For the first five years Steve Doig spoke at Investigative Reporters and Editors conferences, he talked to a half-empty room of chairs about keeping sources and secrets safe.
But at the recent June conference, more than 80 people packed into his presentation room and fought for 50 seats, finding room on the floor when the chairs were full.
Since Edward Snowden unveiled the National Security Agency’s massive surveillance system in early June, reporters have questioned what digital threats lurk beyond their ability to anticipate or even understand. Doig said paranoia drove them to his lecture, and it’s paranoia that will set them free. Even though most reporters won’t have to worry about the NSA coming after their information, all reporters should adopt a healthy skepticism about their digital safety and learn basic measures to protect their information and sources.
Then on the rare occasion they need to shelter a confidential source, they’ll be prepared.
“It’s a matter of creative paranoia,” Doig said. “A heightened sense about the possibility of surveillance is what you need to be ready when those rare situations come up.”
LOW RISK: DIGITAL SECURITY MEASURES ALL REPORTERS SHOULD TAKE
Everyone with a computer is vulnerable to hackers, crackers and attackers. Here are basic security precautions to help keep you and your sources safe.
PRACTICE HEALTHY PASSWORD HYGIENE
Reporters should build their digital defense on a firm foundation of strong passwords. Dan Goodin, IT security editor at Ars Technica, calls passwords the basic building blocks of security posture.
“It doesn’t matter how sound your antivirus program is or how careful you are about not visiting attack websites,” Goodin said. “If the password you choose to protect your email account is easily cracked, all of your secrets are going to be spilled.”
In his August 2012 article, “Why passwords have never been weaker — and crackers have never been stronger,” Goodin proved a good password is hard to find.
When you’re creating a new account, there’s usually a meter that will rate your password choice and tell you how strong it is. But Goodin said the reliability of password meters is all over the map, and he’s seen amateur crackers break so-called “strong” passwords in a matter of seconds.
“The problem is these meters use an unreliable metric for measuring the strength of a password and don’t take account of the real world techniques used in password cracking,” Goodin said.
Password meters rate passwords on the assumption that attackers are always going to use what’s called a bruteforce attack on your account, cycling through every possible character combination to find a match. If the password is 10 characters, the brute-force attack will try every combination from 10 A’s to 10 Z’s, which can take years to accomplish, Goodin said.
So instead of using brute-force, most crackers cycle through word lists of the most commonly used passwords — a faster, more successful process password meters don’t take into account.
To prove just how easy cracking can be, Ars Technica’s deputy editor and a newbie to password cracking, Nate Anderson, took on a project in March to decipher 16,000 hashed passcodes using only free tools and the resources of the Internet. Within a few hours, Goodin reported that Anderson had deciphered almost half of them.
So if you want to protect your passwords from seasoned crackers, Ars Technica recommends using passwords with a minimum of 11 characters that don’t form a pattern and do contain upper- and lowercase letters as well as numbers.
Goodin said it’s best to create unique passwords for each of your accounts through what’s called a password manager, or a single master password, that unlocks all of your other passwords. The password manager beats the system because it’s a random combination of numbers and characters that can only be cracked using a brute-force attack.
“It might take years or centuries to crack,” Goodin said. “It also compartmentalizes any breach that happens, so if someone cracks my Twitter, they can’t get into my email account, too.”
Three common password managers are 1Password, LastPass and KeePass.
SURF, SEARCH AND SEND SAFELY
When you’re online and sending messages or emails online, you’re using something called “metadata” to communicate with service providers, such as Google. Think of your service provider as the middle man — kind of like the post office — that takes your message from you and delivers it to the person you’re trying to contact or the website you’re logging onto.
As Quinn Norton points out in her ProPublica article, “Worried About the Mass Surveillance? How to Practice Safer Communication,” the message is what you want to say (the letter itself), and the metadata is the information your message needs to arrive at its intended destination (the address and return address on the envelope).
When sending a message through a service provider using traditional HTTP — Hyper Text Transfer Protocol — your message or “letter” is legally protected, but your metadata is at stake. That means third-party intruders who want to see your letter’s “envelope” can peek over your service provider’s shoulder and see who the letter is to and from.
