Tag Archives: The Intercept

Snowden Explains “Opsec” – Operational Security for Everybody

Micah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue Gardner

A few weeks ago, Micah Lee, Technologist for The Intercept and Co-Founder and Board Member of the Freedom of the Press Foundation, went to Moscow to meet Edward Snowden (who is on the Freedom of the Press Foundation’s Board).

They had been in close contact online since January of 2013, albeit anonymously on Ed’s end for the first six months.

Snowden took the opportunity to explain some technical details about what he has come to refer to as “Opsec,” or “Operational Security,” a collection of a few simple best practices for security that folks can use to protect the privacy of their day to day communications.

Engaging in Opsec helps protect one’s privacy, not only against the threat of what is, to some, the merely abstract notion of “government surveillance,” but also against much scarier threats that are not so abstract, such as those faced by victims of abusive relationships, stalking victims, or children who are at risk of being monitored by pedophiles. There are many scary scenarios, all made possible by the current lack of basic encryption on most people’s emails and text messages. In these cases, being a victim of online surveillance often translates into physical harassment or abuse in the “real world.”

Using Opsec to “reclaim your privacy” may seem confusing at first, especially to those who have not realized that their privacy is already compromised daily. But as Micah explains, “This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly.”

In the article, Snowden outlines some Opsec basics, including:

  • Using “Signal” (“TextSecure” on Android), by Open Whisper Systems, to encrypt your text messages and phone calls. It’s very easy to install and use, instantly, on your Android or iPhone device.
  • Encrypting your laptop hard drive, so if your computer is stolen, the thief won’t also have access to all of your private data. (Micah has already written a guide for this.)
  • Using a password manager (here’s Bruce Schneier’s favorite) that helps you generate unique passwords for all of your different services and stores them for you, so you don’t have to remember them.
  • Using two-factor authentication to provide an additional level of security on your accounts.
  • Using browser plugins like HTTPS Everywhere by the EFF, to try to enforce secure encrypted communications so your data is not being passed while “electronically naked,” in transit.
  • Using adblocking software, such as Privacy Badger, by the EFF.
  • Using Tor and Tor Browser to anonymize your browsing.

A few relevant quotes from the article:

On Tor:

Lee: What do you think about Tor? Do you think that everyone should be familiar with it, or do you think that it’s only a use-it-if-you-need-it thing?

Snowden: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time. We know it works from at least one anecdotal case that’s fairly familiar to most people at this point. That’s not to say that Tor is bulletproof. What Tor does is it provides a measure of security and allows you to disassociate your physical location…

But the basic idea, the concept of Tor that is so valuable, is that it’s run by volunteers. Anyone can create a new node on the network, whether it’s an entry node, a middle router, or an exit point, on the basis of their willingness to accept some risk. The voluntary nature of this network means that it is survivable, it’s resistant, it’s flexible.

Micah: [Tor Browser is a great way to selectively use Tor to look something up and not leave a trace that you did it. It can also help bypass censorship when you’re on a network where certain sites are blocked. If you want to get more involved, you can volunteer to run your own Tor node, as I do, and support the diversity of the Tor network.]…

On Whistleblowing:

Snowden: What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests. So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that.

Tell no one who doesn’t need to know.

Micah: [Lindsay Mills, Snowden’s girlfriend of several years, didn’t know that he had been collecting documents to leak to journalists until she heard about it on the news, like everyone else.]

Snowden: When we talk about whistleblowers and what to do, you want to think about tools for protecting your identity, protecting the existence of the relationship from any type of conventional communication system. You want to use something like SecureDrop, over the Tor network, so there is no connection between the computer that you are using at the time — preferably with a non-persistent operating system like Tails, so you’ve left no forensic trace on the machine you’re using, which hopefully is a disposable machine that you can get rid of afterward, that can’t be found in a raid, that can’t be analyzed or anything like that — so that the only outcome of your operational activities are the stories reported by the journalists.

Micah: [SecureDrop is a whistleblower submission system. Here is a guide to using The Intercept’s SecureDrop server as safely as possible.]…

On Simple and Practical Threat Modeling:

Snowden: …You can drive yourself crazy thinking about bugs in the walls and cameras in the ceiling. Or you can think about what are the most realistic threats in your current situation? And on that basis take some activity to mitigate the most realistic threats.

In that case, for most people, that’s going to be very simple things. That’s going to be using a safe browser. That’s going to be disabling scripts and active content…And making sure that your regular day-to-day communications are being selectively shared through encrypted means…

On How Cell Phones Track Us By Default:

Micah: People use smartphones a lot. What do you think about using a smartphone for secure communications?

Snowden: Something that people forget about cellphones in general, of any type, is that you’re leaving a permanent record of all of your physical locations as you move around. … The problem with cellphones is they’re basically always talking about you, even when you’re not using them. That’s not to say that everyone should burn their cellphones … but you have to think about the context for your usage. Are you carrying a device that, by virtue of simply having it on your person, places you in a historic record in a place that you don’t want to be associated with, even if it’s something as simple as your place of worship?

Wired: SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

by Andy Greenberg for Wired, November 11, 2015

This is really exciting, and what great timing!

The whole purpose of last weekend’s event was to get the word out about SecureDrop’s usefulness to the common man, and yet I couldn’t point directly to an example of it in action.

Then, lo and behold, when I woke up yesterday afternoon (heh, been a long week), I could not believe my eyes! A real world, shining example of SecureDrop in action. A hacker obtained over 70 million phone records that exposed some first class corruption: exploiting those who are already underprivileged and underserved in the community. In this case, prisoners and their families, who often barely have enough money for the essentials.

