Six Easy Tips: Essentials of Digital Security for Targeted News Organizations

Below is a quick reference, distilled list of six easy tips for any news organization employee at risk of being targeted by malicious adversaries. These tips come the Safe Travels Online campaign that the Tibet Action Institute has been developing over the last two years, to assist Tibetan exile human rights organizations, and it has proven effective in reducing the amount of successful “cyberattacks”, and minimizing impact of successful attacks to only a single infected machine (instead of the entire organization).

The recent story on cyberattacks against the NYTimes indicates that email attachments infected with malicious code was likely the source of the infiltration. These types of attacks have been a common pattern that the Tibetan exile of community has experienced for years, and I am happy to now to share of their painfully-acquired wisdom with all of you. With each tip, I have also included a link to a short public service announcement video on the TibetAction YouTube channel.

1. Use HTTPS to Stay Secret, Safe & Secure: You should always keep your network traffic secure to online services and applications, whether at the office, home or traveling abroad
https://tibetaction.net/knowledge/tech/https-eng/

Thumbnail
httpS Keeps You Secret, Safe & Secure!

Thumbnail
Keep your secrets safe using HTTPS

2. Detach from Attachments: Email attachments are a plague on the information age. There are many better, safer and more effective ways to share files in the 21st century
https://tibetaction.net/detach-from-attachments/

(this is one of our most popular tips, so I’ve embedded it for easy viewing!)

Detach from Attachments!

3. Keep Your Enemies Out Of Your Inbox: Google provides the best set of tools for defending against intrusion, or at least knowing when you may have been compromised
https://tibetaction.net/knowledge/tech/keep-enemies-out-of-your-inbox/

Thumbnail
Keep your enemies out of your inbox!

4. Don’t Share Drives: The culture of sticking a USB flash drive in any old USB slot, must end; it’s like having sex without protection; again, there are better ways to share files
https://tibetaction.net/knowledge/tech/dont-share-drives/

Thumbnail
Don’t Share Drives!

5. Strong Password (keep you safe online): You must use better passwords, enable features like Google’s two factor authentication, and use services like LastPass or KeePass
https://tibetaction.net/knowledge/tech/strong-passwords/

Thumbnail
Strong Passwords!

6. Think Before You Click: Hyperlinks have revolutionized our lives, but when they come inside an email message, they can lead to a whole world of hurt.
https://tibetaction.net/think-before-you-click/

(this is our latest tip, and as it is quite relevant here, I’ve embedded the video)


Think Before You Click!

… and here is just one of the great posters available for printing and posting at your workplace, available at https://tibetaction.net/safetravels. Yes, it has Tibetan writing on it, but that makes it even more legit, doesn’t it?

 

 
Tashi Delek!

An extraordinary hacker and activist

Dear friends, family and colleagues… when I get annoyed by you for using the label “hacker” in a negative, nonconstructive, anti-productive manner or to refer to malicious adversaries, it is because there are people like Aaron out there who are true examples of what a hacker is… who use their basic, unstoppable curiosity of deeply technical subjects to change power structures in society, in order to address issues of injustice, basic rights and information freedom. He was also one of the only hackers, consider his brilliant direct action tactics against closed profiteering journal databases, who would have been equally at home at an SFT or Ruckus activist camp, as he would at a hackerspace. RIP.

From danny:

Aaron’s art was an amazing ability to focus on the truly important. When he left, just as when Len left, he left an obligation on the rest of us to keep what each of us have of him, and put it to good use. Between us, I believe we still have a massively parallel, distributed version of Aaron, one unique part of his life shared with each of us alone. The part I’ll remember for us is just how funny he was, and how serious change sometimes requires a light touch, and a sense of the absurd.

 

https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz

http://www.oblomovka.com/wp/2013/01/12/he-was-funny/

http://rememberaaronsw.tumblr.com

and for eternity: www.aaronsw.com

My Quick Guide to a Less Risky Dropbox

While there are definitely many security-related holes and privacy concerns to be had about the free (but not open-source) Dropbox file sharing service, it has taken the world by storm, including many activist and human rights groups, mostly due to the simplicity and effectiveness of its user experience. As we have seen many times before, software and services that “just work”, will always win out over more secure options with the majority of the population. This post is a quick attempt to share some simple steps you can take to ensure your use of Dropbox, or any similar cloud-based file storage and sharing system, is more properly protected, obscured or otherwise mitigated as a direct threat to the security of your information.

1. Use Dropbox over Tor to stop local network monitors from knowing you are using Dropbox to begin with. This also is a good configuration to use with people who live in places where Dropbox might be blocked, but Tor is not.

Install Tor and use Vidalia (the GUI controller) to connect to the Tor network.

Set Dropbox->Preferences->Network->Proxy Settings to use Tor’s secure SOCKS proxy on localhost, port 9050

2. Set Bandwidth Usage to a low value to avoid creating large spikes in network traffic. This will reduce the likelihood your particular use will be singled out if you are syncing large media files or other transfers.

