Journalists Generally Do Not Use Secure Communication

This should come as no surprise:

Alas, our findings suggest that secure communications haven’t yet attracted mass adoption among journalists. We looked at 2,515 Washington journalists with permanent credentials to cover Congress, and we found only 2.5 percent of them solicit end-to-end encrypted communication via their Twitter bios. That’s just 62 out of all the broadcast, newspaper, wire service, and digital reporters. Just 28 list a way to reach them via Signal or another secure messaging app. Only 22 provide a PGP public key, a method that allows sources to send encrypted messages. A paltry seven advertise a secure email address. In an era when anything that can be hacked will be and when the president has declared outright war on the media, this should serve as a frightening wake-up call.

[…]

When journalists don’t step up, sources with sensitive information face the burden of using riskier modes of communication to initiate contact—and possibly conduct all of their exchanges—with reporters. It increases their chances of getting caught, putting them in danger of losing their job or facing prosecution. It’s burden enough to make them think twice about whistleblowing.

I forgive them for not using secure e-mail. It’s hard to use and confusing. But secure messaging is easy.

Tags: email, encryption, PGP, privacy, Signal, whistleblowers

Posted on August 31, 2017 at 6:52 AM • 74 Comments

Comments

Sancho_P • August 31, 2017 7:05 AM

@Bruce:
Do you mean that kind of security where the app grabs all your contacts to collect intelligence re connections and “friends”?

Ben A. • August 31, 2017 7:37 AM

“I forgive them for not using secure e-mail. It’s hard to use and confusing.”

If you’re referring to PGP, I agree but the article says that 22 use PGP.

If you’re referring to a “secure email address” then there’s no excuse (for journalists) because it’s quick and easy to setup.

I understand a “secure email address” to refer to something like ProtonMail or Tutanota; both are reasonably secure if their non-secure email recipient engages with the journalist via the provided captive portal.

Jared Hall • August 31, 2017 7:40 AM

@Bruce: Why? Because journalists are the least knowledgeable about security. They simply care about a story, not the source. I doubt they get much cyber-security training in journalism school. That is also why so-called “leakers” don’t leak through newspapers much anymore, except via proxy.

225 • August 31, 2017 7:44 AM

This is written like secure communications means only online communications with strangers. I would hope that secure communications with people the reporters already know look like more like face to face meetings or dead drops or internet communications that they do not publicly advertise.

reader • August 31, 2017 8:08 AM

Assumption: May be it is cheaper and less time&nerve&energy consuming to focus more on direct human contacts again than on electronics – an eager agency may nevertheless be able to intercept regardless how much you try to stay up to date (and in case of a severe leak the laziest institution shows incredible and never before seen efforts to find the source…).
And you may be screwed by an error of your source – most of them may not be trained in infosec, too.

François • August 31, 2017 8:28 AM

What tool would you recommend for an individual to securely sign docs (pdf, words, ppt, zip)?

Dirk Praet • August 31, 2017 9:01 AM

@ Ben A.

AFAIK, there’s no such thing as a secure email address. I’m wondering too what they mean by that.

@ François

What tool would you recommend for an individual to securely sign docs (pdf, words, ppt, zip)?

M/S Office, LibreOffice, Adobe Acrobat and plenty of other apps allow you to digitally sign documents with a common X509 certificate. But that’s just a signature. If you want to send them in encrypted form to someone, and your opponent is not a resourceful state actor, the easiest way is for you and the intended recipient to get a free email certificate at Comodo, then configure your MUA (email client; Outlook, Thunderbird, Apple Mail whatever …) to use it for signing and encrypting mails. Alternatively, take a PGP course to do the same.

de La Boetie • August 31, 2017 9:08 AM

I feel it’s actually irresponsible to recommend any electronic & communications security to most journalists, unless it’s backed up by people resourced to deliver that – some media organisations have at least stepped up to the plate regarding secure drop.

However, if I were a source, I’d not touch tech with a barge-pole mostly, and I’d generally avoid attributable electronic communications generally. A dark and stormy night and a usb stick exchange/drop would be the thing (preceded by snail mail or burner phone contact just beforehand). Opsec is what’s needed, not tech so much.

Chairman Mao • August 31, 2017 9:27 AM

@Schneir

I forgive them for not using secure e-mail. It’s hard to use and confusing. But secure messaging is easy.

own and operate your own server and CA.
secure messaging is not secure because there is a third party involved.
Fourth, recipient shoud do the same.

Secure email is easy.

The hard part is the tortious interference by third party CAs and software companies.

Iggy • August 31, 2017 9:31 AM

@de La Boetie • August 31, 2017 9:08 AM said:

“I feel it’s actually irresponsible to recommend any electronic & communications security to most journalists, unless it’s backed up by people resourced to deliver that – some media organisations have at least stepped up to the plate regarding secure drop.

“However, if I were a source, I’d not touch tech with a barge-pole mostly, and I’d generally avoid attributable electronic communications generally. A dark and stormy night and a usb stick exchange/drop would be the thing (preceded by snail mail or burner phone contact just beforehand). Opsec is what’s needed, not tech so much.“

Spot on.

Better yet, we should all give our backs to the “journalistakinder.” Anymore, all they do is snitch us out to the ever listening enemy (of which there are many, of all political stripe), when they themselves aren’t sympathizing with the enemy, that is.

@Schneier, Trump hasn’t declared war on the 5th Column– er, I mean the 4th Estate. He is defending himself against the war declared on him by the butthurt agitpropists. He has the right to do so. He is still a human citizen, after all.

Adam Hooper • August 31, 2017 9:33 AM

Twitter bios? Seriously?

Sources often don’t even know their own risks, the likelihood they’ll be caught, who might catch them, or (really) whether their facts are important or not. There’s no way to give a primer on threat modeling in 160 characters.

Some would say it’s journalistic malpractice to give security advice through a Twitter bio. It’s certainly wrong for a source to follow that advice, even if a trusted journalist wrote it.

More important are the (https-only) “leak to us” pages on news sites. Those are the first sign of an institution’s sense of responsibility.

parabarbarbian • August 31, 2017 10:02 AM

Considering how the “deep state” is using leaks to undermine Trump, I am a little skeptical of how useful the conclusions are. There are a lot of leaks happening from “unnamed sources” but few repercussions. I suspect the press is sticking with the tried-and-true deep throat approach to security. As other have pointed out, there are less public ways to leak data than using the Internet.

asdf • August 31, 2017 10:44 AM

@Adam_Hooper I’ve read the rationale for doing this. It’s much easier to leave the job of securing a website (so someone doesn’t distort your contact information) to Twitter than managing it individually (especially for journalists). Also, it’s harder to pretend to be someone else with a fake account if the target tweets frequently. Also, if the target doesn’t put their contact information in the bio but rather a link to a previous tweet containing their contact info, an account hijacker would be less discreet if they tried to change the information (by either putting out a new tweet or breaking the habit of not including the contact information in the bio). It’s probably also harder to block Twitter as a whole than smaller activist/journalist websites. Surveillance is the biggest issue I know of, but wouldn’t tor help with that?

oliver • August 31, 2017 10:58 AM

Hi everybody

Matthew Green has a blog post for just that exact situation.
A primer for secure communications.

