Anti-Surveillance tools and tips – not just for journalists

(updated Dec. 12, 2016)

Long before Snowden, we who snoop in the public interest knew that if we weren’t being watched we would be eventually. So we took steps to protect ourselves. Digital self-defense is now vital for everyone, not just journalists. Our toolboxes are ongoing projects. This is mine, and I am grateful to the coders who help protect us. Questions/suggestions/criticisms encouraged.

SECURE BROWSING
The point of greatest vulnerability in our interaction with the Internet is the browser. That is why it is a must to use end-to-end encryption via Secure Socket Layer, or SSL. It is not perfect. In fact we learned in 2013 that it had been compromised by the NSA. Where, we don’t know. But the HTTPS secure communications protocol remains the best available shield for standard browsing. It was designed to protect against such scourges as identity theft. It is especially important on open Wi-Fi networks. I use the browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation. HTTPS does not hide your online activity, the websites you visit, from “sniffers” that monitor traffic. What it does is encrypt your interactions with websites that use HTTPS. If your favorite news website does not offer HTTPS, tell them to get with the program!

ANONYMOUS ON THE INTERNET
If you want to hide your online activity, a good option is Tor, originally short for The Onion Router. Tor is designed to hide your IP address, concealing your location and erasing your online footprints. It is best with a VPN (virtual private network) connection. It is open source, free and supported by a nonprofit. It encrypts users’ online communications – supporting applications including browsing and instant messaging – and bounces them around through a random set of servers called onion routers operated by volunteers. It makes web browsing slow, but much more secure. Don’t expect it to be effective, however, against the NSA or other governments equipped with sophisticated global surveillance tools. Download it here and read the directions carefully. How Tor works.

A Tor proxy exists for Android operating systems. It’s called Orbot. On the Mac (as well as for iPads and iPhones) the Onion browser tunnels web traffic through the Tor network. Developer Mike Tigas formerly charged 99 cents. Now it’s free!

Tor is best used with a VPN proxy service. They are popular for circumventing censors. I am not going to tell you which one I use. But it’s smart to use one with exit nodes in multiple countries. Best if some of those countries are not apt to cave to the NSA and its Five Eyes allies and let them spy on your traffic.

ANONYMOUS SEARCH
Duckduckgo.com is the most popular anonymous alternative to Google’s search engine.  Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own web crawler and also uses other sites.  There’s a Duckduckgo Firefox browser extension. Another good option is the Epic privacy browser that’s built on top of Firefox. Google search can be run through a Tor browser for more complete results. Google will demand that you prove you are not a machine. Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google.

EMAIL ENCRYPTION
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates it with digital signatures. Plus it can be used to encrypt disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating. Easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. I formerly used a commercial product from PGP Corp. until it was purchased by Symantec. Now I use gpg40, an Outlook plug-in. It is not free but works well. Also worth looking at are RiseUp (for the more technically inclined), Peerio (which is quite popular and available for iOS, Android, Mac, Linux and Windows) and Protonmail.com (Swiss-based and browser dependent).

VOICE COMMS/TEXT:
For private smartphone calls, the absolute gold standard is Signal from WhisperSystems. It is free and does instant messaging, too. WhatsApp employs its technology but Signal is more trustworthy because it’s not owned by Facebook, which spies on WhatsApp users and accesses their address books unless specifically told not to. (Good article on Signal by Brian Chen)

INSTANT MESSAGING
For encrypted chat the easiest tool is WhatsApp. Purists opt for instant messaging with the Off-the-Record Messaging protocol (OTR). It can be installed as a plug-in for Pidgin, an open-source chat program that can talk to all manner of proprietary chat programs including AIM and Yahoo! (Google Talk was discontinued). Get plug-in here. Jabber.org is a free, public instant-messaging system that uses the XMPP communications protocol (originally called Jabber) and supports OTR. You’ll need to choose a server that supports XMPP to host your account. I use the server of the merry pranksters of cyberspace, Germany’s Chaos Computer Club. For Mac OS X there is Adium. It is free and can connect to AIM, Jabber, MSN, Yahoo and more.

AUDIO/VIDEO COMMS and CHAT
Skype, as we know, is insecure. To replace pretty much everything it does there is Jitsi. It supports some of the most popular instant messaging and telephony protocols and works for secure video calls, conferencing and chat. The easiest way to use the technology is to use meet.jit.si. It creates a secure video/audio chatroom to which one can invite multiple parties.