Set Dropbox->Preferences->Network->Bandwidth Usage to a low value such as 50KB/s for upload and download

3. Use Truecrypt to create encrypted disk volume files inside of Dropbox, and then store your files inside of that. This can still be shared by multiple users, if you use a password based volume.

Download, install and configure the free, open-source TrueCrypt software: http://www.truecrypt.org/

Create a new TrueCrypt volume, stored within a Dropbox folder

All in all, there are more secure ways to share sensitive information, such as using GPG file encryption or another OpenPGP solution, but if you absolutely must use Dropbox, and you are under any sort of threat at all to having the information you store on it used against you, then please follow this advice I have shared.

If you have additional tips, warnings or configurations along these lines, please add them to the comments below.

    ITP2800: Designing Mobile Apps for Crisis Situations

    Here is the slide deck and audio recording of a recent lecture I gave to my NYU ITP2800 students. The topic was “Building an Effective User Experience for Mobile Smartphone Applications Used Under Duress”, with the ideas and content coming from an earlier blog post / crowd-sourced effort on this topic. I still consider this talk a work in progress, but figured I’d share it in the spirit of open iteration!

    My (rough) statement for the US Helsinki Commission hearing (Feedback Please!)

    Below is my rough statement for the US Helsinki Commission “Twitter v. Tyrants” hearing this Thursday. I would greatly appreciate any of your comments and feedback, as I will be polishing this up a bit before the hearing Thursday and before I formally submit it into record. I mostly wonder whether I have made to many generalizations in trying to connect the dots for people in the limited time I have. Are there other case studies I should mention that would help? Any other papers, posts, links I should I include? Thanks!

    I greatly appreciate the opportunity to participate in this hearing. Thank you to the members of the commission for the invitation to appear here today, and for your interest in this very important topic. I come here today as a representative of the many, many technology advocates, experts and educators who believe that the most amazing innovations of our generation should be used for more than just acquiring more wealth or as simply new channels entertainment or distractions. I am also a longtime member and former board chair of the international non-profit group Students for a Free Tibet, led by Tibetan activists Lhadon Tethong and Tenzin Dorjee.

    From my perspective, the latest wave of new media protest technology began in 2004, with an open-source web service called TXTMob. TXTMob was first developed by MIT’s Institute for Applied Autonomy for protesters at the 2004 Democratic National Convention in Boston and the Republican National Convention in New York. I was part of a team that utilized TXTMob to broadcast thousands of short messages to over 10,000 people on the streets of New York, letting them know what was happening moment by moment. Later in 2004, during the Orange Revolution in the Ukraine, students utilized the service to coordinate their spontaneous protests or flashmobs, strikes and sit-ins. In 2005, two of my colleagues who had been involved TXTMobs use during the RNC went to work for the company that became Twitter, where they showed the demonstrated the power of TXTMobs and short message broadcasting to their coworkers around the office. It was in those times, that Twitter was born. It is not an accident that things have come full circle, with Twitter now being the standard go-to tool for activists around the world.

    In my activism work, my areas of focus are Asia and the Americas. I have specific experience traveling in and working with organizations focused on China, Tibet and India. I have developed patented technology, focused on the exchange of data between mobile devices over wireless networks. I am also teaching at NYU’s Interactive Telecommunications Program this semester – a new graduate course I’ve designed entitled “Social Activism using Mobile Technology”.  My personal path in this sphere, as a developer, practitioner and instructor in the use of new media technologies within social movements, is built upon a very long tradition that goes back to the first time someone figured out how to use drums, fire and birds to send signal messages.

    During the second world war and the cold war, inventors, mathematicians and the earliest digital computers played a critical role in helping the allies stay one step ahead of the axis. In recent years, open-source hackers, nerds and geeks have gravitated towards the social justice, environmental and human rights movements, creating unique alliances and very rich opportunity for innovation. Four guys in a garage in Silicon Valley, is now multiple activists communicating in realtime through Twitter, Skype, Facebook, all using their iPhones, Blackberries and Google Android phones, to weave together human rights campaigns using true grassroots organizing and tested non-violence tactics with open-source software, cloud-based web services and very powerful, yet very cheap hardware gadgets.

    Take the case of Burma in 2007. Video journalists and I.T. student organizations teamed up to provide their own coverage of the Saffron Revolution. As their footage began reaching the outside world, they become bolder and more targeted by the junta. While the revolution never fully materialized, and many of the monks and activists who participated have been imprisoned, tortured or worse, the “VJ” model of Burma is largely considered to have been successful due to the global attention the protests received. A similar model is being used in Iraq, through the well known citizen journalist video service, “Alive in Baghdad”, that works to cover and disseminate stories of the every day lives of Iraqis. We have also seen this model used with simple camera phones in the Kashmir and most recently in Iran, where a single clip of video of an innocent dying girl instantly clarified the issue for a global audience and brought overwhelming sympathy and support to the side of the Iranian people. The power of the moving image is unavoidable.

