
Secure Computing for Journalists - _pius
https://blog.cryptographyengineering.com/2017/03/05/secure-computing-for-journalists/
======
tptacek
A few weeks ago a bunch of us on Slack tried to put together a brief for
journalists on why they should prefer iPhones. It's still a work in progress,
as you'll see, but here's a draft:

[https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781a...](https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781aecf664)

~~~
jhlgkhkhil
Why would someone whose threat model includes the US government possibly want
to trust a totally closed OS made by a US company?? Do you still not see the
US government as a threat to journalists? If not, how do you justify this
position?

~~~
zabuni
1) Apple has shown substantial backbone in fighting against the US government
when pressed to exploit a phone.

2) The other choice is a device made by a Chinese or Korean company with a
semi-open operating system made by a US company.

3) Either device will have a totally closed baseband chip.

4) Deploying and maintaining a secure Linux environment on a laptop is a full
time job that requires expertise journalists don't have.

5) Open versus closed source is a red herring. Everyone is using pre-compiled
binaries.

~~~
alasdair_
>2) The other choice is a device made by a Chinese or Korean company with a
semi-open operating system made by a US company.

All iPhones are made in China by a Chinese company.

~~~
zer0tonin
They are made by Foxconn, which is a Taiwanese company.

~~~
na85
Does that make it meaningfully better?

------
dguido
I have a security review for a news room coming up, and I plan on sharing this
blog post with them. Thanks for writing it Matt! I'm definitely behind all of
the points you made.

If anything, I worry that non-technical users will _still_ not understand that
desktop programs can do anything you can do with your computer even after
reading your post. I'm not sure the description is "in your face" enough to
translate for the intended audience. In their minds, "reading files" may be
better expressed as "copy of every email I've ever sent" or "operate my webcam
and grab nudes of me."

~~~
hackuser
> I have a security review for a news room coming up, and I plan on sharing
> this blog post with them

Isn't there something more professional and accurate available? I fear there
is not.

~~~
dguido
There are plenty of alternative sources I could list, but Matt's blog post is
1) accessible 2) correct 3) short. That's a winner in my book!

------
r3bl
I've been trying to secure investigative journalists for about a year and a
half, and this article kind of covers two of the points that I make on all of
the security trainings. They usually go like this:

* Do not have work-related emails on your Android (unless it's Google-made). iOS (9+) is okay.

* Do not open random attachments on a Windows machine. (We always do our best to convince them to switch to a Ubuntu station with an AppArmor profile for LibreOffice set.)

This is a good start. I think this article would be even better if it included
some phishing tips (like HTTPS doesn't automatically mean "secure", and if
you're suddenly logged out of Google for no apparent reason, don't just log
into the webpage displayed to you, but instead, open Google by typing the
address bar manually and log in there).

Interesting side-note: Asshats spend days crafting phishing emails
specifically targeted to our journalists, and they _never_ get Google's postal
address right in the footer.

~~~
tptacek
I'm not sure I understand how switching someone from Windows+Office to
Ubuntu+LibreOffice is a security win. LibreOffice is not an especially safe
piece of software.

~~~
hannob
I hope I'm not saying anything wrong here, but from what I'm aware there are
two major problems with MS Office that LibreOffice doesn't have:

* It doesn't have all that macro bundling stuff in normal documents that's the source of the whole macrovirus issue.

* It doesn't have any OLE-object-can-run-embedded-EXE-files-on-click-feature.

I'd say that's a huge win.

~~~
tptacek
It takes seconds to turn macros off in Office, far less time than it takes to
convert someone to LibreOffice. Meanwhile, straightforward fuzzing is still
producing RCEs in LibreOffice.

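The "turn macros off" step mentioned above is a registry policy change on Windows. The script below is an added example, not code from the thread or from any project discussed in it: it writes the documented Office macro policy values for the current user and reads them back. The Office version number `16.0` (Office 2016 and later) and the list of applications are assumptions; adjust them for the installed version.

```powershell
# Added example (not from the thread): disable VBA macros in Office for the
# current user via the Office policy keys, then verify the result.
# Assumption: Office 2016/2019/365, which uses the 16.0 registry version.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        # Policy keys take precedence over the Trust Center UI and grey it out.
        New-Item -Path $policyKey -Force | Out-Null

        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable all without notification
        Set-ItemProperty -Path $policyKey -Name 'VBAWarnings' -Value 4 -Type DWord

        # Also block macros in files carrying the Mark-of-the-Web
        # (downloaded files and mail attachments), regardless of the setting above.
        Set-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App             = $app
            VBAWarnings     = $props.VBAWarnings
            BlockFromWeb    = $props.blockcontentexecutionfrominternet
        }
    }
}

Set-OfficeMacroPolicy
# Expect VBAWarnings = 4 and BlockFromWeb = 1 for each application.
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

On a managed fleet the same two values are what the "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" Group Policy settings write, so the registry view above is a quick way to confirm that the policy actually landed on a given machine.
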
------
Cieplak
This advice makes sense given the threat model. However, it might not make
sense for someone in Edward Snowden's role. If I were a military agency with a
big budget, I would backdoor the shit out of every phone, enforce cultures of
secrecy inside companies like google, apple, facebook, intel, qualcomm, at&t,
and off any executive that interfered with the mission. Then I would pay
experts to spend their lives on internet forums asserting that devices with
two cameras, two microphones, wifi that can function as radar, an unremovable
battery, a closed-source operating system and root access only available to a
major US corporation via ssh, are the most secure computing platforms in the
universe. That's just me though, if I had a lot of money and lust for world
domination, neither of which I possess :)

Edit: removed sentence "Most mobile devices have baseband chips with DMA"

~~~
tptacek
No, iPhone basebands do not have direct memory access. This is a myth that
will not die. The baseband on an iPhone (and on modern Android phones) is
connected via a serial bus, as a peripheral. Both Google's and Apple's
security teams consider the baseband an adversarial device. This has been true
for many years, just as for many years people have been popping onto message
boards to confidently inform us that basebands have direct access to memory.

~~~
hackuser
> The baseband on ... on modern Android phones ... is connected via a serial
> bus, as a peripheral

Doesn't that depend on the manufacturer, or does Google somehow make that a
requirement?

------
remx
But if a journalist is going to use a secure desktop Operating System,
he/she/they should investigate the current trio of recommendations which are
as follows, and have different threat models baked into each:

Subgraph. Currently in Alpha version, so be careful using this. Still has to
be vetted by the wider infosec community, but worth downloading and playing
around with.

TailsOS. Very useful for journalists, but since it heavily relies on Tor it
can be tricky dealing with mixed-anonymity workflows where sometimes you just
need a Windows environment (preferably an airgapped Windows sandbox you can
use to code / play around with files using Windows freeware).

Qubes. Heavily reliant on compartmentalization, and this can sometimes prove
too cumbersome if you typically do one type of activity on the web like chat /
email / hang out on slack. Typically for when you need to insulate different
activities from each other and to avoid contaminating different contextual
environments / tasks.

~~~
tptacek
I like Subgraph. I know a lot of people like Qubes (I have no opinions about
it, but the people I know who like it are quite smart). I don't think I know
anyone who recommends Tails.

But none of these are reasonable suggestions for journalists and activists.
We're not talking about people who are running conspiracies and can organize
their working lives around opsec. You can barely get these people to the point
where they aren't blindly clicking on attachments (and the attachments they
open need to open in office software that is compatible with their existing
workflows). They're simply not going to use Linux on their desktops.

This is why security people like phones so much: they run secure operating
systems that laypeople have accepted and can work with.

~~~
remx
> that laypeople have accepted and can work with

There is the caveat that it's hard to get things done in a timely manner on
phones, or even tablets/phablets. If I need to crank out a lengthy blogpost,
then I need a full desktop environment where I can do cross referencing,
wikipedia lookups, file selection, photo editing, and all the other things
that a desktop affords. I have tried writing a blogpost on an iPad and it took
up my whole day when it should have taken 2-3 hours.

I know people who have developed super-fast methods for working on iOS but
they are such a rare creature, and I'm not so sure their workflow is even
teachable enough to be widely adopted by journalists or professional bloggers.
From my experience they're relying on all sorts of hacks to get a blogpost out
the door like using some perfectly curated mix of apps, and being able to pass
files to and fro different apps with ease. Hardly the stuff of laypeople.

------
tyoma
This is a great article but only really covers half the issue. The other half
is why journalists should use secure messaging applications, and not email.

Sometimes the most successful attacks are phishing attacks that no device will
protect against. As an example, it is rumored that John Podesta used an iPad.

~~~
dguido
Great point, but this sounds like a topic for another blog post. I'm so glad
that FIDO U2F is starting to catch on. I keep a drawer full of keys at work
and hand them out to all our office visitors. The next generation of
Bluetooth, NFC, and software tokens are exciting and a bright spot for the
security industry.

------
patcheudor
Use iOS with a privacy proxy they said...

[http://www.falseconnect.com/](http://www.falseconnect.com/)

The first point being, software flaws and particularly those in low level
networking libraries can expose secrets and the key I suppose as covered in
the article is to ensure your OS is always up to date. The second point, and
Dan covers it elsewhere in this thread, be very cautious about insecure hosted
VPNs & you should really never trust proxies which some VPN providers are
offering.

~~~
dguido
Yes, definitely always keep your OS up to date! Even in 2017, this is still a
major advantage that iPhones have over Android phones. There will be bugs in
any device, and iPhones have a better plan for dealing with them than Android
phones. There is a vast amount of empirical data that shows patch adoption
rates are far faster on iOS.

iOS patches are:

1) _available_, directly from the vendor

2) come with new features

3) required for certain apps

4) nag you

etc

~~~
patcheudor
A number of years ago I found a crypto flaw in a Samsung component they
shipped on their Android phones. Due to carrier update delays it took nearly
two years for all the patches to roll out. Apple on the other hand can go from
notice to patch available in weeks.

~~~
tptacek
Apple's not perfect about this stuff. Google and Apple both have strengths
when it comes to systems security, including on mobile platforms.

The key advantage Apple has is vertical integration. Google has to coordinate
with third party vendors to ensure that an OS patch reaches Android users.
Apple can just flip a switch.

------
bubblethink
I wonder how helpful these sort of posts are for actual journalists or whistle
blowers. It's one thing to tell a casual user to get an iPhone as a reasonably
secure choice compared to Android's fragmented mess, but for someone whose job
and/or life is on the line, you need a more thorough coverage. You may even
need like a mini course of sorts that covers basics of CS and infosec. Short
of that, such cavalier advice can be misleading.

~~~
pvg
This was written as a response to a question from an actual journalist. It's
quoted right at the top. What do you find 'cavalier' about it?

~~~
bubblethink
Because it fails to mention any downsides of running an iOS based phone, and
I'm sure that a balanced discussion would find many. Security is complex, and
paraphrasing it this way may be fine as casual advice, but when you add
"journalists" in the title of your post, it falls short.

~~~
pvg
It outlines many of the limits of the advice, describes a specific case in
which an activist was targeted by multiple iOS zero days, etc. What are the
downsides you think it omits and in what ways does Matthew Green misunderstand
the complexities of security?

~~~
bubblethink
Not so much about misunderstanding as it is about omitting other details. For
one, iOS is a completely closed box whereas AOSP is completely open. You can
argue for or against security by obscurity v/s security in open software, but
at the very least it needs a mention in any fair comparison. Secondly, most of
the blog focuses on average case behaviour. In Apple's case the average, best
and worst case are all the same since they make only one device and one OS. In
contrast, Android is a vast spectrum. Now if you were to give out advice to
people with sensitive data, you should compare the best case for both of them,
which he briefly does, but not quite as detailed as it warrants. For instance,
is iPhone necessarily better than a Pixel running AOSP or something like
CopperheadOS? I'm not so sure. iOS's centralized behaviour also makes it an
easier target in some ways. Want to attack all browsers on an iPhone? Attack
WebKit. There are other security fails such as relying on either iTunes or
iCloud for getting data in and out of the phone. Much fuss was made over
Cloudflare's lack of a bug bounty program. Apple didn't have one either until
quite recently.

~~~
pvg
I'll just take the bit with the highest inaccuracy density:

_iOS is a completely closed box whereas AOSP is completely open. You can
argue for or against security by obscurity v/s security in open software, but
at the very least it needs a mention in any fair comparison._

This gets addressed by people working in security on every single HN thread,
including this one. Assessments of the security of iOS are not dependent on
its 'openness'. There is also nobody seriously arguing 'security by obscurity'
vs 'open software'. That's not what 'security by obscurity' means nor does the
security of iOS depend on 'obscurity'. None of this needs a mention in a 'fair
comparison' because it's simply wrong.

------
claudiojulio
iOS more secure than Android? Joke ready. iOS is closed source. You cannot
tell whether Apple, the CIA, or the NSA are spying on you.

~~~
dguido
Do you own a disassembler? I do. Also, a decompiler, debugger, and other
analysis tools. Closed source does not mean "black box."

And besides, open source doesn't mean anyone has reviewed the code. Reviewing
a program for security takes work, regardless of whether it is open or closed.

~~~
claudiojulio
I really do not understand any of this. I am in the 1st period of the
Information Systems course. But I know one thing, it's much easier to find a
backdoor with the open code than the other way around. Besides that nothing
guarantees that with these techniques you do not miss something.

~~~
tedunangst
One of my perennial favorite HN comments: you, the professional reverse
engineer, could not possibly do what you do. I've never tried to do it, but I
know you can't.

~~~
jhlgkhkhil
More like I the lowly software developer can read code but I can't reverse
engineer - and why should I learn?

~~~
tptacek
It's fine not to learn. What's less fine is stridently asserting, as you have
all over this thread, that security advice from experts is flawed while at the
same time huffing about how little time you have to learn about the details.

~~~
jhlgkhkhil
I have repeatedly asked you to actually provide some citations for your
claims. Please do so.

------
claudiojulio
To be safe see this site. It has everything you need.
https://www.privacytools.io/

~~~
dguido
Hi, my name is Dan, and I don't recommend anything on the privacytools
website.

Above all the many problems it has, it recommends using insecure hosted VPNs
and advocates an app-centric approach to restoring your privacy (e.g., Install
this app and you'll be safe!). This is no better than believing you can eat
unhealthy food and fix it with weight loss pills.

If you're looking for a better solution to a communications security problem,
you're welcome to check out Algo, a self-hosted VPN that I support:

[https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

~~~
ploggingdev
Thanks for the link to Algo. First time coming across it.

I was under the impression that PrivateInternetAccess was well regarded, but
this link [1] which is in the blog post linked above was an eye opener.

[1]
[https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)

