[liberationtech] Medill online Digital Safety Guide
frank at journalistsecurity.net
Wed May 29 15:21:45 PDT 2013
I appreciate your feedback and your bluntness, Rich.
But you are providing far more guidance about what to avoid than what to
use. If journalists and other users should avoid all commercial based
operating systems including Macs, or any system requiring anti-virus
software, then what operating system should they use? Linux maybe? Or
something else?
Similarly, if they shouldn't use GUI-based email clients, what email
should they use?
The practical gist of your message to journalists seems to be: don't
trust digital information or communications at all. That may well be a
very wise point.
Frank Smyth
Executive Director
Global Journalist Security
frank at journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net
> -------- Original Message --------
> Subject: Re: [liberationtech] Medill online Digital Safety Guide
> From: Rich Kulawiec <rsk at gsp.org>
> Date: Wed, May 29, 2013 7:45 am
> To: liberationtech <liberationtech at mailman.stanford.edu>
>
>
> I see a number of major problems with this guide -- I'm not going to go
> into all of them, I'm just going to highlight a few to give the sense of
> where I'm coming from. You're probably not going to like this.
> Sorry, but strong criticism from me is not nearly so bad as having a hotel
> room door kicked in at 3 AM and being dragged off to a dark hole.
>
> 1. "Use only licensed software and keep it updated."
>
> There's nothing wrong with the concept of keeping your software updated.
> (Although I would recommend judiciously choosing where and how you update it.
> An adversary monitoring your connection and observing that you're
> pulling down updates for FrozzleBlah 1.7 now knows that you're running
> FrozzleBlah and may find that piece of information highly useful.
> Another adversary may have the capability and willingness to substitute
> their update to FrozzleBlah for the one you think you're getting.)
>
> But I'd replace this with: "use only open-source software." Closed-source
> software is not and can not be secure, period, full stop. Anyone choosing
> closed-source software is choosing insecurity -- which, for a journalist in
> a hostile environment, is very self-destructive. That's not an artifact of
> any particular piece of software or any particular vendor; it's an
> unavoidable consequence of the closed development process. Please see:
>
> https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007504.html
>
> Moreover: anyone who has been paying any attention at all over the
> past 10, 20, 30 years knows that in addition to the plethora
> of accidental gaping security holes we know about, there are clearly
> plenty of accidental gaping security holes that we don't know about --
> which are being discovered, hoarded, sold, and used by vulnerability
> researchers and governments and other parties unknown. And then there
> are the deliberate gaping security holes: see most recently: Skype.
> And *then* there are the deliberate gaping security holes which various
> governments are demanding be created for their convenience, not realizing
> in their ignorance and hubris that what is convenient for Government A
> is very likely convenient for Government B for many values of (A,B).
> See for example this particularly asinine proposal:
>
> http://www.electronista.com/articles/13/05/27/us.government.sponsored.report.claims.china.biggest.offender/
>
> Of course there are security holes in open source software as well:
> using it is NOT a panacea. But it at least gives you a fighting chance,
> whereas with closed-source software, you have none at all.
>
> YES, this means no Windows, no IE, no Outlook, no Acrobat, no PhotoShop,
> and so on. Don't tell me "it can't be done". Of course it can. People
> do it every day.
>
>
> 2. "Use good anti-virus and anti-spyware software [...]"
>
> No. This is completely the wrong approach, for two reasons:
>
> First, if you're using a software platform that's architected such that
> you think you need these, you have chosen your software platform poorly.
>
> Poorly, as in:
>
> https://www.youtube.com/watch?v=xCUwQIn3GrU
>
> Trying to remedy that poor choice by slapping on AV/AS software after
> the fact might make you feel better about it, but that's all it does.
>
> Second, AV/AS software is GUARANTEED to fail when you'll need it most.
>
> (A bold statement? Heck no. Quite conservative, actually, given that
> the observed failure rate to date under those circumstances is 100%. What
> would be highly speculative is predicting any outcome *other* than failure.)
>
>
> 3. "Use passwords or, better yet, passphrases that are both at least eight
> keyboard characters long and that include multiple types of characters."
>
> I don't think that's nearly long enough for someone whose freedom
> and/or life might depend on password strength. Advances in GPU-based
> password crackers (for example, see:
>
> http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
>
> among others) as well as the usual improvements in distributed/cloud
> computing, brute-force attacks, etc., suggest to me that much longer
> would be much better. I'll defer to the cryptographers on precisely
> *how* much longer, but I don't think 8 characters will cut it any more;
> my guess would be >= 16.
>
> Length and character diversity are not the only requirements, by the way;
> please see:
>
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+arstechnica/index+%28Ars+Technica+-+All+content%29
>
> for some insights into how passwords might be attacked, and adjust
> password creation accordingly.
>
>
> 4. "Be wary of any email attachments, and even odd-seeming links [...]"
>
> That's good advice, as far as it goes. But it doesn't go far enough.
> Folks in these situations should not be using GUI-based email clients
> because it's too easy to use the GUI to fool recipients -- as we see
> all day every day. Use mutt or equivalent -- and no whining about the
> interface, it's eminently usable by anyone equipped with modest clue.
> It also armors you pretty well against a plethora of content-borne and
> attachment-borne attacks. But more importantly it makes spam, phish,
> typosquatting, etc. attacks *much* harder to pull off because it
> makes them highly visible. I've trained non-technical personnel in
> how to use it to inspect headers and links -- and THAT has much
> more defensive value than any anti-virus/anti-spyware program.
>
> BTW, speaking of odd-seeming links: no URL-shorteners.
> There are zero legitimate uses for them, they're overrun with
> abuse thanks to the profound incompetence and systemic negligence
> of their operators, and there is evidence that some of them are
> *run* by abusers.
>
>
> And so on. (I did say I wasn't going into all the problems.)
>
> I *do* agree somewhat with the assessment of smart phones: nobody in this
> position/environment should have one, as they have no chance at all of
> keeping it secure. Any repressive regime worthy of that characterization
> will be monitoring every single thing journalists' phones do, where they
> go, who they call, who calls them, who they text, who texts them, what
> web sites they visit, etc. and they'll probably try (and succeed) in
> installing malware on them.
>
> And some of the software/service recommendations are fine, although
> I'd scratch Gmail (and Yahoo and Hotmail -- or whatever they're calling
> it this week). All of these freemail services are very poorly run,
> they're almost certainly deliberately backdoored (on purpose) which in
> turn means that they can probably be backdoored (by third parties).
>
> Oh, look, it's already happened:
>
> https://www.techdirt.com/articles/20130522/03160923172/chinese-hacks-google-database-surveillance-targets-highlight-how-dumb-technology-backdoors-are.shtml
>
> Now: everyone who thinks that's the *first* time it's happened,
> raise your hand.
>
> ---rsk
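The keyspace arithmetic behind point 3 (eight characters versus sixteen), as an added example that is not part of the thread. It models an attacker who must try every candidate of a uniformly random secret; the guess rate of 1e9 per second is an assumption for illustration, not a figure from the thread or the linked articles, and the diceware rows (a constructed comparison) show how many random words a passphrase needs to match the same bit counts. Human-chosen passwords fall far faster to the dictionary and rule-based attacks the second Ars link describes, so these numbers are an upper bound on the attacker's work, not a promise.

```python
"""Keyspace comparison behind the "8 characters is not enough" point.

Added example, not from the thread. The guess rate is an assumption for
illustration only; real human-chosen passwords fall far faster to
dictionary and rule-based attacks than this exhaustive-search bound.
"""
import math

PRINTABLE_ASCII = 95          # keyboard characters: letters, digits, symbols, space
DICEWARE_WORDS = 7776         # size of a standard diceware word list
ASSUMED_GUESS_RATE = 1e9      # guesses per second; assumed, not measured
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a secret drawn uniformly from alphabet_size**length choices."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(length, alphabet_size, rate=ASSUMED_GUESS_RATE):
    """Seconds to try every candidate at the given guess rate (attacker's worst case)."""
    return alphabet_size ** length / rate


def comparison_table():
    """Rows of (label, bits, years to exhaust) for the cases the thread argues about."""
    cases = [
        ("8 random printable chars", 8, PRINTABLE_ASCII),
        ("16 random printable chars", 16, PRINTABLE_ASCII),
        ("4 diceware words", 4, DICEWARE_WORDS),
        ("8 diceware words", 8, DICEWARE_WORDS),
    ]
    return [
        (label, round(entropy_bits(n, a), 1), exhaust_seconds(n, a) / SECONDS_PER_YEAR)
        for label, n, a in cases
    ]


if __name__ == "__main__":
    for label, bits, years in comparison_table():
        print(f"{label:28s} {bits:6.1f} bits  {years:12.3g} years at {ASSUMED_GUESS_RATE:.0e}/s")
```

Eight random printable characters come to about 52.6 bits, which the assumed rate exhausts in well under a year; sixteen come to about 105 bits, and four diceware words sit almost exactly where eight random characters do, which is why a passphrase of the "at least eight characters" kind buys much less than its length suggests.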
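The header-and-link inspection that point 4 credits to a text-mode client like mutt, as an added example that is not part of the thread and is not mutt's code: it pulls every anchor's visible text next to its real href, flags the ones whose shown domain differs from the linked domain, compares the Reply-To domain with the From domain, and lists the Received chain oldest-first the way a header view would. The sample message is constructed for this example; its second domain uses a capital I in place of the l in "example" so that the mismatch is deliberate.

```python
"""Surface the link targets and routing headers a GUI mail client tends to hide.

Added example, not from the thread and not mutt's code. The message below is
constructed: one anchor shows one domain and links to a look-alike, and the
Reply-To points at that look-alike as well.
"""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (RFC 5737 documentation addresses); "exampIe" has a capital I.
SAMPLE_EMAIL = """\
Received: from mail.example-news.org (mail.example-news.org [203.0.113.10])
\tby mx.example.net with ESMTP; Wed, 29 May 2013 07:45:00 -0700
Received: from [198.51.100.7] by mail.example-news.org; Wed, 29 May 2013 07:44:58 -0700
From: "Editor" <editor@example-news.org>
Reply-To: editor@exampIe-news.org
To: reporter@example.net
Subject: Updated safety guide
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the guide at <a href="http://exampIe-news.org/guide">example-news.org/guide</a></p>
<p>Or <a href="https://example-news.org/guide">click here</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """All (href, visible text) pairs in an HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def _host_of(text):
    """Lower-cased host of a URL, or of bare 'domain/path' text."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(msg_text):
    """(visible text, href) for anchors whose shown domain differs from the real one."""
    msg = message_from_string(msg_text, policy=default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    flagged = []
    for href, text in extract_links(html):
        # Only text that itself looks like a domain or URL can "show" a host.
        shown = _host_of(text) if "." in text and " " not in text else None
        if shown and shown != _host_of(href):
            flagged.append((text, href))
    return flagged


def reply_to_differs(msg_text):
    """True when replies would go to a different domain than the From header claims."""
    msg = message_from_string(msg_text, policy=default)
    from_dom = msg["From"].addresses[0].domain.lower()
    reply = msg["Reply-To"]
    reply_dom = reply.addresses[0].domain.lower() if reply else from_dom
    return reply_dom != from_dom


def received_chain(msg_text):
    """Received headers oldest-first, i.e. the path the message actually took."""
    msg = message_from_string(msg_text, policy=default)
    return list(reversed(msg.get_all("Received", [])))


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH  shown={text!r}  actual={href!r}")
    print("Reply-To differs from From:", reply_to_differs(SAMPLE_EMAIL))
    for hop in received_chain(SAMPLE_EMAIL):
        print("HOP", hop)
```

Run as-is it flags the first anchor and the Reply-To, and leaves "click here" alone because plain prose cannot misrepresent a domain; the point is the same one the thread makes about mutt: once the real target sits next to the displayed one, the deception is visible to a reader with modest clue, no anti-virus product required.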