Check it out via gogle.
Cheers, oliver

neil456 • August 31, 2017 11:10 AM

Most Washington journalists are in bed with the government and instead of doing research or investigating, they just repeat the expected dogma or propaganda. I think the numbers put forth here are probably the total number of real journalists in Washington.

I’ll bet that none of the ones with some form of encryption are with the major media outlets.

Evan • August 31, 2017 11:28 AM

@Dirk Praet
The problem is, with journalists, your adversary usually is a state actor. That suggests to me that a lot of them don’t bother with more secure practices because they don’t think any countermeasures within their power are effective against their threat model. Which isn’t necessarily the case, but it’s certainly a feeling the FBI, NSA, GHQ, FSB, etc want to cultivate.

Clive Robinson • August 31, 2017 12:32 PM

@ Bruce,

Journalists Generally Do Not Use Secure Communication

I’d argue that NOBODY using the Internet is using “secure communications”, and for perfectly good and understandable reasons.

To see why you first have to do what you have not and define what you think “secure is”.

When both of us first started out in this game –for that is what it actually is– many many years ago the common definition for security was “encrypyed contents”. Because back in the 80’s few people let alone in the public domain were talking about security against “traffic analysis” or what we now call “meta data analysis”.

Becaise in part, most people doing “secure communications” were either using radio links or phone networks under their control, which behave very diffetently to the Inyernet. And in part because they were using equipment that had been designed to stop a whole variety of attacks.

Importantly attacks that we now consider “every day” such as “end runs” around the security end point exist because the communications path available to an attacker “extends beyond the security end point available to the user in their device”. That is with a Smart phone etc etc etc the network operator, OS designer, hardware manufacturer and many others can simply reach in through the communications interface around the securiry end point inside the application into the plain text User Interface”. So smart devices etc etc etc are not in any way secure, nor can they be.

It could be argued that such attacks are too resource intensive to be used against all smart device users. Whilst in an abstract sense that might be true, it’s compleatly irrelevant.

The reason is that if someone is considered a person of interest as “whistle blower journalists” were under the Obama administration the SigInt agencies due to their position within the network infrastructure –ie inside the likes of Cisco etc routers– could and do trace packets back directly or using various traffic analysis techniques through low latency onion networks like Tor.

Having found your connection point to the Internet they can enumerate your device and thus use any number of attack methods to get at the User Interface on your smart device, if they want to.

But they probably do not need to as they have probably already done that to the journalist who is the person of interest. Thus the SigInt agency gets to read your communications on the journos smart device without having to either find or infiltrate your device…

So if you are a whistle blower and want to stay out of jail or self imposed excile for the rest of your life, you have to be a lot more switched on than Ed Snowden was. Because his activities caused the level of the game to be raised considerably.

As I keep saying to people a secure app on a smart device is a very dumb idea security wise. But then the OpSec involved with actually being secure is very far from convenient which is why most people will never ever have secure communications even if it is –as it currently is– technically within their reach.

Ben A. • August 31, 2017 12:55 PM

@Dirk Praet

AFAIK, there’s no such thing as a secure email address. I’m wondering too what they mean by that.

In the article itself it says

“…reporters could use end-to-end encryption made possible by technologies like Pretty Good Privacy or secure email like ProtonMail…”

I think Bruce has inadvertently conflated PGP and Secure Email. I’m not suggesting he doesn’t know the difference, of course he will, but when he speaks of ‘secure email’ as being “hard to use and confusing” he surely must mean PGP.

ProtonMail and Tutanota are very easy to use ‘secure’ email services. They can be used by subscribers of the respective service to send secure (internal) communications to one another or they can be used to send email securely to an external address. If a journalist instigates a private communication with a source all he needs to do is send the recipient an email and then communicate the symmetric password to the recipient; ideally out-of-band.

ProtonMail/Tutanota send the recipient an email containing a link and then, once the password has been entered correctly the recipient can read, reply and or use that link to send subsequent secure emails. Their captive portals are secured with Extended SSL validation (that’s a discussion for another day) and they use DANE, TLS, DMARC, DKIM and all of the other various technologies to keep the message as safe as possible. Nothing’s 100% secure but this method is foolproof; anybody who can use Gmail can use ProtonMail or Tutanota.

@Adam Hooper

“Twitter bios? Seriously?”

They’re talking about using Twitter bios to publish their PGP fingerprint, Signal number etc. They’re not suggesting disseminating security advice through the bio.

@ François

“What tool would you recommend for an individual to securely sign docs (pdf, words, ppt, zip)?

GnuPG will sign any file and if you’re on Windows you can use the GUI. It’s difficult for non-technical recipients to validate the documents so you can get free/paid certificates to sign these documents.

The free certificates normally produce a validation error in PDF because Adobe want to make money by selling their own. You can always make a self-signed certificate in your OS – more secure than getting one from a CA but it’ll lead to error messages because it’s not trusted by default.

Easier still use a PGP signature if it’s just a text document and include it at the end of the document. Those who don’t know what it is can ignore it; those who know what it is will know how to check it.

Alternatively, and it’s not the same as signing, but calculate the SHA-256/SHA-512 checksum and distribute that alongside the file.

SecureZIP allow you to use certificates to sign and/or encrypt ZIP files but it’s not free.

https://support.pkware.com/

Bob • August 31, 2017 1:17 PM

@Bruce

As others have commented, secure email is not hard. I’ve been using both signal and protonmail for years now with a big portion of my social circle, and I’ve found protonmail is in many ways easier than signal, for me and for them. Signal often fails sending messages, recognizing contacts, etc. Besides, protonmail can be even more secure than signal, if you think phones are the most vulnerable end-points you can think of.

albert • August 31, 2017 1:43 PM

Is this a joke?

There are only a handful of real investigative journalists in the US. Are there any in the MSM? The rest are the useful idiots of the corporately-controlled gov’t. Except for digging up dirt on Trump, why would they need ‘secure’ communications?

If you’re discussing classified information* and aren’t cleared, you’ve already committed a crime, whether it’s published or not. (It’s also criminal for cleared IC professionals to do the same on -unsecured- channels).

@neil456, you are correct. We will not see any revelations from the MSM, just echoes of the party line.

*of a national security nature.

. .. . .. — ….

MM • August 31, 2017 1:46 PM

“I forgive them for not using secure e-mail. It’s hard to use and confusing.”
Why they have one of the best ways to provide public with their own key fingerprint but as someone wrote if you know something about the topic they try to inform public about you know how little journalists know about it and plausibly anything else!

Chairman Mao • August 31, 2017 2:10 PM

@Bob

Protonmail is a joke.

