Steve DoigCronkite School of Journalism

Arizona State University

Spycraft: Keeping your sources safe

Why spycraft for reporters?

Need to keep identity of confidential sources secret from subpoena or government snooping.

Need to keep identity of confidential whistleblowers secret from corporations.

Need to travel in places where governments detain journalists.

Examples

National Security Agency revelations from Snowden

Barry Bearak of the NY Times in ZimbabweHewlett Packard board leaksSecret subpoena of AP phone recordsFox News reporter’s email contents

What I’ll cover

Keeping internet searches privateMaking and receiving untraceable callsKeeping email privateEncryption/decryption programsKeeping your computer cleanTricking keyloggers

Private internet searching

NSA monitors search termsAOL debacle: 36 million search terms of 650,000

users (http://www.aolstalker.com/)Subpoenas to your IT department or IP providerAlternative: www.ixquick.com: No IP addresses

kept, no cookies, search terms deleted within 48 hours

DuckDuckGo.com: nothing keptAnonymizer.com?: Anonymizer Universal ($80)

Torproject.org

TOR enables anonymous browsingBounces your browsing through a worldwide net of

relaysGet through national firewallsUsed by journalists, activists, bloggers, NGOs,

companies, et al.

Keeping identity private in calls

*67 blocks Caller ID in U.S.Old NYT caller ID: 111-111-1111“Spoof” your Caller ID with SpoofCard

(www.spoofcard.com) -- $10/60 minutesCrazycall.net (international)Also do voice changing

Cellphone cautions

GIS-equipped cellphones track your locationCellphones also track location by cell tower

triangulationCellphones and wireless phones can be heard by

scannersCellphones can be bugged

Cellphone spyware

Listen to calls, extract SMS, view photos, read call logs ($60) (but not iPhones)

Pre-paid “burner” cell phones

No-contract cell phones and SIM cardsIMPORTANT: Buy with cash, and replenish with

cashCommon outside the U.S. Phones as cheap as $10-$20Pre-paid cards as cheap as 10 cents/minute in US

Voice over Internet Protocol (VoIP)

Internet voice callsBeware “man in the middle” attacks (NSA, for

instance)Skype encrypts voice/video data stream

But there is an NSA back door…

Use Jitsi.org instead of SkypeZfone with VoIP clients like Gizmo, GoogleTalk,

Magic Jack

Silent Circle

Started by PGP inventor Phil ZimmermanApp for iPhone or AndroidEncrypts phone, text, video chatBut secure email server has been shut down!$10/monthPrepaid “Rōnin card” – get service anonymously

Blackphone

Use with Silent CircleSecure phone, text, wirelessAnonymous search/browsingRemote wipe if lost

Texting and chat

TextSecure from WhisperSystems: (for Android, but IOS soon?)...encrypted end to end

ChatSecure: Use for Facebook chat, Google Hangouts, et al....works on any platform

Keeping identity private in email

Use free “throwaway” email addresses from Yahoo, Gmail, etc.

Anonymizer.com: Nyms software creates throwaway email addresses that will forward to your real address ($20/yr)

Other remailers: Mixmaster, QuickSilver, et al.

Email without sending email

Trick used by CIA director David Petraeus and mistress Paula Broadwell

Create an anonymous Gmail accountWrite messages as drafts, but don’t send

them

Smuggling your text and pictures

Use micro SD cardsUp to 128 GB

Cryptography

Use code to make files on disk, phone, etc., unreadable

Avoid simple ciphers, one-time pads, etc.Public-key cryptography is bestTrueCrypt.org: not secure!!TrueCrypt to be replaced by CipherShed Boxcryptor: encrypt files in the cloud GnuPG 2.0 also open sourceUse a strong passphrase!Keep data on encrypted thumb drive

Hidden USB drives

Email encryption

MS Outlook will encrypt email

Better: GnuPG 2.0 (free) Uses public-key crypto

Can be built into GmailEnigmail extension for

Mozilla Thunderbird

Cryptonerd’s fantasy

Steganography

Poe’s “Purloined Letter”: Hide in plain sightMessage hidden in “covertext” of some sort:

Plaintext MP3s, jpegs, video, Flash, etc.

www.jjtc.com/Steganography/tools.htmlOpenPuff 4.0 – deniable encryption using less

secret data as a decoyNew – hiding files in the silence of Skype

conversations!

Stego example: original

Stego example: encoded

Hiding directories

Create hidden “safes” on computer“Safes” can be on USB drives, DVDsEspionageapp.com

Watermarking, fingerprinting

Related to steganographyHidden information embedded in filesInvisible watermarking uses variety of techniques: Shift

lines, text and/or characters; deliberate misspellings, etc.Used to verify copyright, reveal image tampering, traitor

tracingWatermarker.com: “IceMark” invisible watermark ($50)Strategy: Retype the document, adding your own

variations…

Spammimic.com

Turns a short message into spam, which can be decoded

“Dear Friend ; Thank-you for your interest in our publication . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our club ! This mail is being sent in compliance with Senate bill 1816 ; Title 3 ; Section 304 ….

Spammimic.com

Turns a short message into spam, which can be decoded

“Dear Friend ; Thank-you for your interest in our publication . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our club ! This mail is being sent in compliance with Senate bill 1816 ; Title 3 ; Section 304 ….

Cleaning your computer

Deleting files doesn’t destroy themNeed software that overwrites deleted file space,

temp files, etc.CyberScrub Privacy Suite ($60)

Overwipes data files, erases other traces

Ccleaner (free), Eraser 6.0, other freewareDarik’s Boot and Nuke (CD wipes all drives)Blancco: industrial-grade data wiping

Keyloggers

Hidden program that captures keystrokes and sends them to whoever installed it.

Common at internet cafes!FBI’s Magic Lantern keyloggerAnti-spyware software will detect many – but

not all – keyloggers.Stopgap protection: When typing password

letters, type a few random letters elsewhere on window between each

Hardware keyloggers

Insert between keyboard and computer ($50-$200)

Software keyloggers

Installs software in 5 seconds ($99)

GPS tracking

GPS Trackers with cell SIM cards can update location every minute

Recommendations

Assess the risk to your source Who wants your source’s identity? What are their capabilities?

Discuss security with your sourcesMake security decisions sooner rather than

laterConsider low-tech face-to-face meetings

Some privacy resources

www.privacy.orgwww.epic.orgwww.privacyinternational.orgwww.journalistsecurity.net/www.securityinabox.org

Questions and ideas?