To hide your metadata, Eva Galperin, a global policy analyst at the Electronic Frontier Foundation , recommends downloading a program called HTTPS Everywhere. It’s a browser extension for Firefox and Chrome that encrypts your metadata with major service providers whenever possible.
The “S” in HTTPS represents the added security benefit of something called Secure Sockets Layer that creates an extra obstacle for third-party intruders trying to intercept your data. Although it can’t completely block third parties, it forces them to confront your service provider if they want a glimpse at your “envelope” information.
When you’re searching terms in HTTPS, a similar encrypted connection between your browser and your service provider helps protect search terms and results pages from third-party eyes.
“It prevents people from being able to spy on your network when you’re on the same Wi-Fi in an Internet cafe,” Galperin said.
DEVELOP PHISHING DISCRETION
Perhaps the greatest security risk for reporters is something called phishing. It’s a hacker technique that works a lot like actual fishing.
A devious phisher casts an email from a familiar source dangling a tempting link or attachment that usually invites you to click on it. But beware: If you bite, malware can be downloaded onto your computer and watch you or steal your information without you even knowing.
“It’s extremely hard because as journalists we receive links and emails all the time, saying, ‘Here’s a juicy scoop. Go check it out,’” Goodin said. “But we need to know when a link will lead to next big story, and when it leads to a silent attack behind the scenes to install malware on our computer.”
Microsoft Security Center says phishers can target you in emails and websites asking for your information, and they use three basic tactics to reel you in: links in an email, threats if you don’t respond, and the authority of popular company names, such as Facebook. Microsoft also says bad spelling and grammar in a suspicious email might indicate a phisher.
Goodin recommends studying phishing techniques and keeping an eye out for the latest scams. As a basic practice, Galperin said, avoid suspicious emails, and if you’re ever in doubt about a website asking for your credentials, look up in the URL bar before you try logging onto that site.
HIGH RISK: DIGITAL SECURITY MEASURES WHEN SOURCES ARE AT STAKE
Every so often, you might come across a story where you need to protect a source’s identity. Here’s basic advice for protecting information that might be targeted by an individual or group.
EVALUATE YOUR RISK LEVEL
Defending your digital security from a targeted attack starts with considering what information is at stake and who might want that information, according to Frank Smyth, senior adviser for journalist security at the Committee to Protect Journalists.
After reporting under repressive regimes in countries such as Cuba and Guatemala, Smyth founded and directed the Global Journalist Security firm to consult and train journalists in safe practices.
When he’s helping journalists assess the best security tactics for their situation, he tells them to ask themselves four questions:
1. Who would be interested in the information I have?
2. What capabilities do they have?
3. Where am I vulnerable?
4. What can I do to make myself less vulnerable?
Once you know the answers to these questions, Smyth suggests researching digital security tools and evaluating what tools meet your needs. When you’ve narrowed down to a few names and brands, he said running a simple search of those tools on The Liberationtech Archives (by the Center on Democracy, Development and the Rule of Law at Stanford University) can help you evaluate what tools will best suit your needs.
Although you might have to sift through some technical jargon, Smyth said the listserv is the “single best source” for information about security software because it tells you what Internet Freedom activists are saying about the pros and cons of specific tools. Depending on your situation, certain tools might be more of a hindrance than a help.
KNOW YOUR ENEMIES
If you want to be prepared for an attack, you have to study your attacker’s strategies. In this case, that means familiarizing yourself with hacker and tracker techniques and programs.
Smyth said anyone with $40 and the right skills can buy a spyware program called “Blackshades” and use it to digitally eavesdrop on your computer.
After only a few days of digging online, Steve Doig found a handful of similar civilian surveillance tools on the market, including bugs that can be attached to cars to track where they drive and software that turns cell phones into microphones even when they are powered off.
“All it is is a civilian version of much more powerful things used by the intelligence community and law enforcement officials,” Doig said. “At least being aware of things around you and tools that can be used against you will get you thinking of ways that you would be inadvertently revealing the identity of who you’re talking to.”