Bob • August 31, 2017 2:46 PM

@Mao

Protonmail itself may not be as good as signal, but its not a joke. To me, it seems a joke to have an app as a golden standard, when to use it you have to use a phone, when we know how difficult (maybe impossible) phones are to secure and when even intelligence leaks tell us intelligence is pointing all their guns at phones.

Pavel • August 31, 2017 3:11 PM

So much is often said about “it’s too complicated,” and this is so often repeated as to become, I think, sometimes self-defeating. The problem is that to do one of these things wrong (i.e. by simply ignoring the authentication portion of the otherwise very-easy-to-use and reasonably secure OTR plugins over instant messenger apps, which many do, or to be careless about key exchange in general) makes one not only have wasted one’s time but to additionally have made oneself a target. The “too-complicated” mindset, however, took hold well over a decade ago; now, sure, we’ve better “not-so-complicated” alternatives than totally spuriously secure things such as hushmail, but, I think in the case of journalists who are writing about things like national security and the Internet (as well as organized crime and many other things one might imagine) we ought not to apologize for them so much as to demand a little more technical literacy.

PGP is sort of a failed product because it’s made use of, mostly, by geeks, and also, mostly badly, by a few criminals (especially geeky criminals of the net.drugs sort) but one of it’s clear goals from way back when was to achieve a degree of ubiquity so as not to stand out as a target to traffic analysis. Once one has been caught up in traffic analysis, as pointed out above, then unless one is very, very good (better than I would trust most journalists, or even myself or the average Schneier blog reader) then if the persistence of one’s adversary is even moderate and one’s adversary is a nation-state, then it is all for naught. This is were Signal, it’s semi-ancestor OTR (who’s tagline awas originally, “Don’t Use PGP,” and for exactly these purposes, right?”*), and things of it’s sort are doing a slightly better job, but their ubiquity is still the same, ubiquity amongst geeks and crooks. Nobody else really cares all that much.

The fact that to most people we even have to go into a fairly lengthy discourse to explain why OTR and PGP are two different technologies with different roles and the differences between security, authentication, and so on, shows just how much of an uphill fight that there is.

If one is serious, I don’t think that there will be any technological solution that is one-size-fits-all. This is obvious or even clichéd, but I want to say so in a stronger sense: In the situation described, journalists inviting secure communications, it should not all that difficult to, if one knows what one is doing, get a (relatively) anonymous and hard-to-attribute message to a journalist. From there, the security solution really should be bespoke and tailored the specific needs of the two parties. If news organizations prominently featured people who’s job this was and who carried with them all the implicit/inherent trustworthiness of the journalists themselves (which in most circles these days is sadly not very much … another issue altogether), so much the better; but if one wants to leak to a journalist, or continue a conversation with a journalist, and one is more technologically adept than they are, going for a completely bespoke solution, and most likely one involving some last-century OPSEC discipline, is going to be the way to go. For day to day source-journalist correspondence, then, again, if they aren’t technologically proficient or have access to someone trustworthy who is, they are going to have to pick a solution and stick to it.

Once more and with feeling, a low-tech solution will often be better than a high tech one; yes, perhaps involving pieces of paper and phones without touch screens and quadcore CPUs and all that, at least when there is something of importance to be discussed, and laying down the “protocol” for doing that had ought to be first among the priorities of establishing a relationship between journalist and source, right up there with (in fact, as a part of) establishing bona fides.

Looking for a generic (even generic-per-journalist) solution to this is just not going to work either for journalists or sources.

Pavel • August 31, 2017 3:16 PM

[apologies for double posting]

**But, of course, the fact that we’re talking this a very closed and élite group (2,515 Washington journalists with permanent credentials to cover Congress), they already have their political sources totally ensconsed for the most part and may do some cloak-and-dagger stuff if there were a Watergate-tier leak, but towards outsiders, I think it’s presumptuous to assume that this particular cadre of journalists either has much use for them or will be much use to them. They are already in a parasitic (or more often symbiotic) relationship with their political hosts and rely on them for patronage by way of leaks and political cover repaid generously in getting out messages insiders want out, disguised as messages outsiders want from within.

Thoth • August 31, 2017 6:03 PM

@Clive Robinson

I wanted to write a response which is similar to what you said but after much consideration, it ain’t worth it as people will start to call snitches and flaming.

Save my saliva and let those who so believe in these myths continue to believe.

Not really nice to burst their dreams and let them continue to dream on 🙂 .

Mark • August 31, 2017 6:53 PM

Bruce, using secure messaging apps isn’t easy.

Whatsapp? American-owned, no independent review, no source code available, no encryption of metadata. Guess how Facebook make revenue?

Telegram? Homegrown crypto, opt-in encryption, collects data.

Viber? Ex-Israeli intelligence services. You can’t make up this stuff.

Wickr? American-owned, no source code.

Google whatever. You’re kidding me.

Signal, Wire, and Threema are good choices. But all of them have their problems. (American-owned, some metadata collection, no PFS respectively).

Dirk Praet • August 31, 2017 7:10 PM

@ Ban A.

ProtonMail and Tutanota are very easy to use ‘secure’ email services.

I am familiar with both. The recommended way to set up a Proton account is by first creating a Tutanota identity and using that as your request email address for the Proton one. You do both running from a TAILS or similar live DVD and off a preferably older machine stuffed with RAM and without any Intel ME stuff. After that, always check your Tutanota/Proton mail in the same way. Never access it from your day to day machine, tablet or smartphone.

The usual caveat applies: the entire setup is useless when the endpoints have been compromised.

@ Chairman Mao

Protonmail is a joke

I can imagine it must be a great laugh indeed to watch the girls you share with your buddy Chiang trying to figure out how Protonmail works.

@ Evan

The problem is, with journalists, your adversary usually is a state actor.

Unfortunately so. I wouldn’t exactly recommend S/MIME to a journalist.

@ Thoth

Not really nice to burst their dreams and let them continue to dream on

Sometimes, it is inevitable to burst people’s dreams for their own good. But there sure as hell is no one who’s going to accept a word of what you’re saying if you do it in a condescending way, offering alternatives that either don’t exist, are not publicly available, nobody understands or is just technically incapable to implement. Eventually, you will just come across as a git, people will start questioning your motives and/or ignore you, thus defeating the entire purpose. Building solutions is one thing. Knowing how to sell them the right way something entirely different.

Don’t get me wrong, mate: I’ve got a lot of respect for the cool stuff you’re building, which definitely is a step in the right direction and which I do hope at some point will become mainstream. I’d even pay to become an early adopter. But you’re really shooting yourself (and your work) in the foot with this sort of really unnecessary sarcastic comments that are visibly influenced by another commenter here many of the regulars are already ignoring. Please don’t become like him. I know you’re better than that.

Thoth • August 31, 2017 7:11 PM

Telegram is closed source as well and I tried installing once, it sucks up all the contact if I did allow it to.

Tried to install Signal too, and also attempts to suck up all my contacts lists if I did not disallow it.

