Tag Archives: Micah Lee

Freedom of the Press Foundation, Journalist's Toolbox, Opsec, SecureDrop

Snowden Explains “Opsec” – Operational Security for Everybody

Micah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue GardnerMicah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue Gardner

A few weeks ago, Micah Lee, Technologist for The Intercept and   Co-Founder and Board Member of the Freedom of the Press Foundation, went to Moscow to meet Edward Snowden (who is on the Freedom of the Press Foundation’s Board).

They had been in close contact online, since January of 2013, albeit anonymously, on Ed’s end, for the first six months.

Snowden took the opportunity to explain some technical details about what he has come to refer to as “Opsec,” or “Operational Security,” a collection of a few simple best practices for security that folks can use to protect the privacy of their day to day communications.

Engaging in Opsec helps protect one’s privacy, not only against the threat of what is, to some, the merely abstract notion of “government surveillance,” but also against much scarier threats that are not so abstract. For instance, abusive relationship victims, stalking victims, or children who are at risk of being monitored by pedophiles. There are many scary scenarios, all made possible by the current lack of basic encryption on most people’s emails and text messages. In these cases, being a victim of online surveillance often translates into physical harassment or abuse in the “real world.”

Using Opsec to “reclaim your privacy” may seem confusing at first, especially to those who have not realized that their privacy is already compromised daily. But as Micah explains, “This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly.”

In the article, Snowden outlines some Opsec basics, including:

  • Using “Signal” (“Text Secure” on Android), by Open Whisper Systems, to encrypt your text messages and phone calls. It’s very easy to install and use, instantly, on your Android or iPhone device.
  • Encrypting your laptop hard drive, so if your computer is stolen, the thief won’t also have access to all of your private data. (Micah has already written a guide for this.)
  • Using a password manager (here’s Bruce Schneier’s favorite) that helps you generate unique passwords for all of your different services and stores them for you, so you don’t have to remember them.
  • Using two-factor authentication to provide an additional level of security on your accounts.
  • Using browser plugins like HTTPS Everywhere by the EFF, to try to enforce secure encrypted communications so your data is not being passed while “electronically naked,” in transit.
  • Using adblocking software, such as Privacy Badger, by the EFF.
  • Using Tor and TorBrowser to anonymize your browsing.

A few relevant quotes from the article:

On Tor:

Lee: What do you think about Tor? Do you think that everyone should be familiar with it, or do you think that it’s only a use-it-if-you-need-it thing?

Snowden: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time. We know it works from at least one anecdotal case that’s fairly familiar to most people at this point. That’s not to say that Tor is bulletproof. What Tor does is it provides a measure of security and allows you to disassociate your physical location…

But the basic idea, the concept of Tor that is so valuable, is that it’s run by volunteers. Anyone can create a new node on the network, whether it’s an entry node, a middle router, or an exit point, on the basis of their willingness to accept some risk. The voluntary nature of this network means that it is survivable, it’s resistant, it’s flexible.

Micah: [Tor Browser is a great way to selectively use Tor to look something up and not leave a trace that you did it. It can also help bypass censorship when you’re on a network where certain sites are blocked. If you want to get more involved, you can volunteer to run your own Tor node, as I do, and support the diversity of the Tor network.]…

On Whistleblowing:

Snowden: What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests. So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that.

Tell no one who doesn’t need to know.

Micah: [Lindsay Mills, Snowden’s girlfriend of several years, didn’t know that he had been collecting documents to leak to journalists until she heard about it on the news, like everyone else.]

Snowden: When we talk about whistleblowers and what to do, you want to think about tools for protecting your identity, protecting the existence of the relationship from any type of conventional communication system. You want to use something like SecureDrop, over the Tor network, so there is no connection between the computer that you are using at the time — preferably with a non-persistent operating system like Tails, so you’ve left no forensic trace on the machine you’re using, which hopefully is a disposable machine that you can get rid of afterward, that can’t be found in a raid, that can’t be analyzed or anything like that — so that the only outcome of your operational activities are the stories reported by the journalists.

Micah: [SecureDrop is a whistleblower submission system. Here is a guide to using The Intercept’s SecureDrop server as safely as possible.]…

On Simple and Practical Threat Modeling:

Snowden: …You can drive yourself crazy thinking about bugs in the walls and cameras in the ceiling. Or you can think about what are the most realistic threats in your current situation? And on that basis take some activity to mitigate the most realistic threats.