But despite the availability of high-tech tools, Galperin said most hackers use a variation on the same old techniques. They’re intercepting traffic, copying traffic, tricking you into opening something, getting you to give up your password or installing devices to track your movements.
“If you know how to protect yourself against the same old themes, you can count on yourself to be protected,” Galperin said.
USE PHONE AND SHORT CONVERSATIONS TO YOUR ADVANTAGE
When Smyth was working with confidential sources in El Salvador, he used his phone like a beeper. Either he would call the source or the source would call him when they needed to meet in person, and they kept conversations short and vague.
“All we would say is: ‘Let’s meet. Same place? Same time?’ Boom. That’s the conversation,” Smyth said. “We would never say anything more. If you were listening, you might get a sense of what was going on, but who knows.”
Today, Smyth said reporters can easily contact sources via Facebook or Twitter to send previously established code messages, such as, “We’re overdue for Chinese food,” when they want to meet up with the source or want the source to check an encrypted email account.
Doig said if you plan to text or call a source regularly, you should consider buying cheap, no-contract phones with cash for both of you. But he warns that you and your source can only use these phones to call each other. The first call you make to a landline or a contract cell phone will be traceable and will link you to that phone’s owner.
(Although Smyth said cryptic conversation methods worked well in El Salvador, he said it would attract too much attention in places like Guatemala, so reporters overseas should always use discretion based on their location.)
MAKE A TRAIL THAT’S DIFFICULT TO TRACE
When Florida socialite Jill Kelley began receiving anonymous harassing emails in May 2012, she contacted a friend in the FBI to investigate the source. By November, the FBI discovered the source was biographer and former military officer Paula Broadwell, and they eventually uncovered a chain of emails linking Broadwell to an extramarital affair with then-CIA director Gen. David Petraeus.
But Smyth said that if the former CIA director had used more covert methods of communication with his mistress, the two might have hidden their ties and escaped public scrutiny.
When a source’s identity is at stake, you, too, should use anonymity tools so you don’t leave an obvious digital trail. Smyth recommends a tool called the Tor Project that allows users to access the Internet without leaving behind digital footprints. It works by hiding your ISP address and bouncing your signal off dozens of other servers in various nations before it reaches its destination.
“It’s inconvenient; it’s slow; but if Petraeus used it, he might not have been caught,” Smyth said.
To use Tor effectively, Smyth recommends hiding your ISP by setting up Tor at a public Internet cafe or in a university or library. If your source is doing the same, the ISP address will not be connected to either of your email accounts, and you can talk in the cloud without allowing third parties to peg you.
Smyth also recommends less complicated methods for covert communication. Instead of making one six-hour phone call that might send a red flag to anyone who gets their hands on phone records, he suggests breaking the conversation up with Skype calls, encrypted emails and personal meetings whenever possible.
But be careful, Doig warns. Sometimes it’s the simple tracking methods that trip up reporters more than the complicated surveillance systems they might expect.
Signing a visitor’s log at a public office or swiping a toll card on a toll road when you’re traveling to a private meeting could indicate an association between you with your source.
“There are so many ways we don’t even think about that keep track of us, and if someone wants to see if there’s a relationship, they can,” Doig said.
TELL SOURCES YOU NEED THEIR HELP
Above all, remember security isn’t a one-way street, Galperin said. When you’re communicating with a source, the source has to be willing to take the same precautions you’re taking, or you’ll both be vulnerable to surveillance.
“The biggest threat to your source is your source,” Galperin said. “Your source will only take the precautions that you can convince them to take.”
But Galperin said since most confidential sources are risking their own jobs or even lives to tell you information, they will usually be highly motivated to protect themselves. That’s why it’s the reporter’s responsibility to learn digital security strategies and tools well enough to teach sources and make sure they understand how to keep themselves safe.
“Otherwise, sources get themselves into trouble because they don’t understand the risk they’re taking,” Galperin said.
Kara Hackett is SPJ’s Pulliam/Kilgore Freedom of Information intern, a freelance writer and a free press enthusiast. Contact her at khackett@spj.org or on Twitter: @KaraHackett