Google Allo with it’s Google AI are constantly listening to your chatter. It is also closed source too. Oh and all your phone contacts are Google contacts anyway if you are on Android. How trustworthy is the ‘Off the record messaging mode’ in Google Allo is not verifiable as it is a blackbox.

Let’s stop lying to ourselves to we have security. They do not truely care otherwise a much more robust and open solution would have been available.

Nothing will change for now and nothing will change in the future. All are welcomed to continue living in this dream that some algorithm is all it needs to be considered secure. Continue to make more excuses to not practice proper OPSEC, not want to air-gap your stuff and continue to be lazy and this is what happens.

Security is just another business model at the end of the day. What matters is people buying into the idea and purchasing the product be it WhatsApp, Signal, Telegram … money has to come from somewhere to keep them updated and running.

Pavel • August 31, 2017 7:27 PM

Continue to make more excuses to not practice proper OPSEC, not want to air-gap your stuff and continue to be lazy and this is what happens.

This, generalized, is really a big part of the problem, mentally.

People just want a consumer product to plug’n’play/fire’n’forget and don’t realize that by the time they really want to communicate safely, they’re not really in this ordinary civilian realm anymore even if they want to keep there mindset.

The cypherpunk dream of an Internet of universal anonymity and security and therefore freedom is, or has been made a long time ago, into a joke.

Way back when I had my PGP in my email sig when I was using a shell script rigged into PINE to do everything. And there were key-signing parties and all these things like that, but it never penetrated into the mainstream because it was just a geek hobby. Now the technologies are different; most of them, as pointed out before, with their own problems, but the plug’n’play mindset is just not going to work against an advanced adversary.

And if an advanced adversary is not in your threat model then even checking your webmail via https (if not on open, unencrypted Wifi) is probably overkill anyway. Who are the half measures really intended to beat? Corporate espionage? Low-priority LE operations? Or just a certain sector of the public’s imagination about government & other snoops, which doesn’t really effect them to begin with?

Clive Robinson • August 31, 2017 7:43 PM

@ Thoth,

Not really nice to burst their dreams

I would rather hurt their feelings a little than have someone else hurt them alot by loss of property, liberty or even life…

As Cardinal Richelieu noted in his twenty years of unrivaled power “Give me six lines from the hand of the most honest man, and I will find in there reason enough to hang him”. When you are up against such a mentality it is best to not alow them one word let alone six lines.

Worse still like others here “I have form” as an experienced and accurate doom sayer and in times past I would probably have ended up with rather more than my feet put to the fire.

Whilst kind words will make my ears change colour very easily, to harsh words and profanities my hide has toughened to the point a rhino would look on it with envy.

What my Ex noted she most hated me for was not that I was always right because I was not, but when I cautioned against certain actions and she went ahead it would almost invariably go wrong… So yes a thick hide is what I grew, and unlike W.C.Fields[1] I can remember her name and I do go back and thank her on a regular basis 😉

[1] One of the variants of his quote about women and drink is “I can not remember the name of the woman who drove me to drink, for it is a shame as I never went back to thank her”.

Clive Robinson • August 31, 2017 8:07 PM

@ Dirk Praet,

… offering alternatives that either don’t exist, are not publicly available, nobody understands or is just technically incapable to implement.

As I’ve indicated in the past most of the current content security problems can be solved by taking the security end point out of the communications end point.

It can be as simple as using another “off line device” or even a secure pencil and paper cipher like the one time pad.

The big problem is “it’s not convenient to use” where as applications on a smart phone are even though they can not be made secure.

Drone • August 31, 2017 9:24 PM

What difference, at this point, does it make? All the ‘news’ these days is in large-part – fake.

Chairman Mao • September 1, 2017 12:17 AM

@Dirk @Bob

@ Chairman Mao

Protonmail is a joke

I can imagine it must be a great laugh indeed to watch the girls you share with your buddy Chiang trying to figure out how Protonmail works.

Chiang and I have a different type of “key escrow.”

EvilKiru • September 1, 2017 12:28 AM

@Chairman Mao:

My guess is old-style keyhole keys on a chain around your neck. 🙂

Chairman Mao • September 1, 2017 12:43 AM

@EvilKiru

My guess is old-style keyhole keys on a chain around your neck. 🙂

We NEVER surrender our keys!

reader • September 1, 2017 2:10 AM

Gentlemen,
thanks for all the comments which are insightful of their kind. You all seem to deal a lot of your hours with infosec, may be it is your profession. Please accept that a journalist can NOT invest a comparable amount of time following and weigh such discussions to then try to decide which of all these wisdoms is really the one most true and to be used as lifewest in dangerous waters.

It does not end with the way of communication but continues with storage – how many hours do I have to invest to check the actual status of i.e. Truecrypt and successors etc?

Besides that the bigger problem seems to be on the end of the source who in many cases is NOT trained in any way to deal with his personal risks. In most cases a seized mobile phone not switched off is enough for any hunter… (given what is known about such investigations).
But admitted: Journalists have to learn more from all of your knowledge. Seriously. Thanks for insights.

Clive Robinson • September 1, 2017 4:09 AM

@ Reader,

Please accept that a journalist can NOT invest a comparable amount of time…

It’s a point that has been made on this blog a number of times in the past.

Along with the observation that the likes of 24Hour coverage has made the news gathering and presenting cycle so short that often there is no time to do basic fact checking. Worse yet this has got into more conventional journalism which when coupled with the Internet has caused the likes of “Click Bait” headlines and vacuous tivial content repeated often word for word from one online MSM outlet to the next.

Thus for many journalism is nolonger a proffession with reporting standards it is now a low paid grist mill / sausage machine where time to publish not integrity is the money driver.

Worse –also dicussed a few times here in the past,– the equipment used for news gathering has gone up in sophistication faster and faster with product cycles measured almost in weeks not years.

Thus back in the day of hand written notes, audio tape and film camera journalist could burn the paper/tape/film to quickly ensure no usable trace was left. Now however with digital storage it is almost impossible for even experts to reliably delete recorded material that might contain source identifying information.

And as has been noted the likes of the Obama administration ensured that spying on journalists was standard practice by the likes of the FBI. In effect openly giving them the powers that J Edgar Hoover wielded in secret to stay in power.

Dirk Praet • September 1, 2017 4:30 AM

@ Clive

As I’ve indicated in the past most of the current content security problems can be solved by taking the security end point out of the communications end point.

A point – and the solutions for which – you have been driving home relentlessly for as long as I can remember. And always in a highly informed, polite, witty and educational manner while at the same time pointing out the many pitfalls and shortcomings of methodologies and applications erroneously believed or sold to be secure. Your teachings on endpoint subversion, use of OTP’s, encryption/communication separation, traffic analysis on low latency networks and old-school OPSEC nowadays are key elements in my own discourse whenever talking security to folks, whether it be in casual conversations or formal presentations to customers. And for which I owe you a great deal of gratitude, sensei 😎

But never once have I caught you indulging in name calling, silly golden sticker rants or otherwise condescending behaviour towards less knowledgeable or experienced folk merely trying to learn more about, or (marginally) improve their day to day digital privacy, security and anonimity practices.

