporations — therefore we will not discuss applications like Adblock , Adblock Plus (though better than those two seems to be uBlock Origin), and there’s Privacy Badger, uMatrix or Ghostery that we nevertheless encourage you to review.
We will suggest just a selection of applications for the computer and the phone, to avoid overloading the excess of options, but occasionally we will suggest an alternative — the person who does not like to choose can use any solution in this category alone at home.
One more thing. Many corporations out there require a custom installed certificate before you’re able to use the Wifi (the popup that says: ‘click here to accept’). You have to remember that it exposes us potentially to surveillance even when sites use the secure https connection (sometimes because the company that provides the WiFi asks for the monitoring of all traffic) — So in short, if you use Wifi with a custom certificate, turn off wifi (and benefit from 3G / 4G) for confidential transfers, and in general always use VPN (more about that below) when you really want to be sure about the connection.
On the computer
The program for Windows, Mac, Linux — is a is free browser and prevents tracking your browsing history by a third party (for example your ISP, like Comcast or Verizon). It’s especially useful for reading, not so much to participate actively, when you go through login pages, because then you still give information away. It also avoids the parties determining where we are. It is worth remembering that if you’re logged into a Google account, information on our searches will still be recorded by the company (which is we like to use search engines like DuckDuckGo or StartPage ).
It should also be noted that because Tor directs our movement through various countries, parties like Facebook or Google may find our behaviour suspicious and proactively block the account. This more reason to have a two-step login, which we wrote about above, because then they will worry less about us.
Interestingly, Facebook recently also connects through Orbot on Android devices. More about that later.
This is a plug-in for Chrome, Firefox and Opera, forcing sites to use an encrypted connection Many servers allow this, but they do not do it by default, this plugin saves our life.
VPN
This is your own virtual private network (VPN). Using a VPN means that the service provider and connection brokers do not know what kind of data is transmitted — whether film or a text document, or something else, let alone that they know anything about the content. VPN services are mostly commercial, since it takes some maintenance to keep them alive, however you should consider installing a permanent VPN service, especially when it’s very important for us to have the comfort of a high speed connection. Everyone must choose the one which suits him (a good price is approx. $ 2–5 per month, but there’s a variety of factors that influences the price — here list of over a hundred VPN‘s, and here, in turn, is the best VPN by PCMag for 2016). But you must note that some VPN services (eg. the popular “Hide My Ass”) are keeping logs in case they need to provide information to government agencies. We use CactusVPN (due to the combination of price, the ease of installation, as well as the availability of a mobile phone free of charge). we can also recommend VyprVPN or PureVPN.
Bitlocker (Windows) FileVault (MacOSX)
Depending on the version of the Windows operating system, sometimes we can take advantage of the free disk encryption software called BitLocker (Windows 10, 8.1 Pro / Enterprise et al.) — If we have this feature, you must turn it on! (Control Panel -> System and Security -> Drive Encryption), but it will help more against data theft than surveillance (the NSA can still break in ). Mac users should turn on FileVault, which works the same.
BitLocker and FileVault are lazy solutions. A better alternative is the free and open-source program VeraCrypt (for Windows, MacOSX, Linux). It is definitely invaluable, especially if you use several different systems and have specific wishes.
When you’re using external disks, make sure to encrypt them as well. We know security experts who appreciate a paid Symantec Drive Encryption. For convenient encryption of individual files, you can use the free AxCrypt. Especially if you do not use encryption, you should use at least a program for secure deletion of data, for example Eraser. Note on the phone — iPhone users have enabled encryption by default, Android is doing that only on some phones (eg. Nexus 6 and later), so you need to check whether the option is enabled in the security settings of your phone.
Optional:
Plug-in for Chrome, Safari, Firefox, Opera, iOS app. It allows you to transfer files in a secure way, in the future they will also offer integration with Facebook chat.
Optional:
Application on Windows, Linux, MacOSX, Android, iOS. Many of us use disk storage in the cloud (Dropbox, Google Drive, onedrive). It’s comfortable, even for backups, but unfortunately not enough to protect your data. A better solution is SpiderOak, which serves as a secure drive that uses cloud computing, but it is, unfortunately, a paid service since last year (60 days free, using 2GB). Note: Please do not use the cloud Mega (50 GB free) that is sometimes recommended — the creator himself admits that the data is not safe there.
Optional:
Application on Windows, MacOSX, Android, iOS. People who want to keep using the cloud drives, because they don’t want to change (if only because they are free), must install a program to encrypt the files in the cloud. We would recommend Viivo or Boxcryptor (the latter is commercial when you use more than two devices).