I’ll be posting a summary of The Intercept article that fully explains what the hack, and subsequent anonymous upload, exposed, shortly. It’s a little complicated, and therefore took me a minute to be able to summarize it – but it will be up soon… :-)

From the article:

“It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily and anonymously leak secrets to media outlets over the Tor anonymity network. Now, that system is finally bearing fruit, in the form of a massive dump of files from one of the country’s largest prison phone companies…”

“Just as significant as those revelations, perhaps, is how the Intercept obtained the documents that enabled them: The news site has confirmed that it first made contact with the anonymous source who provided the Securus files through the Intercept’s SecureDrop platform, starting with an initial sample of the Securus database uploaded around the beginning of 2015.

That Tor-enabled leak marks a landmark for a still-evolving form of journalism that takes a page out of the playbook invented by WikiLeaks: Like Julian Assange’s secret-spilling organization, SecureDrop allows anyone to run a cryptographically anonymous submission system for leaks and tips. Because that upload site runs as a Tor “hidden service,” anyone who visits has to run Tor too, making it very difficult for anyone to trace his or her location or identity—even the news outlet on the receiving end.

The Intercept’s lead security technologist—and a co-author of the Securus story—Micah Lee says SecureDrop’s benefit isn’t just anonymity, it’s ease of use. Instead of carefully using Tor to create an anonymous email address and figuring out how to encrypt email so that service can’t read their leaked secrets, sources can upload their leak or message using SecureDrop in seconds.

Lee says that this is far from the first time the Intercept has received useful leaks through the SecureDrop system. But the Securus revelations represent the first story of national significance where a news outlet has publicly revealed that the story’s source used SecureDrop anonymous submissions.

“We use SecureDrop on a regular basis, but this story is a little exceptional because we decided it was safe for us to mention that it came from SecureDrop,” Lee says. “This is exactly why we decided to run SecureDrop: to get juicy stories like this and do it in a way where we protect our sources.”

Come to the Aaron Swartz Day Privacy-enabling Mini-Conference

RSVP for the privacy-enabling conference, November 7 and 8, in San Francisco, at the Internet Archive.

The SF Hackathon will be going on downstairs, where Garrett Robinson will be, in person, with other folks from the Freedom of the Press Foundation, working on SecureDrop.

Meanwhile, upstairs in the “Great Room,” there will be a Privacy-enabling Software Conference that starts at the very beginning, for folks that are savvy enough to know they need encryption, but kind of don’t know where to start.

Again: this encryption and privacy-enabling training starts at the very beginning — with the folks from Keybase, who will be providing both a beginning and an advanced tutorial for folks who are just starting out:

10 AM: Session 1:
* Motivation: why encryption, what is public/private key encryption, and why is secure public key distribution important.
* The Keybase solution: social media proofs, client/server architecture, etc.
* Step through generating a key and installing Keybase
* Using Keybase via the website (https://keybase.io)

Break 10:50am-11:10am

11:10 AM Session 2 (advanced):
* Why you probably shouldn’t use Keybase via the website
* Using Keybase on the command line (or native app)
* Using Keybase with an email client
* Looking up public keys using Tor
* Preview of the Keybase File System

Lunch 11:50am-1pm

At 1pm, Cooper Quintin, Staff Technologist for the Electronic Frontier Foundation, will talk about the what, where, and how of Privacy Badger, EFF’s privacy-enhancing creepy-tracker-blocking browser extension. Come learn how you’re being tracked online, and how you can use Privacy Badger to take back your privacy as you browse the web.

At 2pm, Micah Lee, of The Intercept and the Freedom of the Press Foundation, will be giving his “Encryption for Journalists” workshop, so that journalists, librarians, researchers, or anyone else needing to, can protect their sources from prying eyes.

At 3pm, Micah Lee will cover using Onionshare and SecureDrop.

At 4pm, Brad Warren, a Let’s Encrypt Developer, will present Let’s Encrypt, a joint project between the Electronic Frontier Foundation, Mozilla, Akamai, Cisco, the University of Michigan, and open-source developers around the world. Let’s Encrypt is a free, automated Certificate Authority which anyone can use to quickly, easily, and securely set up HTTPS on their website in minutes–and the best part is you don’t even need to be a cryptographer or an experienced sysadmin to use it! In his talk, Brad will explain why setting up HTTPS is so difficult without Let’s Encrypt, how Let’s Encrypt is different, and how you can use Let’s Encrypt to secure your website and help bring the world one step closer to a completely encrypted web.

On Sunday, Alison Macrina, librarian and privacy activist and the director of the Library Freedom Project (a partnership among librarians, technologists, and privacy experts that helps people take back their privacy in an age of pervasive surveillance), will offer some solutions to help subvert digital spying. She will be presenting from 11am-1pm (with a break from 11:50-12:10):

Come learn about strategies for keeping your information safe from government and corporate surveillance! Alison will teach basic concepts in information security, and cover tools like Tor Browser, NoScript, passphrase management, safer searching, encrypted texting and other mobile security strategies, and more.

Lunch from 1-2pm

At 2pm, Zaki Manian from Restore the 4th will be presenting an introductory tutorial on using the Tor anonymity system on desktop and mobile computers. He will cover the Tor security model and practical application choices to make.

At 3pm, Zaki will give a developer-level talk on “the care and feeding of Tor hidden services.”

RSVP for the privacy-enabling conference.

And be sure to come to the evening event.