As even our respected host has pointed out in the past, you are not just a shiny beacon of knowledge and experience on this forum, but first and foremost also a true master at conveying a strong but difficult and complex message without resorting to insults or otherwise demeaning or alienating your audience. Please don’t think for a second that I was referring to you in my previous reply to @Thoth.

Who? • September 1, 2017 5:30 AM

Journalists are as clever as anyone. They just do not care about good security practices because it is not usually their lives what are in danger but the lives of their sources. They have no incentives to practice good OPSEC.

Thoth • September 1, 2017 5:54 AM

@Clive Robinson

It is interesting that most debates these days are lowered to the level of attacking individuals directly instead of attacking bad ideas and bad concepts. Maintaining the old ideals of targeting the bad ideas and bad concepts with some sarcasm as long as it does not target individuals are over and individual trolling and flaming seems to be the way to go.

Who? • September 1, 2017 6:01 AM

@ Mark

Whatsapp, Telegram, Viber, Wickr, Signal, Wire, Threema and/or Google whatever. Who cares?

These apps run on weak operating systems. Even if the operating system itself is secure (and it clearly is NOT) the firmware on the broadband modem has been compromised so it can read device’s memory, as shown by one of the readers of this forum a few months ago.

Remember, intelligence community does not try breaking encryption —or the software that provides it— if it is easier compromising the computers where it runs. Mobile phones cannot be trusted; even a secure operating system running on them can be easily compromised from the WWAN modem.

wumpus • September 1, 2017 7:37 AM

@de La Boetie: “opsec is what is needed, not tech”

I’d expect that nearly all of these “approved methods” have some nasty failures modes (from running on untrusted OSs full of malware, to simply being co-opted by those seeking whistleblowers to begin with). Dealing with a journalist is essentially the “worst case” for this tech: anyone interested in unmasking your identity knows one side of the communication, and you can assume that said journalist made every possible mistake in using the tech.

I’d strongly suspect that a simple burner phone would go a long way to save oneself from a clueless journalist. Obviously, all suggested methods would go better on burner equipment, but I suspect the most important aspect is to leave no viable trace (and cash works better than bitcoins in covering your traces).

Contacting a journalist means a known point where the information is coming from, and an insecure point at that. The tech discussed here sits on a huge stack full of security holes, opsec is needed so that the stack need not be trusted. Mark Felt’s (Deep Throat) opsec was impressive (it has been listed on this site) and part of the reason he is only known after he revealed himself before death (although Woodward obviously knew who he was).

Dirk Praet • September 1, 2017 7:40 AM

@ Thoth

It is interesting that most debates these days are lowered to the level of attacking individuals directly instead of attacking bad ideas and bad concepts

I am sorry you see it that way, and it was not my intention to offend you . If it is the wish of our host and a majority of visitors to turn this forum into a blog for qualified engineers only, exclusively discussing HA security all while sarcastically belittling everything and everyone that does not meet their standards, then I will gladly oblige, hold my peace and move somewhere else.

Meanwhile, both myself and several other regulars here are indeed fed up with said attitude that instead of promoting a culture of better security awareness and practices with the average reader seems hell-bent on convincing them that they are just a bunch of dumb*sses that should either get themselves an engineering degree or crawl back under their stone because everything they do or is publicly available is utterly useless anyway against any type of opponent every netizen is dealing with on a daily basis.

ab praeceptis • September 1, 2017 9:13 AM

Dirk Praet

instead of promoting a culture of better security awareness

Which begs the question what exactly you contribute in that regard.

Calling people with views one doesn’t like “nazis” or “racists” is hardly “promoting a culture of better security awareness” or do I miss something important?
Similarly painting people one doesn’t like as somehow arrogant and elitist is hardly “promoting a culture of better security awareness”.

You might want to note that our host, Bruce Schneier a) expects people to act in good faith (which ignoring and attacking other users hardly is) and b) contributed quite considerably and very concretely to security, i.a. by a csprng used in some OS and, of course, by creating and making available the *fishes (blow-, two-, etc) – which in your world view seems to be considered elitist and arrogant.

In other words: There is also a need for competent and knowledgeable contributions and discussions. Not exclusively, of course, but as an important part.

You should seriously consider to contribute more constructively and to be less extremist in judging and behaving towards people you don’t like and/or whose views you consider inacceptable.

The following thought might help: all of us were born naked – also in terms of knowledge – and all of us have grown and gained knowledge by thinking about views we didn’t like and which were expressed by people we didn’t particularly like.
In our field we even need to understand adversaries as well as possible. To just dislike and to gratuitously label as somehow evil people who are on the other side, no matter whether as Eve (security) or as someone with politically different views is but obstructing one self as well as ones growth.

And, more on a private note, pardon me, you don’t really think that your allusions to some pub and its rules has any argumentative weight? (or is my image of you way too optimistic?)

Let us stick to Bruce Schneiers rule of acting in good faith. Let us accept the fact that we seem to be quite different men with quite different views and let us contribute here, each in his own way and with his own strengths.

Chairman Mao • September 1, 2017 9:47 AM

Meanwhile, both myself and several other regulars here are indeed fed up with said attitude that instead of promoting a culture of better security awareness and practices with the average reader seems hell-bent on convincing them that they are just a bunch of dumb*sses that should either get themselves an engineering degree or crawl back under their stone because everything they do or is publicly available is utterly useless anyway against any type of opponent every netizen is dealing with on a daily basis.

Everyone is AWARE that NSA reads your Gmail.
Everyone is AWARE that NSA taps your phone.
Everyone is AWARE that NSA inserts backdoors into almost everything.
Everyone is AWARE that NSA hacks computers everywhere.
Everyone is AWARE that NSA is a tool of political hacks and ‘connected-individuals’ the power of God.

Now, everyone is AWARE.

What’ya gonna do about it?

To me, the answer is simple.

AJWM • September 1, 2017 10:30 AM

@Clive
Thus back in the day of hand written notes, audio tape and film camera journalist could burn the paper/tape/film to quickly ensure no usable trace was left. Now however with digital storage it is almost impossible for even experts to reliably delete recorded material that might contain source identifying information.

Burning still works. Not easy on a hard drive (unless you have thermite handy, the Curie point of magnetic disk substrate is probably higher than most ovens can reach, although the aluminum might melt…) but an SD or microSD card wouldn’t last long.

Hmm, I wonder what the effect of digestive juices would be. A microSD card is about small enough to swallow…

Chairman Mao • September 1, 2017 10:50 AM

@ALL

As I said, we are all AWARE.

@Pavel

The cypherpunk dream of an Internet of universal anonymity and security and therefore freedom is, or has been made a long time ago, into a joke.

VERY good comment and analogy.

I had the same ‘dream’.

So, what happened?

