The Living Thing / Notebooks :

Confidentiality online, journalist edition

Many people today are living in surveillance states with weak citizen protection and persecution of citizens who blow the whistle on state wrongdoing, rapid erosion of privacy, criminalisation of failure to turn state informer, or even counselling resistance, and attacks on the free press, all without oversight by the public.

That’s Australia. Things are even worse in Yemen, India, China, Russia, Saudi Arabia, etc. I’ll go ahead here and say that I think that on balance strong encryption is a good idea to have in society as one bulwark against surveillance societies and also just plain safety. In practice, we all use consumer-grade encryption, even the army. There are some interesting options for solidarity in software designers, as Eleanor Saitta points out, or you might say, design challenges stringent enough that our quisling tech sector will be unlikley to rise to them.

🚧 link to particular risks for each state.

For any of these anti-journalist states, you need hardcore security.

What you might use to get around this

EFF’s Surveillance Self Defense course is a good starting point.

They talk you through the theory and practice of different types of security, modelling the risks you face and trying to minimise them for different scenarios.

Maciej Cegłowski observes, discussing the related problem of securing political campaigns:

Campaigns have small budgets and operate in an unusually hostile environment. Not only are there people whose job it is to attack campaigns, but those people enjoy their work, get a government pension when they retire, and live happy, fulfilled professional lives.

I presume (hope?) he’s talking about hostile foreign actors but who knows these days?

OK, there is a lot to do, but let’s start with the basic. First, minimise your exposure to corporate surveillance.

Next you probably want to lock down of your computer. Maybe lock down one a little bit and also get a second, hardcore locked-down computer for your secret stuff.

DNS

You need to fix this to avoid getting profiled in the first place. Constantly leaking info if you don’t kick it in the pants. See DNS servers.

Sharing confidential information anonymously

OK, you are doing something that the Australian state finds threatening, such as exposing possible murder by government employees to public oversight, and for which they will send you to prison. The state will mobilise the full force of the law to get at you.

Obviously a journalist reporting these stories needs legal protection for their whistleblowers, but this is no longer offered in Australia.

A bandaid solution to the erosion of press freedom is the ability to transfer documents anonymously.

Secure Drop

SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. It was originally created by the late Aaron Swartz and is now managed by Freedom of the Press Foundation.

There is an instance run by DuckDuckGo at dmys7duszeb2salo.onion which you could use to transfer documents.

SSH

There’s a lot of fiddling in ssh.

To secure it in particular, you need to beat 1024 bit DH keys sigh. NSA is reading your comms with keys shorter than 2048 bits.

researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.

There are more steps to secure ssh.

USB

USB is another security nightmare. See e.g. Badusb Malware: O.M.G cable (explanation for the busy), Poisontap, lanturtle usbarmory

Countering it? USB condoms such as USG do a partial job. That is, if you don’t mind carrying a large, slow inconvenient device that only supports a small fraction of the functionality you are used to. Very few of us feel like we are likely enough to be targeted that this is worth doing, although as the cost of these attacks drops to nothing, that might change.

Hardened Desktop OS

See hardened OSes.

Hardened smartphones

See hardened smartphones.