    In many cases, the authoritarian states power proves too formidable for adhoc efforts with new media technology. In Tibet, the largely peaceful uprisings in March 2008, were perceived by the outside world as being “riots”, due to China’s ability to control the story by severely restricting news media access and blocking telephone and internet communication. Thousands of Tibetans were detained, many died, and hundreds were given lengthy sentences, many convicted through evidence gathered via close-circuit security cameras, mobile phones, PCs and the Internet. There are countless stories of Chinese, Tibetan and other activists within China being incriminated through their use of email, Skype and other tools. The evidence gathered by the state is often done in collaboration with the technology providers – Yahoo!, eBay, and so on.

    In August of 2008, over seventy activists from around the world traveled to Beijing to protest for Tibetan human rights and independence during the Olympic games. New media tools played a major role during this effort. It provided a loosely coupled link between the various independent activists who were traveling to Beijing to participate. It enabled a team of citizen journalists to document the many different protest that occurred (since mainstream press was mostly unable to due to their “close” relationship with Chinese security agents) – all utilizing broadcast quality HD video cameras, small mobile computers and uploading photos and footage for publishing and broadcast around the world. The Beijing authorities eventually caught on, arresting and detaining for a week, six American citizens who had been documenting the protests. During their detention, they were told that the crimes they were guilty of, documenting and spreading media of protests, was far worse a crime than actually participating in the protest itself. Fortunately, due to their American passports, they were treated fairly and made it home.

    During last years presidential elections, I was a member of an adhoc team of people who came together to build “Twitter Vote Report”, a nation wide web 2.0-style election monitoring system that tied together google maps, wikis, and iPhones with human resources on the ground from watchdog groups and the media. Over 30,000 citizens reported from outside their polling places, providing a real time view and instant notice of any long lines, hanging chads and potentially voter fraud. The data captured that day was released freely to the Internet for analysis and research by academic institutions. The open-source code from this project, as well as a few others, has been utilized in India and Afghanistan, and we hope to see it become a standard tool in the fight against election fraud.

    As you can tell, I am very enthusiastic and active participant in the use of new media tools for social good and in the fight against authoritarianism. However, the use of these tools also brings about the possibility of serious risk to the user, their friends, family and broader movement. As a friend of mine said, “You cannot twitter your way out of a bludgeoning by security goons”. Mobile phones are unique, always broadcasting personal identifiers; changing SIM cards does nothing, phones are tracked easily tracked by their hardware IDs. Laptop computers are often full of incriminating documents, web caches and email addresses. Digital viruses that deliver actual spy-ware such as GhostNet are common and becoming more powerful and more invisible every day – one slip and your entire email inbox can be copied by an adversary. Use of new media and social networks reveal one’s “social graphs”, buddy lists, friends & followers… in a free country, these provide benefit, amplifying your ability to communicate and connect. In an authoritarian state, these reveal your human networks, make the job of cracking down easier and more efficient. It often takes an entire generation to rebuild when an activist network is decimated. The protests of 2007 and 2008 in Burma and Tibet were at level not seen since 1988 and 1989. That twenty year gap is no accident.

    While the free world is easily enamored of applications of new media tools within dictatorships and authoritarian states far way, our own federal, state and local law enforcement are often quite fearful and hostile towards their use within domestic movements. Tad Hirsch, creator of TXTMob, is the subject of a subpoena by the City of New York in connection with several active lawsuits against the City that allege police misconduct during the 2004 Republican National Convention. Elliot Madison, a 41 year old social worker, was been arrested in Pittsburgh on Sept. 24 and charged with hindering apprehension or prosecution, criminal use of a communication facility and possession of instruments of crime. The Pennsylvania State Police said he was found in a hotel room with computers and police scanners while using the social-networking site Twitter to spread information about police movements. Just this week it was announced that In-Q-Tel, the CIA’s venture capital arm, has invested in a company whose technology is capable of powerful data mining from any information openly published on Twitter, Facebook and other social networking sites. In summary, acts taken to secure our homeland from violent terrorists often have similar justifications to acts taken by authoritarian governments to squelch dissent and democracy. Our government needs to be mindful of these contradictory positions on the benefit of new media within our own democracy.

    Finally, I would like to briefly emphasize the comments from Mary Joyce of DigiActive, who could not be here today, on the topic of embargoes. In the digital age, where a “good” is a string of code that can be delivered anywhere in the world with the click of a mouse, even today’s smart sanctions are not smart enough.  By preventing access to blogging platforms, social networks, and other types of new media, current embargo policies harm the very activists who are furthering our common goals of democracy promotion, while leaving authoritarian governments free to spread propaganda through a range of state-controlled media outlets.

    Referenced URLs of note:
    TXTMob: http://en.wikipedia.org/wiki/TXTMob
    Alive in Baghdad: http://aliveinbaghdad.org/
    TwitterVoteReport: http://twittervotereport.com
    Beijing Olympics Protest Coverage: http://freetibet2008.tv
    GhostNet: http://en.wikipedia.org/wiki/GhostNet