Way back when I had my PGP in my email sig when I was using a shell script rigged into PINE to do everything. And there were key-signing parties and all these things like that, but it never penetrated into the mainstream because it was just a geek hobby.

Smart man.

But, WHY did it become just a ‘geek’ hobby?

Could it be that we relied too much on other ‘geeks’ to figure it out? All of which are on some oligarch’s payroll who craves even more ‘power’ over the masses, political parties, diplomacy, and even nuke launches? All of whom may be sucking on the same tittie — you and yours?

Now the technologies are different; most of them, as pointed out before, with their own problems, but the plug’n’play mindset is just not going to work against an advanced adversary.

(“They” includes the likes of IBM, Microsoft, Oracle, Google and a few others owned by the entire Alphabet of ticker symbols?)

How many lawyers does it take to screw in a lightbulb?

How many different ways can ‘they’ (“them” being not “us”) recycle the same Cheech and Chong Labradorian turds into a huge joint for your enjoyment and pleasure and paycheck?

Hmm, I wonder what the effect of digestive juices would be. A microSD card is about small enough to swallow…

Tommy Chong said, “Wow man! You just take the most acid I’ve ever seen anybody eat in my life!”

https://www.youtube.com/watch?v=y_Ey3AucXFc

What’s the real problem?

What’s the solution?

Dirk Praet • September 1, 2017 12:46 PM

@ Chairman Mao

Everyone is AWARE that NSA reads your Gmail.

One of the few things I ever agreed upon with @He-who-must-not-be-named is that the NSA is neither omnipotent, nor is 99.9+ percent of the world population of any interest to them. Or to any other TLA, for that matter.

Whilst you are indeed pretty much defenseless the moment you become a person of interest – and therefor a target – to them, the simple fact of the matter is that they don’t give a flying f*ck about the average citizen until such a time that he does. And it is well within the power and capability of said citizen to significantly improve his odds at defeating both corporate and state actor mass surveillance by using a vast array of (however imperfect) publicly available tools, techniques and methodologies.

Anyone unable to differentiate between mass surveillance and targeted surveillance after it has been explained about 15 times to them, and on top of that slandering any party making publicly available such imperfect defenses, is either a git, a spook, or both.

Chairman Mao • September 1, 2017 12:59 PM

@Dirk

Whilst you are indeed pretty much defenseless the moment you become a person of interest – and therefor a target – to them, the simple fact of the matter is that they don’t give a flying f*ck about the average citizen until such a time that he does.

CEOs of NYSE listed companies are POIs to every white collar criminal on the block.

Cops are POIs to every criminal on the block.

Honest cops are POIs to every crooked cop, too. (What was his name? Serpico?)

So, again, I ask? What’s the problem? And the solution?

Another Labradorian Turd Sushi Roll?

ab praeceptis • September 1, 2017 1:49 PM

Dirk Praet

Whilst you are indeed pretty much defenseless the moment you become a person of interest – and therefor a target – to them, the simple fact of the matter is that they don’t give a flying f*ck about the average citizen until such a time that he does.

That’s just a hypothesis, albeit one with which I agree.

And it is well within the power and capability of said citizen to significantly improve his odds at defeating both corporate and state actor mass surveillance by using a vast array of (however imperfect) publicly available tools, techniques and methodologies.

No. Three main reasons:

a) the premise is highly probably largely false

Both state and large corps. are almost certainly not hunting for concrete and personal data. Large corps are hunting for data that can give them an advantage (and be it simply selling those data). States’ interest is in a can-do position and they are, I’m convinced, largely defensively acting, even acting our of fear. What they are mainly after is “we could so something” and “we have some levers in that weird network world” (where most of their classical power and control paradigms don’t work.

b) the tool premise is highly likely false for both sides.

I do not think that state mass surveillance tools are somehow primitive (as opposed to nsa tao). It’s another playing field but I think we shouldn’t take mass surveillance lightly assuming that their tools are crude and feeble.

At the same time I think that most of Janes and Joes tools are questionable at best. Not only are Jane and Joe largely clueless (and, frankly, usually not even interested enough to shift the balance between comfort and security somewhat) but the common tools (signal, telegram, etc) are a) from questionable sources (tainted e.g. by darpa involvement) b) possibly actually traps – a classical and well known state approach.

c) It doesn’t come for free. There is a price to pay and a horrible one, namely that one risks to paint a “elevate me to higher risk target” on ones head.

From what I see, there is the question to answer whether more perceived privacy is worth to be noticeable out of the main stream and such inviting more state scrutiny. Btw, I think that the state players are largely not or wrongly understood. “not being like all the others” is the classical trigger for state agencies to look closer.

Unlike what you seem to think of me (elitist, arrogant, doesn’t care about Jane and Joe) I actually have thought quite a lot about Jane and Joe.
The cornerstone of the result -> we (security people) simply can not do much about it. The major factors defining Janes and Joes behaviour, interests, priorities are simply way outside of our realm; they are of a social nature. The only real and working solution I see to get Jane and Joe out of the danger zone is education and by that I mean not a lesson from you or me but a significant change in education (and education systems) generally.
If Joe and Jane aren’t educated both by the education system and by the system (state) to be clueless, willing, and largely defenseless sheeple they might actually listen to us. Right now they don’t; they might complain occasionally but their readiness to change anything themselves is sadly low.
And you bet that most states like it the way it is.

Chairman Mao • September 1, 2017 2:41 PM

@ab praeceptis

The cornerstone of the result -> we (security people) simply *can not* do much about it. The major factors defining Janes and Joes behaviour, interests, priorities are simply way outside of our realm; they are of a social nature. The only real and working solution I see to get Jane and Joe out of the danger zone is education and by that I mean not a lesson from you or me but a significant change in education (and education systems) generally.

Three kinds of people:
1) Wolves
2) Sheep
3) Sheep Dogs

So… Now what’s the solution?

ab praeceptis • September 1, 2017 3:32 PM

Chairman Mao

1), 2), and 3) is your summary, not mine.

As for what to do/the solution: As far as I am concerned I will simply continue to do what I can do, which is largely of a technical nature and some preaching to professionals/developers; while most of them are not really far away from Jane and Joe we at least have some common ground and I can reasonably entertain the hope they might occasionally take a hint and think about the problem.

As for Jane and Joe I have nothing to offer. Not because I don’t care or like to but largely because of what I said above and because technical solutions for the masses have their own problems, i.a. “marketing” which I’m simply not interested in.
If I can occasionally help the good cause for the Janes and Joes (which is rarely the case due to many and considerable differences) I will do my share but generally I have my own ways. To offer at least a hint: there are groups with some muscles and a strong interest to fight what nsa embodies; they have use for what I can offer (funnily there seem to be not really many with my profile) and I can use what they have to offer and what I lack.

Chairman Mao • September 1, 2017 3:39 PM

@ ab praeciptis

As for what to do/the solution: As far as I am concerned I will simply continue to do what I *can* do, which is largely of a technical nature and some preaching to professionals/developers; while most of them are not really far away from Jane and Joe we at least have some common ground and I can reasonably entertain the hope they might occasionally take a hint and think about the problem.

