Tuesday, February 21, 2017

Border Digital Safety for Journalists

The CPJ, the "Committee to Protect Journalists", offers some horrible advice [*] on Digital Security, especially when crossing the border.

The most important piece of advice I can give you is this: if somebody's life depends upon it, then no simple piece of advice, no infographic, is going to help you. You have to learn about cybersecurity enough to make intelligent decisions for yourself. You have to make difficult tradeoffs yourself. Anybody giving you simple advice or infographics is a charlatan.

So I thought I'd discuss what's wrong with the following infographic:

I. Passwords, managers, and two-factor

The biggest issue is don't reuse passwords across different accounts. If you do, when hackers breach one of your accounts, they breach all of them. I use a simple password for all the accounts I don't care about, then complex unique passwords for all my important accounts. I have to write them down on a piece of paper I've got hidden at home, because sometimes I forget them.

Password managers certainly help you have multiple strong passwords across many accounts. On the other hand, it puts all your eggs in one basket, and the police can grab them from the company.

Two-fact can help, but hackers have shown they can intercept SMS messages to your phone number.

One problem you have to deal with is that going through border control, they'll ask for all your social media passwords. If you are using two-factor authentication (SMS to a phone) then it won't do them much good having the passwords. Not having your phone with you while your cross the border isn't hard. You can use a separate Google Voice phone number (free) which you disconnect form your phone before traveling across the border, and reconnect when you get back home. You can also use a cheap $3/month account (like one of the M2M/IoT SIMs) on a second phone.

II. Encrypt laptop and screen lock

Border control, law enforcement, and smart criminals can bypass the "screen lock". This is practically true for MacBooks (with their Thunderbolt ports), they've got the tools to do this with ease. This is theoretically true for Windows, though without Thunderbolt or Firewire, I don't know how to easily break out the screen lock on most of them.

The upshot is that before going through border security, power off your laptop completely.

Encrypting your laptop is excellent advice, but you are still likely to fail at this. In all likelihood, you are going to choose a weak password that can be "brute-forced" (guessed) by the police. Or, you are going to setup a "password recovery" feature where the police can get your password by subpoenaing Apple or Microsoft. Describing how to do this well requires multiple pages of text.

III. Use Signal or WhatsApp

Using Signal is good. However, they still get the metadata who you are talking to. Also, using Signal in a foreign country makes you stand out, because only people with something to hide from the police use Signal. Using WhatsApp is better, because lots of people use WhatsApp for normal day-to-day chat. These are the sorts of subtle issues you have to think through.

IV. Secure Browser

On the phone, use Brave. It's like having Chrome with HTTPS-Anywhere and uBlock origin built in, getting rid of privacy tracking cookies and ads. Indeed, one of the engineers of HTTPS-Anywhere is one of the principle engineers of Brave.

On a laptop, either configure the browser to forget all cookies when it exits, or use "incognito" mode a lot. Features that secure cookies aren't as important as not leaving a cookie trail to begin with. I've got Twitter, Gmail, Spotify, and other privacy-identifying apps open in Chrome, but use "incognito" mode whenever I google search for something (like "weapons grade uranium"), so that the government can't tie the search back to me.


Don't take this post as advice what you should do.

Instead, the purpose of this post is to show the limitations of a simple infographic. While it's not precisely bad advice, if you do what it says, you (the journalist in the case) will still divulge all your sources to border control when coming into the United States.


The situations you are really confronted with are things like border control demanding access to your Facebook account before they let you into the country. How long are you willing to wait? They'll certainly try to detain you long enough until you miss your connecting flight. Whatever security you have still depends upon how much pressure they can apply. If you aren't willing to miss your connecting flight, no amount of security is going to help you.


Colin McD said...

Well said.

I think the graphic is a little problematic. How effective is a security key being carried with the journalist as he boards the airport for instance? "Dear sir can I have your RSA key please?"., Yet just remember the target audience. You have Journalists who may I don't know loose a 2GB USB key containing the leaked material of a certain US defence worker....

Really we want at least the basics to be covered, but not leave people with a false sense of security. I.e. Journalists, put a screen lock. Yes the FBI will crack that laptop if they think there is Pedophile data OR details of a terrorist strike. But a screen lock will slow/stop someone from getting the name of a whistle blower talking about how his boss is sexually harassing people in their workplace! (think of a journalist just loosing their laptop). Remote wiping software, another good idea.

a few my 2c things:
Password managers are awesome. Going something open source like Keepass, open source password manager installed as a program on your laptop you are doing pretty well. Sure you will need 1 complex password (or 2 factor auth) to decript your password DB, but you can't have a vendor just unlock it unlike Cloud or propriety solutions.

Have a fake account for facebook/twitter/whatever ready to go if you suspect you may need to reveal it. A security guard wont' know the difference easily and you should be able to show a very benign account.

William Warren said...

Easy way to avoid the password hogging apple or microsoft. BOTH mac and windows give you the option to create local accounts..aka not connected to apple or microsoft. It takes a bit of effort but it isn't that hard.

William Warren said...

Another way to avoid having to give up your information is to ship your electronics separately from your person....

Lukáš Šrom said...

For passwords I use a little piece of code that lets me generate strong passwords without the need for centralized storage. These are generated only when I need them, are not stored anywhere and I don't need to remember complex passwords or pass phrases.
I only remember one password and enter it into my algorithm together with name of the page I want to log in. It returns very strong password and because I implemented it in C, Javascript and as Android application, I can use it anywhere.
It does similar things to LessPass which is more widely used. To self promote myself a bit, I include a link to my blog where I talk about it a bit more and show the strength of passwords that are generated. http://lsrom.cz/blog/2016/11/08/lesspass_why_holding_back_gets_you_nowhere.html