[liberationtech] Medill online Digital Safety Guide
Rich Kulawiec
rsk at gsp.org
Wed May 29 04:45:53 PDT 2013

I see a number of major problems with this guide -- I'm not going to go
into all of them, I'm just going to highlight a few to give the sense of
where I'm coming from. You're probably not going to like this.

Sorry, but strong criticism from me is not nearly so bad as having a hotel
room door kicked in at 3 AM and being dragged off to a dark hole.

1. "Use only licensed software and keep it updated."

There's nothing wrong with the concept of keeping your software updated.
(Although I would recommend judiciously choosing where and how you update it.
An adversary monitoring your connection and observing that you're
pulling down updates for FrozzleBlah 1.7 now knows that you're running
FrozzleBlah and may find that piece of information highly useful.
Another adversary may have the capability and willingness to substitute
their update to FrozzleBlah for the one you think you're getting.)

But I'd replace this with: "use only open-source software." Closed-source
software is not and can not be secure, period, full stop. Anyone choosing
closed-source software is choosing insecurity -- which, for a journalist in
a hostile environment, is very self-destructive. That's not an artifact of
any particular piece of software or any particular vendor; it's an
unavoidable consequence of the closed development process. Please see:
https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007504.html

Moreover: anyone who has been paying any attention at all over the
past 10, 20, 30 years knows that in addition to the plethora
of accidental gaping security holes we know about, there are clearly
plenty of accidental gaping security holes that we don't know about --
which are being discovered, hoarded, sold, and used by vulnerability
researchers and governments and other parties unknown. And then there
are the deliberate gaping security holes: see most recently: Skype.

And *then* there are the deliberate gaping security holes which various
governments are demanding be created for their convenience, not realizing
in their ignorance and hubris that what is convenient for Government A
is very likely convenient for Government B for many values of (A,B).
See for example this particularly asinine proposal:
http://www.electronista.com/articles/13/05/27/us.government.sponsored.report.claims.china.biggest.offender/

Of course there are security holes in open source software as well:
using it is NOT a panacea. But it at least gives you a fighting chance,
whereas with closed-source software, you have none at all.

YES, this means no Windows, no IE, no Outlook, no Acrobat, no PhotoShop,
and so on. Don't tell me "it can't be done". Of course it can. People
do it every day.

2. "Use good anti-virus and anti-spyware software [...]"

No. This is completely the wrong approach, for two reasons:

First, if you're using a software platform that's architected such that
you think you need these, you have chosen your software platform poorly.
Poorly, as in:
https://www.youtube.com/watch?v=xCUwQIn3GrU

Trying to remedy that poor choice by slapping on AV/AS software after
the fact might make you feel better about it, but that's all it does.

Second, AV/AS software is GUARANTEED to fail when you'll need it most.
(A bold statement? Heck no. Quite conservative, actually, given that
the observed failure rate to date under those circumstances is 100%. What
would be highly speculative is predicting any outcome *other* than failure.)

3. "Use passwords or, better yet, passphrases that are both at least eight
keyboard characters long and that include multiple types of characters."

I don't think that's nearly long enough for someone whose freedom
and/or life might depend on password strength. Advances in GPU-based
password crackers (for example, see:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
among others) as well as the usual improvements in distributed/cloud
computing, brute-force attacks, etc., suggest to me that much longer
would be much better. I'll defer to the cryptographers on precisely
*how* much longer, but I don't think 8 characters will cut it any more;
my guess would be >= 16.

Length and character diversity are not the only requirements, by the way;
please see:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+arstechnica/index+%28Ars+Technica+-+All+content%29
for some insights into how passwords might be attacked, and adjust
password creation accordingly.

4. "Be wary of any email attachments, and even odd-seeming links [...]"

That's good advice, as far as it goes. But it doesn't go far enough.
Folks in these situations should not be using GUI-based email clients
because it's too easy to use the GUI to fool recipients -- as we see
all day every day. Use mutt or equivalent -- and no whining about the
interface, it's eminently usable by anyone equipped with modest clue.
It also armors you pretty well against a plethora of content-borne and
attachment-borne attacks. But more importantly it makes spam, phish,
typosquatting, etc. attacks *much* harder to pull off because it
makes them highly visible. I've trained non-technical personnel in
how to use it to inspect headers and links -- and THAT has much
more defensive value than any anti-virus/anti-spyware program.

BTW, speaking of odd-seeming links: no URL-shorteners.
There are zero legitimate uses for them, they're overrun with
abuse thanks to the profound incompetence and systemic negligence
of their operators, and there is evidence that some of them are
*run* by abusers.

And so on. (I did say I wasn't going into all the problems.)

I *do* agree somewhat with the assessment of smart phones: nobody in this
position/environment should have one, as they have no chance at all of
keeping it secure. Any repressive regime worthy of that characterization
will be monitoring every single thing journalists' phones do, where they
go, who they call, who calls them, who they text, who texts them, what
web sites they visit, etc. and they'll probably try (and succeed) in
installing malware on them.

And some of the software/service recommendations are fine, although
I'd scratch Gmail (and Yahoo and Hotmail -- or whatever they're calling
it this week). All of these freemail services are very poorly run,
they're almost certainly deliberately backdoored (on purpose) which in
turn means that they can probably be backdoored (by third parties).
Oh, look, it's already happened:
https://www.techdirt.com/articles/20130522/03160923172/chinese-hacks-google-database-surveillance-targets-highlight-how-dumb-technology-backdoors-are.shtml

Now: everyone who thinks that's the *first* time it's happened,
raise your hand.

---rsk