Well, at least you’re thinking. More than most.

However, how many preachers (of all religions) have preached to their flocks for thousands of years?

How did we all end up on either the stern and the bow of the same boat?

To offer at least a hint: there *are* groups with some muscles and a strong interest to fight what nsa embodies; they have use for what I can offer (funnily there seem to be not really many with my profile) and I can use what they have to offer and what I lack.

You mean like Schneier with IBM “Resilient”?

IBM built a very large portion of the current boat.

So, again, what’s the solution? Anyone?

wumpus • September 1, 2017 6:54 PM

@Dirk Praet
“One of the few things I ever agreed upon with @He-who-must-not-be-named is that the NSA is neither omnipotent, nor is 99.9+ percent of the world population of any interest to them. Or to any other TLA, for that matter.”

If you are remotely concerned with counterterrorism, simply scooping up the data on 99.9% of the world’s population and then attempting figure out which are from POI is one of the few workable solutions.

Symmetric warfare is a bit more straightforward, you can typically figure out your POI beforehand. But that is only a part of what the NSA is tasked to do.

Mass surveillance may well be a monkey trap and excessive data may be a toxic asset but I can’t see Washington DC culture giving up data (especially any data that has been granted the magical status of “top secret”, that’s DC’s own currency) nor turf (DC’s traditional measure and source of power).

An interesting question would be how many of the toys listed in Snowden’s catalog of various attacks would be obsolete if the NSA had the panopticon they are often accused of having. Individual computers would either be targeted because agents/program weren’t cleared to have access to “the good stuff”, or more likely they simply couldn’t find the right needle in the haystack to match with a geographical location they did know about, and need a physical device on said location. I suspect they have all the data they want, and it is similar to the lack of drinking water in Houston.

Note: this an amazingly good derailment of the thead. If Mao works for an agency busting whistleblowers, he’s done a good job. A journalist publishing formerly secret data is doing so about as publicly as possible, and is therefore likely to get hit with every specific direct attack needed to attempt to track the whisteblower and prevent further damage. Certainly no panopticon needed here. Also absolutely nothing on the journalists end can possibly be assumed to be secure (even if you picked somebody on the highschool sports beat on the basis that they weren’t bugged now, the moment they announce their scoop they can be assumed to be fully bugged).

I’d still stick with burner phones, bought with cash. The phone can be traced, bugged, whatever. But it can’t reveal your identity if it never knew it in the first place (you might need to play games with the battery and keep it in a shielded case, but the important thing is to keep it from being able to identify you). I wouldn’t trust any tech to prevent that phone from identifying me (that isn’t something “non-tech” like air gaps, faraday cages for the phone, or yanked batteries). I certainly wouldn’t trust any tech on the journalist’s computer/phone.

Voodoo algorithms to detect outliers • September 1, 2017 7:33 PM

Don’t forget that Obama and some of his closest advisers had their heads deep inside the Voodoo of using algorithms to detect whistleblowers. You can come to your own conclusions as to what data mining and machine learning algorithms are busy working overtime to the NSA’s haul from trawling everyone’s data 😉 If the Voodoo points at an individual has grave implications on the whole life of the person whether or not this is a false positive or accurate detection. Any person with a half brain should be considerate what Voodoo means to their vital interests and go out of their way to prevent falsely caught in their Voodoo nets

Chairman Mao • September 1, 2017 9:42 PM

@wumpus

Note: this an amazingly good derailment of the thead. If Mao works for an agency busting whistleblowers, he’s done a good job.

LOL.

If anyone has derailed journalists from using crypto, might I point to the Board of EFF?

https://www.eff.org/about/advisoryboard

As I said earlier, how many lawyers does it take to screw in a lightbulb? Add IBM and Craiglist?

Wael • September 1, 2017 11:40 PM

@Dirk Praet,

Meanwhile, both myself and several other regulars here are indeed fed up with said attitude that instead of promoting a culture of better security awareness and practices

Don’t let it bother you, I’m with you – it’s a disucssion I avoided for quite sometime because it’s not aligned with my way of expressing myself in a humorous manner. Everyone contributes according to their area of interest and experteise.

[…] hold my peace and move somewhere else.

Likewise! No one, except for the owners of this blog, should demand that others contribute in a certain manner. There are those that share ideas, those of us who share related news, new tools, best practices, etc… and there are those who reccomend books, articles, papers for review, etc… I value all of these and participate to the limit of my ability – so long as the discussion is objective and devoid of subjectivity and personal attacks.

There were several books and articles that I would not have known about had I not been reading this blog. There are tools that I now know about that I hadn’t in the past because someone drew our attention to them here.

Naturally, I would not look down at anyone who doesn’t particpate in a certain manner. Nor would I disparage them. There will be the occasional sarcasm and humor when erroneous information is shared that we try to correct. And I’ll engage anyone to a measured length as long as they adhere to objectivity. When the discussion degenerates to dismissive arguments, name calling, personal attacks, and condescending remarks, then count me out — not the sort of discussion I look forward to engage in.

It Never Penetrated Into The Mainstream... • September 2, 2017 9:28 AM

“People must communicate. They will make mistakes, and we will exploit them.”

–James Clapper, DNI

Chairman Mao • September 2, 2017 10:02 AM

@It Never Penetrated into Mainstream…

“People must communicate. They will make mistakes, and we will exploit them.”

Good quote!

As I said before:
1) Wolves
2) Sheep
3) Sheep Dogs

So, the government solution is self-evident — Wolves + Sheep Dogs form an alliance to eat the sheep.

Is that the only solution?

Dirk Praet • September 2, 2017 1:14 PM

@ wumpus

If you are remotely concerned with counterterrorism, simply scooping up the data on 99.9% of the world’s population and then attempting to figure out which are from POI is one of the few workable solutions.

That’s probably exactly what they are trying to do, but it’s very much like drinking from the water hose. And largely explains why mass surveillance is too blunt a tool to prevent terrorist or other attacks. It’s, as @Clive has often repeated, more like a huge time machine that in general is only useful to connect all pieces of the puzzle ex post facto.

It is reasonable to assume – and even documented as such – that vast quantities of telecommunications and internet traffic are indeed scooped up based on specific criteria and selectors. But until the next Ed Snowden produces material proving otherwise, neither the NSA nor any other TLA is currently capable to collect, store, process, break and analyze in real time every bit of traffic passing through telecommunication networks. Especially encrypted, semi-anonymized or otherwise obfuscated traffic which makes their lives much harder.

The only way to counter act the nightmare scenario of ubiquitous encryption and anonymisation – however half-baked – is by pushing for backdoors and ever more draconian legislation on one hand, and by actively dissuading the general population to use such tools and methodologies.

Chairman Mao • September 2, 2017 2:35 PM

@Dirk

The only way to counter act the nightmare scenario of ubiquitous encryption and anonymisation – however half-baked – is by pushing for backdoors and ever more draconian legislation on one hand, and by actively dissuading the general population to use such tools and methodologies.

