Digital security session live notes at #ipinip

This session is flagged as a workshop so not sure how tweetable it will be. Already some restrictions on picture taking due to nature of discussion.

Introductory talk making the point that people take more care about the security of their wallet than their phones whereas the data for the latter is worth far more than a few pounds in your pocket.

Second half of this workshop will move to a Q and A.

Currently being subjected to an interrogation as an audience – are you a practising journalist, an editor, a technologist, a journalist who works with tech etc. etc.

Point being made that malware is now being very specifically targeted at individual journalists. Those that write about it are then targeted. The aim can be for people like security services to find out what we’re working on or for commercial interests to learn about other companies’ activities.

Speaker showing us SecureDrop from the Freedom of the Press Foundation. An original drop box. A tool that gets around the data which Google, Facebook etc. make available to services such as NSA by creating anonymity for sources.
Lots of news orgs. turning to it. HTTPS://fredomfoundation.org/securedrop

Good question from the audience about keeping things secure from employers and even colleagues.

Ravi making the case that all of us need to be more secure in order to make it better for everyone.

One of the reasons O’Brian thinks that it’s important to come to Africa for this is not only because it will be the target of some of these attacks but the prevalence of mobile activity and channels makes it likely.

CPJ has a digital security for journalists guide online.

One of the most important things you can do is prevent copies happening. The more copies, the more difficult to protect.

Protect your data when it is ‘at rest’, e.g. a document stored on a device.

That’s under threat from:
A. Malware.
B. Physical protection of the device from security services, criminals etc.

Things that can be done:
– encryption. Use passwords that are very strong and not easy to guess. Hackers generally have large databases of passwords you might have chosen. Particularly easy for dictionary words.
– Diceware is a platform which creates humanly memorable random passwords. Gives far more protection.
– backup of data. Copy onto USB and hide. Some people working on USB in case the device is taken. Save the data to the cloud but use encryption.

Syria is the first place where journalists have been targeted specifically because of certain software they were using to encrypt. Technical savvy among the oppressors as well.

Good question from the audience – how can you keep your USB data safe if you’re needing to rely on Internet cafés for access to the internet?

In answering, O’Brian sees that the future problem is increasingly mobile devices rather than desktops. Desktops being legacy. Internet cafés very hard to secure. Not a good answer to give.

One option is to work out a chain of getting the USB out of the country. Some of the best ways to take video out of Syria were people smuggling sticks over the border.

Lunch break now. Be back after

Problem with Yahoo in Africa, where penetration was high, was the way it travels across the internet and so was not secure.

Gmail set up differently with encryption between transactions of user to recipient.

Some specific how-to coming up:

– encrypt the entire hard drive of your desktop. Google ‘encrypt my disk’ and follow instructions.
– how many passwords do you have? More is better. Keep passwords specific to one place only. Use a password manager and memorise the one password you’ll need to get into it. KeePass is one such service that can also generate complicated passwords. Securityinabox.org keeps details of services which are open source and so the code can be checked/monitored. Passwords need to be at least 18 characters long. Multi-language phrases good because the databases scrape through entire languages in minutes.
– two factor identification. Set up a second question that needs to be entered. Google does this with a mobile phone number but that then links your mobile to your email.
– email encryption. Public key encryption communication means that only the sender can give the recipient the ability to read it.
– text messages. Get into the habit of clearing your text messages regularly. Texts are small and easily stored by agencies looking to track you.
– use false names with contacts and move them to secure areas on a regular basis so they are not all visible via your mobile at all times.
– guardianproject.info provides link to ChatSecure for private and secure messaging.
– myshadow.org starting to collect together useful information including a way to trace your own shadow – where was your email revealed, what apps are you using etc.
– http://www.eff.org offers HTTPS Everywhere, a browser plugin which automatically turns on the most secure way of using whichever service you are trying to use. Creates locked off sites.
– Use fake information for the second question, e.g. mother’s maiden name, pet, first school etc.
– Social login exposes a lot of your personal data. Interested to hear the speaker here mention this and personally hope the trend for news organisations to require this for engagement takes on board the fact many of us don’t want to join up the dots like this with our data.
– Tor can protect anonymity online. http://www.torproject.org
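
The Diceware point from the morning and the 18-character password advice above, worked through as an added example (not shown in the session and not code from any of the tools named). The word list is a constructed stand-in for the real Diceware list, and the function names, the 100,000-word dictionary size and the 94-character alphabet are assumptions made for the comparison.

```python
import math
import secrets
from itertools import product

# Constructed stand-in list, NOT the real Diceware word list: 6**5 = 7776
# two-syllable tokens, one for every possible roll of five dice.
_SYLLABLES = [c + v for c in "bdfghjklmnprstvwyz" for v in "aeiou"]
WORDS = [a + b for a, b in product(_SYLLABLES, repeat=2)][:6 ** 5]


def rolls_to_index(rolls):
    """Read five dice rolls (each 1-6) as a base-6 number -> list index."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def passphrase(n_words=6):
    """Simulate the dice with the OS CSPRNG; never use the `random` module here."""
    picks = []
    for _ in range(n_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        picks.append(WORDS[rolls_to_index(rolls)])
    return " ".join(picks)


def entropy_bits(choices, length):
    """Entropy when each of `length` items is drawn uniformly from `choices`."""
    return length * math.log2(choices)


def words_needed(target_bits):
    """Smallest number of list words giving at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(WORDS)))


if __name__ == "__main__":
    print("sample passphrase:", passphrase())
    # Assumed sizes: a 100,000-word dictionary; 94 printable ASCII characters.
    print("one dictionary word : %.1f bits" % entropy_bits(100_000, 1))
    print("six list words      : %.1f bits" % entropy_bits(len(WORDS), 6))
    print("18 random characters: %.1f bits" % entropy_bits(94, 18))
    print("words to match that :", words_needed(entropy_bits(94, 18)))
```

The strength comes from the words being picked at random from a fixed list, not from the words themselves, which is why a phrase you make up yourself does not carry the same number of bits.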

This session concludes: “wider question here is why these things are insecure, how they are insecure. Journalists need to make an extra step and report on these things and help others. There’s a huge traffic in surveillance systems. Very little is reported but it is a huge target for journalists not just for your own safety.”