DISC ENCRYPTION
I have used TrueCrypt, freeware that supports Windows, Mac OSX and Linux. But there are questions as to whether it remains secure. There are also sophisticated ways to obtain the encryption keys of a TrueCrypt install on machines on which these products are installed, but not if the computers are shut off and the attacker is doing a cold boot. Some people use Windows’ Bitlocker. I tend to distrust Microsoft. Security expert Bruce Schneier recommends BestCrypt.

SAFE TRAVELS
A strategy is vital for what to do if border guards _ or local police, for that matter _ demand that you unlock the data on your cellphone or laptop so they can review it. Especially in need of a strategy are people who handle information so sensitive it could get people killed if revealed. Not carrying the information when you travel is one option. Putting it on a cloud-based encrypted backup service like SpiderOak One is another. There are many.

Journalists who travel internationally will benefit from this good guide by the Electronic Frontier Foundation on strategies for taking computers across borders, where airport searches aren’t just possible. They’re happening: EFF’s – Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.

Whatever you do, make sure you LOCK your PHONE with a long password. Mine is nine digits. They might be able to crack it after I’m dead.

FURTHER READING:
(There is a lot out there! Do send me links to guides not listed that should be)
A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/
The Committee to Protect Journalists includes an infosec page in its online Journalists’ Security Guide.
Press Freedom Foundation compendium of online security tools and how they work.
Surveillance Self-Defense from EFF: https://ssd.eff.org/
The Tactical Tech Collective have a very good list of tools and a how-to booklet at SecurityinaBox.org
AP colleague Raphael Satter’s June 14, 2013 piece on keeping your data private from prying eyes.

Peru’s attempt to protect a little fish with a big global impact

The story Franklin Briceno and I did on the Peruvian government’s attempt to begin to effectively police the world’s biggest fishery _ the anchoveta industry _ against misbehavior by the commercial fishing fleet was published precisely as the Production Ministry announced results of this season’s catch.

The day’s headline: The fleet did not catch the full quota of 810,000 metric tons (it reported catching 732,000 tons). In the seventh week of the 10-week season that ended Jan. 31 it began breaking the rules blatantly by catching too many juveniles, which is illegal and endangers regeneration. They illegally harvested more than 18,000 tons of juveniles.

“They have no social conscience,” said vice minister Paul Phumpiu. He is trying to get the industry to divert more of its catch to human consumption but so far doesn’t seem to have much traction.

A pilot project to promote the anchoveta as table fish, chiefly by distributing free samples at markets in Peru, is about to get under way. Its budget: about $4 million.

Chavez’s prostration – Cuba and Brazil’s behavior

Two interesting points about the Venezuela conundrum made in this Economist piece:

1) “Mr Chávez’s prostration has given Cuba unhealthy sway over events in the country. Cuba’s influence was already considerable: it provides Mr Chávez with intelligence and security advisers in return for Venezuelan oil.”

Are the Cubans indeed  gatekeepers to Chavez? Controlling who he sees? Or does it boil down to Chavez’s daughters?

2) Mercosur, led by Brazil, suspended Paraguay last year “after its left-wing president was impeached—constitutionally, albeit with unseemly haste.” The Economist says Mercosur should “now similarly suspend Venezuela until it adheres to its own constitution.”

Many will remember Venezuelan Foreign Minister Nicolas Maduro’s alleged attempt to persuade Paraguayan military leaders to act to thwart the impeachment of Fernando Lugo.

Maduro and National Assembly speaker Diosdado Cabello are now engaged in a political high-wire act, without a constitutional net.

Panchita – Peru on the grill

Credit: Peru 21

If you like grilled Peruvian food (apologies to the vegetarians) you can’t do much better in Lima than Panchita.  It is loosely modeled on an anticucheria. Anticuchos are, principally but not exclusively, cow’s heart kebabs. Other tripes that Peruvians skewer and grill also fall under the category. Done well, they are  surprisingly succulent.

I am not particularly fond of anticuchos, and there is much else to satisfy on the menu of this restaurant created by Gaston Acurio, whose celebrity among living Peruvians is matched perhaps only by that of  Mario Vargas Llosa. (Update: Newest Acurio restaurant reported set to open in Chicago in March).

 

The yucca stuffed with seco limeño, as a first course, was superb. Accompanied by a rocoto chile sauce. And don’t forget to order huancaina sauce with pretty much whatever you eat. It’s a right  proper partner for the  potato.

Our only complaint: The restaurant’s acoustics. Get a sound designer in there, Gaston. The place gets loud!