A wolf in sheep’s clothing response –“counter act the nightmare scenario of ubiquitous encryption and anonymisation”

Nightmare to Clapper because he won’t be able to speculate on Wall Street options futures.

de La Boetie • September 2, 2017 3:12 PM

@dirk

There are a number of ways to counteract more widespread encryption.

First and best would be to squash the market for it by abandoning mass surveillance (already known to be ineffective in its nominal application) – this has created the mass market in the first place. But a) that’s not realistic given their addiction to it (and use of it for many other purposes such as state and corporate insider dealing), and b) is too late because the trust has gone.

Second, there is really no need to formalise backdoors, because there are so many insecure front doors – the “terrifically weak” client security. This means that both targeted people can be attacked (as suggested by the ex-head of GCHQ), and I suspect en-masse by automated large-scale attack tools which could pop in implants ready to be exploited.

Dissuading the general population to use such tools and methodologies is already in full swing by associating Tor with illegal scummy sites for example, and insinuating that anonymity is a Bad Thing.

Chairman Mao • September 2, 2017 3:22 PM

@de La Boetie

I suspect en-masse by automated large-scale attack tools which could pop in implants ready to be exploited.

Don’t forget to turn on “Automatic Security Updates.”

First and best would be to squash the market for it by abandoning mass surveillance (already known to be ineffective in its nominal application) – this has created the mass market in the first place.

ALL Alphabet (Google and all the baby-Googles), Microsoft, ATT, Verizon, Tmobile, and hundreds of other stock prices would plummet.

Google with mass surveillance is worth, today, $981 per share. After dumping mass surveillance, it’s worth what Alta Vista was worth in the 1990s.

Too many politicians (incl Al Gore) and James Clappers trade options and commodity futures to abandon mass surveillance.

Chairman Mao • September 2, 2017 3:25 PM

IN ADDITION, without mass surveillance, Facebook would become worthless.

John P. • September 2, 2017 7:39 PM

@Bruce, securing email is quite simple now, and has been for some time. DefiniSec makes it pretty easy on Windows w/ Outlook. Coverage will grow. Not a plug either, because it’s available at no cost for those in infosec (security researchers as well, for many other things – not just email). It picks up where Signal stops, at the endpoint itself. Attachments, files, email, etc.

Dirk Praet • September 3, 2017 3:24 AM

@ de La Boetie

… and I suspect en-masse by automated large-scale attack tools which could pop in implants ready to be exploited.

No argument there, but such an approach would significantly increase the chances of such implants being detected.

Although @Clive can probably come up with at least 5 different ways to distribute and hide APT’s in firmware, the existence of which would be very difficult to prove, the NSA – despite its formidable resources – is not $DEITY, thus cannot change the laws of physics or probability. And which dictate that any such large-scale operation eventually would be found out about and its implants neutered, not to forget the subsequent political and economic blowback to all parties involved.

It could of course be argued that Windows 10 is in fact the very thing you are describing, but that’s a different story 😎

EvilKiru • September 3, 2017 8:56 PM

@Chairman Mao: “You mean like Schneier with IBM “Resilient”?”

Seeing as how your correspondent didn’t mention any specific groups, I can only say this:

Why hello there straw man argument.

Chaiman Mao • September 3, 2017 11:20 PM

@EvilKiru

Strawman argument? NOT.

The Original “Proposition” is “Journalists Generally Do Not Use Secure Communication…I forgive them for not using secure e-mail. It’s hard to use and confusing. But secure messaging is easy.”

That statement is simply untrue. Everyone should be running their own CA and email server, at the very least.

EFF board includes IBM. Schneier. 100+ lawyers. Craiglist? That doesn’t make any sense. Something is wrong.

Thus far, I’ve given a summary of facts by example. Something is wrong.

Nobody has any solutions — except to call it a “social” problem? I don’t think it’s a “social” problem except for the status quo. Then, in that case, yes — the status quo IS the “social” problem. As I said, before:

@ It Never Penetrated into Mainstream…
“People must communicate. They will make mistakes, and we will exploit them.”
Good quote!

As I said before:
1) Wolves
2) Sheep
3) Sheep Dogs

So, the government solution is self-evident — Wolves + Sheep Dogs form an alliance to eat the sheep.
Is that the only solution?

The status quo: The sheep dogs breed with wolves now. “Give us this day our daily mutton.”

ab praeceptis • September 4, 2017 10:23 AM

Chairman Mao

“You mean like Schneier with IBM “Resilient”?”

Just to avoid misunderstandings: I did not mean Bruce Schneier and I do not assume that Schneier is part of some evil group. In fact, I did not even think of him (in that context).

I might be wrong (and accused of lack of interest in details of Schneiers personal life) but it is my understanding that Schneier works for a living; after his time at BT he seems to have sold his company to IBM where he now (as is quite usual) continues to work. Again, I might be wrong and, frankly, I don’t even care. My Schneier image is largely defined by his work.

If “works for/with company xyz” were an indicator of evilness, pretty much everyone would be evil. That’s not how I see things.

Chairman Mao • September 4, 2017 11:20 AM

@ ab praeciptis

I’m not implying anything other than the “social” problem, itself.

Wolves + Sheep Dog = ????

A benevolent wolf????

IBM’s govt (e.g Clapper the Big Bad Wolf) contracts probably look something like the national debt.

IBM’s motto — money talks; bs walks.

Also, lawyers. Lawyers are “officers of the court.” Being “officers of the court”, they are “agents” of Clapper the Big Bad Wolf. They make their living by arguing — not by creating “easy to use” solutions. (Easy to use phone “messaging” still has an MITM (e.g. Verizon — one of the largest known perps to date.)

Plain and simple. How many lawyers at EFF use crypto? Or, Gmail? I’ve done my own survey, too.

You’d be AMAZED.

EFF has been “coopted.” (Cross bred with Wolves.)

Chairman Mao • September 4, 2017 11:21 AM

NOTE: Verizon is represented on the EFF board, too.

Tenth Fouchet • September 6, 2017 1:58 AM

re: IM

Viber was sold to some Japanese company years ago. No idea if that had changed anything.

Out of all IMs listed in the post, Telegram is the least shitty client-wise – there is an F-Droid version that comes without 3rd party analytics modules. All other criticisms remain true.

Frank • September 11, 2017 12:11 PM

This is more of a general (newbie) query.

I understand that, if I wanted to run some open source software on my PC, I could grab the source code, compile it and feel fairly secure about the code that I’m running.

Just recently I signed up for Tutanota mail; and the front page states: “Tutanota is licensed under GPL v3 – essential to any encryption service. Open source enables security experts to verify the code that protects your mails.”

But when using open source software online how would I know exactly what code is running on the server? The published stuff may be verified but how does that help me understand what I’m using?

Schneier on Security

Journalists Generally Do Not Use Secure Communication

Comments

Leave a comment Cancel reply