[liberationtech] Medill online Digital Safety Guide

Rich Kulawiec rsk at gsp.org
Sat Jun 1 04:40:35 PDT 2013 

On Wed, May 29, 2013 at 03:21:45PM -0700, frank at journalistsecurity.net wrote:
> I appreciate your feedback and your bluntness, Rich.
> 
> But you are providing far more guidance about what to avoid than what to
> use. If journalists and other users should avoid all commercial based
> operating systems including Macs, or any system requiring anti-virus
> software, then what operating system should they use? Linux maybe? Or
> something else?
> 
> Similarly, if they shouldn't use GUI-based email clients, what email
> should they use?

See below, I'll try to address these questions.

That's actually not my blunt voice.  That's my exasperated voice,
because I've grown exceedingly weary of listening to people explain
how to secure a closed-source OS/application environment.

Can't. Be. Done.

The evidence supporting that statement is already piled so high that one
could spend a lifetime examining it and not finish.  And more arrives
all day, every day.  Yet there are STILL people trying to claim
that yes, you can secure your Windows desktop if only you use anti-spyware
anti-virus anti-malware anti-anti-anti-whatever.  If only you spend enough
money.  If only you use IDS/IPS/firewalls/yadda yadda yadda.

No, you can't.

Not for any reasonable value of "secure".  (Yes, yes, I'm well
aware that nothing is absolutely secure, I'm using the term
in sense of "adequate to stop attacks it might plausibly face".)
People do all those things and spend ferocious amounts of money on
them and yet they are STILL routinely 0wned.  It never seems to
occur to them to step back and consider that they're doing something
fundamentally wrong; it always seems to occur to them that throwing
more money at the problem will fix it.  It won't.

And for your use case, where we can presume that the users' systems
will come under scrutiny from governments, criminal gangs, and other
unsavory people with substantial resources, including possibly the
implied or overt threat of physical force, it's absurd to even consider
that approach.  You need to discard it entirely and try something that
has an appreciable chance of working -- NOT something that's guaranteed,
as I don't think that exists, but something that at least gets you
into the game and gives you a fighting chance.

Is Linux the best choice?  Maybe.  Maybe FreeBSD is.  Maybe something
else.  We could argue (and we *have* argued, for many years) about their
relative merits and drawbacks.  I'll propose that for this purpose it may
well be entirely reasonable to create a custom Linux or BSD distribution
that has only the essentials required for reporters/editors in the field
to do their jobs.   Perhaps it should be based on something that already
exists, e.g., Tails.  But what all of those alternatives have in common is
that they raise your probability of success from zero to something non-zero.

That's not enough, of course.  Reasonably secure software environments
only stay that way if they're used appropriately: procedures are as
important as code.  So if someone equipped with one of those is so
insanely stupid as to log onto Facebook [1] or some other scam site,
then they're probably neatly undercut themselves.  Using these tools
properly takes discipline, restraint and thoughtfulness.

For example: users need to actually look at URLs before they follow
them and they need to know enough to realize that google-com.com
is probably not Google and that CIT1BANK.COM is probably not CitiBank. [2]

Yes, that's tedious.  Sorry.  But it's not as tedious as being
locked in a cell for six years while the State Department
tries to negotiate your release.

Anyway, my point is that a judicious combination of careful procedures
and minimal software applications on a robust operating system will
yield something that has a much higher level of operational
security than anything you can build around a closed-source base.
Or to put it another way, all the discipline/restraint/thoughtfulness
in the world will not help you if you insist on using Adobe Acrobat,
thus making yourself a member of the Ginormous Acrobat Security Hole
of the Month Victim's Club. [3]  Or if you choose to use Outlook
instead of mutt (see http://mutt.org), which is a pretty robust
full-featured email client that trained users can use far more
efficiently than many others.

So a constructive approach to this might be ("might be"):

	1. Write a functional specification.  What computing
	tasks do reporters/editors/etc. in the field have to do?

	2. Determine what applications can perform those tasks.

	3. Figure out which OS those applications will run on.

	4. Figure out what the minimal installation looks like.
	(No point in having FrozzleBlah 1.7 installed if it isn't used.
	Less software = less attack surface, to a first approximation.)

	5. Set the onboard firewall to bidirectional default deny.
	Then start figuring out what holes need to be punched in it
	to make (2) feasible.

	6. Think about network services, VPNs, encryption.  Revisit (5).

	7. Build an alpha release and give it, plus some training,
	to a dozen working journalists.  It will break horribly.
	That's a good thing.

	8. Revisit 1-6 and built a beta release.  Repeat step 7.

	9. Get someone (or better, a group of someones) with devious
	and ingenious minds to attack it.  It will break horribly.
	That's still a good thing.

	10. Revisit 1-8 and repeat 9 until either (a) sufficient
	confidence exists that a serviceable product has been created
	or (b) it becomes apparent that something about the approach
	is irrevocably wrong and can't be fixed without starting over.
	If (a), then move on.  If (b), start over.  (I'm a huge fan
	of the development philosophy that you should always write one
	to throw away.  Sometimes two.  Development efforts that aren't
	willing to do that often don't survive well in the field.)

I submit that this outline, crude and incomplete as it is, has a much
higher probability of generating success than anything one could
possibly do using closed-source software.

Yes, it's a lot of work.  Sorry.  There's no shortcut.  As tempting
as it is to take something like MacOS and adapt it: you can't.  It's
like trying to turn a 1975 Ford Pinto into a tank by bolting armor
plate onto it.  Yeah, it kinda sorta vaguely looks like a tank, but
it's still a Pinto and always will be...and you would not do well in
battle with it.

As to the one of your remarks that I elided, in re electronic
communications in general:

I certainly think that they should make *every* effort to minimize
their footprint.  E.g., if their laptop can be switched off: it should be.
If it can be disconnected from the wireless network via the
hardware switch: it should be.  If their mobile phone can be turned
off and the battery removed: it should be.  Every minute that these
devices are connected provides potentially actionable intelligence
to the adversary, so I think it's sensible to minimize those minutes.
(And of course, VPNs, encryption, and other techniques should be used to
reduce the quantity and quality of information available to an adversary.)

---rsk


[1] Some people may not consider this insanely stupid.  Okay.  Fair
enough.  If you're one of those people, please explain to me EXACTLY
why you think that Facebook (or one of its freelancing employees) would
not cheerfully sell every scrap of data they have on you to country X's
intelligence service/secret police or to one of country Y's indigenous
criminal organizations.  To borrow a line from Feynman, what is the
source of this fantastic faith in the machinery?

Once you've finished that explanation, please also explain to me EXACTLY
why you think that an operation with a long, long history of massive
security holes has now managed to close the last one, thereby rendering
itself impervious to attackers -- even though that same organization
has almost no motivation to do so.  It's not *their* data, after all.

[2] I say "probably" because it's possible the real operations have
acquired those typosquatted domains by now.

[3] I see that Adobe is shifting PhotoShop to "the cloud".  How very nice.
Now when some tinpot dictator wants to see if there are any incriminating
photos being prepped for publication, it's not necessary to break into
laptops and desktops and such; just break into Adobe's cloud (or, perhaps
more readily, pay off an Adobe employee) and it's one-stop shopping.
I suppose Adobe wasn't content with merely having one massive security
hole a month and wanted to create something whose very existence is a
massive, ongoing, perpetual security hole.

More information about the liberationtech mailing list