On the phone
This is a chat application similar to Whatsapp for Android and iOS. The app replaces the default program for SMS and enables a safe way for phone calls. Everything is encrypted on the client side, on your phone itself. In other words, as opposed to a regular phone, one can not easily overhear conversations or the content of text messages, as long as both parties have installed Signal. Signal is very easy to use, has a clean interface, the code is open-source and subject to audits — the only drawback is that they have a central server. You can avoid that risk by also using Orbot (see below) or VPN. The beta version is also available on desktop.
Note for insiders: there a quite a lot similar programs. Signal has some of the best cryptographic solutions in the world and a very high comfort of use, it is suitable even for novice users, and takes care of both SMS and calls. Therefore we recommend this as standard, and not one of the many other programs, as Tox, Telegram (note the numerous holes), or Lumicall and SMSSecure.
Heavily advanced users with very high security needs could use vuvuzela (but those users do not need this guide). Of course, stubborn users can also choose a different app and convince all of their friends to use it. In the end the value of the program increases with the number of people using it. A very serious advice is not to use WhatsApp. WhatsApp does not guarantee us the same level of safety as Signal (if only because the encryption keys stay with the service, in some versions it does not encrypt anything, it’s quite unclear when it does encryption, they’re not clear about working with third parties, it does not protect against snooping by print- screenshots, etc.) — I encourage you to read the statement of Electronic Frontier Foundation.
This is an app specially for Android. The program allows the channeling of some apps through the network Tor. In the near future — it will include the option the use VPN (as to divert traffic for any application without the need for root access).
VPN
Like VPN for the computer, the use of VPN on the phone is highly useful because it masks the content of the data — try to choose a VPN service provider that does not charge an additional fee for cellphones.
Optional: App Ops
Application for Android which allows you to downgrade rights for specific apps on your phone.
Optional: AppLock
The application for Android that allows additional protection by locking apps with a password.
Optional: Orfox (Android) or Onion Browser (iOS)
This is a browser for android, directing traffic through the Tor network, blocking scripts and forcing https connection when possible. Definitely recommended, but still in the development phase (so it sometimes has annoying shortcomings). For iPhone owners: Onion Browser (iOS app paid $ 0.99.)
Mail encryption
We wondered for a while whether or not to include mail encryption in this guide. Let’s say that manual encryption requires a little bit more technical knowledge and is maybe not of direct use in the day to day working life of the journalist.
However, when Snowden looked for a journalist to help him with the publications of his files, he looked for a journalist that could correspond with him safely. And that took some time, since most journalists are not ready. It takes about a day to get ready for it, and then you can open an encrypted discussion whenever you need.
The standard for mail encryption is Pretty Good Privacy (PGP). It turns understandable text into incomprehensible strings of letters and numbers for the outsider. PGP will not only encrypt mail for you, but whatever you wants: files, text, pictures, et cetera. If offers you two keys: one to lock files (your public key) and one to unlock them (your private key). This is what an asymmetric key means: one to encrypt and one to decrypt. When you send an e-mail to someone, you look for his/her public key, encrypt the text, and the recipient is the only one that can open the text. Make sure that you’re key is a so called 4096-key, so it’s extremely hard to unlock.
You will need a program that creates a key for you and that handles the encryption for you. We use the GPG-suite, which is free and creates and maintains keys for you. And here’s Jerzy J. Gangi, who explains in easy language how to set it up: The best PGP tutorial for Mac OS X, ever. After that, you can lock and unlock messages with just a single key combination. In case you ever want to share something secret with us, or just want to test, here are the ‘fingerprints’ that give you our keys:
Dariusz Jemielniak: 799A D915 6E37 2A29 2BD0 396C 0705 82C7 A83A 81ED
Tim de Gier: 6E6F 3292 061C A3AC 3F5F 137D 699E E50B 0648 E4E3
Some advanced questions
What to use in the end, VPN or Tor? Or both?
Both Tor and VPN have advantages and disadvantages (technically speaking is Tor is specific type of VPN). Tor exposes us to control by output channels and is also much slower. VPN transfers the burden of trust from the Internet Service Provider to the provider of the VPN (ensures privacy but not anonymity). You can use both solutions at the same time — here’s a description of how to do it , and here another way to do it (Tor -> VPN, VPN -> Tor, et al.). There are also solutions like, for instance. Privatoria , allowing the machine to combine both solutions (with allegedly considerable expense in speed. We have not tested this).
Is this all?
Of course not. This is a selection. It would be easier to make a list of 20 than 6. There are many other important issues in masking your identity. We identify ourselves in the end also by a MAC address (although that can be masked as well). This guide is primarily a basic package that facilitates privacy of our communication.
Why do you not recommend … (here insert the name of the program)?
We got a lot of correspondence with queries about specific programs. Quite a few don’t list any motivation — some are substantive (explained in the text, eg: Why not recommend Telegram, WhatsApp, or Mega). Suggestions are welcome, of course, but I recommend only solutions that we tested, and which are well reviewed.