Item:  If you’re looking for a good Peruvian food blog (Sp.) check out Cucharas Bravas.  Its Panchita review.  If you’re looking for good ceviche, Panchita is not the place. But then, real Limeños don’t eat ceviche for dinner. I learned that the hard way some years ago ordering it in front of my in-laws after dusk.

Journalist: protect your sources, erase electronic footprints

Kashmir Hill of Forbes compiled a nice list of tools to scrape metadata from documents and photos that could betray sources’ identities or locations. Other ways to keep your reporting data from falling into the wrong hands: Don’t be a digital packrat. That resists our nature, doesn’t it? And, of course, encrypt data and communications. I need to start trying Jitsi (https://jitsi.org) as an alternative to Skype.

 

Lima’s extraordinary unpreparedness for a major quake

I got quite worried reporting our story about just how unprepared Lima is for a quake of 8.0 magnitude or higher. Lima’s La Republica newspaper summarized the most alarming quotes in Spanish.

Lima authorities have urged everyone to have an emergency backpack at the ready with water, food, flashlight and personal hygiene items. And they are trying to get people to think about situational awareness in a major quake: where is it safest to shelter. Do you run? Duck under a table?

Meanwhile, check out this new study that pinpoints where the world’s “great quakes” are most apt to occur, a PDF:  “The link between great earthquakes and the subduction of oceanic fracture zones.”

Eight of the 15 most devastating quakes ever recorded have occurred where I live – gulp – along the Peru-Chile trench where the undersea Nazca plate collides with the South American continental plate. The Nazca plate slides into the subduction zone at about 3 inches a year on average.

International Court of Justice sets borders in Colombia-Nicaragua dispute over Caribbean islands

Colombia’s government is not happy with the outcome of the court’s ruling. The Hague court delineated a horseshoe around the English-speaking archipelago, which was first settled by Protestants and claimed by Colombia in the early 19th century. President Santos of Colombia, bowing to pressure from environmentalists and local politicians, announced last year there would be no oil exploration in the islands’ waters (the reef is a divers’ paradise). All indications are that Nicaragua will drill. A good Oxfam blog posting on the victory against drilling. And a description of the Old Providence barrier reef at the islands, designated a Biosphere Reserve by UNESCO in 2000.

See also AP correspondent Andrew Selsky’s 2003  piece on the islands.

Colombian govt cool to FARC cease-fire announcement

As peace talks get under way in Havana, the FARC announces a cease-fire. Not a big surprise, and not well-received by the government.

HAVANA (AP) — Colombia’s main rebel group announced a unilateral cease-fire on Monday as it began much-anticipated peace talks, but the Bogota government responded that it would continue military operations. Top negotiator Ivan Marquez said the Revolutionary Armed Forces of Colombia would halt all acts of sabotage and attacks against government and private property starting at midnight Monday and running through Jan. 20.

He made the announcement as negotiators for both sides entered the talks in Havana without other comment.

Marquez said the move was “aimed at strengthening the climate of understanding necessary for the parties to start a dialogue.”

Hours later, Defense Minister Juan Carlos Pinzon told reporters in the Colombian capital that while the government hoped the FARC would keep its promise, “history shows that this terrorist organization has never kept its word. It’s very difficult to believe.”

He added that Colombian security forces have “the constitutional duty to pursue all criminals who have violated the Constitution.”

Read more at AP’s “The Big Story”

 

Colombia peace talks start in Havana – Who’s Who

Peace talks get under way in earnest in Havana on Monday nearly three months after negotiators for Colombia’s government and the FARC signed a roadmap that includes a five-point agenda. Up first is land reform, though the start of talks was delayed a few days as both sides hashed out the design of a website that will allow “civil society” to provide input.

The Santos government is trying to keep the substance of the negotiations from the news media until such time as both sides have announcements to make. We’ll see how that goes. We’ve profiled the two top negotiators, the Dutch guerrilla Tanja Nijmeijer and Simon Trinidad, the FARC commander penned up at the maximum-security prison in the Rocky Mountains where the United States holds its most notorious convicted terrorists. Trinidad’s story highlights the depth of U.S. involvement in the conflict. It also helps explain why reaching a peace agreement will be so difficult.

If you read Spanish, I highly recommend ‘Libranos del Bien’ to get a good sense of the society that bred Trinidad and the paramilitary warlord Rodrigo Tovar Pupo, aka Jorge 40. He’s also now in a U.S. prison.