Safeguarding the Fourth Estate

Good to see The Citizen Lab’s Knight News Challenge entry for teaching digital security to journalists. There is far too much resistance, ignorance and indifference in newsrooms to securing communications. Journalists understand, I think, that online and telephone newsgathering are easily monitored by multiple actors but most do nothing to protect themselves and their sources. Good also to see the focus for The Citizen Lab is the global south, where I work.

It is not only urgent and essential for journalists to understand how to protect themselves in communications with sources. It is also vital that sources understand how to use these tools. Just today, I spoke to a newsmaker who has been targeted by state and corporate espionage and yet had no means available of communicating with me securely. I had to bring it up. I said, “You and I both know that this phone conversation is almost certainly tapped.” He laughed. But the shared understanding also put a chill into the conversation. And so we’ll need to go offline to discuss the important stuff.

And that takes more time, and requires physical meetings, slowing down the process of gathering and disseminating information. The well-funded spooks win, again.

There are 667 entries in this round of the Knight News Challenge. The round is all about strengthening the Internet for free expression and innovation.

Bitcoin: More about philosophy than finance

Alan Feuer got it right in today’s NYTimes. The virtual digital currency Bitcoin was not chiefly created as a money-making venture.

“To its creators and numerous disciples, bitcoin is — and always has been — a mostly ideological undertaking, more philosophy than finance,” he writes.

All that we’re reading about Bitcoins getting stolen from digital wallets is not anywhere near as interesting as who is recognizing them as currency.

Bitcoin is news because it is disruptive. It embodies a throwing down of the gauntlet by a person or persons (Satoshi Nakamoto) fed up with how the global banking system, comprised of “fiat” currencies created by nation-states, had fallen prey in 2008 to the machinations of greedy bankers and spineless politicians.

Satoshi was simply fed up with the banks deemed “too big to fail” that failed us all and whose bailout we bankrolled. Stateless digital currencies, electronic cash as David Chaum envisioned it when he patented the idea in 1982, will allow us to develop new models for making payments that cut out the usurious middleman and democratize the economy.

And the key, of course, is public-key cryptography. Want to geek out on how a Bitcoin transaction works? Try this illustration from IEEE Spectrum: “The CryptoAnarchists’ Answer to Cash.”

Brazil’s about ready to poke out the “Five Eyes”

A Twitter wag asked today why Glenn Greenwald doesn’t just unload all his Snowden-endowed dirt on who is spying on Brazil in one article. I thought of the old journalistic saw: “Why, to sell newspapers, of course.” Sounds quaint, eh?

The Canadians reportedly busted open encryption to have their way with Brazil’s mining ministry. We’d already heard that the NSA spied on Petrobras and President Rousseff’s inner circle. Still to come: Details on how Brazil spies on its citizens. Have patience. Brazilian colleagues are surely working it.

It will be time soon for an update on the divorce Rousseff is preparing from the U.S.-centric Internet. Plenty of experts think that’s a bad idea and will only encourage Balkanization by really nasty regimes already bent on inhibiting the free flow of information.

The Most Important Snowden Documents Yet

I have always trusted Bruce Schneier, author of the much-respected 1996 “Applied Cryptography.”

Glenn Greenwald showed Schneier some of the Snowden documents that featured in today’s stories by The Guardian, The New York Times and Propublica. They are the most important, upsetting revelations to date from the Snowden trove. Without doubt.

The NSA, says Schneier, has been breaking most of the encryption on the Net. He says the U.S. government has betrayed the Internet and we need to take it back.

Schneier summarizes what the NSA has done to make the Internet a more dangerous place and five ways to stay safe online:

1) Hide in the network.

2) Encrypt your communications.

3) Assume that while your computer can be compromised, it would take work and risk by the NSA – so it probably isn’t.

4) Be suspicious of commercial encryption software, especially from large vendors.

5) Try to use public-domain encryption.

The NSA was told in the mid-1990s that it could not have the Clipper Chip, the backdoor it wanted into our digital lives. Silicon Valley and Bill Gates objected. By 1996 the Clipper Chip was defunct. So the NSA decided to begin breaking-and-entering on its own. Without our approval.

Greenwald/Snowden gave the public some time to prepare for today’s disclosure. First, they gave it a series of primers on the extent to which the NSA is spying on the American public (not to mention allies). Then they unloaded this zinger.

I want more details. What exactly is compromised? Is everything I do using SSL on my Mozilla Firefox browser compromised?

Boing Boing tweeted KEEP CALM AND USE OPEN SOURCE CRYPTO. Excellent advice. Time to revise my anti-surveillance toolkit.

Two small encrypted email services down. Hire the lawyers.

The Snowden backlash is only just beginning. And so is the resistance. Expect U.S. tech companies that have given the National Security Agency direct access to your data to suffer commercially. How badly is hard to say. It depends on how deep the public outrage runs. Three of Germany’s biggest Internet services, one of them Deutsche Telekom, announced they’ll encrypt customers’ emails. Unfortunately, their encryption appears to be a bad joke. Here’s the Chaos Computer Club release (German).

Phil Zimmermann

The U.S. government forced the hand of a small Texas-based email service, Lavabit. It seems clear that its owner, Ladar Levison, shut down rather than agree to grant the government access to the data of customers. Snowden is reported to have been among his users. Levison has set up a legal defense fund and is accepting contributions. He likely received a National Security Letter, a search warrant or a subpoena with a gag order attached. He can’t say, but he says he’s preparing an appeal to the 4th Circuit.

“This experience has taught me one very important lesson: without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” The New York Times quoted Levison as saying. I can’t find an image of him online.

The other U.S. email service that preemptively shut down belonged to Silent Circle, a company co-founded by Phil Zimmermann, creator of Pretty Good Privacy encrypted email. It says it wiped the discs containing all that email. The encryption keys were on the servers. Not so with the keys that Silent Circle uses for its text-messaging, video and voice comms services. They are end-to-end secure. The encryption keys are erased when the communication ends.

Now, which big U.S. tech companies will join the legal challenge in defense of First and Fourth Amendment rights?

Yahoo is the only one known to have challenged a gag order of the type Levison apparently got.

The Internet Archive’s Brewster Kahle, an Internet giant committed to nothing less than providing “universal access to all knowledge,” successfully fought a gag order and is one of the few people who can openly discuss what it’s like to get a National Security Letter. Read here the New Yorker’s interview with him about it.

Meanwhile, more and more people are posting PGP public keys to servers.

Anti-Surveillance tools and tips – not just for journalists

Long before Snowden, those of us who snoop in the public interest for a living, and have read every James Bamford book, knew enough to know we were being watched. And we started putting together infosec toolboxes. Here’s a compendium.

SECURE BROWSING
The point of greatest vulnerability in our interaction with the Internet is the browser. That is why it is a must to use end-to-end encryption via Secure Sockets Layer, or SSL. It is not perfect. In fact we learned on Sept. 5 from reports based on Snowden documents that it has been compromised by the NSA. Where, we don’t know. But the HTTPS secure communications protocol remains the best available shield for standard browsing. It was designed to protect against such scourges as identity theft. It is especially important when on an open Wi-Fi network. I use the Firefox browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation. HTTPS does not hide your online activity, the websites you visit, from “sniffers” monitoring your traffic. What it does is encrypt your interactions with websites that use HTTPS.

ANONYMOUS ON THE INTERNET
If you want to hide your online activity, a good option is Tor, originally short for The Onion Router. Tor is designed to hide your IP address, concealing your location and erasing your online footprints. It is open source, free and supported by a nonprofit. It encrypts users’ online communications – supporting applications including browsing and instant messaging – and bounces them through a random set of servers called onion routers operated by volunteers. It makes web browsing slow, but much more secure. Don’t expect it to be effective, however, against the NSA or other governments equipped with sophisticated global surveillance tools. Download it here and read the directions carefully.

How Tor works: https://ssd.eff.org/tech/tor. 

A Tor proxy exists for Android. It’s called Orbot.

On the Mac (as well as for iPads and iPhones) the Onion browser tunnels web traffic through the Tor network. Developer Mike Tigas charges 99 cents.

Another way to go, albeit less secure, is to use proxy services. They are popular for circumventing censors.

ANONYMOUS SEARCH
Duckduckgo is the most popular anonymous alternative to Google’s search engine. Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own webcrawler and also uses other sites. There’s a Duckduckgo Firefox browser extension.

Google search can be run through a Tor browser for more complete results. Google will demand that you prove you are not a machine. But it’s worth it.

Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google.

EMAIL ENCRYPTION
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates messages with digital signatures. Plus it can be used to encrypt disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating. Easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. I formerly used a commercial product from PGP Corp. until it was purchased by Symantec. Now I use gpg4o, an Outlook plug-in. It is not free but works well.

INSTANT MESSAGING
For encrypted chat use the Off-the-Record Messaging protocol (OTR). It can be installed as a plug-in for Pidgin, an open-source chat program that can talk to all manner of proprietary chat programs including AIM, Yahoo! and Google Talk. Get the plug-in here.

Jabber.org is a free, public instant-messaging system that uses the XMPP communications protocol (originally called Jabber) and supports OTR. Google Talk and Facebook chat can connect to it as they support XMPP. Jabber.org is currently not accepting account registration but you can create an account on other XMPP services.

For Mac OS X there is Adium. It is free and can connect to AIM, Jabber, MSN, Yahoo and more.

TextSecure from Open WhisperSystems is a good option for secure IM on Android. It is also reported to be coming to Apple iOS.

ChatSecure is an IM client for Apple’s iOS that uses OTR.

AUDIO/VIDEO COMMS and CHAT
Skype, as we know, is insecure. To replace pretty much everything it does there is Jitsi. It supports some of the most popular instant messaging and telephony protocols and works for secure video calls, conferencing and chat. I use it layered over Google Talk. It also works with AIM, ICQ and Yahoo! Messenger. It is available for Windows, Mac and Linux. (Note: some privacy concerns are being addressed regarding DNS leaking, or exposure of the IP address of the server that helps you navigate online.)

VOICE COMMS:
For protecting cell phone calls, encryption is available through RedPhone for Android, also from WhisperSystems. Both parties must use RedPhone for end-to-end encryption. Telecoms service providers do not overtly get metadata (the call register details on which number is calling which, when and for how long) on these calls.

COMMS PACKAGE:
Silent Circle offers encrypted mobile calls, encrypted text and MMS messaging, and encrypted VoIP audio and video calls and conferencing (encrypted mail is no longer offered). It works on Android and iOS. It’s from PGP creator Phil Zimmermann and partners.

DISC ENCRYPTION
I use TrueCrypt, freeware that supports Windows, Mac OSX and Linux. There are sophisticated ways to obtain the encryption keys on machines on which these products are installed, but not if the computers are shut off and the attacker is doing a cold boot.

SAFE TRAVELS
Journalists who travel internationally will benefit from this good guide by the Electronic Frontier Foundation on strategies for taking computers across borders, where airport searches are possible: EFF’s Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.

FURTHER READING:
A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/

AP colleague Raphael Satter’s June 14 piece on keeping your data private from prying eyes.

The Committee to Protect Journalists includes an infosec page in its online Journalists’ Security Guide.

Press Freedom Foundation compendium of online security tools and how they work.

Surveillance Self-Defense from EFF: https://ssd.eff.org/

The Tactical Tech Collective has a very good list of tools and a how-to booklet at SecurityinaBox.org.

Peru’s attempt to protect a little fish with a big global impact

The story Franklin Briceno and I did on the Peruvian government’s attempt to begin to effectively police the world’s biggest fishery, the anchoveta industry, against misbehavior by the commercial fishing fleet was published precisely as the Production Ministry announced results of this season’s catch.

The day’s headline: The fleet did not catch the full quota of 810,000 metric tons (it reported catching 732,000 tons). In the seventh week of the 10-week season that ended Jan. 31 it began breaking the rules blatantly by catching too many juveniles, which is illegal and endangers regeneration. They illegally harvested more than 18,000 tons of juveniles.

“They have no social conscience,” said vice minister Paul Phumpiu. He is trying to get the industry to divert more of its catch to human consumption but so far doesn’t seem to have much traction.

A pilot project to promote the anchoveta as table fish, chiefly by distributing free samples at markets in Peru, is about to get under way. Its budget: about $4 million.

Chavez’s prostration – Cuba and Brazil’s behavior

Two interesting points about the Venezuela conundrum made in this Economist piece:

1) “Mr Chávez’s prostration has given Cuba unhealthy sway over events in the country. Cuba’s influence was already considerable: it provides Mr Chávez with intelligence and security advisers in return for Venezuelan oil.”

Are the Cubans indeed gatekeepers to Chavez? Controlling who he sees? Or does it boil down to Chavez’s daughters?

2) Mercosur, led by Brazil, suspended Paraguay last year “after its left-wing president was impeached—constitutionally, albeit with unseemly haste.” The Economist says Mercosur should “now similarly suspend Venezuela until it adheres to its own constitution.”

Many will remember Venezuelan Foreign Minister Nicolas Maduro’s alleged attempt to persuade Paraguayan military leaders to act to thwart the impeachment of Fernando Lugo.

Maduro and National Assembly speaker Diosdado Cabello are now engaged in a political high-wire act, without a constitutional net.

Panchita – Peru on the grill

Credit: Peru 21

If you like grilled Peruvian food (apologies to the vegetarians) you can’t do much better in Lima than Panchita. It is loosely modeled on an anticucheria. Anticuchos are, principally but not exclusively, cow’s heart kebabs. Other tripes that Peruvians skewer and grill also fall under the category. Done well, they are surprisingly succulent.

I am not particularly fond of anticuchos, and there is much else to satisfy on the menu of this restaurant created by Gaston Acurio, whose celebrity among living Peruvians is matched perhaps only by that of Mario Vargas Llosa. (Update: Newest Acurio restaurant reported set to open in Chicago in March).

The yucca stuffed with seco limeño, as a first course, was superb. Accompanied by a rocoto chile sauce. And don’t forget to order huancaina sauce with pretty much whatever you eat. It’s a right proper partner for the potato.

Our only complaint: The restaurant’s acoustics. Get a sound designer in there, Gaston. The place gets loud!

Item: If you’re looking for a good Peruvian food blog (Sp.) check out Cucharas Bravas. Its Panchita review. If you’re looking for good ceviche, Panchita is not the place. But then, real Limeños don’t eat ceviche for dinner. I learned that the hard way some years ago ordering it in front of my in-laws after dusk.

Journalist: protect your sources, erase electronic footprints

Kashmir Hill of Forbes compiled a nice list of tools to scrape metadata from documents and photos that could betray sources’ identities or locations. Other ways to keep your reporting data from falling into the wrong hands: Don’t be a digital packrat. That resists our nature, doesn’t it? And, of course, encrypt data and communications. I need to start trying Jitsi (https://jitsi.org) as an alternative to Skype.
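
To show what “scraping metadata from photos” actually means at the byte level, here is an added Python example that is not part of the original post or of any tool on Hill’s list. A JPEG is a sequence of marker segments followed by the compressed image data. Camera model, capture time and GPS coordinates live in the APP1 (Exif) segment, captions and keywords in APP13 (IPTC) and APP1 (XMP), and free text in COM segments; none of them are needed to display the picture. The stripper below walks the segment headers and drops every APP1–APP15 and COM segment, copying everything from the start-of-scan marker onward untouched, so the pixels are bit-for-bit identical. `SAMPLE_JPEG` is a constructed, structurally valid test file whose Exif payload is a placeholder string rather than a real TIFF directory.

```python
import struct
from typing import List

SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one JPEG marker segment: FF, marker, 2-byte length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack("!H", len(payload) + 2) + payload


# Constructed sample: a 1x1 grayscale JPEG skeleton carrying an Exif-style APP1
# segment and a COM segment of the kind that betray where and how a photo was taken.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                             # SOI
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # JFIF header
    + _segment(APP1, b"Exif\x00\x00<placeholder: camera model, GPS lat/lon>")  # Exif (constructed)
    + _segment(COM, b"Shot on assignment at the source's home")             # comment
    + _segment(0xDB, b"\x00" + bytes(64))                                   # DQT: quantization table
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")               # SOF0: 8-bit, 1x1, 1 component
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                            # SOS header
    + b"\x12\x34"                                                           # entropy-coded data (stand-in)
    + b"\xff\xd9"                                                           # EOI
)


def list_markers(data: bytes) -> List[int]:
    """Return the marker codes of the header segments, up to and including SOS (or EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    markers = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        markers.append(marker)
        if marker in (SOS, EOI):
            break
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length field
            pos += 2
            continue
        pos += 2 + struct.unpack("!H", data[pos + 2:pos + 4])[0]
    return markers


def strip_jpeg_metadata(data: bytes, keep_app0: bool = True) -> bytes:
    """Return a copy of a JPEG with all APPn (except optionally APP0/JFIF) and COM segments removed.

    Segments are copied or dropped whole; from the SOS marker onward the file is
    copied verbatim, so the compressed pixel data is never touched.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:                       # image data follows: copy the rest as-is
            out += data[pos:]
            return bytes(out)
        if marker == EOI:                       # no scan at all; still a well-formed end
            out += data[pos:pos + 2]
            return bytes(out)
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            out += data[pos:pos + 2]
            pos += 2
            continue
        seg_len = struct.unpack("!H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
        is_app = 0xE0 <= marker <= 0xEF
        if marker == COM or (is_app and not (keep_app0 and marker == APP0)):
            continue                            # drop the metadata segment
        out += segment
    raise ValueError("truncated JPEG: no SOS or EOI found")


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in list_markers(cleaned)])
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Two caveats a practitioner would add. Stripping segments removes what the file says about itself, not what the picture shows: a street sign, a face or a reflection in the frame can identify a source just as well as a GPS tag. And the same idea applies to other formats on Hill’s list, but each has its own container (PDF document info and XMP streams, Office XML core-properties parts), so a JPEG stripper says nothing about a Word file; use a tool built for the format, and check the result with a metadata viewer before sending.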