In that case, for most people, that’s going to be very simple things. That’s going to be using a safe browser. That’s going to be disabling scripts and active content…And making sure that your regular day-to-day communications are being selectively shared through encrypted means…

On How Cell Phones Track Us By Default:

Micah: People use smartphones a lot. What do you think about using a smartphone for secure communications?

Snowden: Something that people forget about cellphones in general, of any type, is that you’re leaving a permanent record of all of your physical locations as you move around. … The problem with cellphones is they’re basically always talking about you, even when you’re not using them. That’s not to say that everyone should burn their cellphones … but you have to think about the context for your usage. Are you carrying a device that, by virtue of simply having it on your person, places you in a historic record in a place that you don’t want to be associated with, even if it’s something as simple as your place of worship?

 

 

Aaron Swartz Day 2015, SecureDrop, Video

Micah Lee at Aaron Swartz Day 2015

Download mp4      Hi-res files of entire event
CC0

Note: I’m including a full transcription at the bottom of this post, for safekeeping. Thanks to OpenTranscripts.org for their transcriptions of these talks.

Micha Lee gave a charming first person account of how Ed Snowden first contacted him anonymously, looking for Laura Poitras’ PGP key, and then asked him to please get Glenn Greenwald get set up on PGP.

Next, he explains how SecureDrop enables sources to connect with journalists without having to learn PGP, and how Aaron’s core design is still in use today.

Micah has also written about this entertaining story in much more  splendid detail at The Intercept.

Quotes from Micah’s Talk:

“…two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing…

The one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done…

…he (Aaron) made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.– Micah Lee, Co-Founder, Freedom of the Press Foundation, Technologist at The Intercept.

 

***Complete Transcript Below****

Hello. I don’t have a whole lot to say.

When I was thinking about what I would talk about last night, I was reading more about Aaron. Unfortunately, I never got to meet him before he died, but I realized that he passed away on January 11, 2013, and that was actually the same day that I first heard from Edward Snowden.

At the time I didn’t know that it was Edward Snowden. He was anonymous. He sent me an email and it was encrypted. And he was trying to get Laura Poitras’ PGP key and he was saying that—you know, he couldn’t tell me what it was for but I should help Glenn Greenwald learn how to use PGP and it was important.

So I helped out as I could, and it took several months. I kept talking to Glenn and Glenn was into it, but he was also really impatient with learning anything new on the computer and he didn’t really know why it was so important. I didn’t really know why it was so important. There were a couple of false attempts at teaching Glenn PGP, and finally I had a Skype call with him where I helped him set up Pidgin and off-the-record encryption. That was like, five and a half, six months later after I first got that encrypted anonymous email from Snowden. And that was the first time that Snowden was able to have a secure conversation with Glenn Greenwald.

And I was thinking about it. Aaron had already kind of done a lot of work to solve this problem. The year, two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.

I guess the one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done, and you don’t have to go through all of this having to be a technical expert and having to train the journalists and all this stuff. But the hard part is that it’s still not nearly as easy for journalists to use. So, in fact, Glenn Greenwald doesn’t use SecureDrop himself. Instead, other people who have more time and patience with technical stuff use it and talk to him about it if there’s stuff for him.

So there’s still a lot more work to be done in this area, and I just really wish that Aaron were still around to help with this, because I think that he would contribute greatly on his project.

And that’s all that I have to say.

Aaron Swartz Day 2015, Video

Video and Transcripts From Aaron Swartz Day 2015

Please donate to my Kickstarter for “From DeadDrop to SecureDrop” – Thanks!!

Index of Speakers and Direct Links to Video and Transcriptions

Giovanni Damiola (Open Library Project)
YouTubeVideo – Transcript

Garrett Robinson (Lead Programmer, SecureDrop)
YouTubeVideoTranscript

Alison Macrina (Founder and Director, Library Freedom Project)
YouTubeVideoTranscript

Brewster Kahle (Digital Librarian, Internet Archive)
YouTubeVideoTranscript

Cindy Cohn (Executive Director, Electronic Frontier Foundation)
YouTubeVideoTranscript

Jacob Appelbaum (Security Expert seen in Citizen Four, Wikileaks volunteer) (Appearing remotely via Jitsi)
YouTubeVideoTranscript Internet Archive Video & Download

Roger Dingledine (Interim Executive Director, Tor Project)
YouTubeVideoTranscript

Micah Lee (Co-founder, Freedom of the Press Foundation and Technologist at “The Intercept”)
YouTubeVideo – Transcript Internet Archive Video & Download

A Special Statement from Chelsea Manning: “The Human Element”
(Read by Lisa Rein)
YouTubeVideoTranscript – Link to Chelsea’s Statement